fix/feature: Adds support for max_file_size, max_file_path_length, file_extension_restriction, and unknown rulesets for repos and orgs (#2821)

* Adds support for max_file_size and file_extension_restriction and default rulesets

* Adds test coverage

* Adds support for max_file_path_length

* Removes unnecessary boxing

* fixes cast issue in tests

* Adds organizational push rulesets

* Updates docs for rulesets

Author: nickfloyd

github/resource_github_organization_ruleset.go

@@ -504,6 +504,74 @@ func resourceGithubOrganizationRuleset() *schema.Resource {
 								},
 							},
 						},
+						"file_path_restriction": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							MaxItems:    1,
+							Description: "Prevent commits that include changes in specified file paths from being pushed to the commit graph.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"restricted_file_paths": {
+										Type:        schema.TypeList,
+										MinItems:    1,
+										Required:    true,
+										Description: "The file paths that are restricted from being pushed to the commit graph.",
+										Elem: &schema.Schema{
+											Type: schema.TypeString,
+										},
+									},
+								},
+							},
+						},
+						"max_file_size": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							MaxItems:    1,
+							Description: "Prevent pushes based on file size.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"max_file_size": {
+										Type:        schema.TypeInt,
+										Required:    true,
+										Description: "The maximum allowed size of a file in bytes.",
+									},
+								},
+							},
+						},
+						"max_file_path_length": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							MaxItems:    1,
+							Description: "Prevent pushes based on file path length.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"max_file_path_length": {
+										Type:        schema.TypeInt,
+										Required:    true,
+										Description: "The maximum allowed length of a file path.",
+									},
+								},
+							},
+						},
+						"file_extension_restriction": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							MaxItems:    1,
+							Description: "Prevent pushes based on file extensions.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"restricted_file_extensions": {
+										Type:        schema.TypeSet,
+										MinItems:    1,
+										Required:    true,
+										Description: "The file extensions that are restricted from being pushed to the commit graph.",
+										Elem: &schema.Schema{
+											Type: schema.TypeString,
+										},
+									},
+								},
+							},
+						},
 					},
 				},
 			},

github/resource_github_organization_ruleset_test.go

@@ -576,3 +576,100 @@ func TestGithubOrganizationRulesets(t *testing.T) {
 	})
 
 }
+
+func TestOrganizationPushRulesetSupport(t *testing.T) {
+	// Test that organization push rulesets support all push-specific rules
+	// This is a unit test since it only validates the expand/flatten functionality
+
+	rulesMap := map[string]interface{}{
+		"file_path_restriction": []interface{}{
+			map[string]interface{}{
+				"restricted_file_paths": []interface{}{"secrets/", "*.key", "private/"},
+			},
+		},
+		"max_file_size": []interface{}{
+			map[string]interface{}{
+				"max_file_size": float64(10485760), // 10MB
+			},
+		},
+		"max_file_path_length": []interface{}{
+			map[string]interface{}{
+				"max_file_path_length": 250,
+			},
+		},
+		"file_extension_restriction": []interface{}{
+			map[string]interface{}{
+				"restricted_file_extensions": []interface{}{".exe", ".bat", ".sh", ".ps1"},
+			},
+		},
+	}
+
+	input := []interface{}{rulesMap}
+
+	// Test expand functionality (organization rulesets use org=true)
+	expandedRules := expandRules(input, true)
+
+	if len(expandedRules) != 4 {
+		t.Fatalf("Expected 4 expanded rules for organization push ruleset, got %d", len(expandedRules))
+	}
+
+	// Verify we have all expected push rule types
+	ruleTypes := make(map[string]bool)
+	for _, rule := range expandedRules {
+		ruleTypes[rule.Type] = true
+	}
+
+	expectedPushRules := []string{"file_path_restriction", "max_file_size", "max_file_path_length", "file_extension_restriction"}
+	for _, expectedType := range expectedPushRules {
+		if !ruleTypes[expectedType] {
+			t.Errorf("Expected organization push rule type %s not found in expanded rules", expectedType)
+		}
+	}
+
+	// Test flatten functionality (organization rulesets use org=true)
+	flattenedResult := flattenRules(expandedRules, true)
+
+	if len(flattenedResult) != 1 {
+		t.Fatalf("Expected 1 flattened result, got %d", len(flattenedResult))
+	}
+
+	flattenedRulesMap := flattenedResult[0].(map[string]interface{})
+
+	// Verify file_path_restriction
+	filePathRules := flattenedRulesMap["file_path_restriction"].([]map[string]interface{})
+	if len(filePathRules) != 1 {
+		t.Fatalf("Expected 1 file_path_restriction rule, got %d", len(filePathRules))
+	}
+	restrictedPaths := filePathRules[0]["restricted_file_paths"].([]string)
+	if len(restrictedPaths) != 3 {
+		t.Errorf("Expected 3 restricted file paths, got %d", len(restrictedPaths))
+	}
+
+	// Verify max_file_size
+	maxFileSizeRules := flattenedRulesMap["max_file_size"].([]map[string]interface{})
+	if len(maxFileSizeRules) != 1 {
+		t.Fatalf("Expected 1 max_file_size rule, got %d", len(maxFileSizeRules))
+	}
+	if maxFileSizeRules[0]["max_file_size"] != int64(10485760) {
+		t.Errorf("Expected max_file_size to be 10485760, got %v", maxFileSizeRules[0]["max_file_size"])
+	}
+
+	// Verify max_file_path_length
+	maxFilePathLengthRules := flattenedRulesMap["max_file_path_length"].([]map[string]interface{})
+	if len(maxFilePathLengthRules) != 1 {
+		t.Fatalf("Expected 1 max_file_path_length rule, got %d", len(maxFilePathLengthRules))
+	}
+	if maxFilePathLengthRules[0]["max_file_path_length"] != 250 {
+		t.Errorf("Expected max_file_path_length to be 250, got %v", maxFilePathLengthRules[0]["max_file_path_length"])
+	}
+
+	// Verify file_extension_restriction
+	fileExtRules := flattenedRulesMap["file_extension_restriction"].([]map[string]interface{})
+	if len(fileExtRules) != 1 {
+		t.Fatalf("Expected 1 file_extension_restriction rule, got %d", len(fileExtRules))
+	}
+	restrictedExts := fileExtRules[0]["restricted_file_extensions"].([]string)
+	if len(restrictedExts) != 4 {
+		t.Errorf("Expected 4 restricted file extensions, got %d", len(restrictedExts))
+	}
+}

github/resource_github_repository_ruleset.go

@@ -544,6 +544,21 @@ func resourceGithubRepositoryRuleset() *schema.Resource {
 								},
 							},
 						},
+						"max_file_path_length": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							MaxItems:    1,
+							Description: "Prevent pushes based on file path length.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"max_file_path_length": {
+										Type:        schema.TypeInt,
+										Required:    true,
+										Description: "The maximum allowed length of a file path.",
+									},
+								},
+							},
+						},
 						"file_extension_restriction": {
 							Type:        schema.TypeList,
 							Optional:    true,

github/respository_rules_utils.go

@@ -441,6 +441,17 @@ func expandRules(input []interface{}, org bool) []*github.RepositoryRule {
 
 	}
 
+	// max_file_path_length rule
+	if v, ok := rulesMap["max_file_path_length"].([]interface{}); ok && len(v) != 0 {
+		maxFilePathLengthMap := v[0].(map[string]interface{})
+		maxFilePathLength := maxFilePathLengthMap["max_file_path_length"].(int)
+		params := &github.RuleMaxFilePathLengthParameters{
+			MaxFilePathLength: maxFilePathLength,
+		}
+		rulesSlice = append(rulesSlice, github.NewMaxFilePathLengthRule(params))
+
+	}
+
 	// file_extension_restriction rule
 	if v, ok := rulesMap["file_extension_restriction"].([]interface{}); ok && len(v) != 0 {
 		fileExtensionRestrictionMap := v[0].(map[string]interface{})
@@ -640,6 +651,45 @@ func flattenRules(rules []*github.RepositoryRule, org bool) []interface{} {
 			rule := make(map[string]interface{})
 			rule["restricted_file_paths"] = params.GetRestrictedFilePaths()
 			rulesMap[v.Type] = []map[string]interface{}{rule}
+
+		case "max_file_size":
+			var params github.RuleMaxFileSizeParameters
+			err := json.Unmarshal(*v.Parameters, &params)
+			if err != nil {
+				log.Printf("[INFO] Unexpected error unmarshalling rule %s with parameters: %v",
+					v.Type, v.Parameters)
+			}
+			rule := make(map[string]interface{})
+			rule["max_file_size"] = params.MaxFileSize
+			rulesMap[v.Type] = []map[string]interface{}{rule}
+
+		case "max_file_path_length":
+			var params github.RuleMaxFilePathLengthParameters
+			err := json.Unmarshal(*v.Parameters, &params)
+			if err != nil {
+				log.Printf("[INFO] Unexpected error unmarshalling rule %s with parameters: %v",
+					v.Type, v.Parameters)
+			}
+			rule := make(map[string]interface{})
+			rule["max_file_path_length"] = params.MaxFilePathLength
+			rulesMap[v.Type] = []map[string]interface{}{rule}
+
+		case "file_extension_restriction":
+			var params github.RuleFileExtensionRestrictionParameters
+			err := json.Unmarshal(*v.Parameters, &params)
+			if err != nil {
+				log.Printf("[INFO] Unexpected error unmarshalling rule %s with parameters: %v",
+					v.Type, v.Parameters)
+			}
+			rule := make(map[string]interface{})
+			rule["restricted_file_extensions"] = params.RestrictedFileExtensions
+			rulesMap[v.Type] = []map[string]interface{}{rule}
+
+		default:
+			// Handle unknown rule types (like Copilot code review, etc.) gracefully
+			// Log the unknown rule type but don't cause Terraform to fail or see a diff
+			log.Printf("[DEBUG] Ignoring unknown repository rule type: %s. This rule was likely added outside of Terraform (e.g., via GitHub UI) and is not yet supported by the provider.", v.Type)
+			// Note: We intentionally don't add this to rulesMap to avoid causing diffs for rules that aren't managed by Terraform
 		}
 	}