feat(boostsecurityio): Github pages, web_commit_signoff_required, and terraform provider 6.x fixing pages (#5)

* update for terraform provider 6.x fixing pages

* add web_commit_signoff_required

* doc: Update CHANGELOG

---------

Co-authored-by: Jonathan Serafini <jonathan@serafini.ca>

Author: gaima8

CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.19.1]
+
+### Changed
+
+  JonathanSerafini: update for terraform provider 6.x fixing pages
+  JonathanSerafini: add web_commit_signoff_required
+
 ## [0.19.0]
 
 ### Changed

main.tf

@@ -42,6 +42,8 @@ locals {
   issue_labels_merge_with_github_labels = local.gh_labels
   # Per default, GitHub activates vulnerability  alerts for public repositories and disables it for private repositories
   vulnerability_alerts = var.vulnerability_alerts != null ? var.vulnerability_alerts : local.private ? false : true
+
+  web_commit_signoff_required = var.web_commit_signoff_required == null ? lookup(var.defaults, "web_commit_signoff_required", false) : var.web_commit_signoff_required
 }
 
 locals {
@@ -117,6 +119,8 @@ resource "github_repository" "repository" {
   archive_on_destroy   = var.archive_on_destroy
   vulnerability_alerts = local.vulnerability_alerts
 
+  web_commit_signoff_required = local.web_commit_signoff_required
+
   squash_merge_commit_title   = local.squash_merge_commit_title
   squash_merge_commit_message = local.squash_merge_commit_message
   merge_commit_title          = local.merge_commit_title
@@ -135,11 +139,17 @@ resource "github_repository" "repository" {
     for_each = var.pages != null ? [true] : []
 
     content {
-      source {
-        branch = var.pages.branch
-        path   = try(var.pages.path, "/")
+      dynamic "source" {
+        for_each = try(var.pages.build_type, null) == "workflow" ? [] : [true]
+
+        content {
+          branch = var.pages.branch
+          path   = try(var.pages.path, "/")
+        }
       }
-      cname = try(var.pages.cname, null)
+
+      build_type = try(var.pages.build_type, null)
+      cname      = try(var.pages.cname, null)
     }
   }
 
@@ -212,9 +222,7 @@ resource "github_branch_protection" "branch_protection" {
 
   allows_deletions                = try(var.branch_protections_v4[each.value].allows_deletions, false)
   allows_force_pushes             = try(var.branch_protections_v4[each.value].allows_force_pushes, false)
-  blocks_creations                = try(var.branch_protections_v4[each.value].blocks_creations, false)
   enforce_admins                  = try(var.branch_protections_v4[each.value].enforce_admins, true)
-  push_restrictions               = try(var.branch_protections_v4[each.value].push_restrictions, [])
   require_conversation_resolution = try(var.branch_protections_v4[each.value].require_conversation_resolution, false)
   require_signed_commits          = try(var.branch_protections_v4[each.value].require_signed_commits, false)
   required_linear_history         = try(var.branch_protections_v4[each.value].required_linear_history, false)
@@ -229,6 +237,7 @@ resource "github_branch_protection" "branch_protection" {
       pull_request_bypassers          = try(required_pull_request_reviews.value.pull_request_bypassers, [])
       require_code_owner_reviews      = try(required_pull_request_reviews.value.require_code_owner_reviews, true)
       required_approving_review_count = try(required_pull_request_reviews.value.required_approving_review_count, 0)
+      require_last_push_approval      = try(required_pull_request_reviews.value.require_last_push_approval, true)
     }
   }
 

variables.tf

@@ -117,9 +117,10 @@ variable "auto_init" {
 variable "pages" {
   description = "(Optional) The repository's GitHub Pages configuration. (Default: {})"
   # type = object({
-  # branch = string
-  # path   = string
-  # cname  = string
+  # branch      = string
+  # path        = string or null
+  # cname       = string
+  # build_type  = workflow or legacy (requires branch and optional path )
   # })
   type    = any
   default = null
@@ -333,9 +334,7 @@ variable "branch_protections_v4" {
   #       pattern                         = string
   #       allows_deletions                = optional(bool, false)
   #       allows_force_pushes             = optional(bool, false)
-  #       blocks_creations                = optional(bool, false)
   #       enforce_admins                  = optional(bool, false)
-  #       push_restrictions               = optional(list(string), [])
   #       require_conversation_resolution = optional(bool, false)
   #       require_signed_commits          = optional(bool, false)
   #       required_linear_history         = optional(bool, false)
@@ -556,6 +555,12 @@ variable "app_installations" {
   default     = []
 }
 
+variable "web_commit_signoff_required" {
+  type        = bool
+  description = "(Optional) Require contributors to sign off on web-based commits."
+  default     = null
+}
+
 variable "squash_merge_commit_title" {
   type        = string
   description = "(Optional) Can be `PR_BODY`, `COMMIT_MESSAGES`, or `BLANK` for a default squash merge commit message."

versions.tf

@@ -9,7 +9,7 @@ terraform {
   required_providers {
     github = {
       source  = "integrations/github"
-      version = ">= 4.31, < 6.0"
+      version = ">= 4.31, < 7.0"
     }
   }
 }