Merge branch 'main' into support-workflow-permissions

M0NsTeRRR · web-flow · commit 86f830efeb85 · 2025-03-05T11:20:21.000+01:00
diff --git a/github/apps.go b/github/apps.go
@@ -31,7 +31,7 @@ func GenerateOAuthTokenFromApp(baseURL, appID, appInstallationID, pemData string
 }
 
 func getInstallationAccessToken(baseURL string, jwt string, installationID string) (string, error) {
-	if baseURL != "https://api.github.com/" {
+	if baseURL != "https://api.github.com/" && !GHECDataResidencyMatch.MatchString(baseURL) {
 		baseURL += "api/v3/"
 	}
 
diff --git a/github/config.go b/github/config.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"regexp"
 	"strings"
 	"time"
 
@@ -36,6 +37,10 @@ type Owner struct {
 	IsOrganization bool
 }
 
+// GHECDataResidencyMatch is a regex to match a GitHub Enterprise Cloud data residency URL:
+// https://[hostname].ghe.com instances expect paths that behave similar to GitHub.com, not GitHub Enterprise Server.
+var GHECDataResidencyMatch = regexp.MustCompile(`^https:\/\/[a-zA-Z0-9.\-]*\.ghe\.com$`)
+
 func RateLimitedHTTPClient(client *http.Client, writeDelay time.Duration, readDelay time.Duration, retryDelay time.Duration, parallelRequests bool, retryableErrors map[int]bool, maxRetries int) *http.Client {
 
 	client.Transport = NewEtagTransport(client.Transport)
@@ -80,7 +85,7 @@ func (c *Config) NewGraphQLClient(client *http.Client) (*githubv4.Client, error)
 		return nil, err
 	}
 
-	if uv4.String() != "https://api.github.com/" {
+	if uv4.String() != "https://api.github.com/" && !GHECDataResidencyMatch.MatchString(uv4.String()) {
 		uv4.Path = path.Join(uv4.Path, "api/graphql/")
 	} else {
 		uv4.Path = path.Join(uv4.Path, "graphql")
@@ -96,7 +101,7 @@ func (c *Config) NewRESTClient(client *http.Client) (*github.Client, error) {
 		return nil, err
 	}
 
-	if uv3.String() != "https://api.github.com/" {
+	if uv3.String() != "https://api.github.com/" && !GHECDataResidencyMatch.MatchString(uv3.String()) {
 		uv3.Path = uv3.Path + "api/v3/"
 	}
 
diff --git a/github/config_test.go b/github/config_test.go
@@ -7,6 +7,64 @@ import (
 	"github.com/shurcooL/githubv4"
 )
 
+func TestGHECDataResidencyMatch(t *testing.T) {
+	testCases := []struct {
+		url         string
+		matches     bool
+		description string
+	}{
+		{
+			url:         "https://customer.ghe.com",
+			matches:     true,
+			description: "GHEC data residency URL with customer name",
+		},
+		{
+			url:         "https://customer-name.ghe.com",
+			matches:     true,
+			description: "GHEC data residency URL with hyphenated name",
+		},
+		{
+			url:         "https://api.github.com",
+			matches:     false,
+			description: "GitHub.com API URL",
+		},
+		{
+			url:         "https://github.com",
+			matches:     false,
+			description: "GitHub.com URL",
+		},
+		{
+			url:         "https://example.com",
+			matches:     false,
+			description: "Generic URL",
+		},
+		{
+			url:         "http://customer.ghe.com",
+			matches:     false,
+			description: "Non-HTTPS GHEC URL",
+		},
+		{
+			url:         "https://customer.ghe.com/api/v3",
+			matches:     false,
+			description: "GHEC URL with path",
+		},
+		{
+			url:         "https://ghe.com",
+			matches:     false,
+			description: "GHEC domain without subdomain",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			matches := GHECDataResidencyMatch.MatchString(tc.url)
+			if matches != tc.matches {
+				t.Errorf("URL %q: expected match=%v, got %v", tc.url, tc.matches, matches)
+			}
+		})
+	}
+}
+
 func TestAccConfigMeta(t *testing.T) {
 
