From 16eb94f4ce5225e479bf7f6759ec2e0c3fc5409e Mon Sep 17 00:00:00 2001
From: Ihor Hrytskiv
Date: Mon, 2 Dec 2024 21:33:43 +0200
Subject: [PATCH 1/8] fix: importing rulesets
---
 .../resource_github_organization_ruleset.go | 5 ++
 github/respository_rules_utils.go | 48 ++++++++++++++++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/github/resource_github_organization_ruleset.go b/github/resource_github_organization_ruleset.go
index 014b28ef65..e8eaae8cba 100644
--- a/github/resource_github_organization_ruleset.go
+++ b/github/resource_github_organization_ruleset.go
@@ -428,6 +428,11 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 Description: "Choose which Actions workflows must pass before branches can be merged into a branch that matches this rule.",
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
+ "do_not_enforce_on_create": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "Allow repositories and branches to be created if a check would otherwise prohibit it.",
+ },
 "required_workflow": {
 Type: schema.TypeSet,
 MinItems: 1,
diff --git a/github/respository_rules_utils.go b/github/respository_rules_utils.go
index cfb8ceb462..69e9e6227d 100644
--- a/github/respository_rules_utils.go
+++ b/github/respository_rules_utils.go
@@ -357,7 +357,8 @@ func expandRules(input []interface{}, org bool) []*github.RepositoryRule {
 }
 params := &github.RequiredWorkflowsRuleParameters{
- RequiredWorkflows: requiredWorkflows,
+ DoNotEnforceOnCreate: requiredWorkflowsMap["do_not_enforce_on_create"].(bool),
+ RequiredWorkflows: requiredWorkflows,
 }
 rulesSlice = append(rulesSlice, github.NewRequiredWorkflowsRule(params))
 }
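Review bot: The unchecked assertion `requiredWorkflowsMap["do_not_enforce_on_create"].(bool)` in the `@@ -357` hunk of respository_rules_utils.go panics the whole provider if that key is ever absent from the map — for instance a repository-ruleset schema that does not declare the attribute, which this patch adds only to the organization schema in the `@@ -428` hunk while expandRules is shared by both. The two-value form degrades to `false` instead of crashing: `doNotEnforceOnCreate, _ := requiredWorkflowsMap["do_not_enforce_on_create"].(bool)` followed by `DoNotEnforceOnCreate: doNotEnforceOnCreate,`. expandRules starts and ends outside the hunk, so I cannot see whether the neighbouring assertions already use the checked form; whichever style they use should be applied here consistently.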
@@ -504,6 +505,51 @@ func flattenRules(rules []*github.RepositoryRule, org bool) []interface{} {
 rule["required_check"] = requiredStatusChecksSlice
 rule["strict_required_status_checks_policy"] = params.StrictRequiredStatusChecksPolicy
 rulesMap[v.Type] = []map[string]interface{}{rule}
+
+ case "workflows":
+ var params github.RequiredWorkflowsRuleParameters
+
+ err := json.Unmarshal(*v.Parameters, ¶ms)
+ if err != nil {
+ log.Printf("[INFO] Unexpected error unmarshalling rule %s with parameters: %v",
+ v.Type, v.Parameters)
+ }
+
+ requiredWorkflowsSlice := make([]map[string]interface{}, 0)
+ for _, check := range params.RequiredWorkflows {
+ requiredWorkflowsSlice = append(requiredWorkflowsSlice, map[string]interface{}{
+ "repository_id": check.RepositoryID,
+ "path": check.Path,
+ "ref": check.Ref,
+ })
+ }
+
+ rule := make(map[string]interface{})
+ rule["do_not_enforce_on_create"] = params.DoNotEnforceOnCreate
+ rule["required_workflow"] = requiredWorkflowsSlice
+ rulesMap["required_workflows"] = []map[string]interface{}{rule}
+
+ case "code_scanning":
+ var params github.RequiredCodeScanningRuleParameters
+
+ err := json.Unmarshal(*v.Parameters, ¶ms)
+ if err != nil {
+ log.Printf("[INFO] Unexpected error unmarshalling rule %s with parameters: %v",
+ v.Type, v.Parameters)
+ }
+
+ requiredCodeScanningSlice := make([]map[string]interface{}, 0)
+ for _, check := range params.RequiredCodeScanningTools {
+ requiredCodeScanningSlice = append(requiredCodeScanningSlice, map[string]interface{}{
+ "alerts_threshold": check.AlertsThreshold,
+ "security_alerts_threshold": check.SecurityAlertsThreshold,
+ "tool": check.Tool,
+ })
+ }
+
+ rule := make(map[string]interface{})
+ rule["required_code_scanning_tool"] = requiredCodeScanningSlice
+ rulesMap["required_code_scanning"] = []map[string]interface{}{rule}
 }
 }
From a0c6dae53da59b488c4a1059a6326822eed2bc41 Mon Sep 17 00:00:00 2001
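Review bot: In both new cases a failed `json.Unmarshal` of `v.Parameters` is only logged at `[INFO]` and execution carries on with a zero-valued `params`, so the rule lands in state as `do_not_enforce_on_create = false` with an empty `required_workflow` (or `required_code_scanning_tool`) list — a branch-protection control is silently recorded as weaker than the API reports, and the next plan tries to "restore" it instead of surfacing the decode problem. Since flattenRules returns no error, the smallest fix is to raise the level and skip the rule, `log.Printf("[WARN] Unexpected error unmarshalling rule %s with parameters: %v", v.Type, v.Parameters)` followed by `continue` (assuming the enclosing loop is a range over `rules`, which the `v` in `v.Type` suggests), and the existing cases above deserve the same treatment if they share the pattern. The `*v.Parameters` dereference will also panic if the field is nil for one of these rule types; I cannot see its declaration, so a nil guard is worth confirming against the client type. flattenRules continues outside the hunk.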
From: Ihor Hrytskiv Date: Wed, 18 Dec 2024 00:06:33 +0200 Subject: [PATCH 2/8] feat: adding tests --- ...source_github_organization_ruleset_test.go | 37 ++++++++++++++++++- ...resource_github_repository_ruleset_test.go | 33 ++++++++++++++++- 2 files changed, 66 insertions(+), 4 deletions(-) diff --git a/github/resource_github_organization_ruleset_test.go b/github/resource_github_organization_ruleset_test.go index 9aae9f35b9..d6d9b6e64a 100644 --- a/github/resource_github_organization_ruleset_test.go +++ b/github/resource_github_organization_ruleset_test.go @@ -63,6 +63,7 @@ func TestGithubOrganizationRulesets(t *testing.T) { } required_workflows { + do_not_enforce_on_create = true required_workflow { path = "path/to/workflow.yaml" repository_id = 1234 
@@ -91,13 +92,45 @@ func TestGithubOrganizationRulesets(t *testing.T) { check := resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr( - "github_organization_ruleset.test", "name", + "github_organization_ruleset.test", + "name", "test", ), resource.TestCheckResourceAttr( - "github_organization_ruleset.test", "enforcement", + "github_organization_ruleset.test", + "enforcement", "active", ), + resource.TestCheckResourceAttr( + "github_organization_ruleset.test", + "rules.0.required_workflows.0.do_not_enforce_on_create", + "true", + ), + resource.TestCheckResourceAttr( + "github_organization_ruleset.test", + "rules.0.required_workflows.0.required_workflow.0.path", + "path/to/workflow.yaml", + ), + resource.TestCheckResourceAttr( + "github_organization_ruleset.test", + "rules.0.required_workflows.0.required_workflow.0.repository_id", + "1234", + ), + resource.TestCheckResourceAttr( + "github_repository_ruleset.test", + "rules.0.required_code_scanning.0.required_code_scanning_tool.0.alerts_threshold", + "errors", + ), + resource.TestCheckResourceAttr( + "github_repository_ruleset.test", + "rules.0.required_code_scanning.0.required_code_scanning_tool.0.security_alerts_threshold", + "high_or_higher", + ), + resource.TestCheckResourceAttr( + "github_repository_ruleset.test", + "rules.0.required_code_scanning.0.required_code_scanning_tool.0.tool", + "CodeQL", + ), ) testCase := func(t *testing.T, mode string) { diff --git a/github/resource_github_repository_ruleset_test.go b/github/resource_github_repository_ruleset_test.go index a51682507f..be61567bfe 100644 --- a/github/resource_github_repository_ruleset_test.go +++ b/github/resource_github_repository_ruleset_test.go @@ -21,6 +21,7 @@ func TestGithubRepositoryRulesets(t *testing.T) { resource "github_repository" "test" { name = "tf-acc-test-%s" auto_init = false + vulnerability_alerts = true } resource "github_repository_environment" "example" { 
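Review bot: The last three checks added to TestGithubOrganizationRulesets assert on `github_repository_ruleset.test`, but the configuration this test applies declares `github_organization_ruleset.test`, and the `@@ -63` hunk above adds only `do_not_enforce_on_create` to its required_workflows block with no required_code_scanning block. Unless the organization test config declares that repository resource somewhere outside the hunk, the composed check fails with a resource-not-found error and the whole test case fails, so the new do_not_enforce_on_create assertions never turn green. Either drop those three checks here — they are repeated verbatim in resource_github_repository_ruleset_test.go in the same patch — or add a `required_code_scanning` block to the organization config and point the checks at `"github_organization_ruleset.test",`. The test function continues outside the hunk.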
@@ -72,6 +73,14 @@ func TestGithubRepositoryRulesets(t *testing.T) { strict_required_status_checks_policy = true } + required_code_scanning { + required_code_scanning_tool { + alerts_threshold = "errors" + security_alerts_threshold = "high_or_higher" + tool = "CodeQL" + } + } + non_fast_forward = true } } @@ -79,13 +88,30 @@ func TestGithubRepositoryRulesets(t *testing.T) { check := resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr( - "github_repository_ruleset.test", "name", + "github_repository_ruleset.test", + "name", "test", ), resource.TestCheckResourceAttr( - "github_repository_ruleset.test", "enforcement", + "github_repository_ruleset.test", + "enforcement", "active", ), + resource.TestCheckResourceAttr( + "github_repository_ruleset.test", + "rules.0.required_code_scanning.0.required_code_scanning_tool.0.alerts_threshold", + "errors", + ), + resource.TestCheckResourceAttr( + "github_repository_ruleset.test", + "rules.0.required_code_scanning.0.required_code_scanning_tool.0.security_alerts_threshold", + "high_or_higher", + ), + resource.TestCheckResourceAttr( + "github_repository_ruleset.test", + "rules.0.required_code_scanning.0.required_code_scanning_tool.0.tool", + "CodeQL", + ), ) testCase := func(t *testing.T, mode string) { @@ -128,6 +154,7 @@ func TestGithubRepositoryRulesets(t *testing.T) { resource "github_repository" "test" { name = "tf-acc-test-%s" auto_init = false + vulnerability_alerts = true } resource "github_repository_environment" "example" { @@ -199,6 +226,7 @@ func TestGithubRepositoryRulesets(t *testing.T) { resource "github_repository" "test" { name = "%[1]s" description = "Terraform acceptance tests %[2]s" + vulnerability_alerts = true } resource "github_repository_ruleset" "test" { 
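Review bot: `vulnerability_alerts = true` is added to every `github_repository` fixture in this file without saying why; if it is a prerequisite for the API accepting a `required_code_scanning` rule (I infer that only from the two changes landing together, nothing visible states it), a comment in the HCL such as `# enabled so the API accepts the required_code_scanning rule below` keeps the next maintainer from trimming it and breaking the test. The `@@ -79` hunk pins the three code-scanning attributes after apply, but the commit series is titled "fix: importing rulesets" and nothing here asserts those attributes survive an import round-trip; if the file has an import step (the `tf-acc-test-import` fixture in the following hunk suggests one), the same three checks belong there as well. TestGithubRepositoryRulesets continues outside the hunks.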
@@ -270,6 +298,7 @@ func TestGithubRepositoryRulesets(t *testing.T) { name = "tf-acc-test-import-%[1]s" description = "Terraform acceptance tests %[1]s" auto_init = false + vulnerability_alerts = true } resource "github_repository_environment" "example" { From ddd8b2464387cceb2f39776e60b2b8e49695379e Mon Sep 17 00:00:00 2001 From: ihor-hrytskiv <39990360+ihor-hrytskiv@users.noreply.github.com> Date: Tue, 4 Mar 2025 11:30:13 +0200 Subject: [PATCH 3/8] Update resource_github_repository_ruleset_test.go --- github/resource_github_repository_ruleset_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/github/resource_github_repository_ruleset_test.go b/github/resource_github_repository_ruleset_test.go index 90782a7c0f..03fc602b12 100644 --- a/github/resource_github_repository_ruleset_test.go +++ b/github/resource_github_repository_ruleset_test.go @@ -22,7 +22,7 @@ func TestGithubRepositoryRulesets(t *testing.T) { name = "tf-acc-test-%s" auto_init = true default_branch = "main" - vulnerability_alerts = true + vulnerability_alerts = true } resource "github_repository_environment" "example" { From 110048a34dbb4c0daf9bc9e83df2dbc259c4a2c2 Mon Sep 17 00:00:00 2001 From: ihor-hrytskiv <39990360+ihor-hrytskiv@users.noreply.github.com> Date: Tue, 4 Mar 2025 11:31:55 +0200 Subject: [PATCH 4/8] Update resource_github_repository_ruleset_test.go --- github/resource_github_repository_ruleset_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/github/resource_github_repository_ruleset_test.go b/github/resource_github_repository_ruleset_test.go index 03fc602b12..da98db38e8 100644 --- a/github/resource_github_repository_ruleset_test.go +++ b/github/resource_github_repository_ruleset_test.go 
@@ -311,7 +311,7 @@ func TestGithubRepositoryRulesets(t *testing.T) { description = "Terraform acceptance tests %[1]s" auto_init = true default_branch = "main" - vulnerability_alerts = true + vulnerability_alerts = true } resource "github_repository_environment" "example" { From 4275d0151fa42088c37b0ed3297e0efbc5704b96 Mon Sep 17 00:00:00 2001 From: ihor-hrytskiv <39990360+ihor-hrytskiv@users.noreply.github.com> Date: Tue, 4 Mar 2025 11:34:06 +0200 Subject: [PATCH 5/8] Update respository_rules_utils.go --- github/respository_rules_utils.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/github/respository_rules_utils.go b/github/respository_rules_utils.go index f449b96694..d1daa19cbc 100644 --- a/github/respository_rules_utils.go +++ b/github/respository_rules_utils.go @@ -570,7 +570,7 @@ func flattenRules(rules []*github.RepositoryRule, org bool) []interface{} { rule["required_code_scanning_tool"] = requiredCodeScanningSlice rulesMap["required_code_scanning"] = []map[string]interface{}{rule} - case "merge_queue": + case "merge_queue": var params github.MergeQueueRuleParameters err := json.Unmarshal(*v.Parameters, ¶ms) From 3f865dbc298cf92a0d14eb9e4dea3a7bcfa12d74 Mon Sep 17 00:00:00 2001 From: ihor-hrytskiv <39990360+ihor-hrytskiv@users.noreply.github.com> Date: Tue, 4 Mar 2025 11:37:19 +0200 Subject: [PATCH 6/8] Update respository_rules_utils.go --- github/respository_rules_utils.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/github/respository_rules_utils.go b/github/respository_rules_utils.go index d1daa19cbc..8e1832eb9c 100644 --- a/github/respository_rules_utils.go +++ b/github/respository_rules_utils.go 
@@ -570,7 +570,7 @@ func flattenRules(rules []*github.RepositoryRule, org bool) []interface{} { rule["required_code_scanning_tool"] = requiredCodeScanningSlice rulesMap["required_code_scanning"] = []map[string]interface{}{rule} - case "merge_queue": + case "merge_queue": var params github.MergeQueueRuleParameters err := json.Unmarshal(*v.Parameters, ¶ms) From 4f6e0a770f6b89b6b7d6baaa09edbe80e805ee66 Mon Sep 17 00:00:00 2001 From: Ihor Hrytskiv Date: Tue, 4 Mar 2025 11:42:15 +0200 Subject: [PATCH 7/8] fix: lint --- github/respository_rules_utils.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/github/respository_rules_utils.go b/github/respository_rules_utils.go index 8e1832eb9c..ec6e3e58ab 100644 --- a/github/respository_rules_utils.go +++ b/github/respository_rules_utils.go @@ -525,7 +525,7 @@ func flattenRules(rules []*github.RepositoryRule, org bool) []interface{} { rule["do_not_enforce_on_create"] = params.DoNotEnforceOnCreate rulesMap[v.Type] = []map[string]interface{}{rule} - case "workflows": + case "workflows": var params github.RequiredWorkflowsRuleParameters err := json.Unmarshal(*v.Parameters, ¶ms) From 7522b17d95830925f0cf244791e3128a1897cc1f Mon Sep 17 00:00:00 2001 From: Nick Floyd <139819+nickfloyd@users.noreply.github.com> Date: Mon, 20 Oct 2025 15:55:19 -0500 Subject: [PATCH 8/8] Fix indentation for vulnerability_alerts in test --- github/resource_github_repository_ruleset_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/github/resource_github_repository_ruleset_test.go b/github/resource_github_repository_ruleset_test.go index da98db38e8..01c61f91a4 100644 --- a/github/resource_github_repository_ruleset_test.go +++ b/github/resource_github_repository_ruleset_test.go 
@@ -22,7 +22,7 @@ func TestGithubRepositoryRulesets(t *testing.T) { name = "tf-acc-test-%s" auto_init = true default_branch = "main" - vulnerability_alerts = true + vulnerability_alerts = true } resource "github_repository_environment" "example" {