[FEAT]: Add Support for GitHub Enterprise Rulesets

examples/enterprise_rulesets/README.md

@@ -0,0 +1,54 @@
+# GitHub Enterprise Ruleset Examples
+
+This directory demonstrates how to configure GitHub Enterprise rulesets using the Terraform GitHub provider.
+
+## Overview
+
+Enterprise rulesets allow you to enforce policies across all organizations in your GitHub Enterprise. The examples showcase all four target types:
+
+- **Branch Target** (`branch_target.tf`) - Branch protection rules with PR requirements, status checks, and commit patterns
+- **Tag Target** (`tag_target.tf`) - Tag protection rules with naming patterns and immutability controls
+- **Push Target** (`push_target.tf`) - File restrictions, size limits, and content policies (beta feature)
+- **Repository Target** (`rulesets.tf`) - Repository management rules for creation, deletion, and naming conventions
+
+## Requirements
+
+- GitHub Enterprise Cloud account
+- Personal access token with enterprise admin permissions
+- Terraform >= 0.14
+
+## Usage
+
+1. Set your environment variables:
+
+```bash
+export TF_VAR_github_token="your_github_token"
+export TF_VAR_enterprise_slug="your-enterprise-slug"
+```
+
+2. Customize the examples by replacing `"your-enterprise"` with your actual enterprise slug
+
+3. Apply the configuration:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+## Target Types
+
+Each target type supports different rules:
+
+- **Branch/Tag**: creation, deletion, update, signatures, linear history, PR requirements, status checks
+- **Push**: file restrictions, size limits, file extensions, commit patterns
+- **Repository**: creation, deletion, transfer, naming patterns, visibility controls
+
+See the individual `.tf` files for detailed examples and available rules.
+
+## Important Notes
+
+- All enterprise rulesets require organization and repository targeting via `conditions`
+- The `push` target is currently in beta and subject to change
+- Branch and tag targets require `ref_name` conditions
+- Repository and push targets do not use `ref_name` conditions

examples/enterprise_rulesets/branch_rulesets.tf

@@ -0,0 +1,136 @@
+# Example: Branch target ruleset with comprehensive branch protection rules
+# This ruleset applies to branches across the enterprise
+
+resource "github_enterprise_ruleset" "branch_protection" {
+  enterprise_slug = "your-enterprise"
+  name            = "branch-protection-ruleset"
+  target          = "branch"
+  enforcement     = "active"
+
+  # Optional: Allow certain users/teams to bypass the ruleset
+  bypass_actors {
+    actor_id    = 1
+    actor_type  = "OrganizationAdmin"
+    bypass_mode = "always"
+  }
+
+  bypass_actors {
+    actor_type  = "DeployKey"
+    bypass_mode = "always"
+  }
+
+  # Conditions define which organizations, repositories, and refs this ruleset applies to
+  conditions {
+    # Target all organizations in the enterprise
+    organization_name {
+      include = ["~ALL"]
+      exclude = []
+    }
+
+    # Target all repositories
+    repository_name {
+      include = ["~ALL"]
+      exclude = ["test-*"] # Exclude test repositories
+    }
+
+    # Target all branches (required for branch target)
+    ref_name {
+      include = ["~DEFAULT_BRANCH", "main", "master", "release/*"]
+      exclude = ["experimental/*"]
+    }
+  }
+
+  # Rules that apply to matching branches
+  rules {
+    # Prevent branch creation without bypass permission
+    creation = true
+
+    # Prevent branch updates without bypass permission
+    update = false
+
+    # Prevent branch deletion without bypass permission
+    deletion = true
+
+    # Require linear history (no merge commits)
+    required_linear_history = true
+
+    # Require signed commits
+    required_signatures = true
+
+    # Prevent force pushes
+    non_fast_forward = true
+
+    # Pull request requirements
+    pull_request {
+      dismiss_stale_reviews_on_push     = true
+      require_code_owner_review         = true
+      require_last_push_approval        = true
+      required_approving_review_count   = 2
+      required_review_thread_resolution = true
+      allowed_merge_methods             = ["squash", "merge"]
+    }
+
+    # Status check requirements
+    required_status_checks {
+      strict_required_status_checks_policy = true
+      do_not_enforce_on_create             = false
+
+      required_check {
+        context        = "ci/build"
+        integration_id = 0
+      }
+
+      required_check {
+        context        = "ci/test"
+        integration_id = 0
+      }
+    }
+
+    # Commit message pattern requirements
+    commit_message_pattern {
+      name     = "Conventional Commits"
+      operator = "regex"
+      pattern  = "^(feat|fix|docs|style|refactor|test|chore)(\\(.+\\))?: .{1,50}"
+      negate   = false
+    }
+
+    # Commit author email pattern
+    commit_author_email_pattern {
+      name     = "Corporate Email Only"
+      operator = "regex"
+      pattern  = "@your-company\\.com$"
+      negate   = false
+    }
+
+    # Committer email pattern
+    committer_email_pattern {
+      name     = "Corporate Email Only"
+      operator = "regex"
+      pattern  = "@your-company\\.com$"
+      negate   = false
+    }
+
+    # Branch name pattern (only for branch target)
+    branch_name_pattern {
+      name     = "Valid Branch Names"
+      operator = "regex"
+      pattern  = "^(main|master|develop|feature/|bugfix/|hotfix/|release/)"
+      negate   = false
+    }
+
+    # Code scanning requirements
+    required_code_scanning {
+      required_code_scanning_tool {
+        tool                       = "CodeQL"
+        alerts_threshold           = "errors"
+        security_alerts_threshold  = "high_or_higher"
+      }
+    }
+
+    # Copilot code review (if enabled)
+    copilot_code_review {
+      review_on_push           = true
+      review_draft_pull_requests = false
+    }
+  }
+}

examples/enterprise_rulesets/main.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+}

examples/enterprise_rulesets/push_rulesets.tf

@@ -0,0 +1,154 @@
+# Example: Push target ruleset for file and content restrictions
+# This ruleset applies to all pushes across the enterprise
+
+resource "github_enterprise_ruleset" "push_restrictions" {
+  enterprise_slug = "your-enterprise"
+  name            = "push-restrictions-ruleset"
+  target          = "push"
+  enforcement     = "active"
+
+  # Allow deploy keys and organization admins to bypass
+  bypass_actors {
+    actor_type  = "DeployKey"
+    bypass_mode = "always"
+  }
+
+  bypass_actors {
+    actor_id    = 1
+    actor_type  = "OrganizationAdmin"
+    bypass_mode = "always"
+  }
+
+  # Conditions define which organizations and repositories this ruleset applies to
+  # Note: ref_name is NOT used for push target
+  conditions {
+    # Target all organizations
+    organization_name {
+      include = ["~ALL"]
+      exclude = []
+    }
+
+    # Target all repositories
+    repository_name {
+      include = ["~ALL"]
+      exclude = ["sandbox-*"]
+    }
+  }
+
+  # Rules that apply to all pushes
+  rules {
+    # Restrict specific file paths from being pushed
+    file_path_restriction {
+      restricted_file_paths = [
+        "secrets.txt",
+        "*.key",
+        "*.pem",
+        ".env",
+        "credentials/*"
+      ]
+    }
+
+    # Limit maximum file size to prevent large files
+    max_file_size {
+      max_file_size = 100 # Max 100 MB
+    }
+
+    # Limit maximum file path length
+    max_file_path_length {
+      max_file_path_length = 255
+    }
+
+    # Restrict specific file extensions
+    file_extension_restriction {
+      restricted_file_extensions = [
+        "*.exe",
+        "*.dll",
+        "*.so",
+        "*.dylib",
+        "*.zip",
+        "*.tar.gz"
+      ]
+    }
+
+    # Commit message pattern
+    commit_message_pattern {
+      name     = "Valid Commit Message"
+      operator = "regex"
+      pattern  = "^(feat|fix|docs|style|refactor|test|chore)(\\(.+\\))?: .+"
+      negate   = false
+    }
+
+    # Commit author email pattern
+    commit_author_email_pattern {
+      name     = "Corporate Email"
+      operator = "ends_with"
+      pattern  = "@your-company.com"
+      negate   = false
+    }
+
+    # Committer email pattern
+    committer_email_pattern {
+      name     = "Corporate Email"
+      operator = "ends_with"
+      pattern  = "@your-company.com"
+      negate   = false
+    }
+  }
+}
+
+# Example: Security-focused push ruleset
+resource "github_enterprise_ruleset" "security_push_restrictions" {
+  enterprise_slug = "your-enterprise"
+  name            = "security-push-restrictions"
+  target          = "push"
+  enforcement     = "active"
+
+  conditions {
+    organization_name {
+      include = ["~ALL"]
+      exclude = []
+    }
+
+    repository_name {
+      include = ["*-prod", "*-production"]
+      exclude = []
+    }
+  }
+
+  rules {
+    # Block common secret file patterns
+    file_path_restriction {
+      restricted_file_paths = [
+        "*.pem",
+        "*.key",
+        "*.cert",
+        "*.p12",
+        "*.pfx",
+        ".env",
+        ".env.*",
+        "secrets.yml",
+        "credentials.json"
+      ]
+    }
+
+    # Strict file size limits for production
+    max_file_size {
+      max_file_size = 50 # Max 50 MB
+    }
+
+    # Block executable and archive files
+    file_extension_restriction {
+      restricted_file_extensions = [
+        "*.exe",
+        "*.dll",
+        "*.so",
+        "*.dylib",
+        "*.bin",
+        "*.dmg"
+      ]
+    }
+
+    # Require signed commits
+    required_signatures = true
+  }
+}