diff --git a/docs/operations/concept/repository-configuration.md b/docs/operations/concept/repository-configuration.md
index 4cb2145..32ddd2e 100644
--- a/docs/operations/concept/repository-configuration.md
+++ b/docs/operations/concept/repository-configuration.md
@@ -17,7 +17,7 @@ Using the [`integrations/github`](https://registry.terraform.io/providers/integr
 |---|---|
 | `module.github_repository.github_repository.this` | Merge methods (squash + rebase only, no merge commits), auto-merge disabled, delete-branch-on-merge, secret scanning + push protection |
 | `module.github_repository.github_branch_protection.main` | Require a pull request and passing CI (`lint`, `test`, `build`) before merging into `main`; block direct pushes and force-pushes/deletion |
-| `module.github_repository.github_repository_environment.production` | Placeholder deployment environment — no real deployment target exists yet |
+| `module.github_repository.github_repository_environment.production`, `...staging` | The two fixed deployment environments every repo this module manages gets |
 | `module.github_repository.github_repository_collaborators.this` | The full, authoritative collaborator list (empty by default) |
 
 Solo-maintainer defaults were chosen deliberately: `main` requires a pull request but no minimum approval count, since GitHub can't let a lone maintainer approve their own PR, and branch admins aren't blanket-enforced so an emergency bypass stays possible.
diff --git a/terraform/README.md b/terraform/README.md
index 83fdede..cf75a33 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -1,8 +1,8 @@
 # Repository configuration (Terraform)
 
 Manages this repository's GitHub settings as code: merge/auto-merge behavior,
-delete-branch-on-merge, secret scanning, branch protection on `main`, a
-placeholder deployment environment, and the collaborator list. Uses the
+delete-branch-on-merge, secret scanning, branch protection on `main`, the
+`production`/`staging` deployment environments, and the collaborator list. Uses the
 [`integrations/github`](https://registry.terraform.io/providers/integrations/github/latest/docs)
 provider.
 
@@ -55,9 +55,9 @@ it first would try to *create* it and fail. Run this once, before the first
 ```
 
 Nothing else needs importing: `main` currently has no branch protection
-rule, there are no manually-added collaborators, and no `production`
-environment exists yet — all three start as clean creates that match the
-empty/absent live state.
+rule, there are no manually-added collaborators, and neither the
+`production` nor `staging` environment exists yet — all these start as
+clean creates that match the empty/absent live state.
 
 ## What's intentionally not managed here
 
diff --git a/terraform/github-repository/main.tf b/terraform/github-repository/main.tf
index eff2a59..439bf4c 100644
--- a/terraform/github-repository/main.tf
+++ b/terraform/github-repository/main.tf
@@ -88,13 +88,19 @@ resource "github_branch_protection" "main" {
 
 ##### ENVIRONMENTS #####
 #
-# Placeholder — this template has no deployment target yet. Rename/adapt
-# once a real environment exists to protect.
+# Fixed set — every repo this module manages gets exactly "production" and
+# "staging", named to match GitHub Actions environment-scoped secrets/vars
+# and any workflow that deploys with `environment: production`/`staging`.
 resource "github_repository_environment" "production" {
   environment = "production"
   repository = github_repository.this.name
 }
 
+resource "github_repository_environment" "staging" {
+  environment = "staging"
+  repository = github_repository.this.name
+}
+
 # Example environment variable (uncomment and adapt):
 # resource "github_actions_environment_variable" "example" {
 #   repository = github_repository.this.name
diff --git a/terraform/terraform.tfvars.example b/terraform/terraform.tfvars.example
new file mode 100644
index 0000000..0781930
--- /dev/null
+++ b/terraform/terraform.tfvars.example
@@ -0,0 +1,6 @@
+# Copy to terraform.tfvars (gitignored) and fill in for the repo you're
+# actually configuring — or let the bootstrap-repo skill generate this file
+# for you from `git remote -v`.
+
+repository_owner = "your-github-username-or-org"
+repository_name = "your-repo-name"
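Review bot: Both environment resources in this hunk — the existing `production` block and the new `staging` block — set only `environment` and `repository`, with no `deployment_branch_policy`, `reviewers` or `wait_timer`, so as far as this module configures it nothing restricts which branch or workflow run may target them; the new comment explicitly ties them to environment-scoped secrets/vars, which makes that gap the thing to decide on here. If it is intentional while the environments are still empty, say so in the comment (`# NOTE: no branch policy or required reviewers yet — environment secrets are reachable from any branch that targets them`); otherwise `production` at least should be limited to protected branches, which per the hunk header context is `main` under `github_branch_protection.main`, so the PR-plus-CI gate also covers deployments. The `staging` block is otherwise a verbatim copy of `production`; if the two are meant to stay identical a `for_each = toset(["production", "staging"])` would remove the duplication, at the cost of `moved` blocks to keep the `github_repository_environment.production` address the docs reference. Suggested `production` block below.
```hcl
resource "github_repository_environment" "production" {
  environment = "production"
  repository  = github_repository.this.name

  # Only branches with a protection rule (currently `main`) may target this
  # environment, so its secrets/vars are not handed to runs from other branches.
  deployment_branch_policy {
    protected_branches     = true
    custom_branch_policies = false
  }
}
# … unchanged: staging environment, example environment variable …
```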