From 19bb1af0d12ac62dd4bc5d8d73e79b47a0cd4336 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 23 Jan 2024 11:43:39 +1300 Subject: [PATCH] add github_branch_protection for next-* (#31) --- terraform/github/repository.tf | 27 ++++++++++--------- terraform/github/terraform.tfvars | 7 ++--- terraform/github/variables.tf | 19 ++++++------- terraform/modules/github_repository/branch.tf | 24 +++++++++++++++++ .../modules/github_repository/variables.tf | 6 +++++ 5 files changed, 58 insertions(+), 25 deletions(-) diff --git a/terraform/github/repository.tf b/terraform/github/repository.tf index 96096cb80..e89adf1ed 100644 --- a/terraform/github/repository.tf +++ b/terraform/github/repository.tf @@ -1,15 +1,16 @@ module "github_repository" { - source = "../modules/github_repository" - for_each = var.repositories - name = each.key - description = each.value.description - topics = each.value.topics - homepage_url = each.value.homepage_url - visibility = each.value.visibility - collaborators = each.value.collaborators - pages = each.value.pages - has_discussions = each.value.has_discussions - is_archived = each.value.is_archived - allow_squash_merge = each.value.allow_squash_merge - allow_rebase_merge = each.value.allow_rebase_merge + source = "../modules/github_repository" + for_each = var.repositories + name = each.key + description = each.value.description + topics = each.value.topics + homepage_url = each.value.homepage_url + visibility = each.value.visibility + collaborators = each.value.collaborators + pages = each.value.pages + has_discussions = each.value.has_discussions + is_archived = each.value.is_archived + allow_squash_merge = each.value.allow_squash_merge + allow_rebase_merge = each.value.allow_rebase_merge + has_release_branches = each.value.has_release_branches } diff --git a/terraform/github/terraform.tfvars b/terraform/github/terraform.tfvars index 178e51c02..a4f6adef5 100755 --- a/terraform/github/terraform.tfvars +++ b/terraform/github/terraform.tfvars 
@@ -68,9 +68,10 @@ repositories = { { username = "remiguittaut", permission = "push" }, { username = "rzeigler", permission = "push" }, ] - pages = { build_type = "workflow" } - homepage_url = "https://www.effect.website" - topics = ["effect-system", "fp", "framework", "stack-safe", "typescript", "zio"] + pages = { build_type = "workflow" } + homepage_url = "https://www.effect.website" + topics = ["effect-system", "fp", "framework", "stack-safe", "typescript", "zio"] + has_release_branches = true } eslint-plugin = { description = "A set of ESlint and TypeScript rules to work with Effect" diff --git a/terraform/github/variables.tf b/terraform/github/variables.tf index 5413effc7..95169014f 100644 --- a/terraform/github/variables.tf +++ b/terraform/github/variables.tf @@ -11,15 +11,16 @@ variable "default_branch" { variable "repositories" { description = "The Effect-TS organization repositories whose configuration should be managed" type = map(object({ - description = optional(string, "") - topics = optional(set(string), []) - homepage_url = optional(string, "") - visibility = optional(string, "public") - is_archived = optional(bool, false) - has_discussions = optional(bool, false) - enable_changesets = optional(bool, true) - allow_squash_merge = optional(bool, true) - allow_rebase_merge = optional(bool, false) + description = optional(string, "") + topics = optional(set(string), []) + homepage_url = optional(string, "") + visibility = optional(string, "public") + is_archived = optional(bool, false) + has_discussions = optional(bool, false) + enable_changesets = optional(bool, true) + allow_squash_merge = optional(bool, true) + allow_rebase_merge = optional(bool, false) + has_release_branches = optional(bool, false) collaborators = optional(list(object({ username = string, permission = string diff --git a/terraform/modules/github_repository/branch.tf b/terraform/modules/github_repository/branch.tf index f1f886cd0..6fe016dea 100644 
--- a/terraform/modules/github_repository/branch.tf +++ b/terraform/modules/github_repository/branch.tf @@ -27,3 +27,27 @@ resource "github_branch_protection" "main" { required_approving_review_count = 0 } } + + +resource "github_branch_protection" "next-release" { + # Branch protection can only be enabled on private repositories if using a + # paid GitHub plan + count = var.visibility == "public" && var.has_release_branches ? 1 : 0 + + repository_id = github_repository.repository.node_id + pattern = "next-*" + enforce_admins = true + required_linear_history = false + allows_deletions = false + allows_force_pushes = true + blocks_creations = false + + required_status_checks { + strict = true + contexts = null + } + + required_pull_request_reviews { + required_approving_review_count = 0 + } +} diff --git a/terraform/modules/github_repository/variables.tf b/terraform/modules/github_repository/variables.tf index d02124783..df2f10bb5 100644 --- a/terraform/modules/github_repository/variables.tf +++ b/terraform/modules/github_repository/variables.tf @@ -132,3 +132,9 @@ variable "delete_branch_on_merge" { description = "Automatically delete head branch after a pull request is merged. Defaults to 'true'." default = true } + +variable "has_release_branches" { + type = bool + description = "Has next-* branches for releases" + default = false +}
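Review bot: `allows_force_pushes = true` in the new `github_branch_protection.next-release` resource lets any account with push access rewrite history on every branch matching `next-*`, and the tfvars hunk shows collaborators granted `permission = "push"`. If these branches feed published releases, rewritten history weakens the audit trail for what was shipped. I would set `allows_force_pushes = false`, and if release tooling genuinely needs to force-push, name only that actor in `force_push_bypassers` rather than opening it to everyone. Separately, `contexts = null` with `required_approving_review_count = 0` means the rule requires a pull request but no named status check and no approval; listing the CI check names in `contexts` would make `strict = true` gate something. The `count` expression also silently creates no rule when `has_release_branches = true` on a non-public repository, which deserves a line in the comment above it, e.g. `# NOTE: non-public repositories get no next-* protection even when has_release_branches is true`.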