

Implement branch protection rules and refactor repository references …
…for GitHub actions secrets and variables
Dave Arnold committed Feb 19, 2025
1 parent bca81ee commit 5aa4326
Showing 5 changed files with 78 additions and 13 deletions.
11 changes: 3 additions & 8 deletions action_secrets.tf
Expand Up @@ -2,22 +2,17 @@ locals {
repo_exists = var.create_repo ? github_repository.repo[0] : data.github_repository.existing[0]
}

# data "github_actions_public_key" "repo_key" {
# repository = local.github_repo.name
# count = local.repo_exists != null ? 1 : 0
# }

resource "github_actions_secret" "secret" {
for_each = tomap({ for secret in var.secrets : secret.name => secret.value })
repository = local.github_repo.name
repository = local.repo_exists.name
secret_name = each.key
encrypted_value = base64encode(each.value)
plaintext_value = each.value
depends_on = [local.repo_exists]
}

resource "github_actions_variable" "variable" {
for_each = tomap({ for _var in var.vars : _var.name => _var.value })
repository = local.github_repo.name
repository = local.repo_exists.name
variable_name = each.key
value = each.value
depends_on = [local.repo_exists]
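Review bot: `depends_on = [local.repo_exists]` on github_actions_secret.secret and github_actions_variable.variable is not a valid dependency reference — Terraform only accepts resource, data-source or module addresses in depends_on, not a local value — and the same line closes github_branch_protection.protection in branch_protection.tf. The reference to `local.repo_exists.name` (and `.node_id` in the branch-protection resource) already creates the ordering implicitly, so the line can be dropped in all three places. In the secret resource, `encrypted_value = base64encode(each.value)` and `plaintext_value = each.value` cannot both be set if both survive on the new side (the rendered view loses the +/- column): the provider treats them as mutually exclusive, and base64 is an encoding, not the public-key encryption the Actions API expects for encrypted_value, so only `plaintext_value = each.value` should remain and the provider encrypts it with the repository key. Keep in mind the plaintext value is still persisted in state either way, and if `var.secrets` is declared sensitive the for_each expression derived from it will be rejected, which is presumably why it is not — worth a comment on the resource either way.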
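--- /dev/null
+++ b/branch_protection.tf
@@ -0,0 +1,51 @@
+locals {
+branch_protection_rules = {
+main = {
+pattern = var.github_default_branch
+enforce_admins = var.github_enforce_admins_branch_protection
+allows_deletions = false
+require_signed_commits = true
+required_linear_history = true
+required_status_checks = var.required_status_checks
+required_pull_request_reviews = {
+dismiss_stale_reviews = var.github_dismiss_stale_reviews
+require_code_owner_reviews = var.github_require_code_owner_reviews
+required_approving_review_count = var.github_required_approving_review_count
+pull_request_bypassers = var.pull_request_bypassers
+}
+}
+}
+}
+
+resource "github_branch_protection" "protection" {
+for_each = local.branch_protection_rules
+
+repository_id = local.repo_exists.node_id
+pattern = each.value.pattern
+enforce_admins = each.value.enforce_admins
+allows_deletions = try(each.value.allows_deletions, false)
+allows_force_pushes = try(each.value.allows_force_pushes, false)
+require_signed_commits = try(each.value.require_signed_commits, false)
+required_linear_history = try(each.value.required_linear_history, false)
+
+dynamic "required_status_checks" {
+for_each = each.value.required_status_checks != null ? [each.value.required_status_checks] : []
+content {
+strict = try(required_status_checks.value.strict, true)
+contexts = required_status_checks.value.contexts
+}
+}
+
+dynamic "required_pull_request_reviews" {
+for_each = each.value.required_pull_request_reviews != null ? [each.value.required_pull_request_reviews] : []
+content {
+dismiss_stale_reviews = try(required_pull_request_reviews.value.dismiss_stale_reviews, true)
+restrict_dismissals = try(required_pull_request_reviews.value.restrict_dismissals, false)
+require_code_owner_reviews = try(required_pull_request_reviews.value.require_code_owner_reviews, true)
+required_approving_review_count = try(required_pull_request_reviews.value.required_approving_review_count, 1)
+pull_request_bypassers = try(required_pull_request_reviews.value.pull_request_bypassers, [])
+}
+}
+
+depends_on = [local.repo_exists]
+}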
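Review bot: The protection policy this file encodes is undocumented, and two of its knobs quietly weaken the review gate: `restrict_dismissals` is never set in the `main` rule and so defaults to false, meaning any collaborator with write access can dismiss a blocking review, and every principal in `var.pull_request_bypassers` skips the approval requirement entirely. A header comment on the `locals` block should state what is fixed here (signed commits, linear history, no deletions or force pushes) versus what callers can loosen (`enforce_admins`, review count, bypassers), e.g. `# Policy for the default branch; bypassers and enforce_admins=false are deliberate exceptions to the review gate and should be reviewed like any other privilege grant.`. Consider also surfacing `restrict_dismissals` as an input rather than leaving it to the try() default, so the choice is explicit. If the pinned github provider is 5.x or later, `contexts` inside required_status_checks is deprecated in favour of `checks`; that depends on the version constraint, which is not visible in this commit.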
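--- a/data.tf
+++ b/data.tf
@@ -1,3 +1,9 @@
 locals {
 codeowners = length(var.additional_codeowners) > 0 ? flatten(["${var.repo_org}/${var.github_codeowners_team}", formatlist("${var.repo_org}/%s", var.additional_codeowners)]) : ["${var.repo_org}/${var.github_codeowners_team}"]
 }
+
+data "github_repository" "existing" {
+count = var.create_repo ? 0 : 1
+name = var.name
+full_name = var.repo_org != null ? "${var.repo_org}/${var.name}" : var.name
+}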
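Review bot: The `full_name` fallback in data.github_repository.existing assigns the bare `var.name` when `var.repo_org` is null, which is not the `owner/name` form that attribute denotes; if the provider parses full_name on the slash, a name without one is likely to fail the lookup or resolve against the wrong owner. Since `name` is already set on the line above and the provider can combine it with its configured owner, the conditional should yield null instead: `full_name = var.repo_org != null ? "${var.repo_org}/${var.name}" : null`. A one-line comment explaining that `full_name` wins over `name` when both are given would also help the next reader understand why both attributes are set.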
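--- a/github_repo.tf
+++ b/github_repo.tf
@@ -91,8 +91,3 @@ resource "github_repository" "repo" {
 ]
 }
 }
-
-data "github_repository" "existing" {
-count = var.create_repo ? 0 : 1
-name = var.name
-}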
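--- /dev/null
+++ b/terraform-github-repo.code-workspace
@@ -0,0 +1,18 @@
+{
+"folders": [
+{
+"path": "."
+},
+{
+"path": "../providers/terraform-provider-github/website/docs/r",
+"name": "provider/github/resources"
+},
+{
+"path": "../providers/terraform-provider-github/website/docs/d",
+"name": "provider/github/data-sources"
+},
+{
+"path": "../docs/terraform/website/docs/language"
+},
+]
+}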
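Review bot: The trailing comma after the last folder entry (`},` immediately before `]`) makes this file invalid strict JSON; VS Code tolerates it as JSONC, but any other tool that reads the workspace file will reject it, so the last entry should end with `}` alone. The three `../providers/...` and `../docs/...` paths also point at sibling checkouts on the author's machine, so the file is personal editor state rather than project configuration; it would be better left untracked (added to .gitignore) or documented in the README as an optional layout other contributors must reproduce.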