 	// FIXME: Skip test runs during travis lint checking
diff --git a/github/resource_github_actions_repository_oidc_subject_claim_customization_template.go b/github/resource_github_actions_repository_oidc_subject_claim_customization_template.go
@@ -95,7 +95,7 @@ func resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateRead(d
 	template, _, err := client.Actions.GetRepoOIDCSubjectClaimCustomTemplate(ctx, owner, repository)
 
 	if err != nil {
-		return err
+		return deleteResourceOn404AndSwallow304OtherwiseReturnError(err, d, "actions repository oidc subject claim customization template (%s, %s)", owner, repository)
 	}
 
 	if err = d.Set("repository", repository); err != nil {
diff --git a/github/resource_github_repository_ruleset.go b/github/resource_github_repository_ruleset.go
@@ -258,6 +258,65 @@ func resourceGithubRepositoryRuleset() *schema.Resource {
 								},
 							},
 						},
+						"merge_queue": {
+							Type:        schema.TypeList,
+							MaxItems:    1,
+							Optional:    true,
+							Description: "Merges must be performed via a merge queue.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"check_response_timeout_minutes": {
+										Type:             schema.TypeInt,
+										Optional:         true,
+										Default:          60,
+										ValidateDiagFunc: toDiagFunc(validation.IntBetween(0, 360), "check_response_timeout_minutes"),
+										Description:      "Maximum time for a required status check to report a conclusion. After this much time has elapsed, checks that have not reported a conclusion will be assumed to have failed. Defaults to `60`.",
+									},
+									"grouping_strategy": {
+										Type:             schema.TypeString,
+										Optional:         true,
+										Default:          "ALLGREEN",
+										ValidateDiagFunc: toDiagFunc(validation.StringInSlice([]string{"ALLGREEN", "HEADGREEN"}, false), "grouping_strategy"),
+										Description:      "When set to ALLGREEN, the merge commit created by merge queue for each PR in the group must pass all required checks to merge. When set to HEADGREEN, only the commit at the head of the merge group, i.e. the commit containing changes from all of the PRs in the group, must pass its required checks to merge. Can be one of: ALLGREEN, HEADGREEN. Defaults to `ALLGREEN`.",
+									},
+									"max_entries_to_build": {
+										Type:             schema.TypeInt,
+										Optional:         true,
+										Default:          5,
+										ValidateDiagFunc: toDiagFunc(validation.IntBetween(0, 100), "max_entries_to_merge"),
+										Description:      "Limit the number of queued pull requests requesting checks and workflow runs at the same time. Defaults to `5`.",
+									},
+									"max_entries_to_merge": {
+										Type:             schema.TypeInt,
+										Optional:         true,
+										Default:          5,
+										ValidateDiagFunc: toDiagFunc(validation.IntBetween(0, 100), "max_entries_to_merge"),
+										Description:      "The maximum number of PRs that will be merged together in a group. Defaults to `5`.",
+									},
+									"merge_method": {
+										Type:             schema.TypeString,
+										Optional:         true,
+										Default:          "MERGE",
+										ValidateDiagFunc: toDiagFunc(validation.StringInSlice([]string{"MERGE", "SQUASH", "REBASE"}, false), "merge_method"),
+										Description:      "Method to use when merging changes from queued pull requests. Can be one of: MERGE, SQUASH, REBASE. Defaults to `MERGE`.",
+									},
+									"min_entries_to_merge": {
+										Type:             schema.TypeInt,
+										Optional:         true,
+										Default:          1,
+										ValidateDiagFunc: toDiagFunc(validation.IntBetween(0, 100), "min_entries_to_merge"),
+										Description:      "The minimum number of PRs that will be merged together in a group. Defaults to `1`.",
+									},
+									"min_entries_to_merge_wait_minutes": {
+										Type:             schema.TypeInt,
+										Optional:         true,
+										Default:          5,
+										ValidateDiagFunc: toDiagFunc(validation.IntBetween(0, 360), "min_entries_to_merge_wait_minutes"),
+										Description:      "The time merge queue should wait after the first PR is added to the queue for the minimum group size to be met. After this time has elapsed, the minimum group size will be ignored and a smaller group will be merged. Defaults to `5`.",
+									},
+								},
+							},
+						},
 						"non_fast_forward": {
 							Type:        schema.TypeBool,
 							Optional:    true,
diff --git a/github/resource_github_repository_ruleset_test.go b/github/resource_github_repository_ruleset_test.go
@@ -20,7 +20,8 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 		config := fmt.Sprintf(`
 			resource "github_repository" "test" {
 				name = "tf-acc-test-%s"
-				auto_init = false
+				auto_init = true
+				default_branch = "main"
 			}
 
