Update branch protection logic to include GitHub Pro account checks a…

…nd improve context handling for required status checks
CSVD · Feb 21, 2025 · 1d18e79 · 1d18e79
1 parent f3693a6
commit 1d18e79
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 7 deletions.
diff --git a/branch_protection.tf b/branch_protection.tf
@@ -22,7 +22,7 @@ locals {
 # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection
 resource "github_branch_protection" "protection" {
   for_each = {
-    for k, v in local.branch_protection_rules : k => v if var.enforce_prs
+    for k, v in local.branch_protection_rules : k => v if var.enforce_prs && (!var.github_is_private || var.github_pro_enabled)
   }
 
   repository_id = var.create_repo ? github_repository.repo[0].node_id : data.github_repository.existing[0].node_id
@@ -45,7 +45,7 @@ resource "github_branch_protection" "protection" {
     for_each = var.required_status_checks != null ? ["true"] : []
     content {
       strict   = try(var.required_status_checks.strict, true)
-      contexts = var.required_status_checks.contexts
+      contexts = try(var.required_status_checks.contexts, [])
     }
   }
 

diff --git a/github_repo.tftest.hcl b/github_repo.tftest.hcl
@@ -80,7 +80,7 @@ run "verify_branch_protection_with_strict_settings" {
   variables {
     github_default_branch                   = "main"
     enforce_prs                             = true
-    github_is_private                       = true
+    github_is_private                       = false
     github_required_approving_review_count  = 2
     github_enforce_admins_branch_protection = true
     github_dismiss_stale_reviews            = true
@@ -89,7 +89,7 @@ run "verify_branch_protection_with_strict_settings" {
     pull_request_bypassers                  = ["test-user"]
     required_status_checks = {
       strict   = true
-      contexts = ["test/build", "test/lint"]
+      contexts = try(["test/build", "test/lint"], [])
     }
   }
 
@@ -477,7 +477,7 @@ run "verify_complete_repository_config" {
   variables {
     name                                    = "test-complete-config"
     repo_org                                = "TestOrg"
-    github_is_private                       = true
+    github_is_private                       = false
     github_repo_description                 = "Complete configuration test"
     github_repo_topics                      = ["test", "complete", "config"]
     github_has_issues                       = true
@@ -521,7 +521,7 @@ run "verify_complete_repository_config" {
       github_repository.repo[0].has_projects == true,
       github_repository.repo[0].has_discussions == true,
       github_repository.repo[0].allow_auto_merge == true,
-      github_repository.repo[0].visibility == "private",
+      github_repository.repo[0].visibility == "public",
       github_repository.repo[0].vulnerability_alerts == true,
       can(github_repository.repo[0].security_and_analysis[0].advanced_security[0].status) &&
       github_repository.repo[0].security_and_analysis[0].advanced_security[0].status == "enabled",

diff --git a/variables.tf b/variables.tf
@@ -409,4 +409,10 @@ variable "require_last_push_approval" {
   description = "Require approval from the last pusher"
   type        = bool
   default     = false
-}
+}
+
+variable github_pro_enabled {
+  type        = bool
+  default     = false
+  description = "Is this a Github Pro Account? If not, then it's limited in feature set"
+}