[FEAT]: Enable Use bypass_actor for Organization Rulesets

docs/resources/repository_ruleset.md

@@ -304,7 +304,6 @@ The `rules` block supports the following:
 
 ~> Note: at the time of writing this, the following actor types correspond to the following actor IDs:
 
-- `OrganizationAdmin` -> `1`
 - `RepositoryRole` (This is the actor type, the following are the base repository roles and their associated IDs.)
   - `maintain` -> `2`
   - `write` -> `4`

github/resource_github_organization_ruleset.go

@@ -32,6 +32,8 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 
 		CustomizeDiff: resourceGithubOrganizationRulesetDiff,
 
+		Description: "Creates a GitHub organization ruleset.\n\nThis resource allows you to create and manage rulesets on the organization level. When applied, a new ruleset will be created. When destroyed, that ruleset will be removed.",
+
 		Schema: map[string]*schema.Schema{
 			"name": {
 				Type:             schema.TypeString,
@@ -63,19 +65,19 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 							Type:        schema.TypeInt,
 							Optional:    true,
 							Default:     nil,
-							Description: "The ID of the actor that can bypass a ruleset. When `actor_type` is `OrganizationAdmin`, this should be set to `1`. Some resources such as DeployKey do not have an ID and this should be omitted.",
+							Description: "The ID of the actor that can bypass a ruleset. Required for `Integration`, `RepositoryRole`, `Team`, and `User` actor types. If actor_type is `OrganizationAdmin`, actor_id is ignored. If actor_type is `DeployKey`, this should be omitted. For `RepositoryRole` the following `actor_id` values are known: 2 = Maintain, 4 = Write, 5 = Admin.",
 						},
 						"actor_type": {
 							Type:             schema.TypeString,
 							Required:         true,
-							ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"Integration", "OrganizationAdmin", "RepositoryRole", "Team", "DeployKey"}, false)),
-							Description:      "The type of actor that can bypass a ruleset. Can be one of: `Integration`, `OrganizationAdmin`, `RepositoryRole`, `Team`, or `DeployKey`.",
+							ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"Integration", "OrganizationAdmin", "RepositoryRole", "Team", "DeployKey", "User"}, false)),
+							Description:      "The type of actor that can bypass a ruleset. Can be one of: `Integration`, `OrganizationAdmin`, `RepositoryRole`, `Team`, `DeployKey`, or `User`.",
 						},
 						"bypass_mode": {
 							Type:             schema.TypeString,
 							Required:         true,
 							ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"always", "pull_request", "exempt"}, false)),
-							Description:      "When the specified actor can bypass the ruleset. pull_request means that an actor can only bypass rules on pull requests. Can be one of: `always`, `pull_request`, `exempt`.",
+							Description:      "When the specified actor can bypass the ruleset. `pull_request` means that an actor can only bypass rules on pull requests. Can be one of: `always`, `pull_request`, `exempt`.",
 						},
 					},
 				},
@@ -94,14 +96,14 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 				Type:        schema.TypeList,
 				Optional:    true,
 				MaxItems:    1,
-				Description: "Parameters for an organization ruleset condition.The branch and tag rulesets conditions object should contain both repository_name and ref_name properties, or both repository_id and ref_name properties, or both repository_property and ref_name properties. The push rulesets conditions object does not require the ref_name property.",
+				Description: "Parameters for an organization ruleset condition.The branch and tag rulesets conditions object should contain both repository_name and ref_name properties, or both repository_id and ref_name properties, or both repository_property and ref_name properties. The push rulesets conditions object does not require the ref_name property. Exactly one of `repository_id`, `repository_name`, or `repository_property` must be set for the ruleset to target repositories.",
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"ref_name": {
 							Type:        schema.TypeList,
 							Optional:    true,
 							MaxItems:    1,
-							Description: "Targets refs that match the specified patterns. Required for `branch` and `tag` targets.",
+							Description: "Targets refs that match the specified patterns. Required for `branch` and `tag` targets.\n  ~> **Note:** For `push` targets, do not include `ref_name` in conditions. Push rulesets operate on file content, not on refs.",
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"include": {
@@ -246,7 +248,7 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 				Type:        schema.TypeList,
 				Required:    true,
 				MaxItems:    1,
-				Description: "Rules within the ruleset.",
+				Description: "Rules within the ruleset.\n  ~> **Note:** Rules are target-specific. `branch` and `tag` targets support rules like `creation`, `deletion`, `pull_request`, `required_status_checks`, etc. `push` targets only support `file_path_restriction`, `max_file_size`, `max_file_path_length`, and `file_extension_restriction`. Using the wrong rules for a target will result in a validation error.",
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"creation": {

github/resource_github_organization_ruleset_test.go

@@ -72,7 +72,6 @@ resource "github_organization_ruleset" "test" {
 	}
 
 	bypass_actors {
-		actor_id    = 1
 		actor_type  = "OrganizationAdmin"
 		bypass_mode = "always"
 	}
@@ -167,7 +166,6 @@ resource "github_organization_ruleset" "test" {
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.actor_id", "5"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.actor_type", "RepositoryRole"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.bypass_mode", "always"),
-						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.actor_id", "1"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.actor_type", "OrganizationAdmin"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.bypass_mode", "always"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "rules.0.pull_request.0.allowed_merge_methods.#", "3"),
@@ -184,6 +182,102 @@ resource "github_organization_ruleset" "test" {
 		})
 	})
 
