From 5451a2d494ea0eb60d5e669e13ce669cdf997fae Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Mon, 3 Feb 2025 13:05:25 +1000
Subject: [PATCH] terraform: add infra repo and ruleset
---
 terraform/github-repo-infra.tf | 85 ++++++++++++++++++++++++++++++++
 terraform/shell.nix | 9 ++++
 terraform/terraform_providers.tf | 8 +++
 3 files changed, 102 insertions(+)
 create mode 100644 terraform/github-repo-infra.tf
diff --git a/terraform/github-repo-infra.tf b/terraform/github-repo-infra.tf
new file mode 100644
index 000000000..23dbbe74d
--- /dev/null
+++ b/terraform/github-repo-infra.tf
@@ -0,0 +1,85 @@
+resource "github_repository" "infra" {
+ name = "infra"
+ description = "nix-community infrastructure [maintainer=@zowoq]"
+ homepage_url = "https://nix-community.org"
+
+ topics = [
+ "nix-community-buildbot",
+ "nix-darwin",
+ "nixos",
+ "terraform",
+ ]
+
+ allow_auto_merge = true
+ allow_merge_commit = false
+ allow_rebase_merge = true
+ allow_squash_merge = false
+ delete_branch_on_merge = true
+ has_discussions = true
+ has_issues = true
+ vulnerability_alerts = true
+
+
+ pages {
+ build_type = "workflow"
+ cname = "nix-community.org"
+
+ source {
+ branch = "master"
+ path = "/"
+ }
+ }
+}
+
+resource "github_repository_ruleset" "infra" {
+ name = "default branch"
+ repository = github_repository.infra.name
+ target = "branch"
+ enforcement = "active"
+
+ conditions {
+ ref_name {
+ include = ["~DEFAULT_BRANCH"]
+ exclude = []
+ }
+ }
+
+ rules {
+ deletion = true
+ non_fast_forward = true
+
+ merge_queue {
+ check_response_timeout_minutes = 60
+ grouping_strategy = "ALLGREEN"
+ max_entries_to_build = 1
+ max_entries_to_merge = 1
+ merge_method = "REBASE"
+ min_entries_to_merge = 1
+ min_entries_to_merge_wait_minutes = 5
+ }
+
+ pull_request {
+ required_approving_review_count = 0
+ required_review_thread_resolution = false
+ require_code_owner_review = false
+ dismiss_stale_reviews_on_push = false
+ require_last_push_approval = false
+ }
+
+ required_status_checks {
+ required_check {
+ context = "buildbot/nix-build"
+ }
+ }
+ }
+}
+
+import {
+ to = github_repository.infra
+ id = "infra"
+}
+
+# import {
+# to = github_repository_ruleset.example
+# id = "example:12345"
+# }
diff --git a/terraform/shell.nix b/terraform/shell.nix
index af75dfefc..c51e15792 100644
--- a/terraform/shell.nix
+++ b/terraform/shell.nix
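Review bot: The `required_check` block inside `required_status_checks` names only `context = "buildbot/nix-build"`, and as far as I can tell a check without a pinned reporter is accepted from whichever app or token posts a status under that name; since `required_approving_review_count = 0` and `allow_auto_merge = true`, that single check is the only gate before the merge queue lands a change on the default branch of the infra repo. Pinning the reporter with `integration_id = BUILDBOT_APP_ID # placeholder: id of the buildbot GitHub App` makes the gate satisfiable only by buildbot itself. The zero-review `pull_request` rule reads as deliberate for a maintainer-run repository but nothing says so; a comment such as `# single maintainer: no review gate, the buildbot status check is the merge requirement` would keep the next reader from "fixing" it.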
@@ -7,6 +7,15 @@
 packages = [
 (terraform.withPlugins (p: [
 p.cloudflare
+ (p.github.overrideAttrs (_: {
+ patches = [
+ (fetchpatch {
+ name = "add-support-for-merge-queues-in-repository-rulesets.patch";
+ url = "https://github.com/integrations/terraform-provider-github/pull/2380.patch";
+ hash = "sha256-aauj8YCybuH2iDNVIb/q4hNbs1rsTS2qNYNvQLbrZ7Q=";
+ })
+ ];
+ }))
 p.hydra
 p.sops
 p.tfe
diff --git a/terraform/terraform_providers.tf b/terraform/terraform_providers.tf
index 30cf557c9..c095b3663 100644
--- a/terraform/terraform_providers.tf
+++ b/terraform/terraform_providers.tf
@@ -3,6 +3,9 @@ terraform {
 cloudflare = {
 source = "cloudflare/cloudflare"
 }
+ github = {
+ source = "integrations/github"
+ }
 hydra = {
 source = "DeterminateSystems/hydra"
 }
@@ -29,6 +32,11 @@ provider "hydra" {
 username = "admin"
 }
 
+provider "github" {
+ # admin provides their own token
+ owner = "nix-community"
+}
+
 provider "tfe" {
 token = data.sops_file.nix-community.data["TFE_TOKEN"]
 }
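Review bot: The `fetchpatch` `url` points at `pull/2380.patch`, whose content changes whenever that PR branch is rebased; the `hash` pins what was reviewed, so a rebase fails the build instead of silently changing the provider, but the natural response to that failure is to bump the hash, which re-admits unreviewed code into the provider binary that will hold the GitHub admin token. Pointing at the commit-specific patch, `url = "https://github.com/integrations/terraform-provider-github/commit/REVIEWED_SHA.patch"; # placeholder: the PR head commit that was reviewed`, keeps the source immutable and ties the hash to a fixed revision. A comment above the override stating when it can be dropped (merge_queue support in rulesets shipping in a released provider) would also help. The enclosing `packages` list starts and ends outside the hunk.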
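Review bot: The comment `# admin provides their own token` in the new `provider "github"` block leaves unstated how the token reaches the provider, while the neighbouring `tfe` block documents its source inline through `data.sops_file`. Recording the mechanism and the decision, e.g. `# token is deliberately not in sops: the provider reads it from the GITHUB_TOKEN variable of whoever runs terraform`, and the minimum scope the token needs for this file (repository administration on the infra repo) gives the operator a least-privilege target; I am inferring the environment-variable path from the provider's documented defaults, not from this diff.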