feat: Support rule type code_scanning (#2436)

* feat: support rule type code_scanning for github_organization_ruleset and github_repository_ruleset * feat: docs * feat: docs * chore: remove tag protection endpoint --------- Co-authored-by: Keegan Campbell <[email protected]>
integrations · Nov 21, 2024 · c644bee · c644bee
1 parent 5214d17
commit c644bee
Show file tree

Hide file tree

Showing 6 changed files with 136 additions and 2 deletions.
diff --git a/github/resource_github_organization_ruleset.go b/github/resource_github_organization_ruleset.go
@@ -457,6 +457,41 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 								},
 							},
 						},
+						"required_code_scanning": {
+							Type:        schema.TypeList,
+							MaxItems:    1,
+							Optional:    true,
+							Description: "Choose which tools must provide code scanning results before the reference is updated. When configured, code scanning must be enabled and have results for both the commit and the reference being updated.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"required_code_scanning_tool": {
+										Type:        schema.TypeSet,
+										MinItems:    1,
+										Required:    true,
+										Description: "Tools that must provide code scanning results for this rule to pass.",
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"alerts_threshold": {
+													Type:        schema.TypeString,
+													Required:    true,
+													Description: "The severity level at which code scanning results that raise alerts block a reference update. Can be one of: `none`, `errors`, `errors_and_warnings`, `all`.",
+												},
+												"security_alerts_threshold": {
+													Type:        schema.TypeString,
+													Required:    true,
+													Description: "The severity level at which code scanning results that raise security alerts block a reference update. Can be one of: `none`, `critical`, `high_or_higher`, `medium_or_higher`, `all`.",
+												},
+												"tool": {
+													Type:        schema.TypeString,
+													Required:    true,
+													Description: "The name of a code scanning tool.",
+												},
+											},
+										},
+									},
+								},
+							},
+						},
 					},
 				},
 			},

diff --git a/github/resource_github_organization_ruleset_test.go b/github/resource_github_organization_ruleset_test.go
@@ -69,6 +69,14 @@ func TestGithubOrganizationRulesets(t *testing.T) {
 						}
 					}
 
+					required_code_scanning {
+					  required_code_scanning_tool {
+						alerts_threshold = "errors"
+						security_alerts_threshold = "high_or_higher"
+						tool = "CodeQL"
+					  }
+					}
+
 					branch_name_pattern {
 						name     = "test"
 						negate   = false

diff --git a/github/resource_github_repository_ruleset.go b/github/resource_github_repository_ruleset.go
@@ -409,6 +409,41 @@ func resourceGithubRepositoryRuleset() *schema.Resource {
 								},
 							},
 						},
+						"required_code_scanning": {
+							Type:        schema.TypeList,
+							MaxItems:    1,
+							Optional:    true,
+							Description: "Choose which tools must provide code scanning results before the reference is updated. When configured, code scanning must be enabled and have results for both the commit and the reference being updated.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"required_code_scanning_tool": {
+										Type:        schema.TypeSet,
+										MinItems:    1,
+										Required:    true,
+										Description: "Tools that must provide code scanning results for this rule to pass.",
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"alerts_threshold": {
+													Type:        schema.TypeString,
+													Required:    true,
+													Description: "The severity level at which code scanning results that raise alerts block a reference update. Can be one of: `none`, `errors`, `errors_and_warnings`, `all`.",
+												},
+												"security_alerts_threshold": {
+													Type:        schema.TypeString,
+													Required:    true,
+													Description: "The severity level at which code scanning results that raise security alerts block a reference update. Can be one of: `none`, `critical`, `high_or_higher`, `medium_or_higher`, `all`.",
+												},
+												"tool": {
+													Type:        schema.TypeString,
+													Required:    true,
+													Description: "The name of a code scanning tool",
+												},
+											},
+										},
+									},
+								},
+							},
+						},
 					},
 				},
 			},

diff --git a/github/respository_rules_utils.go b/github/respository_rules_utils.go
@@ -362,6 +362,38 @@ func expandRules(input []interface{}, org bool) []*github.RepositoryRule {
 		rulesSlice = append(rulesSlice, github.NewRequiredWorkflowsRule(params))
 	}
 
+	// Required code scanning to pass before merging rule
+	if v, ok := rulesMap["required_code_scanning"].([]interface{}); ok && len(v) != 0 {
+		requiredCodeScanningMap := v[0].(map[string]interface{})
+		requiredCodeScanningTools := make([]*github.RuleRequiredCodeScanningTool, 0)
+
+		if requiredCodeScanningInput, ok := requiredCodeScanningMap["required_code_scanning_tool"]; ok {
+
+			requiredCodeScanningSet := requiredCodeScanningInput.(*schema.Set)
+			for _, codeScanningMap := range requiredCodeScanningSet.List() {
+				codeScanningTool := codeScanningMap.(map[string]interface{})
+
+				// Get all parameters
+				alertsThreshold := github.String(codeScanningTool["alerts_threshold"].(string))
+				securityAlertsThreshold := github.String(codeScanningTool["security_alerts_threshold"].(string))
+				tool := github.String(codeScanningTool["tool"].(string))
+
+				params := &github.RuleRequiredCodeScanningTool{
+					AlertsThreshold:         *alertsThreshold,
+					SecurityAlertsThreshold: *securityAlertsThreshold,
+					Tool:                    *tool,
+				}
+
+				requiredCodeScanningTools = append(requiredCodeScanningTools, params)
+			}
+		}
+
+		params := &github.RequiredCodeScanningRuleParameters{
+			RequiredCodeScanningTools: requiredCodeScanningTools,
+		}
+		rulesSlice = append(rulesSlice, github.NewRequiredCodeScanningRule(params))
+	}
+
 	return rulesSlice
 }
 

diff --git a/website/docs/r/organization_ruleset.html.markdown b/website/docs/r/organization_ruleset.html.markdown
@@ -91,6 +91,8 @@ The `rules` block supports the following:
 
