Skip to content

Adopt remaining rulesets declaratively as provider-upjet-github gains support (10 org rulesets + push + Actions policies) #69

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem

The org's GitHub rulesets are now managed declaratively in
devantler-tech/.github deploy/rulesets/
(Crossplane via provider-upjet-github). The initial import adopts 12 of 22
rulesets Observe-first and adds a net-new v* tag-protection ruleset — but
provider-upjet-github v0.19.1 has a narrower ruleset schema than GitHub's API,
so 10 org rulesets remain UI-managed, and neither push rulesets nor the new
Actions workflow-execution-protections are expressible. This issue tracks closing
that gap as the provider catches up.

What the provider cannot express (verified against the live CRDs)

Capability missing in provider Rulesets / features it blocks
repository_property conditions (custom-property scoping) 6 org rulesets: code-scanning (Type), EnableAutoMerge, LintDocumentation, ScanGitHubActions, .NET (language), Go (language)
Rule type code_quality "Require code quality results"
Rule type copilot_code_review "Automatically request Copilot code review"
Target repository "restrict-names", "restrict-transfers"
Rule type repository_transfer + EnterpriseOwner bypass "restrict-transfers"
Push-file rules (file_path_restriction, max_file_size, file_extension_restriction, max_file_path_length) any push ruleset (none today, but not adoptable)
Actor/event workflow-trigger rules (2026-06-18 workflow execution protections) Actions policies — also relies on repository_property scoping

Proposed direction

  • Watch provider-upjet-github
    / upstream integrations/terraform-provider-github
    for support of the above (esp. repository_property conditions — it unblocks 6 at once).
  • When a capability lands: bump the provider, then re-home the now-expressible rulesets
    into deploy/rulesets/ Observe-first, and update the importability matrix in
    deploy/rulesets/README.md.
  • If the maintainer agrees, file upstream feature requests (kept out of scope here — no
    outward-facing issues without sign-off).

Acceptance

Every currently-UI-managed ruleset is either (a) expressible and adopted under
deploy/rulesets/, or (b) explicitly documented as permanently UI-only. Push and
Actions-trigger policies are likewise either adoptable or documented as out of provider
scope.

Size: ongoing / upstream-dependent. The 10 UI-managed rulesets stay fully active and
enforced in the meantime — this is about bringing them under GitOps, not changing them.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions