🤖 Generated by the Daily AI Assistant
Problem
The org's GitHub rulesets are now managed declaratively in
devantler-tech/.github deploy/rulesets/
(Crossplane via provider-upjet-github). The initial import adopts 12 of 22
rulesets Observe-first and adds a net-new v* tag-protection ruleset — but
provider-upjet-github v0.19.1 has a narrower ruleset schema than GitHub's API,
so 10 org rulesets remain UI-managed, and neither push rulesets nor the new
Actions workflow-execution-protections are expressible. This issue tracks closing
that gap as the provider catches up.
What the provider cannot express (verified against the live CRDs)
| Capability missing in provider |
Rulesets / features it blocks |
repository_property conditions (custom-property scoping) |
6 org rulesets: code-scanning (Type), EnableAutoMerge, LintDocumentation, ScanGitHubActions, .NET (language), Go (language) |
Rule type code_quality |
"Require code quality results" |
Rule type copilot_code_review |
"Automatically request Copilot code review" |
Target repository |
"restrict-names", "restrict-transfers" |
Rule type repository_transfer + EnterpriseOwner bypass |
"restrict-transfers" |
Push-file rules (file_path_restriction, max_file_size, file_extension_restriction, max_file_path_length) |
any push ruleset (none today, but not adoptable) |
| Actor/event workflow-trigger rules (2026-06-18 workflow execution protections) |
Actions policies — also relies on repository_property scoping |
Proposed direction
- Watch
provider-upjet-github
/ upstream integrations/terraform-provider-github
for support of the above (esp. repository_property conditions — it unblocks 6 at once).
- When a capability lands: bump the provider, then re-home the now-expressible rulesets
into deploy/rulesets/ Observe-first, and update the importability matrix in
deploy/rulesets/README.md.
- If the maintainer agrees, file upstream feature requests (kept out of scope here — no
outward-facing issues without sign-off).
Acceptance
Every currently-UI-managed ruleset is either (a) expressible and adopted under
deploy/rulesets/, or (b) explicitly documented as permanently UI-only. Push and
Actions-trigger policies are likewise either adoptable or documented as out of provider
scope.
Size: ongoing / upstream-dependent. The 10 UI-managed rulesets stay fully active and
enforced in the meantime — this is about bringing them under GitOps, not changing them.
Problem
The org's GitHub rulesets are now managed declaratively in
devantler-tech/.githubdeploy/rulesets/(Crossplane via
provider-upjet-github). The initial import adopts 12 of 22rulesets Observe-first and adds a net-new
v*tag-protection ruleset — butprovider-upjet-githubv0.19.1 has a narrower ruleset schema than GitHub's API,so 10 org rulesets remain UI-managed, and neither push rulesets nor the new
Actions workflow-execution-protections are expressible. This issue tracks closing
that gap as the provider catches up.
What the provider cannot express (verified against the live CRDs)
repository_propertyconditions (custom-property scoping)Type), EnableAutoMerge, LintDocumentation, ScanGitHubActions, .NET (language), Go (language)code_qualitycopilot_code_reviewrepositoryrepository_transfer+EnterpriseOwnerbypassfile_path_restriction,max_file_size,file_extension_restriction,max_file_path_length)repository_propertyscopingProposed direction
provider-upjet-github/ upstream
integrations/terraform-provider-githubfor support of the above (esp.
repository_propertyconditions — it unblocks 6 at once).into
deploy/rulesets/Observe-first, and update the importability matrix indeploy/rulesets/README.md.outward-facing issues without sign-off).
Acceptance
Every currently-UI-managed ruleset is either (a) expressible and adopted under
deploy/rulesets/, or (b) explicitly documented as permanently UI-only. Push andActions-trigger policies are likewise either adoptable or documented as out of provider
scope.
Size: ongoing / upstream-dependent. The 10 UI-managed rulesets stay fully active and
enforced in the meantime — this is about bringing them under GitOps, not changing them.