ci: add repository rules as code (#60)

* chore: add terraform reposity rules

* chore: apply terraform

* chore: add GitHub Actions workflow for Terraform repository management

* chore: add CODEOWNERS file and require code owner reviews for changes in Terraform repository

* chore: update .gitignore to include Terraform files and Docker configuration

* chore: remove Terraform state and backup files along with associated provider and module configurations

* chore: update repository module to require branches to be up to date before merging, removing hardcoded check names

Author: wiktoriavh

.github/CODEOWNERS

@@ -0,0 +1 @@
+/terraform/repository/ @wiktoriavh

.github/workflows/terraform-repository.yml

@@ -0,0 +1,37 @@
+name: Terraform Repository
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - terraform/repository/**
+
+concurrency:
+  group: terraform-repository-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: terraform/repository
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.5.0
+
+      - name: Terraform Init
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: terraform init
+
+      - name: Terraform Apply
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: terraform apply -auto-approve

.gitignore

@@ -25,4 +25,9 @@ guides-tracker.json
 advent-of-code-tracker.json
 
 # Docker
-docker-compose.yml
+docker-compose.yml
+
+# terraform
+**/.terraform/
+*.tfstate
+*.tfstate.*

terraform/repository/.terraform.lock.hcl

@@ -0,0 +1,99 @@
+module "repository" {
+  source = "git::https://github.com/r-webdev/terraform-module-github-repository.git//modules/service?ref=v1.0.0"
+
+  # Repository name on GitHub (must match the remote, e.g. r-webdev/website).
+  name = "webdev-bot"
+
+  # Short summary shown on the repo homepage and in search results.
+  description = "Discord communitybot for the Web Dev & Design Discord server."
+
+  # Link shown in the GitHub sidebar
+  # homepage_url = "https://example.com"
+
+  # Who can see the repo: public, private, or internal (org members only).
+  # Public is required on GitHub Free for branch protection rules to apply.
+  visibility = "public"
+
+  # Tags used for discovery and filtering on GitHub.
+  topics = ["discord", "bot"]
+
+  # Default branch for new PRs and clones; must already exist on GitHub before protection rules apply.
+  default_branch = "main"
+
+  # --- Merge settings ---
+
+  # Disallow standard merge commits (only squash merges allowed).
+  allow_merge_commit = false
+
+  # Allow squash merges — combines all commits into one on merge.
+  allow_squash_merge = true
+
+  # Disallow rebase merges onto the base branch.
+  allow_rebase_merge = false
+
+  # Use the PR title as the squash commit subject line.
+  squash_merge_commit_title = "PR_TITLE"
+
+  # Include individual commit messages in the squash commit body.
+  squash_merge_commit_message = "COMMIT_MESSAGES"
+
+  # Remove the feature branch from GitHub after the PR is merged.
+  delete_branch_on_merge = true
+
+  # Do not allow merging automatically once checks and reviews pass (manual merge required).
+  allow_auto_merge = false
+
+  # --- Repository features ---
+
+  # Enable GitHub Issues for bugs and feature requests.
+  has_issues = true
+
+  # Disable GitHub Projects (Kanban-style boards tied to the repo).
+  has_projects = false
+
+  # Disable the repo wiki.
+  has_wiki = false
+
+  # Disable GitHub Discussions.
+  has_discussions = false
+
+  # Send Dependabot security alerts for vulnerable dependencies (relevant for private repos).
+  vulnerability_alerts = true
+
+  # If Terraform destroys this resource, archive the repo instead of deleting it permanently.
+  archive_on_destroy = true
+
+  # --- Access control ---
+
+  # Map of org team slug → permission level (pull, triage, push, maintain, admin).
+  team_permissions = {
+    # Full admin access: settings, branch protection, team management.
+    admins = "admin"
+    # Write access: push to branches and open/merge PRs (subject to branch protection).
+    moderators = "push"
+  }
+
+  # --- Branch protection (main) ---
+
+  branch_protection = {
+    main = {
+      # Require all conversations on a PR to be resolved before merge.
+      required_conversation_resolution = true
+
+      # Pull request review requirements before merge.
+      required_pull_request_reviews = {
+        # New commits dismiss previous approvals so reviewers re-check changes.
+        dismiss_stale_reviews = true
+        # Require approval from CODEOWNERS when changed files match .github/CODEOWNERS.
+        require_code_owner_reviews = true
+        # At least one approving review from someone other than the author.
+        required_approving_review_count = 1
+      }
+
+      # Require branches to be up to date before merging; no hardcoded check names.
+      required_status_checks = {
+        strict = true
+      }
+    }
+  }
+}

terraform/repository/main.tf

@@ -0,0 +1,16 @@
+terraform {
+  # Minimum Terraform version required by the GitHub repository module.
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+}
+
+provider "github" {
+  # GitHub organization that owns this repository.
+  owner = "r-webdev"
+}