feat: Add file path protection to rulesets and tests

Author: grahamhar

CONTRIBUTING.md

@@ -149,6 +149,9 @@ export GITHUB_OWNER=
 # enable testing of enterprise appliances
 export GITHUB_BASE_URL=
 
+# enable testing of GitHub Paid features, these normally also require an organization e.g. repository push rulesets
+export GITHUB_PAID_FEATURES=true
+
 # leverage helper accounts for tests requiring them
 # examples include:
 # - https://github.com/github-terraform-test-user

github/provider_utils.go

@@ -9,6 +9,7 @@ import (
 
 var testCollaborator = os.Getenv("GITHUB_TEST_COLLABORATOR")
 var isEnterprise = os.Getenv("ENTERPRISE_ACCOUNT")
+var isPaidPlan = os.Getenv("GITHUB_PAID_FEATURES")
 var testEnterprise = os.Getenv("ENTERPRISE_SLUG")
 var testOrganization = testOrganizationFunc()
 var testOwner = os.Getenv("GITHUB_OWNER")

github/resource_github_repository_ruleset.go

@@ -34,8 +34,8 @@ func resourceGithubRepositoryRuleset() *schema.Resource {
 			"target": {
 				Type:         schema.TypeString,
 				Required:     true,
-				ValidateFunc: validation.StringInSlice([]string{"branch", "tag"}, false),
-				Description:  "Possible values are `branch` and `tag`.",
+				ValidateFunc: validation.StringInSlice([]string{"branch", "push", "tag"}, false),
+				Description:  "Possible values are `branch`, `push` and `tag`.",
 			},
 			"repository": {
 				Type:        schema.TypeString,

github/resource_github_repository_ruleset_test.go

@@ -363,6 +363,67 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 		})
 
 	})
+	t.Run("Creates repository rulesets with paid features without errors", func(t *testing.T) {
+		if isPaidPlan != "true" {
+			t.Skip("Skipping because `GITHUB_PAID_FEATURES` is not set to true")
+		}
+		config := fmt.Sprintf(`
+                                             resource "github_repository" "test" {
+                                                             name                 = "tf-acc-test-%s"
+                                                             auto_init            = false
+                                                             visibility           = "internal"
+                                                             vulnerability_alerts = true
+                                             }
+
+                                             resource "github_repository_ruleset" "test_push" {
+                                                             name        = "test-push"
+                                                             repository  = github_repository.test.id
+                                                             target      = "push"
+                                                             enforcement = "active"
+
+                                                             rules {
+                                                                             file_path_restriction {
+                                                                                             restricted_file_paths = ["test.txt"]
+                                                                             }
+                                                             }
+                                             }
+                             `, randomID)
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"github_repository_ruleset.test_push", "name",
+				"test-push",
+			),
+			resource.TestCheckResourceAttr(
+				"github_repository_ruleset.test_push", "target",
+				"push",
+			),
+			resource.TestCheckResourceAttr(
+				"github_repository_ruleset.test_push", "rules.0.file_path_restriction.0.restricted_file_paths.0",
+				"test.txt",
+			),
+		)
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+				},
+			})
+		}
+		t.Run("with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+		t.Run("with an individual account", func(t *testing.T) {
+			t.Skip("individual account not supported for this operation")
+		})
+		t.Run("with a paid plan in an organization", func(t *testing.T) {
+			testCase(t, organization)
+		})
+	})
 
 }
 

github/respository_rules_utils.go

@@ -362,6 +362,19 @@ func expandRules(input []interface{}, org bool) []*github.RepositoryRule {
 		rulesSlice = append(rulesSlice, github.NewRequiredWorkflowsRule(params))
 	}
 
+	// file_path_restriction rule
+	if v, ok := rulesMap["file_path_restriction"].([]interface{}); ok && len(v) != 0 {
+		filePathRestrictionMap := v[0].(map[string]interface{})
+		restrictedFilePaths := make([]string, 0)
+		for _, path := range filePathRestrictionMap["restricted_file_paths"].([]interface{}) {
+			restrictedFilePaths = append(restrictedFilePaths, path.(string))
+		}
+		params := &github.RuleFileParameters{
+			RestrictedFilePaths: &restrictedFilePaths,
+		}
+		rulesSlice = append(rulesSlice, github.NewFilePathRestrictionRule(params))
+	}
+
 	return rulesSlice
 }
 
@@ -472,6 +485,17 @@ func flattenRules(rules []*github.RepositoryRule, org bool) []interface{} {
 			rule["required_check"] = requiredStatusChecksSlice
 			rule["strict_required_status_checks_policy"] = params.StrictRequiredStatusChecksPolicy
 			rulesMap[v.Type] = []map[string]interface{}{rule}
+
+		case "file_path_restriction":
+			var params github.RuleFileParameters
+			err := json.Unmarshal(*v.Parameters, &params)
+			if err != nil {
+				log.Printf("[INFO] Unexpected error unmarshalling rule %s with parameters: %v",
+					v.Type, v.Parameters)
+			}
+			rule := make(map[string]interface{})
+			rule["restricted_file_paths"] = params.GetRestrictedFilePaths()
+			rulesMap[v.Type] = []map[string]interface{}{rule}
 		}
 	}