+	t.Run("creates_branch_ruleset_with_user_bypass_actor", func(t *testing.T) {
+		randomID := acctest.RandString(5)
+		repoName := fmt.Sprintf("%srepo-org-ruleset-%s", testResourcePrefix, randomID)
+		rulesetName := fmt.Sprintf("%s-branch-ruleset-%s", testResourcePrefix, randomID)
+
+		config := fmt.Sprintf(`
+resource "github_repository" "test" {
+	name = "%s"
+	visibility = "private"
+	auto_init = true
+}
+
+data "github_user" "current" {
+	username = "%[3]s"
+}
+
+resource "github_organization_ruleset" "test" {
+	name        = "%[2]s"
+	target      = "branch"
+	enforcement = "active"
+
+	bypass_actors {
+		actor_type  = "User"
+		bypass_mode = "always"
+		actor_id    = tonumber(data.github_user.current.id)
+	}
+
+	conditions {
+		repository_name {
+			include = ["~ALL"]
+			exclude = []
+		}
+
+		ref_name {
+			include = ["~ALL"]
+			exclude = []
+		}
+	}
+
+	rules {
+		creation = true
+
+		update = true
+
+		deletion                = true
+		required_linear_history = true
+
+		required_signatures = false
+
+		pull_request {
+			required_approving_review_count   = 2
+			required_review_thread_resolution = true
+			require_code_owner_review         = true
+			dismiss_stale_reviews_on_push     = true
+			require_last_push_approval        = true
+		}
+
+		copilot_code_review {
+			review_on_push             = true
+			review_draft_pull_requests = false
+		}
+
+		required_status_checks {
+
+			required_check {
+				context = "ci"
+			}
+
+			strict_required_status_checks_policy = true
+			do_not_enforce_on_create             = true
+		}
+
+		non_fast_forward = true
+	}
+}
+`, repoName, rulesetName, testAccConf.username)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasPaidOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("name"), knownvalue.StringExact(rulesetName)),
+						statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("target"), knownvalue.StringExact("branch")),
+						statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("enforcement"), knownvalue.StringExact("active")),
+						statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("bypass_actors").AtSliceIndex(0).AtMapKey("actor_type"), knownvalue.StringExact("User")),
+						statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("bypass_actors").AtSliceIndex(0).AtMapKey("bypass_mode"), knownvalue.StringExact("always")),
+						statecheck.ExpectKnownValue("github_organization_ruleset.test", tfjsonpath.New("bypass_actors").AtSliceIndex(0).AtMapKey("actor_id"), knownvalue.NotNull()),
+					},
+				},
+			},
+		})
+	})
+
 	t.Run("create_ruleset_with_repository_property", func(t *testing.T) {
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 		rulesetName := fmt.Sprintf("%s-repo-prop-ruleset-%s", testResourcePrefix, randomID)
@@ -500,7 +594,6 @@ resource "github_organization_ruleset" "test" {
 	}
 
 	bypass_actors {
-		actor_id    = 1
 		actor_type  = "OrganizationAdmin"
 		bypass_mode = "always"
 	}
@@ -544,7 +637,6 @@ resource "github_organization_ruleset" "test" {
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.actor_id", "5"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.actor_type", "RepositoryRole"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.1.bypass_mode", "always"),
-						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.actor_id", "1"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.actor_type", "OrganizationAdmin"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "bypass_actors.2.bypass_mode", "always"),
 						resource.TestCheckResourceAttr("github_organization_ruleset.test", "rules.0.file_path_restriction.0.restricted_file_paths.0", "test.txt"),
@@ -627,7 +719,6 @@ resource "github_organization_ruleset" "test" {
 	}
 
 	bypass_actors {
-		actor_id    = 1
 		actor_type  = "OrganizationAdmin"
 		bypass_mode = "always"
 	}
@@ -707,7 +798,6 @@ resource "github_organization_ruleset" "test" {
 	enforcement = "active"
 
 	bypass_actors {
-		actor_id    = 1
 		actor_type  = "OrganizationAdmin"
 		bypass_mode = "%s"
 	}

github/resource_github_repository_ruleset.go

@@ -68,7 +68,7 @@ func resourceGithubRepositoryRuleset() *schema.Resource {
 							Type:        schema.TypeInt,
 							Optional:    true,
 							Default:     nil,
-							Description: "The ID of the actor that can bypass a ruleset. When `actor_type` is `OrganizationAdmin`, this should be set to `1`. Some resources such as DeployKey do not have an ID and this should be omitted.",
+							Description: "The ID of the actor that can bypass a ruleset. Some resources such as DeployKey do not have an ID and this should be omitted.",
 						},
 						"actor_type": {
 							Type:             schema.TypeString,