 			resource "github_repository_environment" "example" {
@@ -36,7 +37,7 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 
 				conditions {
 					ref_name {
-						include = ["~ALL"]
+						include = ["refs/heads/main"]
 						exclude = []
 					}
 				}
@@ -55,6 +56,16 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 
 					required_signatures = false
 
+					merge_queue {
+						check_response_timeout_minutes    = 10
+						grouping_strategy                 = "ALLGREEN"
+						max_entries_to_build              = 5
+						max_entries_to_merge              = 5
+						merge_method                      = "MERGE"
+						min_entries_to_merge              = 1
+						min_entries_to_merge_wait_minutes = 60
+					}
+
 					pull_request {
 						required_approving_review_count   = 2
 						required_review_thread_resolution = true
@@ -270,7 +281,8 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 			resource "github_repository" "test" {
 			  name         = "tf-acc-test-import-%[1]s"
 			  description  = "Terraform acceptance tests %[1]s"
-			  auto_init 	 = false
+			  auto_init    = true
+			  default_branch = "main"
 			}
 
 			resource "github_repository_environment" "example" {
@@ -286,7 +298,7 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 
 				conditions {
 					ref_name {
-						include = ["~ALL"]
+						include = ["refs/heads/main"]
 						exclude = []
 					}
 				}
@@ -313,6 +325,16 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 						require_last_push_approval        = true
 					}
 
+					merge_queue {
+						check_response_timeout_minutes    = 30
+						grouping_strategy                 = "HEADGREEN"
+						max_entries_to_build              = 4
+						max_entries_to_merge              = 4
+						merge_method                      = "SQUASH"
+						min_entries_to_merge              = 2
+						min_entries_to_merge_wait_minutes = 10
+					}
+
 					required_status_checks {
 
 						required_check {
@@ -366,6 +388,80 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 
 	})
 
+	t.Run("Creates repository ruleset with merge queue SQUASH method", func(t *testing.T) {
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name = "tf-acc-test-merge-queue-%s"
+				auto_init = true
+				default_branch = "main"
+			}
+
+			resource "github_repository_ruleset" "test" {
+				name        = "merge-queue-test"
+				repository  = github_repository.test.id
+				target      = "branch"
+				enforcement = "active"
+
+				conditions {
+					ref_name {
+						include = ["refs/heads/main"]
+						exclude = []
+					}
+				}
+
+				rules {
+					merge_queue {
+						check_response_timeout_minutes    = 30
+						grouping_strategy                 = "HEADGREEN"
+						max_entries_to_build              = 4
+						max_entries_to_merge              = 4
+						merge_method                      = "SQUASH"
+						min_entries_to_merge              = 2
+						min_entries_to_merge_wait_minutes = 10
+					}
+				}
+			}
+		`, randomID)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"github_repository_ruleset.test", "name",
+				"merge-queue-test",
+			),
+			resource.TestCheckResourceAttr(
+				"github_repository_ruleset.test", "rules.0.merge_queue.0.merge_method",
+				"SQUASH",
+			),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+				},
+			})
+		}
+
+		t.Run("with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+
+		t.Run("with an individual account", func(t *testing.T) {
+			testCase(t, individual)
+		})
+
+		t.Run("with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+
+	})
+
 }
 
 func importRepositoryRulesetByResourcePaths(repoLogicalName, rulesetLogicalName string) resource.ImportStateIdFunc {
diff --git a/github/respository_rules_utils.go b/github/respository_rules_utils.go
@@ -300,6 +300,22 @@ func expandRules(input []interface{}, org bool) []*github.RepositoryRule {
 		rulesSlice = append(rulesSlice, github.NewPullRequestRule(params))
 	}
 
