feat(cutlery42): Various updates (#7)

* add support for allow_update_branch

* updating readme regarding allow_update_branch

* update versions.tf with required provider version

* feat: add multiple github features: pages build-type, allow_updates, environments, actions variables

* fix: wait_timer, users

* feat: support force_push_bypassers

* feat: add support for github provider v6.x

* fix: add block conditionally

---------

Co-authored-by: Tobias Lindberg <tobias.ehlert@gmail.com>
Co-authored-by: Tobias Habermann <tobias.habermann@digistore24.team>

Author: 3 people

README.md

@@ -174,6 +174,12 @@ See [variables.tf] and [examples/] for details and use-cases.
 
   Default is `false`.
 
+- [**`allow_update_branch`**](#var-allow_update_branch): *(Optional `bool`)*<a name="var-allow_update_branch"></a>
+
+  Set to `true` to suggest updating pull request branches.
+
+  Default is `false`.
+
 - [**`allow_auto_merge`**](#var-allow_auto_merge): *(Optional `bool`)*<a name="var-allow_auto_merge"></a>
 
   Set to `true`  to allow [auto-merging](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request)

README.tfdoc.hcl

@@ -206,6 +206,14 @@ section {
         END
       }
 
+      variable "allow_update_branch" {
+        type        = bool
+        default     = false
+        description = <<-END
+          Set to `true` to suggest updating pull request branches.
+        END
+      }
+
       variable "allow_auto_merge" {
         type        = bool
         default     = false

actions.tf

@@ -0,0 +1,6 @@
+resource "github_actions_variable" "repository_variable" {
+  for_each      = var.variables
+  repository    = github_repository.repository.name
+  variable_name = each.key
+  value         = each.value
+}

data.tf

@@ -0,0 +1,13 @@
+data "github_organization_teams" "all" {
+  summary_only = true
+}
+
+data "github_user" "user" {
+  for_each = toset(length(var.environments) > 0 ? distinct(concat([for n, e in var.environments : e.reviewer_users]...)) : [])
+  username = each.key
+}
+
+locals {
+  team_ids_by_slug = { for t in data.github_organization_teams.all.teams : (t.slug) => t.id }
+  user_ids_by_name = { for u in data.github_user.user : (u.username) => u.id }
+}

environments.tf

@@ -0,0 +1,63 @@
+variable "environments" {
+  type = map(object({
+    reviewer_teams = optional(list(string), [])
+    reviewer_users = optional(list(string), [])
+    deployment_branch_policy = optional(object({
+      protected_branches     = bool
+      custom_branch_policies = optional(bool)
+    }))
+    branch_patterns     = optional(list(string), [])
+    variables           = optional(map(string), {})
+    wait_timer          = optional(number)
+    prevent_self_review = optional(bool)
+  }))
+  default = {}
+}
+
+resource "github_repository_environment" "this" {
+  for_each            = var.environments
+  repository          = github_repository.repository.name
+  environment         = each.key
+  wait_timer          = each.value.wait_timer
+  prevent_self_review = each.value.prevent_self_review
+
+  dynamic "reviewers" {
+    for_each = length(each.value.reviewer_teams) > 0 || length(each.value.reviewer_users) > 0 ? [true] : []
+    content {
+      teams = [for slug in each.value.reviewer_teams : try(local.team_ids_by_slug[slug], slug)]
+      users = [for username in each.value.reviewer_users : local.user_ids_by_name[username]]
+    }
+  }
+
+  dynamic "deployment_branch_policy" {
+    for_each = each.value.deployment_branch_policy != null ? [each.value.deployment_branch_policy] : (length(each.value.branch_patterns) > 0 ? [{}] : [])
+    content {
+      protected_branches     = lookup(deployment_branch_policy.value, "protected_branches", false)
+      custom_branch_policies = lookup(deployment_branch_policy.value, "custom_branch_policies", length(each.value.branch_patterns) > 0)
+    }
+  }
+}
+
+resource "github_repository_deployment_branch_policy" "this" {
+  for_each = merge([for envName, env in var.environments : merge([for bp in env.branch_patterns : { ("${envName}:${bp}") : {
+    environment    = envName
+    branch_pattern = bp
+  } }]...)]...)
+  depends_on       = [github_repository_environment.this]
+  environment_name = each.value.environment
+  repository       = github_repository.repository.name
+  name             = each.value.branch_pattern
+}
+
+resource "github_actions_environment_variable" "this" {
+  for_each = merge([for envName, env in var.environments : merge([for k, v in env.variables : { ("${envName}:${k}") : {
+    environment = envName
+    key         = k
+    value       = v
+  } }]...)]...)
+  depends_on    = [github_repository_environment.this]
+  variable_name = each.value.key
+  environment   = each.value.environment
+  value         = each.value.value
+  repository    = github_repository.repository.name
+}

main.tf

@@ -16,6 +16,7 @@ locals {
   allow_merge_commit     = var.allow_merge_commit == null ? lookup(var.defaults, "allow_merge_commit", true) : var.allow_merge_commit
   allow_rebase_merge     = var.allow_rebase_merge == null ? lookup(var.defaults, "allow_rebase_merge", false) : var.allow_rebase_merge
   allow_squash_merge     = var.allow_squash_merge == null ? lookup(var.defaults, "allow_squash_merge", false) : var.allow_squash_merge
+  allow_update_branch    = var.allow_update_branch == null ? lookup(var.defaults, "allow_update_branch", false) : var.allow_update_branch
   allow_auto_merge       = var.allow_auto_merge == null ? lookup(var.defaults, "allow_auto_merge", false) : var.allow_auto_merge
   delete_branch_on_merge = var.delete_branch_on_merge == null ? lookup(var.defaults, "delete_branch_on_merge", true) : var.delete_branch_on_merge
   is_template            = var.is_template == null ? lookup(var.defaults, "is_template", false) : var.is_template
@@ -65,6 +66,7 @@ locals {
       merge({
         strict   = null
         contexts = []
+        checks   = []
     }, b.required_status_checks)] : []
   ]
 
