From 620085520a351e5940ef61411f101eb5c3e28f14 Mon Sep 17 00:00:00 2001
From: Wiktoria Van Harneveldt
Date: Fri, 19 Jun 2026 15:27:28 +0200
Subject: [PATCH] ci(terraform): add repository rules as code

Manage GitHub repo settings and main branch protection via terraform-module-github-repository, matching webdev-bot.

Co-authored-by: Cursor
---
 .github/CODEOWNERS | 1 +
 .github/workflows/terraform-repository.yml | 37 +++++++++
 terraform/repository/.terraform.lock.hcl | 24 ++++++
 terraform/repository/main.tf | 91 ++++++++++++++++++++++
 terraform/repository/versions.tf | 16 ++++
 5 files changed, 169 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/workflows/terraform-repository.yml
 create mode 100644 terraform/repository/.terraform.lock.hcl
 create mode 100644 terraform/repository/main.tf
 create mode 100644 terraform/repository/versions.tf

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..d9e59b6
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+/terraform/repository/ @wiktoriavh
diff --git a/.github/workflows/terraform-repository.yml b/.github/workflows/terraform-repository.yml
new file mode 100644
index 0000000..aa1c1a2
--- /dev/null
+++ b/.github/workflows/terraform-repository.yml
@@ -0,0 +1,37 @@
+name: Terraform Repository
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - terraform/repository/**
+
+concurrency:
+  group: terraform-repository-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: terraform/repository
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.5.0
+
+      - name: Terraform Init
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: terraform init
+
+      - name: Terraform Apply
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: terraform apply -auto-approve
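Review bot: Both `Terraform Init` and `Terraform Apply` authenticate with the job's default `GITHUB_TOKEN`, which to my knowledge carries no repository `administration` permission and no organization rights, while `main.tf` manages repository settings, branch protection and org team permissions — so the first apply should fail with 403s rather than enforce anything. Use a GitHub App installation token or a fine-grained PAT stored as its own secret (repository `administration: write`, organization `members: read`) and add a `permissions:` block so the default token is reduced to `contents: read`. Because `terraform apply -auto-approve` runs straight on push to `main` with no plan anywhere, a merge touching this path rewrites branch protection with no change set for reviewers to see; a `pull_request` job that only runs `terraform plan -input=false` would surface it before merge. For a workflow that holds an admin-capable credential, `actions/checkout@v4` and `hashicorp/setup-terraform@v3` are also better pinned to commit SHAs than to floating major tags.
```yaml
permissions:
  contents: read

# … unchanged: name, on, concurrency, job header, checkout and setup-terraform steps …

      - name: Terraform Init
        env:
          GITHUB_TOKEN: ${{ secrets.REPO_ADMIN_TOKEN }}
        run: terraform init -input=false

      - name: Terraform Apply
        env:
          GITHUB_TOKEN: ${{ secrets.REPO_ADMIN_TOKEN }}
        run: terraform apply -auto-approve -input=false
```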
diff --git a/terraform/repository/.terraform.lock.hcl b/terraform/repository/.terraform.lock.hcl
new file mode 100644
index 0000000..f566b45
--- /dev/null
+++ b/terraform/repository/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/integrations/github" {
+  version = "6.12.1"
+  constraints = "~> 6.0"
+  hashes = [
+    "h1:bGz4LIep/7PVrqy6P8cTYbAJpdxXGrupUJjkCczlzIs=",
+    "zh:3e1a4081ecb9518fdf0074db83c16ad00dc81ffe8249a6e3cf1894e947e28df6",
+    "zh:4cb8224b7f530795b674ac044675f6b22a7c9154f55eb9f76c5af6c7534056a4",
+    "zh:560bc08637926191f6871a89e986022ca67c70afda5bebca34b5216e6fac69c9",
+    "zh:5a70b5d2ac650c5c9819a1875411ebda229d0fcc6c9f57f9d751852ca3cd77ac",
+    "zh:8668d93bd4dc2ffa2545e1473af600a925d479b16033a71a4498a16f3b683c0c",
+    "zh:86eacc6059fd057948e178b665ba5cce74bd5488a9e1035734e60ff5ef1b6f8f",
+    "zh:a329fac98881d8dfc211a9bdc0ec6f2948f0b0c2704d1b6cbe5307403c7ad1b2",
+    "zh:dadd44abab3c52b9d572955afaef1658790e17ea355ee22b58996d81d28e02d8",
+    "zh:de9f455ef342cc38fb76bce844bfcd376fb81a4b9f9bc2fae023ff99efdf1338",
+    "zh:f8c6d2e8351b334491790358574e0a30a7c6d7f5b80f7daf32a7c0f3e9b1ab19",
+    "zh:fab41971a3edee04ab6eceaeab4eeb9a2b2f38a2af3b06eda93e2117b64994be",
+    "zh:fb1279b566dd9c8c117b2e4e0cc8344413b8fc8f2a3e24be22a9b2610551777b",
+    "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25",
+    "zh:fe79d2a861fb9af420fa5bd7f02c031b2a0a3edf5dbc46022c8ecc7a33cf2b6d",
+  ]
+}
diff --git a/terraform/repository/main.tf b/terraform/repository/main.tf
new file mode 100644
index 0000000..136d2d8
--- /dev/null
+++ b/terraform/repository/main.tf
@@ -0,0 +1,91 @@
+module "repository" {
+  source = "git::https://github.com/r-webdev/terraform-module-github-repository.git//modules/service?ref=v1.0.0"
+
+  # Repository name on GitHub (must match the remote, e.g. r-webdev/website).
+  name = "webring-webdev-webdesign"
+
+  # Short summary shown on the repo homepage and in search results.
+  description = "Webring of professional web developers and web designers."
+
+  # Who can see the repo: public, private, or internal (org members only).
+  # Public is required on GitHub Free for branch protection rules to apply.
+  visibility = "public"
+
+  # Tags used for discovery and filtering on GitHub.
+  topics = ["webring", "astro"]
+
+  # Default branch for new PRs and clones; must already exist on GitHub before protection rules apply.
+  default_branch = "main"
+
+  # --- Merge settings ---
+
+  # Disallow standard merge commits (only squash merges allowed).
+  allow_merge_commit = false
+
+  # Allow squash merges — combines all commits into one on merge.
+  allow_squash_merge = true
+
+  # Disallow rebase merges onto the base branch.
+  allow_rebase_merge = false
+
+  # Use the PR title as the squash commit subject line.
+  squash_merge_commit_title = "PR_TITLE"
+
+  # Include individual commit messages in the squash commit body.
+  squash_merge_commit_message = "COMMIT_MESSAGES"
+
+  # Remove the feature branch from GitHub after the PR is merged.
+  delete_branch_on_merge = true
+
+  # Do not allow merging automatically once checks and reviews pass (manual merge required).
+  allow_auto_merge = false
+
+  # --- Repository features ---
+
+  # Enable GitHub Issues for bugs and feature requests.
+  has_issues = true
+
+  # Disable GitHub Projects (Kanban-style boards tied to the repo).
+  has_projects = false
+
+  # Disable the repo wiki.
+  has_wiki = false
+
+  # Disable GitHub Discussions.
+  has_discussions = false
+
+  # Send Dependabot security alerts for vulnerable dependencies (relevant for private repos).
+  vulnerability_alerts = true
+
+  # If Terraform destroys this resource, archive the repo instead of deleting it permanently.
+  archive_on_destroy = true
+
+  # --- Access control ---
+
+  # Map of org team slug → permission level (pull, triage, push, maintain, admin).
+  team_permissions = {
+    # Full admin access: settings, branch protection, team management.
+    admins = "admin"
+    # Write access: push to branches and open/merge PRs (subject to branch protection).
+    moderators = "push"
+  }
+
+  # --- Branch protection (main) ---
+
+  branch_protection = {
+    main = {
+      # Require all conversations on a PR to be resolved before merge.
+      required_conversation_resolution = true
+
+      # Pull request review requirements before merge.
+      required_pull_request_reviews = {
+        # New commits dismiss previous approvals so reviewers re-check changes.
+        dismiss_stale_reviews = true
+        # Require approval from CODEOWNERS when changed files match .github/CODEOWNERS.
+        require_code_owner_reviews = true
+        # At least one approving review from someone other than the author.
+        required_approving_review_count = 1
+      }
+    }
+  }
+}
diff --git a/terraform/repository/versions.tf b/terraform/repository/versions.tf
new file mode 100644
index 0000000..ab56268
--- /dev/null
+++ b/terraform/repository/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+  # Minimum Terraform version required by the GitHub repository module.
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    github = {
+      source = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+}
+
+provider "github" {
+  # GitHub organization that owns this repository.
+  owner = "r-webdev"
+}
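Review bot: The `branch_protection.main` block at the end of the hunk constrains reviews but not the branch itself: nothing sets `enforce_admins`, no `required_status_checks` are declared, and force pushes and branch deletion are not explicitly disallowed, so unless the module defaults these (not visible here) an org admin or the `admins` team can push to `main` directly and a one-approval PR can merge on a red build. I would add, under whichever keys the module maps to the provider's attributes, `enforce_admins = true`, `allows_force_pushes = false`, `allows_deletions = false` and a `required_status_checks = { strict = true, contexts = ["<site build check>"] }` naming the existing CI job. Separately, `require_code_owner_reviews = true` together with the one-line CODEOWNERS in this commit makes `@wiktoriavh` the only owner of `terraform/repository/`; as far as I know an author's own approval does not count, so their changes to this directory cannot satisfy the code-owner requirement — name a second owner or a team. The comment on `vulnerability_alerts` says `(relevant for private repos)`, but this repo is public and Dependabot alerts are on by default there; `# Keep Dependabot alerts on; GitHub enables them by default for public repos, this pins it if visibility changes.` says what the setting actually buys.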
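Review bot: The `terraform {}` block declares no `backend`, so state is written to the runner's working directory and discarded when the job finishes; on the next push Terraform will plan to create `webring-webdev-webdesign`, its team permissions and branch protection again (unless the module reads existing resources, which is not visible here), and the repository creation will most likely be rejected as a duplicate. Add a remote backend — e.g. `cloud { organization = "<hcp-org>" workspaces { name = "repository" } }` or an `http`/`s3` backend with state locking — and, since the pinned Terraform is 1.5.0, `import` blocks for the module's repository and branch-protection resources so the first apply adopts them instead of recreating them. `provider "github"` sets only `owner`, so authentication comes from the environment; a comment such as `# Token is read from the GITHUB_TOKEN env var set by the workflow; never put it here.` makes that explicit.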