+	// Merge queue rule
+	if v, ok := rulesMap["merge_queue"].([]interface{}); ok && len(v) != 0 {
+		mergeQueueMap := v[0].(map[string]interface{})
+		params := &github.MergeQueueRuleParameters{
+			CheckResponseTimeoutMinutes:  mergeQueueMap["check_response_timeout_minutes"].(int),
+			GroupingStrategy:             mergeQueueMap["grouping_strategy"].(string),
+			MaxEntriesToBuild:            mergeQueueMap["max_entries_to_build"].(int),
+			MaxEntriesToMerge:            mergeQueueMap["max_entries_to_merge"].(int),
+			MergeMethod:                  mergeQueueMap["merge_method"].(string),
+			MinEntriesToMerge:            mergeQueueMap["min_entries_to_merge"].(int),
+			MinEntriesToMergeWaitMinutes: mergeQueueMap["min_entries_to_merge_wait_minutes"].(int),
+		}
+
+		rulesSlice = append(rulesSlice, github.NewMergeQueueRule(params))
+	}
+
 	// Required status checks rule
 	if v, ok := rulesMap["required_status_checks"].([]interface{}); ok && len(v) != 0 {
 		requiredStatusMap := v[0].(map[string]interface{})
@@ -507,6 +523,25 @@ func flattenRules(rules []*github.RepositoryRule, org bool) []interface{} {
 			rule["strict_required_status_checks_policy"] = params.StrictRequiredStatusChecksPolicy
 			rule["do_not_enforce_on_create"] = params.DoNotEnforceOnCreate
 			rulesMap[v.Type] = []map[string]interface{}{rule}
+
+		case "merge_queue":
+			var params github.MergeQueueRuleParameters
+
+			err := json.Unmarshal(*v.Parameters, &params)
+			if err != nil {
+				log.Printf("[INFO] Unexpected error unmarshalling rule %s with parameters: %v",
+					v.Type, v.Parameters)
+			}
+
+			rule := make(map[string]interface{})
+			rule["check_response_timeout_minutes"] = params.CheckResponseTimeoutMinutes
+			rule["grouping_strategy"] = params.GroupingStrategy
+			rule["max_entries_to_build"] = params.MaxEntriesToBuild
+			rule["max_entries_to_merge"] = params.MaxEntriesToMerge
+			rule["merge_method"] = params.MergeMethod
+			rule["min_entries_to_merge"] = params.MinEntriesToMerge
+			rule["min_entries_to_merge_wait_minutes"] = params.MinEntriesToMergeWaitMinutes
+			rulesMap[v.Type] = []map[string]interface{}{rule}
 		}
 	}
 
diff --git a/website/docs/r/repository_ruleset.html.markdown b/website/docs/r/repository_ruleset.html.markdown

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ func GenerateOAuthTokenFromApp(baseURL, appID, appInstallationID, pemData string`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`func getInstallationAccessToken(baseURL string, jwt string, installationID string) (string, error) {`
`34`		`- if baseURL != "https://api.github.com/" {`
	`34`	`+ if baseURL != "https://api.github.com/" && !GHECDataResidencyMatch.MatchString(baseURL) {`
`35`	`35`	`baseURL += "api/v3/"`
`36`	`36`	`}`
`37`	`37`
Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ func resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplateRead(d`
`95`	`95`	`template, _, err := client.Actions.GetRepoOIDCSubjectClaimCustomTemplate(ctx, owner, repository)`
`96`	`96`
`97`	`97`	`if err != nil {`
`98`		`- return err`
	`98`	`+ return deleteResourceOn404AndSwallow304OtherwiseReturnError(err, d, "actions repository oidc subject claim customization template (%s, %s)", owner, repository)`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`if err = d.Set("repository", repository); err != nil {`