 * `required_workflows` - (Optional) (Block List, Max: 1) Define which Actions workflows must pass before changes can be merged into a branch matching the rule. Multiple workflows can be specified. (see [below for nested schema](#rules.required_workflows))
 
+* `required_code_scanning` - (Optional) (Block List, Max: 1) Define which tools must provide code scanning results before the reference is updated. When configured, code scanning must be enabled and have results for both the commit and the reference being updated. Multiple code scanning tools can be specified. (see [below for nested schema](#rules.required_code_scanning))
+
 * `tag_name_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the tag_name_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. Conflicts with `branch_name_pattern` as it only applies to rulesets with target `tag`. (see [below for nested schema](#rules.tag_name_pattern))
 
 * `update` - (Optional) (Boolean) Only allow users with bypass permission to update matching refs.
@@ -171,6 +173,18 @@ The `rules` block supports the following:
 
 * `ref` - (Optional) (String) The optional ref from which to fetch the workflow. Defaults to `master`.
 
+#### rules.required_code_scanning ####
+
+* `required_code_scanning_tool` - (Required) (Block Set, Min: 1) Actions code scanning tools that are required. Multiple can be defined. (see [below for nested schema](#rules.required_workflows.required_code_scanning_tool))
+
+#### rules.required_code_scanning.required_code_scanning_tool ####
+
+* `alerts_threshold` - (Required) (String) The severity level at which code scanning results that raise alerts block a reference update. Can be one of: `none`, `errors`, `errors_and_warnings`, `all`.
+
+* `security_alerts_threshold` - (Required) (String) The severity level at which code scanning results that raise security alerts block a reference update. Can be one of: `none`, `critical`, `high_or_higher`, `medium_or_higher`, `all`.
+
+* `tool` - (Required) (String) The name of a code scanning tool.
+
 #### rules.tag_name_pattern ####
 
 * `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`.

diff --git a/website/docs/r/repository_ruleset.html.markdown b/website/docs/r/repository_ruleset.html.markdown
@@ -101,6 +101,8 @@ The `rules` block supports the following:
 
 * `tag_name_pattern` - (Optional) (Block List, Max: 1) Parameters to be used for the tag_name_pattern rule. This rule only applies to repositories within an enterprise, it cannot be applied to repositories owned by individuals or regular organizations. Conflicts with `branch_name_pattern` as it only applied to rulesets with target `tag`. (see [below for nested schema](#rules.tag_name_pattern))
 
+* `required_code_scanning` - (Optional) (Block List, Max: 1) Define which tools must provide code scanning results before the reference is updated. When configured, code scanning must be enabled and have results for both the commit and the reference being updated. Multiple code scanning tools can be specified. (see [below for nested schema](#rules.required_code_scanning))
+
 * `update` - (Optional) (Boolean) Only allow users with bypass permission to update matching refs.
 
 * `update_allows_fetch_and_merge` - (Optional) (Boolean) Branch can pull changes from its upstream repository. This is only applicable to forked repositories. Requires `update` to be set to `true`. Note: behaviour is affected by a known bug on the GitHub side which may cause issues when using this parameter.
@@ -179,8 +181,6 @@ The `rules` block supports the following:
 
 * `integration_id` - (Optional) (Number) The optional integration ID that this status check must originate from.
 
-
-
 #### rules.tag_name_pattern ####
 
 * `operator` - (Required) (String) The operator to use for matching. Can be one of: `starts_with`, `ends_with`, `contains`, `regex`.
@@ -191,7 +191,17 @@ The `rules` block supports the following:
 
 * `negate` - (Optional) (Boolean) If true, the rule will fail if the pattern matches.
 
+#### rules.required_code_scanning ####
+
+* `required_code_scanning_tool` - (Required) (Block Set, Min: 1) Actions code scanning tools that are required. Multiple can be defined. (see [below for nested schema](#rules.required_workflows.required_code_scanning_tool))
+
+#### rules.required_code_scanning.required_code_scanning_tool ####
+
+* `alerts_threshold` - (Required) (String) The severity level at which code scanning results that raise alerts block a reference update. Can be one of: `none`, `errors`, `errors_and_warnings`, `all`.
+
+* `security_alerts_threshold` - (Required) (String) The severity level at which code scanning results that raise security alerts block a reference update. Can be one of: `none`, `critical`, `high_or_higher`, `medium_or_higher`, `all`.
 
+* `tool` - (Required) (String) The name of a code scanning tool.
 
 #### bypass_actors ####