From a7c4a9b184324a7efe4826f3ca546e34a7c2040c Mon Sep 17 00:00:00 2001
From: Timo Sand
Date: Tue, 2 Jun 2026 20:56:50 +0300
Subject: [PATCH 1/4] Add test and implementation for `User` bypass_actor
Signed-off-by: Timo Sand
---
 .../resource_github_organization_ruleset.go | 4 +-
 ...source_github_organization_ruleset_test.go | 96 +++++++++++++++++++
 2 files changed, 98 insertions(+), 2 deletions(-)
diff --git a/github/resource_github_organization_ruleset.go b/github/resource_github_organization_ruleset.go
index 53dc7d24ed..e26e8b3519 100644
--- a/github/resource_github_organization_ruleset.go
+++ b/github/resource_github_organization_ruleset.go
@@ -68,8 +68,8 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 "actor_type": {
 Type: schema.TypeString,
 Required: true,
- ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"Integration", "OrganizationAdmin", "RepositoryRole", "Team", "DeployKey"}, false)),
- Description: "The type of actor that can bypass a ruleset. Can be one of: `Integration`, `OrganizationAdmin`, `RepositoryRole`, `Team`, or `DeployKey`.",
+ ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"Integration", "OrganizationAdmin", "RepositoryRole", "Team", "DeployKey", "User"}, false)),
+ Description: "The type of actor that can bypass a ruleset. Can be one of: `Integration`, `OrganizationAdmin`, `RepositoryRole`, `Team`, `DeployKey`, or `User`.",
 },
 "bypass_mode": {
 Type: schema.TypeString,
diff --git a/github/resource_github_organization_ruleset_test.go b/github/resource_github_organization_ruleset_test.go
index 30afe67393..70780510b4 100644
--- a/github/resource_github_organization_ruleset_test.go
+++ b/github/resource_github_organization_ruleset_test.go
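Review bot: Accepting `User` in the `actor_type` validator leaves `actor_id` unconstrained for it: the existing `actor_id` argument is optional because some actor types such as `DeployKey` carry no ID, so a `User` bypass actor written without an `actor_id` passes plan-time validation and is only rejected, if at all, by the API at apply time. The resource already wires `CustomizeDiff: resourceGithubOrganizationRulesetDiff` (seen in the second patch), which is the natural place to require `actor_id` whenever `actor_type` is `User`; that function's body is not visible here, so it may already cover this. The `actor_id` description should also state what the ID is for a user, e.g. `Description: "The ID of the actor that can bypass a ruleset. For User actors this is the numeric account ID (the id attribute of the github_user data source); some actor types such as DeployKey do not have an ID."`. The enclosing schema literal starts and ends outside the hunk.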
@@ -184,6 +184,102 @@ resource "github_organization_ruleset" "test" {
 })
 })
 
+ t.Run("creates_branch_ruleset_with_user_bypass_actor", func(t *testing.T) {
+ randomID := acctest.RandString(5)
+ repoName := fmt.Sprintf("%srepo-org-ruleset-%s", testResourcePrefix, randomID)
+ rulesetName := fmt.Sprintf("%s-branch-ruleset-%s", testResourcePrefix, randomID)
+
+ config := fmt.Sprintf(`
+resource "github_repository" "test" {
+ name = "%s"
+ visibility = "private"
+ auto_init = true
+}
+
+data "github_user" "current" {
+ username = "%[3]s"
+}
+
+resource "github_organization_ruleset" "test" {
+ name = "%[2]s"
+ target = "branch"
+ enforcement = "active"
+
+ bypass_actors {
+ actor_type = "User"
+ bypass_mode = "always"
+ actor_id = tonumber(data.github_user.current.id)
+ }
+
+ conditions {
+ repository_name {
+ include = ["~ALL"]
+ exclude = []
+ }
+
+ ref_name {
+ include = ["~ALL"]
+ exclude = []
+ }
+ }
+
+ rules {
+ creation = true
+
+ update = true
+
+ deletion = true
+ required_linear_history = true
+
+ required_signatures = false
+
+ pull_request {
+ required_approving_review_count = 2
+ required_review_thread_resolution = true
+ require_code_owner_review = true
+ dismiss_stale_reviews_on_push = true
+ require_last_push_approval = true
+ }
+
+ copilot_code_review {
+ review_on_push = true
+ review_draft_pull_requests = false
+ }
+
+ required_status_checks {
+
+ required_check {
+ context = "ci"
+ }
+
+ strict_required_status_checks_policy = true
+ do_not_enforce_on_create = true
+ }
+
+ non_fast_forward = true
+ }
+}
+`, repoName, rulesetName, testAccConf.username)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { skipUnlessHasPaidOrgs(t) },
+ ProviderFactories: providerFactories,
+ Steps: []resource.TestStep{
+ {
+ Config: config,
+ ConfigStateChecks: []statecheck.StateCheck{
+ statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("name"), knownvalue.StringExact(rulesetName)),
+ statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("target"), knownvalue.StringExact("branch")),
+ statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("enforcement"), knownvalue.StringExact("active")),
+ statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("bypass_actors").AtSliceIndex(0).AtMapKey("actor_type"), knownvalue.StringExact("User")),
+ statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("bypass_actors").AtSliceIndex(0).AtMapKey("bypass_mode"), knownvalue.StringExact("always")),
+ statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("bypass_actors").AtSliceIndex(0).AtMapKey("actor_id"), knownvalue.NotNull()),
+ },
+ },
+ },
+ })
+ })
+
 t.Run("create_ruleset_with_repository_property", func(t *testing.T) {
 randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 rulesetName := fmt.Sprintf("%s-repo-prop-ruleset-%s", testResourcePrefix, randomID)
From 421145db30585a4a3fea9b5c18ae3c8154cb4e41 Mon Sep 17 00:00:00 2001
From: Timo Sand
Date: Tue, 2 Jun 2026 20:58:10 +0300
Subject: [PATCH 2/4] Uses resource Description for docs description
Signed-off-by: Timo Sand
---
 github/resource_github_organization_ruleset.go | 2 ++
 templates/resources/organization_ruleset.md.tmpl | 6 ++----
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/github/resource_github_organization_ruleset.go b/github/resource_github_organization_ruleset.go
index e26e8b3519..ab5a912516 100644
--- a/github/resource_github_organization_ruleset.go
+++ b/github/resource_github_organization_ruleset.go
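Review bot: The last state check on `bypass_actors[0].actor_id` only asserts `knownvalue.NotNull()`, so the test still passes if the provider stores a wrong ID for the `User` actor, which for a bypass rule means the wrong account is exempted. The config already derives the expected value from `data.github_user.current.id`, so pin it rather than its mere presence, e.g. with a `knownvalue.Int64Func` comparing against the numeric account ID, if the plugin-testing version in use provides it. The step also inspects only Terraform state, not what GitHub recorded; a second step with `ImportState: true` and `ImportStateVerify: true` would confirm the ruleset really carries the `User` actor after apply. The enclosing test function starts before and continues after this hunk.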
@@ -32,6 +32,8 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 
 CustomizeDiff: resourceGithubOrganizationRulesetDiff,
 
+ Description: "Creates a GitHub organization ruleset.\n\nThis resource allows you to create and manage rulesets on the organization level. When applied, a new ruleset will be created. When destroyed, that ruleset will be removed.",
+
 Schema: map[string]*schema.Schema{
 "name": {
 Type: schema.TypeString,
diff --git a/templates/resources/organization_ruleset.md.tmpl b/templates/resources/organization_ruleset.md.tmpl
index a723b07eff..de54687a10 100644
--- a/templates/resources/organization_ruleset.md.tmpl
+++ b/templates/resources/organization_ruleset.md.tmpl
@@ -1,14 +1,12 @@
 ---
 page_title: "{{.Name}} ({{.Type}}) - {{.RenderedProviderName}}"
 description: |-
- Creates a GitHub organization ruleset.
+ {{ $arr := split .Description "\n"}}{{ index $arr 0 | plainmarkdown | trimspace }}
 ---
 
 # {{.Name}} ({{.Type}})
 
-Creates a GitHub organization ruleset.
-
-This resource allows you to create and manage rulesets on the organization level. When applied, a new ruleset will be created. When destroyed, that ruleset will be removed.
+{{ .Description | trimspace }}
 
 ## Example Usage
 
From 428954b54ef11cbaa898c4d9270b4e936288a1ae Mon Sep 17 00:00:00 2001
From: Timo Sand
Date: Tue, 2 Jun 2026 20:58:53 +0300
Subject: [PATCH 3/4] Replace manual argument references with schema based generation
Signed-off-by: Timo Sand
---
 docs/resources/organization_ruleset.md | 344 +++++++++++-------
 .../resource_github_organization_ruleset.go | 10 +-
 .../resources/organization_ruleset.md.tmpl | 269 +-------------
 3 files changed, 211 insertions(+), 412 deletions(-)
diff --git a/docs/resources/organization_ruleset.md b/docs/resources/organization_ruleset.md
index 9077e14cb3..231c282447 100644
--- a/docs/resources/organization_ruleset.md
+++ b/docs/resources/organization_ruleset.md
@@ -100,274 +100,340 @@ resource "github_organization_ruleset" "example_push" { } ``` -## Argument Reference + +## Schema -- `enforcement` - (Required) (String) Possible values for Enforcement are `disabled`, `active`, `evaluate`. Note: `evaluate` is currently only supported for owners of type `organization`. +### Required -- `name` - (Required) (String) The name of the ruleset. +- `enforcement` (String) The enforcement level of the ruleset. `evaluate` allows admins to test rules before enforcing them. Possible values are `disabled`, `active`, and `evaluate`. Note: `evaluate` is only available for Enterprise plans. +- `name` (String) The name of the ruleset. +- `rules` (Block List, Min: 1, Max: 1) Rules within the ruleset. + ~> **Note:** Rules are target-specific. `branch` and `tag` targets support rules like `creation`, `deletion`, `pull_request`, `required_status_checks`, etc. `push` targets only support `file_path_restriction`, `max_file_size`, `max_file_path_length`, and `file_extension_restriction`. Using the wrong rules for a target will result in a validation error. (see [below for nested schema](#nestedblock--rules)) +- `target` (String) The target of the ruleset. Possible values are branch, tag and push. -- `rules` - (Required) (Block List, Min: 1, Max: 1) Rules within the ruleset. (see [below for nested schema](#rules)) +### Optional -- `target` - (Required) (String) Possible values are `branch`, `tag` and `push`. +- `bypass_actors` (Block List) The actors that can bypass the rules in this ruleset. (see [below for nested schema](#nestedblock--bypass_actors)) +- `conditions` (Block List, Max: 1) Parameters for an organization ruleset condition.The branch and tag rulesets conditions object should contain both repository_name and ref_name properties, or both repository_id and ref_name properties, or both repository_property and ref_name properties. The push rulesets conditions object does not require the ref_name property. 
Exactly one of `repository_id`, `repository_name`, or `repository_property` must be set for the ruleset to target repositories. (see [below for nested schema](#nestedblock--conditions)) -- `bypass_actors` - (Optional) (Block List) The actors that can bypass the rules in this ruleset. (see [below for nested schema](#bypass_actors)) +### Read-Only -- `conditions` - (Optional) (Block List, Max: 1) Parameters for an organization ruleset condition. For `branch` and `tag` targets, `ref_name` is required alongside one of `repository_name` or `repository_id`. For `push` targets, `ref_name` must NOT be set - only `repository_name` or `repository_id` should be used. (see [below for nested schema](#conditions)) +- `etag` (String) An etag representing the ruleset for caching purposes. +- `id` (String) The ID of this resource. +- `node_id` (String) GraphQL global node id for use with v4 API. +- `ruleset_id` (Number) GitHub ID for the ruleset. -### Rules + +### Nested Schema for `rules` -The `rules` block supports the following: +Optional: -~> **Note:** Rules are target-specific. `branch` and `tag` targets support rules like `creation`, `deletion`, `pull_request`, `required_status_checks`, etc. `push` targets only support `file_path_restriction`, `max_file_size`, `max_file_path_length`, and `file_extension_restriction`. Using the wrong rules for a target will result in a validation error. +- `branch_name_pattern` (Block List, Max: 1) Parameters to be used for the branch_name_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. Conflicts with `tag_name_pattern` as it only applies to rulesets with target `branch`. (see [below for nested schema](#nestedblock--rules--branch_name_pattern)) +- `commit_author_email_pattern` (Block List, Max: 1) Parameters to be used for the commit_author_email_pattern rule. 
(see [below for nested schema](#nestedblock--rules--commit_author_email_pattern)) +- `commit_message_pattern` (Block List, Max: 1) Parameters to be used for the commit_message_pattern rule. (see [below for nested schema](#nestedblock--rules--commit_message_pattern)) +- `committer_email_pattern` (Block List, Max: 1) Parameters to be used for the committer_email_pattern rule. (see [below for nested schema](#nestedblock--rules--committer_email_pattern)) +- `copilot_code_review` (Block List, Max: 1) Automatically request Copilot code review for new pull requests if the author has access to Copilot code review and their premium requests quota has not reached the limit. (see [below for nested schema](#nestedblock--rules--copilot_code_review)) +- `creation` (Boolean) Only allow users with bypass permission to create matching refs. +- `deletion` (Boolean) Only allow users with bypass permissions to delete matching refs. +- `file_extension_restriction` (Block List, Max: 1) Prevent pushes based on file extensions. (see [below for nested schema](#nestedblock--rules--file_extension_restriction)) +- `file_path_restriction` (Block List, Max: 1) Prevent commits that include changes in specified file paths from being pushed to the commit graph. (see [below for nested schema](#nestedblock--rules--file_path_restriction)) +- `max_file_path_length` (Block List, Max: 1) Prevent pushes based on file path length. (see [below for nested schema](#nestedblock--rules--max_file_path_length)) +- `max_file_size` (Block List, Max: 1) Prevent pushes based on file size. (see [below for nested schema](#nestedblock--rules--max_file_size)) +- `non_fast_forward` (Boolean) Prevent users with push access from force pushing to refs. +- `pull_request` (Block List, Max: 1) Require all commits be made to a non-target branch and submitted via a pull request before they can be merged. 
(see [below for nested schema](#nestedblock--rules--pull_request)) +- `required_code_scanning` (Block List, Max: 1) Choose which tools must provide code scanning results before the reference is updated. When configured, code scanning must be enabled and have results for both the commit and the reference being updated. (see [below for nested schema](#nestedblock--rules--required_code_scanning)) +- `required_linear_history` (Boolean) Prevent merge commits from being pushed to matching branches. +- `required_signatures` (Boolean) Commits pushed to matching branches must have verified signatures. +- `required_status_checks` (Block List, Max: 1) Choose which status checks must pass before branches can be merged into a branch that matches this rule. When enabled, commits must first be pushed to another branch, then merged or pushed directly to a branch that matches this rule after status checks have passed. (see [below for nested schema](#nestedblock--rules--required_status_checks)) +- `required_workflows` (Block List, Max: 1) Choose which Actions workflows must pass before branches can be merged into a branch that matches this rule. (see [below for nested schema](#nestedblock--rules--required_workflows)) +- `tag_name_pattern` (Block List, Max: 1) Parameters to be used for the tag_name_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. Conflicts with `branch_name_pattern` as it only applies to rulesets with target `tag`. (see [below for nested schema](#nestedblock--rules--tag_name_pattern)) +- `update` (Boolean) Only allow users with bypass permission to update matching refs. -- `branch_name_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the branch_name_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. 
Conflicts with `tag_name_pattern` as it only applies to rulesets with target `branch`. (see [below for nested schema](#rulesbranch_name_pattern)) + +### Nested Schema for `rules.branch_name_pattern` -- `commit_author_email_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the commit_author_email_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. (see [below for nested schema](#rulescommit_author_email_pattern)) +Required: -- `commit_message_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the commit_message_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. (see [below for nested schema](#rulescommit_message_pattern)) +- `operator` (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. +- `pattern` (String) The pattern to match with. -- `committer_email_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the committer_email_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. (see [below for nested schema](#rulescommitter_email_pattern)) +Optional: -- `creation` - (Optional) (Boolean) Only allow users with bypass permission to create matching refs. +- `name` (String) How this rule will appear to users. +- `negate` (Boolean) If true, the rule will fail if the pattern matches. -- `deletion` - (Optional) (Boolean) Only allow users with bypass permissions to delete matching refs. -- `non_fast_forward` - (Optional) (Boolean) Prevent users with push access from force pushing to branches. 
+ +### Nested Schema for `rules.commit_author_email_pattern` -- `pull_request` - (Optional) (Block List, Max: 1) Require all commits be made to a non-target branch and submitted via a pull request before they can be merged. (see [below for nested schema](#rulespull_request)) +Required: -- `copilot_code_review` - (Optional) (Block List, Max: 1) Automatically request Copilot code review for new pull requests if the author has access to Copilot code review and their premium requests quota has not reached the limit. (see [below for nested schema](#rulescopilot_code_review)) +- `operator` (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. +- `pattern` (String) The pattern to match with. -- `required_linear_history` - (Optional) (Boolean) Prevent merge commits from being pushed to matching branches. +Optional: -- `required_signatures` - (Optional) (Boolean) Commits pushed to matching branches must have verified signatures. +- `name` (String) How this rule will appear to users. +- `negate` (Boolean) If true, the rule will fail if the pattern matches. -- `required_status_checks` - (Optional) (Block List, Max: 1) Choose which status checks must pass before branches can be merged into a branch that matches this rule. When enabled, commits must first be pushed to another branch, then merged or pushed directly to a branch that matches this rule after status checks have passed. (see [below for nested schema](#rulesrequired_status_checks)) -- `required_workflows` - (Optional) (Block List, Max: 1) Define which Actions workflows must pass before changes can be merged into a branch matching the rule. Multiple workflows can be specified. (see [below for nested schema](#rulesrequired_workflows)) + +### Nested Schema for `rules.commit_message_pattern` -- `required_code_scanning` - (Optional) (Block List, Max: 1) Define which tools must provide code scanning results before the reference is updated. 
When configured, code scanning must be enabled and have results for both the commit and the reference being updated. Multiple code scanning tools can be specified. (see [below for nested schema](#rulesrequired_code_scanning)) +Required: -- `tag_name_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the tag_name_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. Conflicts with `branch_name_pattern` as it only applies to rulesets with target `tag`. (see [below for nested schema](#rulestag_name_pattern)) +- `operator` (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. +- `pattern` (String) The pattern to match with. -- `file_path_restriction` - (Optional) (Block List, Max: 1) Prevent commits that include changes to specified file paths from being pushed to the commit graph. This rule only applies to rulesets with target `push`. (see [below for nested schema](#rulesfile_path_restriction)) +Optional: -- `max_file_size` - (Optional) (Block List, Max: 1) Prevent commits that include files with a specified file size from being pushed to the commit graph. This rule only applies to rulesets with target `push`. (see [below for nested schema](#rulesmax_file_size)) +- `name` (String) How this rule will appear to users. +- `negate` (Boolean) If true, the rule will fail if the pattern matches. -- `max_file_path_length` - (Optional) (Block List, Max: 1) Prevent commits that include file paths that exceed a specified character limit from being pushed to the commit graph. This rule only applies to rulesets with target `push`. (see [below for nested schema](#rulesmax_file_path_length)) -- `file_extension_restriction` - (Optional) (Block List, Max: 1) Prevent commits that include files with specified file extensions from being pushed to the commit graph. 
This rule only applies to rulesets with target `push`. (see [below for nested schema](#rulesfile_extension_restriction)) + +### Nested Schema for `rules.committer_email_pattern` -- `update` - (Optional) (Boolean) Only allow users with bypass permission to update matching refs. +Required: -#### rules.branch_name_pattern +- `operator` (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. +- `pattern` (String) The pattern to match with. -- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. +Optional: -- `pattern` - (Required) (String) The pattern to match with. +- `name` (String) How this rule will appear to users. +- `negate` (Boolean) If true, the rule will fail if the pattern matches. -- `name` - (Optional) (String) How this rule will appear to users. -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. + +### Nested Schema for `rules.copilot_code_review` -#### rules.commit_author_email_pattern +Optional: -- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. +- `review_draft_pull_requests` (Boolean) Copilot automatically reviews draft pull requests before they are marked as ready for review. Defaults to `false`. +- `review_on_push` (Boolean) Copilot automatically reviews each new push to the pull request. Defaults to `false`. -- `pattern` - (Required) (String) The pattern to match with. -- `name` - (Optional) (String) How this rule will appear to users. + +### Nested Schema for `rules.file_extension_restriction` -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. +Required: -#### rules.commit_message_pattern +- `restricted_file_extensions` (Set of String) The file extensions that are restricted from being pushed to the commit graph. 
-- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. -- `pattern` - (Required) (String) The pattern to match with. + +### Nested Schema for `rules.file_path_restriction` -- `name` - (Optional) (String) How this rule will appear to users. +Required: -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. +- `restricted_file_paths` (List of String) The file paths that are restricted from being pushed to the commit graph. -#### rules.committer_email_pattern -- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. + +### Nested Schema for `rules.max_file_path_length` -- `pattern` - (Required) (String) The pattern to match with. +Required: -- `name` - (Optional) (String) How this rule will appear to users. +- `max_file_path_length` (Number) The maximum allowed length of a file path. -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. -#### rules.pull_request + +### Nested Schema for `rules.max_file_size` -- `allowed_merge_methods` - (Optional) (List of String, Min: 1) Array of merge methods to be allowed. Allowed values include `merge`, `squash`, and `rebase`. At least one must be enabled. +Required: -- `dismiss_stale_reviews_on_push` - (Optional) (Boolean) New, reviewable commits pushed will dismiss previous pull request review approvals. Defaults to `false`. +- `max_file_size` (Number) The maximum allowed size of a file in megabytes (MB). Valid range is 1-100 MB. -- `require_code_owner_review` - (Optional) (Boolean) Require an approving review in pull requests that modify files that have a designated code owner. Defaults to `false`. -- `require_last_push_approval` - (Optional) (Boolean) Whether the most recent reviewable push must be approved by someone other than the person who pushed it. Defaults to `false`. 
+ +### Nested Schema for `rules.pull_request` -- `required_approving_review_count` - (Optional) (Number) The number of approving reviews that are required before a pull request can be merged. Defaults to `0`. +Optional: -- `required_review_thread_resolution` - (Optional) (Boolean) All conversations on code must be resolved before a pull request can be merged. Defaults to `false`. +- `allowed_merge_methods` (List of String) Array of allowed merge methods. Allowed values include `merge`, `squash`, and `rebase`. At least one option must be enabled. +- `dismiss_stale_reviews_on_push` (Boolean) New, reviewable commits pushed will dismiss previous pull request review approvals. Defaults to `false`. +- `require_code_owner_review` (Boolean) Require an approving review in pull requests that modify files that have a designated code owner. Defaults to `false`. +- `require_last_push_approval` (Boolean) Whether the most recent reviewable push must be approved by someone other than the person who pushed it. Defaults to `false`. +- `required_approving_review_count` (Number) The number of approving reviews that are required before a pull request can be merged. Defaults to `0`. +- `required_review_thread_resolution` (Boolean) All conversations on code must be resolved before a pull request can be merged. Defaults to `false`. +- `required_reviewers` (Block List) Require specific reviewers to approve pull requests targeting matching branches. Note: This feature is in beta and subject to change. (see [below for nested schema](#nestedblock--rules--pull_request--required_reviewers)) -#### rules.copilot_code_review + +### Nested Schema for `rules.pull_request.required_reviewers` -- `review_on_push` - (Optional) (Boolean) Copilot automatically reviews each new push to the pull request. Defaults to `false`. +Required: -- `review_draft_pull_requests` - (Optional) (Boolean) Copilot automatically reviews draft pull requests before they are marked as ready for review. Defaults to `false`. 
+- `file_patterns` (List of String) File patterns (fnmatch syntax) that this reviewer must approve. +- `minimum_approvals` (Number) Minimum number of approvals required from this reviewer. Set to 0 to make approval optional. +- `reviewer` (Block List, Min: 1, Max: 1) The reviewer that must review matching files. (see [below for nested schema](#nestedblock--rules--pull_request--required_reviewers--reviewer)) -- `allowed_merge_methods` - (Required) (List of String, Min: 1) Array of merge methods to be allowed. Allowed values include `merge`, `squash`, and `rebase`. At least one must be enabled. + +### Nested Schema for `rules.pull_request.required_reviewers.reviewer` -- `required_reviewers` - (Optional) (Block List) Require specific reviewers to approve pull requests. Note: This feature is in beta. (see [below for nested schema](#rulespull_requestrequired_reviewers)) +Required: -#### rules.pull_request.required_reviewers +- `id` (Number) The ID of the reviewer that must review. +- `type` (String) The type of reviewer. Currently only `Team` is supported. -- `reviewer` - (Required) (Block List, Max: 1) The reviewer that must review matching files. (see [below for nested schema](#rulespull_requestrequired_reviewersreviewer)) -- `file_patterns` - (Required) (List of String) File patterns (fnmatch syntax) that this reviewer must approve. -- `minimum_approvals` - (Required) (Number) Minimum number of approvals required from this reviewer. Set to 0 to make approval optional. -#### rules.pull_request.required_reviewers.reviewer + +### Nested Schema for `rules.required_code_scanning` -- `id` - (Required) (Number) The ID of the reviewer (Team ID). +Required: -- `type` - (Required) (String) The type of reviewer. Currently only `Team` is supported. +- `required_code_scanning_tool` (Block Set, Min: 1) Tools that must provide code scanning results for this rule to pass. 
(see [below for nested schema](#nestedblock--rules--required_code_scanning--required_code_scanning_tool)) -#### rules.required_status_checks + +### Nested Schema for `rules.required_code_scanning.required_code_scanning_tool` -- `required_check` - (Required) (Block Set, Min: 1) Status checks that are required. Several can be defined. (see [below for nested schema](#rulesrequired_status_checksrequired_check)) +Required: -- `strict_required_status_checks_policy` - (Optional) (Boolean) Whether pull requests targeting a matching branch must be tested with the latest code. This setting will not take effect unless at least one status check is enabled. Defaults to `false`. +- `alerts_threshold` (String) The severity level at which code scanning results that raise alerts block a reference update. Can be one of: `none`, `errors`, `errors_and_warnings`, `all`. +- `security_alerts_threshold` (String) The severity level at which code scanning results that raise security alerts block a reference update. Can be one of: `none`, `critical`, `high_or_higher`, `medium_or_higher`, `all`. +- `tool` (String) The name of a code scanning tool. -- `do_not_enforce_on_create` - (Optional) (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it. Defaults to `false`. -#### rules.required_status_checks.required_check -- `context` - (Required) (String) The status check context name that must be present on the commit. + +### Nested Schema for `rules.required_status_checks` -- `integration_id` - (Optional) (Number) The optional integration ID that this status check must originate from. +Required: -- `do_not_enforce_on_create` - (Optional) (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it. Defaults to `false`. +- `required_check` (Block Set, Min: 1) Status checks that are required. Several can be defined. 
(see [below for nested schema](#nestedblock--rules--required_status_checks--required_check)) -#### rules.required_workflows +Optional: -- `do_not_enforce_on_create` - (Optional) (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it. Defaults to `false`. +- `do_not_enforce_on_create` (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it. +- `strict_required_status_checks_policy` (Boolean) Whether pull requests targeting a matching branch must be tested with the latest code. This setting will not take effect unless at least one status check is enabled. Defaults to `false`. -- `required_workflow` - (Required) (Block Set, Min: 1) Actions workflows that are required. Multiple can be defined. (see [below for nested schema](#rulesrequired_workflowsrequired_workflow)) + +### Nested Schema for `rules.required_status_checks.required_check` -#### rules.required_workflows.required_workflow +Required: -- `repository_id` - (Required) (Number) The ID of the repository. Names, full names and repository URLs are not supported. +- `context` (String) The status check context name that must be present on the commit. -- `path` - (Required) (String) The path to the YAML definition file of the workflow. +Optional: -- `ref` - (Optional) (String) The optional ref from which to fetch the workflow. Defaults to `master`. +- `integration_id` (Number) The optional integration ID that this status check must originate from. -#### rules.required_code_scanning -- `required_code_scanning_tool` - (Required) (Block Set, Min: 1) Actions code scanning tools that are required. Multiple can be defined. 
(see [below for nested schema](#rulesrequired_code_scanningrequired_code_scanning_tool)) -#### rules.required_code_scanning.required_code_scanning_tool + +### Nested Schema for `rules.required_workflows` -- `alerts_threshold` - (Required) (String) The severity level at which code scanning results that raise alerts block a reference update. Can be one of: `none`, `errors`, `errors_and_warnings`, `all`. +Required: -- `security_alerts_threshold` - (Required) (String) The severity level at which code scanning results that raise security alerts block a reference update. Can be one of: `none`, `critical`, `high_or_higher`, `medium_or_higher`, `all`. +- `required_workflow` (Block Set, Min: 1) Actions workflows that are required. Several can be defined. (see [below for nested schema](#nestedblock--rules--required_workflows--required_workflow)) -- `tool` - (Required) (String) The name of a code scanning tool. +Optional: -#### rules.tag_name_pattern +- `do_not_enforce_on_create` (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it. -- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. + +### Nested Schema for `rules.required_workflows.required_workflow` -- `pattern` - (Required) (String) The pattern to match with. +Required: -- `name` - (Optional) (String) How this rule will appear to users. +- `path` (String) The path to the workflow YAML definition file. +- `repository_id` (Number) The repository in which the workflow is defined. -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. +Optional: -#### rules.file_path_restriction +- `ref` (String) The ref (branch or tag) of the workflow file to use. -- `restricted_file_paths` - (Required) (Block Set, Min: 1) The file paths that are restricted from being pushed to the commit graph. 
-#### rules.max_file_size -- `max_file_size` - (Required) (Integer) The maximum allowed size, in megabytes (MB), of a file. Valid range is 1-100 MB. + +### Nested Schema for `rules.tag_name_pattern` -#### rules.max_file_path_length +Required: -- `max_file_path_length` - (Required) (Integer) The maximum number of characters allowed in file paths. +- `operator` (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. +- `pattern` (String) The pattern to match with. -#### rules.file_extension_restriction +Optional: -- `restricted_file_extensions` - (Required) (Block Set, Min: 1) The file extensions that are restricted from being pushed to the commit graph. +- `name` (String) How this rule will appear to users. +- `negate` (Boolean) If true, the rule will fail if the pattern matches. -#### bypass_actors -- `actor_id` - (Optional) (Number) The ID of the actor that can bypass a ruleset. Some actor types such as `DeployKey` do not have an ID. -- `actor_type` (String) The type of actor that can bypass a ruleset. Can be one of: `RepositoryRole`, `Team`, `Integration`, `OrganizationAdmin`. + +### Nested Schema for `bypass_actors` -- `bypass_mode` - (Optional) (String) When the specified actor can bypass the ruleset. pull_request means that an actor can only bypass rules on pull requests. Can be one of: `always`, `pull_request`, `exempt`. +Required: -~>Note: at the time of writing this, the following actor types correspond to the following actor IDs: +- `actor_type` (String) The type of actor that can bypass a ruleset. Can be one of: `Integration`, `OrganizationAdmin`, `RepositoryRole`, `Team`, `DeployKey`, or `User`. +- `bypass_mode` (String) When the specified actor can bypass the ruleset. `pull_request` means that an actor can only bypass rules on pull requests. Can be one of: `always`, `pull_request`, `exempt`. 
-- `OrganizationAdmin` -> `1` -- `RepositoryRole` (This is the actor type, the following are the base repository roles and their associated IDs.) - - `maintain` -> `2` - - `write` -> `4` - - `admin` -> `5` +Optional: -#### conditions +- `actor_id` (Number) The ID of the actor that can bypass a ruleset. Required for `Integration`, `RepositoryRole`, `Team`, and `User` actor types. If actor_type is `OrganizationAdmin`, actor_id is ignored. If actor_type is `DeployKey`, this should be omitted. For `RepositoryRole` the following `actor_id` values are known: 2 = Maintain, 4 = Write, 5 = Admin. -- `ref_name` - (Optional) (Block List, Max: 1) Required for `branch` and `tag` targets. Must NOT be set for `push` targets. (see [below for nested schema](#conditionsref_name)) -- `repository_id` (Optional) (List of Number) The repository IDs that the ruleset applies to. One of these IDs must match for the condition to pass. -- `repository_name` (Optional) (Block List, Max: 1) Targets repositories that match the specified name patterns. (see [below for nested schema](#conditionsrepository_name)) -- `repository_property` (Optional) (Block List, Max: 1) Targets repositories by custom or system properties. (see [below for nested schema](#conditionsrepository_property)) -Exactly one of `repository_id`, `repository_name`, or `repository_property` must be set for the rule to target repositories. + +### Nested Schema for `conditions` -~> **Note:** For `push` targets, do not include `ref_name` in conditions. Push rulesets operate on file content, not on refs. +Optional: -#### conditions.ref_name +- `ref_name` (Block List, Max: 1) Targets refs that match the specified patterns. Required for `branch` and `tag` targets. + ~> **Note:** For `push` targets, do not include `ref_name` in conditions. Push rulesets operate on file content, not on refs. 
(see [below for nested schema](#nestedblock--conditions--ref_name)) +- `repository_id` (List of Number) The repository IDs that the ruleset applies to. One of these IDs must match for the ruleset to apply. +- `repository_name` (Block List, Max: 1) Targets repositories that match the specified name patterns. (see [below for nested schema](#nestedblock--conditions--repository_name)) +- `repository_property` (Block List, Max: 1) Conditions to target repositories by custom or system properties. (see [below for nested schema](#nestedblock--conditions--repository_property)) -- `exclude` - (Required) (List of String) Array of ref names or patterns to exclude. The condition will not pass if any of these patterns match. + +### Nested Schema for `conditions.ref_name` -- `include` - (Required) (List of String) Array of ref names or patterns to include. One of these patterns must match for the condition to pass. Also accepts `~DEFAULT_BRANCH` to include the default branch or `~ALL` to include all branches. +Required: -#### conditions.repository_name +- `exclude` (List of String) Array of ref names or patterns to exclude. The condition will not pass if any of these patterns match. +- `include` (List of String) Array of ref names or patterns to include. One of these patterns must match for the condition to pass. Also accepts `~DEFAULT_BRANCH` to include the default branch or `~ALL` to include all branches. -- `exclude` - (Required) (List of String) Array of repository names or patterns to exclude. The condition will not pass if any of these patterns match. -- `include` - (Required) (List of String) Array of repository names or patterns to include. One of these patterns must match for the condition to pass. Also accepts `~ALL` to include all repositories. -- `protected` - (Optional) (Boolean) Whether renaming of target repositories is prevented. Defaults to `false`. 
-#### conditions.repository_property + +### Nested Schema for `conditions.repository_name` -- `include` - (Optional) (List of Repository Properties) The repository properties and values to include. All of these properties must match for the condition to pass. (see [below for nested schema](#conditionsrepository_propertyproperties)) +Required: -- `exclude` - (Optional) (List of Repository Properties) The repository properties and values to exclude. The condition will not pass if any of these properties match. (see [below for nested schema](#conditionsrepository_propertyproperties)) +- `exclude` (List of String) Array of repository names or patterns to exclude. The condition will not pass if any of these patterns match. +- `include` (List of String) Array of repository names or patterns to include. One of these patterns must match for the condition to pass. Also accepts `~ALL` to include all repositories. -#### conditions.repository_property.properties +Optional: -- `name` (Required) (String) The name of the repository property to target. +- `protected` (Boolean) Whether renaming of target repositories is prevented. -- `property_values` (Required) (Array of String) The values to match for the repository property. -- `source` (String) The source of the repository property. Defaults to 'custom' if not specified. Can be one of: `custom`, `system` + +### Nested Schema for `conditions.repository_property` -## Attributes Reference +Optional: -The following additional attributes are exported: +- `exclude` (List of Object) The repository properties and values to exclude. The ruleset will not apply if any of these properties match. (see [below for nested schema](#nestedatt--conditions--repository_property--exclude)) +- `include` (List of Object) The repository properties and values to include. All of these properties must match for the condition to pass. 
(see [below for nested schema](#nestedatt--conditions--repository_property--include)) -- `etag` (String) + +### Nested Schema for `conditions.repository_property.exclude` -- `node_id` (String) GraphQL global node id for use with v4 API. +Optional: -- `ruleset_id` (Number) GitHub ID for the ruleset. +- `name` (String) +- `property_values` (List of String) +- `source` (String) + + + +### Nested Schema for `conditions.repository_property.include` + +Optional: + +- `name` (String) +- `property_values` (List of String) +- `source` (String) ## Import
diff --git a/github/resource_github_organization_ruleset.go b/github/resource_github_organization_ruleset.go
index ab5a912516..2a9a793a65 100644
--- a/github/resource_github_organization_ruleset.go
+++ b/github/resource_github_organization_ruleset.go
@@ -65,7 +65,7 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 Type: schema.TypeInt,
 Optional: true,
 Default: nil,
- Description: "The ID of the actor that can bypass a ruleset. When `actor_type` is `OrganizationAdmin`, this should be set to `1`. Some resources such as DeployKey do not have an ID and this should be omitted.",
+ Description: "The ID of the actor that can bypass a ruleset. Required for `Integration`, `RepositoryRole`, `Team`, and `User` actor types. If actor_type is `OrganizationAdmin`, actor_id is ignored. If actor_type is `DeployKey`, this should be omitted. For `RepositoryRole` the following `actor_id` values are known: 2 = Maintain, 4 = Write, 5 = Admin.",
 },
 "actor_type": {
 Type: schema.TypeString,
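Review bot: The new Description states that `actor_id` is required for `Integration`, `RepositoryRole`, `Team` and `User`, but the schema on the surrounding context lines stays `Optional: true` with no validation, so a `bypass_actors` entry of one of those types with no `actor_id` passes plan-time validation and is only rejected, if at all, by the API during apply. Because a bypass actor is a privilege grant that exempts the named actor from every rule in the ruleset, a malformed entry is worth failing at plan time; a `CustomizeDiff` on the resource that checks each `bypass_actors` entry's `actor_type` against the presence of `actor_id` would make the schema match the sentence it now documents. The same documented-but-unchecked constraint appears in the `@@ -96,14 +96,14 @@` hunk below, where "Exactly one of `repository_id`, `repository_name`, or `repository_property` must be set" lives only in a Description string. `resourceGithubOrganizationRuleset` starts and ends outside this hunk.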
@@ -77,7 +77,7 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 Type: schema.TypeString,
 Required: true,
 ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"always", "pull_request", "exempt"}, false)),
- Description: "When the specified actor can bypass the ruleset. pull_request means that an actor can only bypass rules on pull requests. Can be one of: `always`, `pull_request`, `exempt`.",
+ Description: "When the specified actor can bypass the ruleset. `pull_request` means that an actor can only bypass rules on pull requests. Can be one of: `always`, `pull_request`, `exempt`.",
 },
 },
 },
@@ -96,14 +96,14 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 Type: schema.TypeList,
 Optional: true,
 MaxItems: 1,
- Description: "Parameters for an organization ruleset condition.The branch and tag rulesets conditions object should contain both repository_name and ref_name properties, or both repository_id and ref_name properties, or both repository_property and ref_name properties. The push rulesets conditions object does not require the ref_name property.",
+ Description: "Parameters for an organization ruleset condition.The branch and tag rulesets conditions object should contain both repository_name and ref_name properties, or both repository_id and ref_name properties, or both repository_property and ref_name properties. The push rulesets conditions object does not require the ref_name property. Exactly one of `repository_id`, `repository_name`, or `repository_property` must be set for the ruleset to target repositories.",
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "ref_name": {
 Type: schema.TypeList,
 Optional: true,
 MaxItems: 1,
- Description: "Targets refs that match the specified patterns. Required for `branch` and `tag` targets.",
+ Description: "Targets refs that match the specified patterns. Required for `branch` and `tag` targets.\n ~> **Note:** For `push` targets, do not include `ref_name` in conditions. Push rulesets operate on file content, not on refs.",
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "include": {
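Review bot: The rewritten `conditions` Description carries over the missing space in `condition.The branch and tag`, which renders as a single word in the generated schema docs; since the line is already being replaced, this is the moment to fix it: `Description: "Parameters for an organization ruleset condition. The branch and tag rulesets conditions object ..."`. The rest of the string is unchanged apart from the appended sentence.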
@@ -248,7 +248,7 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 Type: schema.TypeList,
 Required: true,
 MaxItems: 1,
- Description: "Rules within the ruleset.",
+ Description: "Rules within the ruleset.\n ~> **Note:** Rules are target-specific. `branch` and `tag` targets support rules like `creation`, `deletion`, `pull_request`, `required_status_checks`, etc. `push` targets only support `file_path_restriction`, `max_file_size`, `max_file_path_length`, and `file_extension_restriction`. Using the wrong rules for a target will result in a validation error.",
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "creation": {
diff --git a/templates/resources/organization_ruleset.md.tmpl b/templates/resources/organization_ruleset.md.tmpl
index de54687a10..6064b16ddb 100644
--- a/templates/resources/organization_ruleset.md.tmpl
+++ b/templates/resources/organization_ruleset.md.tmpl
@@ -12,274 +12,7 @@ description: |- {{ tffile "examples/resources/organization_ruleset/example_1.tf" }} -## Argument Reference - -- `enforcement` - (Required) (String) Possible values for Enforcement are `disabled`, `active`, `evaluate`. Note: `evaluate` is currently only supported for owners of type `organization`. - -- `name` - (Required) (String) The name of the ruleset. - -- `rules` - (Required) (Block List, Min: 1, Max: 1) Rules within the ruleset. (see [below for nested schema](#rules)) - -- `target` - (Required) (String) Possible values are `branch`, `tag` and `push`. - -- `bypass_actors` - (Optional) (Block List) The actors that can bypass the rules in this ruleset. (see [below for nested schema](#bypass_actors)) - -- `conditions` - (Optional) (Block List, Max: 1) Parameters for an organization ruleset condition. For `branch` and `tag` targets, `ref_name` is required alongside one of `repository_name` or `repository_id`. For `push` targets, `ref_name` must NOT be set - only `repository_name` or `repository_id` should be used. (see [below for nested schema](#conditions)) - -### Rules - -The `rules` block supports the following: - -~> **Note:** Rules are target-specific. `branch` and `tag` targets support rules like `creation`, `deletion`, `pull_request`, `required_status_checks`, etc. `push` targets only support `file_path_restriction`, `max_file_size`, `max_file_path_length`, and `file_extension_restriction`. Using the wrong rules for a target will result in a validation error. - -- `branch_name_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the branch_name_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. Conflicts with `tag_name_pattern` as it only applies to rulesets with target `branch`. 
(see [below for nested schema](#rulesbranch_name_pattern)) - -- `commit_author_email_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the commit_author_email_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. (see [below for nested schema](#rulescommit_author_email_pattern)) - -- `commit_message_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the commit_message_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. (see [below for nested schema](#rulescommit_message_pattern)) - -- `committer_email_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the committer_email_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. (see [below for nested schema](#rulescommitter_email_pattern)) - -- `creation` - (Optional) (Boolean) Only allow users with bypass permission to create matching refs. - -- `deletion` - (Optional) (Boolean) Only allow users with bypass permissions to delete matching refs. - -- `non_fast_forward` - (Optional) (Boolean) Prevent users with push access from force pushing to branches. - -- `pull_request` - (Optional) (Block List, Max: 1) Require all commits be made to a non-target branch and submitted via a pull request before they can be merged. (see [below for nested schema](#rulespull_request)) - -- `copilot_code_review` - (Optional) (Block List, Max: 1) Automatically request Copilot code review for new pull requests if the author has access to Copilot code review and their premium requests quota has not reached the limit. 
(see [below for nested schema](#rulescopilot_code_review)) - -- `required_linear_history` - (Optional) (Boolean) Prevent merge commits from being pushed to matching branches. - -- `required_signatures` - (Optional) (Boolean) Commits pushed to matching branches must have verified signatures. - -- `required_status_checks` - (Optional) (Block List, Max: 1) Choose which status checks must pass before branches can be merged into a branch that matches this rule. When enabled, commits must first be pushed to another branch, then merged or pushed directly to a branch that matches this rule after status checks have passed. (see [below for nested schema](#rulesrequired_status_checks)) - -- `required_workflows` - (Optional) (Block List, Max: 1) Define which Actions workflows must pass before changes can be merged into a branch matching the rule. Multiple workflows can be specified. (see [below for nested schema](#rulesrequired_workflows)) - -- `required_code_scanning` - (Optional) (Block List, Max: 1) Define which tools must provide code scanning results before the reference is updated. When configured, code scanning must be enabled and have results for both the commit and the reference being updated. Multiple code scanning tools can be specified. (see [below for nested schema](#rulesrequired_code_scanning)) - -- `tag_name_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the tag_name_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. Conflicts with `branch_name_pattern` as it only applies to rulesets with target `tag`. (see [below for nested schema](#rulestag_name_pattern)) - -- `file_path_restriction` - (Optional) (Block List, Max: 1) Prevent commits that include changes to specified file paths from being pushed to the commit graph. This rule only applies to rulesets with target `push`. 
(see [below for nested schema](#rulesfile_path_restriction)) - -- `max_file_size` - (Optional) (Block List, Max: 1) Prevent commits that include files with a specified file size from being pushed to the commit graph. This rule only applies to rulesets with target `push`. (see [below for nested schema](#rulesmax_file_size)) - -- `max_file_path_length` - (Optional) (Block List, Max: 1) Prevent commits that include file paths that exceed a specified character limit from being pushed to the commit graph. This rule only applies to rulesets with target `push`. (see [below for nested schema](#rulesmax_file_path_length)) - -- `file_extension_restriction` - (Optional) (Block List, Max: 1) Prevent commits that include files with specified file extensions from being pushed to the commit graph. This rule only applies to rulesets with target `push`. (see [below for nested schema](#rulesfile_extension_restriction)) - -- `update` - (Optional) (Boolean) Only allow users with bypass permission to update matching refs. - -#### rules.branch_name_pattern - -- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. - -- `pattern` - (Required) (String) The pattern to match with. - -- `name` - (Optional) (String) How this rule will appear to users. - -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. - -#### rules.commit_author_email_pattern - -- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. - -- `pattern` - (Required) (String) The pattern to match with. - -- `name` - (Optional) (String) How this rule will appear to users. - -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. - -#### rules.commit_message_pattern - -- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. 
- -- `pattern` - (Required) (String) The pattern to match with. - -- `name` - (Optional) (String) How this rule will appear to users. - -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. - -#### rules.committer_email_pattern - -- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. - -- `pattern` - (Required) (String) The pattern to match with. - -- `name` - (Optional) (String) How this rule will appear to users. - -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. - -#### rules.pull_request - -- `allowed_merge_methods` - (Optional) (List of String, Min: 1) Array of merge methods to be allowed. Allowed values include `merge`, `squash`, and `rebase`. At least one must be enabled. - -- `dismiss_stale_reviews_on_push` - (Optional) (Boolean) New, reviewable commits pushed will dismiss previous pull request review approvals. Defaults to `false`. - -- `require_code_owner_review` - (Optional) (Boolean) Require an approving review in pull requests that modify files that have a designated code owner. Defaults to `false`. - -- `require_last_push_approval` - (Optional) (Boolean) Whether the most recent reviewable push must be approved by someone other than the person who pushed it. Defaults to `false`. - -- `required_approving_review_count` - (Optional) (Number) The number of approving reviews that are required before a pull request can be merged. Defaults to `0`. - -- `required_review_thread_resolution` - (Optional) (Boolean) All conversations on code must be resolved before a pull request can be merged. Defaults to `false`. - -#### rules.copilot_code_review - -- `review_on_push` - (Optional) (Boolean) Copilot automatically reviews each new push to the pull request. Defaults to `false`. 
- -- `review_draft_pull_requests` - (Optional) (Boolean) Copilot automatically reviews draft pull requests before they are marked as ready for review. Defaults to `false`. - -- `allowed_merge_methods` - (Required) (List of String, Min: 1) Array of merge methods to be allowed. Allowed values include `merge`, `squash`, and `rebase`. At least one must be enabled. - -- `required_reviewers` - (Optional) (Block List) Require specific reviewers to approve pull requests. Note: This feature is in beta. (see [below for nested schema](#rulespull_requestrequired_reviewers)) - -#### rules.pull_request.required_reviewers - -- `reviewer` - (Required) (Block List, Max: 1) The reviewer that must review matching files. (see [below for nested schema](#rulespull_requestrequired_reviewersreviewer)) - -- `file_patterns` - (Required) (List of String) File patterns (fnmatch syntax) that this reviewer must approve. - -- `minimum_approvals` - (Required) (Number) Minimum number of approvals required from this reviewer. Set to 0 to make approval optional. - -#### rules.pull_request.required_reviewers.reviewer - -- `id` - (Required) (Number) The ID of the reviewer (Team ID). - -- `type` - (Required) (String) The type of reviewer. Currently only `Team` is supported. - -#### rules.required_status_checks - -- `required_check` - (Required) (Block Set, Min: 1) Status checks that are required. Several can be defined. (see [below for nested schema](#rulesrequired_status_checksrequired_check)) - -- `strict_required_status_checks_policy` - (Optional) (Boolean) Whether pull requests targeting a matching branch must be tested with the latest code. This setting will not take effect unless at least one status check is enabled. Defaults to `false`. - -- `do_not_enforce_on_create` - (Optional) (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it. Defaults to `false`. 
- -#### rules.required_status_checks.required_check - -- `context` - (Required) (String) The status check context name that must be present on the commit. - -- `integration_id` - (Optional) (Number) The optional integration ID that this status check must originate from. - -- `do_not_enforce_on_create` - (Optional) (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it. Defaults to `false`. - -#### rules.required_workflows - -- `do_not_enforce_on_create` - (Optional) (Boolean) Allow repositories and branches to be created if a check would otherwise prohibit it. Defaults to `false`. - -- `required_workflow` - (Required) (Block Set, Min: 1) Actions workflows that are required. Multiple can be defined. (see [below for nested schema](#rulesrequired_workflowsrequired_workflow)) - -#### rules.required_workflows.required_workflow - -- `repository_id` - (Required) (Number) The ID of the repository. Names, full names and repository URLs are not supported. - -- `path` - (Required) (String) The path to the YAML definition file of the workflow. - -- `ref` - (Optional) (String) The optional ref from which to fetch the workflow. Defaults to `master`. - -#### rules.required_code_scanning - -- `required_code_scanning_tool` - (Required) (Block Set, Min: 1) Actions code scanning tools that are required. Multiple can be defined. (see [below for nested schema](#rulesrequired_code_scanningrequired_code_scanning_tool)) - -#### rules.required_code_scanning.required_code_scanning_tool - -- `alerts_threshold` - (Required) (String) The severity level at which code scanning results that raise alerts block a reference update. Can be one of: `none`, `errors`, `errors_and_warnings`, `all`. - -- `security_alerts_threshold` - (Required) (String) The severity level at which code scanning results that raise security alerts block a reference update. Can be one of: `none`, `critical`, `high_or_higher`, `medium_or_higher`, `all`. 
- -- `tool` - (Required) (String) The name of a code scanning tool. - -#### rules.tag_name_pattern - -- `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`. - -- `pattern` - (Required) (String) The pattern to match with. - -- `name` - (Optional) (String) How this rule will appear to users. - -- `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches. - -#### rules.file_path_restriction - -- `restricted_file_paths` - (Required) (Block Set, Min: 1) The file paths that are restricted from being pushed to the commit graph. - -#### rules.max_file_size - -- `max_file_size` - (Required) (Integer) The maximum allowed size, in megabytes (MB), of a file. Valid range is 1-100 MB. - -#### rules.max_file_path_length - -- `max_file_path_length` - (Required) (Integer) The maximum number of characters allowed in file paths. - -#### rules.file_extension_restriction - -- `restricted_file_extensions` - (Required) (Block Set, Min: 1) The file extensions that are restricted from being pushed to the commit graph. - -#### bypass_actors - -- `actor_id` - (Optional) (Number) The ID of the actor that can bypass a ruleset. Some actor types such as `DeployKey` do not have an ID. - -- `actor_type` (String) The type of actor that can bypass a ruleset. Can be one of: `RepositoryRole`, `Team`, `Integration`, `OrganizationAdmin`. - -- `bypass_mode` - (Optional) (String) When the specified actor can bypass the ruleset. pull_request means that an actor can only bypass rules on pull requests. Can be one of: `always`, `pull_request`, `exempt`. - -~>Note: at the time of writing this, the following actor types correspond to the following actor IDs: - -- `OrganizationAdmin` -> `1` -- `RepositoryRole` (This is the actor type, the following are the base repository roles and their associated IDs.) 
- - `maintain` -> `2` - - `write` -> `4` - - `admin` -> `5` - -#### conditions - -- `ref_name` - (Optional) (Block List, Max: 1) Required for `branch` and `tag` targets. Must NOT be set for `push` targets. (see [below for nested schema](#conditionsref_name)) -- `repository_id` (Optional) (List of Number) The repository IDs that the ruleset applies to. One of these IDs must match for the condition to pass. -- `repository_name` (Optional) (Block List, Max: 1) Targets repositories that match the specified name patterns. (see [below for nested schema](#conditionsrepository_name)) -- `repository_property` (Optional) (Block List, Max: 1) Targets repositories by custom or system properties. (see [below for nested schema](#conditionsrepository_property)) - -Exactly one of `repository_id`, `repository_name`, or `repository_property` must be set for the rule to target repositories. - -~> **Note:** For `push` targets, do not include `ref_name` in conditions. Push rulesets operate on file content, not on refs. - -#### conditions.ref_name - -- `exclude` - (Required) (List of String) Array of ref names or patterns to exclude. The condition will not pass if any of these patterns match. - -- `include` - (Required) (List of String) Array of ref names or patterns to include. One of these patterns must match for the condition to pass. Also accepts `~DEFAULT_BRANCH` to include the default branch or `~ALL` to include all branches. - -#### conditions.repository_name - -- `exclude` - (Required) (List of String) Array of repository names or patterns to exclude. The condition will not pass if any of these patterns match. -- `include` - (Required) (List of String) Array of repository names or patterns to include. One of these patterns must match for the condition to pass. Also accepts `~ALL` to include all repositories. -- `protected` - (Optional) (Boolean) Whether renaming of target repositories is prevented. Defaults to `false`. 
- -#### conditions.repository_property - -- `include` - (Optional) (List of Repository Properties) The repository properties and values to include. All of these properties must match for the condition to pass. (see [below for nested schema](#conditionsrepository_propertyproperties)) - -- `exclude` - (Optional) (List of Repository Properties) The repository properties and values to exclude. The condition will not pass if any of these properties match. (see [below for nested schema](#conditionsrepository_propertyproperties)) - -#### conditions.repository_property.properties - -- `name` (Required) (String) The name of the repository property to target. - -- `property_values` (Required) (Array of String) The values to match for the repository property. - -- `source` (String) The source of the repository property. Defaults to 'custom' if not specified. Can be one of: `custom`, `system` - -## Attributes Reference - -The following additional attributes are exported: - -- `etag` (String) - -- `node_id` (String) GraphQL global node id for use with v4 API. - -- `ruleset_id` (Number) GitHub ID for the ruleset. +{{ .SchemaMarkdown | trimspace }} ## Import From edda4b199f72c95223dc08b218edd90d483dd704 Mon Sep 17 00:00:00 2001 From: Timo Sand Date: Wed, 3 Jun 2026 09:39:33 +0300 Subject: [PATCH 4/4] Remove mentions of `OrganizationAdmin` and `actor_id` 1 Signed-off-by: Timo Sand --- docs/resources/repository_ruleset.md | 1 - github/resource_github_organization_ruleset_test.go | 6 ------ github/resource_github_repository_ruleset.go | 2 +- templates/resources/repository_ruleset.md.tmpl | 1 - 4 files changed, 1 insertion(+), 9 deletions(-) diff --git a/docs/resources/repository_ruleset.md b/docs/resources/repository_ruleset.md index 3d7bfe1363..c93c8bb363 100644 --- a/docs/resources/repository_ruleset.md +++ b/docs/resources/repository_ruleset.md 
@@ -304,7 +304,6 @@ The `rules` block supports the following:
 ~> Note: at the time of writing this, the following actor types correspond to the following actor IDs:
-- `OrganizationAdmin` -> `1`
 - `RepositoryRole` (This is the actor type, the following are the base repository roles and their associated IDs.)
 - `maintain` -> `2`
 - `write` -> `4`
diff --git a/github/resource_github_organization_ruleset_test.go b/github/resource_github_organization_ruleset_test.go
index 70780510b4..b1ededa87d 100644
--- a/github/resource_github_organization_ruleset_test.go
+++ b/github/resource_github_organization_ruleset_test.go
@@ -72,7 +72,6 @@ resource "github_organization_ruleset" "test" {
 }
 bypass_actors {
- actor_id = 1
 actor_type = "OrganizationAdmin"
 bypass_mode = "always"
 }
@@ -167,7 +166,6 @@ resource "github_organization_ruleset" "test" {
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.actor_id", "5"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.actor_type", "RepositoryRole"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.bypass_mode", "always"),
- resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.actor_id", "1"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.actor_type", "OrganizationAdmin"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.bypass_mode", "always"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "rules.0.pull_request.0.allowed_merge_methods.#", "3"),
@@ -596,7 +594,6 @@ resource "github_organization_ruleset" "test" {
 }
 bypass_actors {
- actor_id = 1
 actor_type = "OrganizationAdmin"
 bypass_mode = "always"
 }
@@ -640,7 +637,6 @@ resource "github_organization_ruleset" "test" {
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.actor_id", "5"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.actor_type", "RepositoryRole"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.bypass_mode", "always"),
- resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.actor_id", "1"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.actor_type", "OrganizationAdmin"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.bypass_mode", "always"),
 resource.TestCheckResourceAttr("github_organization_ruleset.test", "rules.0.file_path_restriction.0.restricted_file_paths.0", "test.txt"),
@@ -723,7 +719,6 @@ resource "github_organization_ruleset" "test" {
 }
 bypass_actors {
- actor_id = 1
 actor_type = "OrganizationAdmin"
 bypass_mode = "always"
 }
@@ -803,7 +798,6 @@ resource "github_organization_ruleset" "test" {
 enforcement = "active"
 bypass_actors {
- actor_id = 1
 actor_type = "OrganizationAdmin"
 bypass_mode = "%s"
 }
diff --git a/github/resource_github_repository_ruleset.go b/github/resource_github_repository_ruleset.go
index 72e0e9ce10..7ac7c43ea7 100644
--- a/github/resource_github_repository_ruleset.go
+++ b/github/resource_github_repository_ruleset.go
@@ -68,7 +68,7 @@ func resourceGithubRepositoryRuleset() *schema.Resource {
 Type: schema.TypeInt,
 Optional: true,
 Default: nil,
- Description: "The ID of the actor that can bypass a ruleset. When `actor_type` is `OrganizationAdmin`, this should be set to `1`. Some resources such as DeployKey do not have an ID and this should be omitted.",
+ Description: "The ID of the actor that can bypass a ruleset. Some resources such as DeployKey do not have an ID and this should be omitted.",
 },
 "actor_type": {
 Type: schema.TypeString,
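Review bot: The shortened `actor_id` description in the `@@ -68,7 +68,7 @@` hunk of resource_github_repository_ruleset.go no longer says which actor types need an ID at all, and since `bypass_actors` is the list of who may skip the ruleset's enforcement, an omitted or wrong `actor_id` there is a policy mistake rather than a cosmetic one. Suggest `Description: "The ID of the actor that can bypass a ruleset. Required for actor types that name a specific principal (Integration, RepositoryRole, Team, User); omit it for types without an ID such as DeployKey or OrganizationAdmin."`, and, unless the schema already enforces it elsewhere, a plan-time check that rejects those ID-bearing types when `actor_id` is unset. The organization ruleset schema presumably carries the same `OrganizationAdmin` sentence in its `actor_id` description; it is not touched by this commit and should be kept in step. The test hunks at `@@ -167,7 +166,6 @@` and `@@ -640,7 +637,6 @@` now assert only `actor_type` and `bypass_mode` for `bypass_actors.2`, so if the API still reports an ID for `OrganizationAdmin` and the read path stores it, the result is a plan diff rather than a test failure; a `resource.TestCheckNoResourceAttr` on `bypass_actors.2.actor_id` would pin the intended state. The `resourceGithubRepositoryRuleset` schema continues outside the hunk.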
diff --git a/templates/resources/repository_ruleset.md.tmpl b/templates/resources/repository_ruleset.md.tmpl
index d40b5262bb..7599492930 100644
--- a/templates/resources/repository_ruleset.md.tmpl
+++ b/templates/resources/repository_ruleset.md.tmpl
@@ -233,7 +233,6 @@ The `rules` block supports the following:
 ~> Note: at the time of writing this, the following actor types correspond to the following actor IDs:
-- `OrganizationAdmin` -> `1`
 - `RepositoryRole` (This is the actor type, the following are the base repository roles and their associated IDs.)
 - `maintain` -> `2`
 - `write` -> `4`