Merge pull request #1 from boostsecurityio/fix/github-pages

JonathanSerafini · web-flow · commit de9afce26de6 · 2024-03-27T14:36:46.000-04:00
upgrade terraform provider and github-pages config
diff --git a/main.tf b/main.tf
@@ -37,6 +37,8 @@ locals {
   issue_labels_merge_with_github_labels = local.gh_labels
   # Per default, GitHub activates vulnerability  alerts for public repositories and disables it for private repositories
   vulnerability_alerts = var.vulnerability_alerts != null ? var.vulnerability_alerts : local.private ? false : true
+
+  web_commit_signoff_required = var.web_commit_signoff_required == null ? lookup(var.defaults, "web_commit_signoff_required", false) : var.web_commit_signoff_required
 }
 
 locals {
@@ -112,6 +114,8 @@ resource "github_repository" "repository" {
   archive_on_destroy   = var.archive_on_destroy
   vulnerability_alerts = local.vulnerability_alerts
 
+  web_commit_signoff_required = local.web_commit_signoff_required
+
   dynamic "template" {
     for_each = local.template
 
@@ -125,11 +129,17 @@ resource "github_repository" "repository" {
     for_each = var.pages != null ? [true] : []
 
     content {
-      source {
-        branch = var.pages.branch
-        path   = try(var.pages.path, "/")
+      dynamic "source" {
+        for_each = try(var.pages.build_type, null) == "workflow" ? [] : [true]
+
+        content {
+          branch = var.pages.branch
+          path   = try(var.pages.path, "/")
+        }
       }
-      cname = try(var.pages.cname, null)
+
+      build_type = try(var.pages.build_type, null)
+      cname      = try(var.pages.cname, null)
     }
   }
 
@@ -202,9 +212,7 @@ resource "github_branch_protection" "branch_protection" {
 
   allows_deletions                = try(var.branch_protections_v4[each.value].allows_deletions, false)
   allows_force_pushes             = try(var.branch_protections_v4[each.value].allows_force_pushes, false)
-  blocks_creations                = try(var.branch_protections_v4[each.value].blocks_creations, false)
   enforce_admins                  = try(var.branch_protections_v4[each.value].enforce_admins, true)
-  push_restrictions               = try(var.branch_protections_v4[each.value].push_restrictions, [])
   require_conversation_resolution = try(var.branch_protections_v4[each.value].require_conversation_resolution, false)
   require_signed_commits          = try(var.branch_protections_v4[each.value].require_signed_commits, false)
   required_linear_history         = try(var.branch_protections_v4[each.value].required_linear_history, false)
@@ -219,6 +227,7 @@ resource "github_branch_protection" "branch_protection" {
       pull_request_bypassers          = try(required_pull_request_reviews.value.pull_request_bypassers, [])
       require_code_owner_reviews      = try(required_pull_request_reviews.value.require_code_owner_reviews, true)
       required_approving_review_count = try(required_pull_request_reviews.value.required_approving_review_count, 0)
+      require_last_push_approval      = try(required_pull_request_reviews.value.require_last_push_approval, true)
     }
   }
 
diff --git a/variables.tf b/variables.tf
@@ -117,9 +117,10 @@ variable "auto_init" {
 variable "pages" {
   description = "(Optional) The repository's GitHub Pages configuration. (Default: {})"
   # type = object({
-  # branch = string
-  # path   = string
-  # cname  = string
+  # branch      = string
+  # path        = string or null
+  # cname       = string
+  # build_type  = workflow or legacy (requires branch and optional path )
   # })
   type    = any
   default = null
@@ -333,9 +334,7 @@ variable "branch_protections_v4" {
   #       pattern                         = string
   #       allows_deletions                = optional(bool, false)
   #       allows_force_pushes             = optional(bool, false)
-  #       blocks_creations                = optional(bool, false)
   #       enforce_admins                  = optional(bool, false)
-  #       push_restrictions               = optional(list(string), [])
   #       require_conversation_resolution = optional(bool, false)
   #       require_signed_commits          = optional(bool, false)
   #       required_linear_history         = optional(bool, false)
@@ -556,6 +555,12 @@ variable "app_installations" {
   default     = []
 }
 
+variable "web_commit_signoff_required" {
+  type        = bool
+  description = "(Optional) Require contributors to sign off on web-based commits."
+  default     = null
+}
+
 # ------------------------------------------------------------------------------
 # MODULE CONFIGURATION PARAMETERS
 # These variables are used to configure the module.
diff --git a/versions.tf b/versions.tf
@@ -9,7 +9,7 @@ terraform {
   required_providers {
     github = {
       source  = "integrations/github"
-      version = ">= 4.20, < 6.0"
+      version = ">= 4.20, < 7.0"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ terraform {`
`9`	`9`	`required_providers {`
`10`	`10`	`github = {`
`11`	`11`	`source = "integrations/github"`
`12`		`- version = ">= 4.20, < 6.0"`
	`12`	`+ version = ">= 4.20, < 7.0"`
`13`	`13`	`}`
`14`	`14`	`}`
`15`	`15`	`}`