From 3476dc9c76d40bf63d54e4c0f447d552935798bf Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Mon, 3 Feb 2025 13:05:25 +1000
Subject: [PATCH] terraform: add infra repo and ruleset
---
terraform/github-repo-infra.tf | 75 ++++++++++++++++++++++++++++++++
terraform/shell.nix | 1 +
terraform/terraform_providers.tf | 8 ++++
3 files changed, 84 insertions(+)
create mode 100644 terraform/github-repo-infra.tf
diff --git a/terraform/github-repo-infra.tf b/terraform/github-repo-infra.tf
new file mode 100644
index 0000000..53626bb
--- /dev/null
+++ b/terraform/github-repo-infra.tf
@@ -0,0 +1,75 @@
+resource "github_repository" "infra" {
+ name = "infra"
+ description = "nix-community infrastructure [maintainer=@zowoq]"
+ homepage_url = "https://nix-community.org"
+
+ topics = [
+ "nix-community-buildbot",
+ "nix-darwin",
+ "nixos",
+ "terraform",
+ ]
+
+ allow_auto_merge = true
+ allow_merge_commit = false
+ allow_rebase_merge = true
+ allow_squash_merge = false
+ delete_branch_on_merge = true
+ has_discussions = true
+ has_issues = true
+ vulnerability_alerts = true
+
+ pages {
+ build_type = "workflow"
+ cname = "nix-community.org"
+
+ source {
+ branch = "master"
+ path = "/"
+ }
+ }
+}
+
+resource "github_repository_ruleset" "infra" {
+ name = "default branch"
+ repository = github_repository.infra.name
+ target = "branch"
+ enforcement = "active"
+
+ conditions {
+ ref_name {
+ include = ["~DEFAULT_BRANCH"]
+ exclude = []
+ }
+ }
+
+ rules {
+ deletion = true
+ non_fast_forward = true
+
+ merge_queue {
+ check_response_timeout_minutes = 60
+ grouping_strategy = "ALLGREEN"
+ max_entries_to_build = 1
+ max_entries_to_merge = 1
+ merge_method = "REBASE"
+ min_entries_to_merge = 1
+ min_entries_to_merge_wait_minutes = 5
+ }
+
+ pull_request {
+ dismiss_stale_reviews_on_push = false
+ require_code_owner_review = false
+ require_last_push_approval = false
+ required_approving_review_count = 0
+ required_review_thread_resolution = false
+ }
+
+ required_status_checks {
+ required_check {
+ context = "buildbot/nix-build"
+ }
+ }
+ }
+}
diff --git a/terraform/shell.nix b/terraform/shell.nix
index af75dfe..8c76393 100644
--- a/terraform/shell.nix
+++ b/terraform/shell.nix
@@ -7,6 +7,7 @@
 packages = [
 (terraform.withPlugins (p: [
 p.cloudflare
+ p.github
 p.hydra
 p.sops
 p.tfe
diff --git a/terraform/terraform_providers.tf b/terraform/terraform_providers.tf
index 30cf557..9e32ff3 100644
--- a/terraform/terraform_providers.tf
+++ b/terraform/terraform_providers.tf
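Review bot: The `required_check { context = "buildbot/nix-build" }` entry in the ruleset sets no `integration_id`, so the rule is satisfied by a passing status under that context name from any source, and with `required_approving_review_count = 0`, no `bypass_actors`, and no other rule in the block, that single check is the only gate between a write-access pull request and the default branch. Pinning the check to the app that actually reports it, `integration_id = <id of the buildbot GitHub App>` inside `required_check`, closes the case where another integration or a token holder posts a green status with the same context; whether buildbot reports through a GitHub App or a plain token is not visible here, so confirm that before adding it. The zero-approval choice looks deliberate for a small maintainer team, but a later reader will question it, so a comment such as `# No review requirement by design: the default branch is gated only by buildbot/nix-build through the merge queue.` above `pull_request {` would record the intent. `strict_required_status_checks_policy` is also left at its default; with `merge_method = "REBASE"` in `merge_queue` that is presumably acceptable because the queue re-validates the rebased head, but it is worth a note if that is what is being relied on.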
@@ -3,6 +3,9 @@ terraform {
 cloudflare = {
 source = "cloudflare/cloudflare"
 }
+ github = {
+ source = "integrations/github"
+ }
 hydra = {
 source = "DeterminateSystems/hydra"
 }
@@ -23,6 +26,11 @@ provider "cloudflare" {
 api_token = data.sops_file.nix-community.data["CLOUDFLARE_API_TOKEN"]
 }
+provider "github" {
+ # admin provides their own token
+ owner = "nix-community"
+}
+
 provider "hydra" {
 host = "https://hydra.nix-community.org"
 password = data.sops_file.nix-community.data["HYDRA_PASSWORD"]
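Review bot: The new `github = { source = "integrations/github" }` entry carries no `version` constraint, which matches the existing `cloudflare` and `hydra` entries but leaves the file silent on why. From the `shell.nix` hunk in this patch the provider binaries appear to come from `terraform.withPlugins` in nixpkgs, so the effective pin is the nixpkgs input rather than this block; a one-line comment at the top of `required_providers`, `# provider versions are pinned through nixpkgs (see shell.nix), so no constraints here`, would stop someone from "fixing" it with a loose `~>` range that nixpkgs cannot satisfy. The enclosing `terraform {` block starts before this hunk.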
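Review bot: The comment `# admin provides their own token` on `provider "github"` leaves the next operator guessing how the token reaches the provider and what it must be allowed to do, which matters here because the neighbouring `cloudflare` and `hydra` providers read their credentials from `data.sops_file.nix-community` and a reader will assume the github one was simply forgotten. Expanding it to something like `# Deliberately not in sops: each admin supplies a personal token through the provider's GITHUB_TOKEN env var (never commit one here); it needs admin rights on the nix-community repos to manage rulesets` would state both the intent and the required scope. The env var name is the provider's documented default rather than something this hunk shows, so check it against the provider version nixpkgs ships. It is also worth a sentence in the same comment that this is a full user credential, not a scoped deploy key, so admins should prefer a fine-grained token limited to the `nix-community` org with only the repository administration permission.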