@@ -106,6 +108,7 @@ resource "github_repository" "repository" {
   allow_merge_commit     = local.allow_merge_commit
   allow_rebase_merge     = local.allow_rebase_merge
   allow_squash_merge     = local.allow_squash_merge
+  allow_update_branch    = local.allow_update_branch
   allow_auto_merge       = local.allow_auto_merge
   delete_branch_on_merge = local.delete_branch_on_merge
   is_template            = local.is_template
@@ -147,9 +150,8 @@ resource "github_repository" "repository" {
           path   = try(var.pages.path, "/")
         }
       }
-
-      build_type = try(var.pages.build_type, null)
       cname      = try(var.pages.cname, null)
+      build_type = try(var.pages.build_type, null)
     }
   }
 
@@ -223,10 +225,20 @@ resource "github_branch_protection" "branch_protection" {
   allows_deletions                = try(var.branch_protections_v4[each.value].allows_deletions, false)
   allows_force_pushes             = try(var.branch_protections_v4[each.value].allows_force_pushes, false)
   enforce_admins                  = try(var.branch_protections_v4[each.value].enforce_admins, true)
+  force_push_bypassers            = try(var.branch_protections_v4[each.value].force_push_bypassers, [])
   require_conversation_resolution = try(var.branch_protections_v4[each.value].require_conversation_resolution, false)
   require_signed_commits          = try(var.branch_protections_v4[each.value].require_signed_commits, false)
   required_linear_history         = try(var.branch_protections_v4[each.value].required_linear_history, false)
 
+  dynamic "restrict_pushes" {
+    for_each = try(var.branch_protections_v4[each.value].blocks_creations, false) || length(try(var.branch_protections_v4[each.value].push_restrictions, [])) > 0 ? [1] : []
+
+    content {
+      blocks_creations = try(var.branch_protections_v4[each.value].blocks_creations, false)
+      push_allowances  = try(var.branch_protections_v4[each.value].push_restrictions, [])
+    }
+  }
+
   dynamic "required_pull_request_reviews" {
     for_each = try([var.branch_protections_v4[each.value].required_pull_request_reviews], [])
 
@@ -280,6 +292,7 @@ resource "github_branch_protection_v3" "branch_protection" {
     content {
       strict   = required_status_checks.value.strict
       contexts = required_status_checks.value.contexts
+      checks   = required_status_checks.value.checks
     }
   }
 

variables.tf

@@ -90,6 +90,12 @@ variable "allow_rebase_merge" {
   default     = null
 }
 
+variable "allow_update_branch" {
+  description = "(Optional) Set to true to suggest updating pull request branches. (Default: false)"
+  type        = bool
+  default     = null
+}
+
 variable "allow_auto_merge" {
   description = "(Optional) Set to true to allow auto-merging pull requests on the repository. If enabled for a pull request, the pull request will merge automatically when all required reviews are met and status checks have passed. (Default: false)"
   type        = bool
@@ -117,10 +123,10 @@ variable "auto_init" {
 variable "pages" {
   description = "(Optional) The repository's GitHub Pages configuration. (Default: {})"
   # type = object({
-  # branch      = string
-  # path        = string or null
-  # cname       = string
-  # build_type  = workflow or legacy (requires branch and optional path )
+  # branch     = string
+  # path       = string or null
+  # cname      = string
+  # build_type = workflow or legacy (requires branch and optional path )
   # })
   type    = any
   default = null
@@ -281,6 +287,7 @@ variable "branch_protections_v3" {
   #   required_status_checks = object({
   #     strict   = bool
   #     contexts = list(string)
+  #     checks   = list(string)
   #   })
   #   required_pull_request_reviews = object({
   #     dismiss_stale_reviews           = bool
@@ -335,6 +342,8 @@ variable "branch_protections_v4" {
   #       allows_deletions                = optional(bool, false)
   #       allows_force_pushes             = optional(bool, false)
   #       enforce_admins                  = optional(bool, false)
+  #       push_restrictions               = optional(list(string), [])
+  #       force_push_bypassers            = optional(list(string), [])
   #       require_conversation_resolution = optional(bool, false)
   #       require_signed_commits          = optional(bool, false)
   #       required_linear_history         = optional(bool, false)
@@ -585,6 +594,25 @@ variable "merge_commit_message" {
   default     = "PR_TITLE"
 }
 
+variable "variables" {
+  description = "(Optional) Configure action variables. For full details please check: https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable"
+  type        = map(string)
+
+  default = {}
+
+  validation {
+    condition     = length(var.variables) <= 500
+    error_message = "Github restricts the number of Action variables per repository to 500"
+  }
+
+  validation {
+    condition = alltrue(concat([true], [
+      for _, v in var.variables : length(v) <= 48 * 1000
+    ]))
+    error_message = "Github restricts the maximum size of a single Action variable to 48KB"
+  }
+}
+
 # ------------------------------------------------------------------------------
 # MODULE CONFIGURATION PARAMETERS
 # These variables are used to configure the module.

versions.tf

@@ -5,11 +5,10 @@
 terraform {
   required_version = "~> 1.0"
 
-  # branch_protections_v3 are broken in >= 5.3
   required_providers {
     github = {
       source  = "integrations/github"
-      version = ">= 4.31, < 7.0"
+      version = ">= 6.2, < 7.0"
     }
   }
 }