ci(terraform): add repository rules as code

.github/CODEOWNERS

@@ -0,0 +1 @@
+/terraform/repository/ @wiktoriavh

.github/workflows/terraform-repository.yml

@@ -0,0 +1,37 @@
+name: Terraform Repository
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - terraform/repository/**
+
+concurrency:
+  group: terraform-repository-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: terraform/repository
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.5.0
+
+      - name: Terraform Init
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: terraform init
+
+      - name: Terraform Apply
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: terraform apply -auto-approve

terraform/repository/main.tf

@@ -0,0 +1,91 @@
+module "repository" {
+  source = "git::https://github.com/r-webdev/terraform-module-github-repository.git//modules/service?ref=v1.0.0"
+
+  # Repository name on GitHub (must match the remote, e.g. r-webdev/website).
+  name = "webring-webdev-webdesign"
+
+  # Short summary shown on the repo homepage and in search results.
+  description = "Webring of professional web developers and web designers."
+
+  # Who can see the repo: public, private, or internal (org members only).
+  # Public is required on GitHub Free for branch protection rules to apply.
+  visibility = "public"
+
+  # Tags used for discovery and filtering on GitHub.
+  topics = ["webring", "astro"]
+
+  # Default branch for new PRs and clones; must already exist on GitHub before protection rules apply.
+  default_branch = "main"
+
+  # --- Merge settings ---
+
+  # Disallow standard merge commits (only squash merges allowed).
+  allow_merge_commit = false
+
+  # Allow squash merges — combines all commits into one on merge.
+  allow_squash_merge = true
+
+  # Disallow rebase merges onto the base branch.
+  allow_rebase_merge = false
+
+  # Use the PR title as the squash commit subject line.
+  squash_merge_commit_title = "PR_TITLE"
+
+  # Include individual commit messages in the squash commit body.
+  squash_merge_commit_message = "COMMIT_MESSAGES"
+
+  # Remove the feature branch from GitHub after the PR is merged.
+  delete_branch_on_merge = true
+
+  # Do not allow merging automatically once checks and reviews pass (manual merge required).
+  allow_auto_merge = false
+
+  # --- Repository features ---
+
+  # Enable GitHub Issues for bugs and feature requests.
+  has_issues = true
+
+  # Disable GitHub Projects (Kanban-style boards tied to the repo).
+  has_projects = false
+
+  # Disable the repo wiki.
+  has_wiki = false
+
+  # Disable GitHub Discussions.
+  has_discussions = false
+
+  # Send Dependabot security alerts for vulnerable dependencies (relevant for private repos).
+  vulnerability_alerts = true
+
+  # If Terraform destroys this resource, archive the repo instead of deleting it permanently.
+  archive_on_destroy = true
+
+  # --- Access control ---
+
+  # Map of org team slug → permission level (pull, triage, push, maintain, admin).
+  team_permissions = {
+    # Full admin access: settings, branch protection, team management.
+    admins = "admin"
+    # Write access: push to branches and open/merge PRs (subject to branch protection).
+    moderators = "push"
+  }
+
+  # --- Branch protection (main) ---
+
+  branch_protection = {
+    main = {
+      # Require all conversations on a PR to be resolved before merge.
+      required_conversation_resolution = true
+
+      # Pull request review requirements before merge.
+      required_pull_request_reviews = {
+        # New commits dismiss previous approvals so reviewers re-check changes.
+        dismiss_stale_reviews = true
+        # Require approval from CODEOWNERS when changed files match .github/CODEOWNERS.
+        require_code_owner_reviews = true
+        # At least one approving review from someone other than the author.
+        required_approving_review_count = 1
+      }
+    }
+  }
+}

terraform/repository/versions.tf

@@ -0,0 +1,16 @@
+terraform {
+  # Minimum Terraform version required by the GitHub repository module.
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+}
+
+provider "github" {
+  # GitHub organization that owns this repository.
+  owner = "r-webdev"
+}