feat: Add repository file extension restrictions

github/resource_github_repository_ruleset.go

@@ -453,6 +453,7 @@ func resourceGithubRepositoryRuleset() *schema.Resource {
 								Schema: map[string]*schema.Schema{
 									"restricted_file_paths": {
 										Type:        schema.TypeList,
+										MinItems:    1,
 										Required:    true,
 										Description: "The file paths that are restricted from being pushed to the commit graph.",
 										Elem: &schema.Schema{
@@ -477,6 +478,21 @@ func resourceGithubRepositoryRuleset() *schema.Resource {
 								},
 							},
 						},
+						"file_extension_restriction": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: "Prevent pushes based on file extensions.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"restricted_file_extensions": {
+										Type:        schema.TypeSet,
+										MinItems:    1,
+										Required:    true,
+										Description: "A list of file extensions.",
+									},
+								},
+							},
+						},
 					},
 				},
 			},

github/resource_github_repository_ruleset_test.go

@@ -368,30 +368,33 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 			t.Skip("Skipping because `GITHUB_PAID_FEATURES` is not set to true")
 		}
 		config := fmt.Sprintf(`
-                                             resource "github_repository" "test" {
-                                                             name                 = "tf-acc-test-%s"
-                                                             auto_init            = false
-                                                             visibility           = "internal"
-                                                             vulnerability_alerts = true
-                                             }
-
-                                             resource "github_repository_ruleset" "test_push" {
-                                                             name        = "test-push"
-                                                             repository  = github_repository.test.id
-                                                             target      = "push"
-                                                             enforcement = "active"
-
-                                                             rules {
-                                                                             file_path_restriction {
-                                                                                             restricted_file_paths = ["test.txt"]
-                                                                             }
-																			max_file_size {
-																							max_file_size = 1048576
-																			}
-                                                             }
-                                             }
-
-                             `, randomID)
+			 resource "github_repository" "test" {
+				 name                 = "tf-acc-test-%s"
+				 auto_init            = false
+				 visibility           = "internal"
+				 vulnerability_alerts = true
+			 }
+
+			 resource "github_repository_ruleset" "test_push" {
+				 name        = "test-push"
+				 repository  = github_repository.test.id
+				 target      = "push"
+				 enforcement = "active"
+
+				 rules {
+					file_path_restriction {
+					  restricted_file_paths = ["test.txt"]
+					 }
+					max_file_size {
+					  max_file_size = 1048576
+					}
+					file_extension_restriction {
+					   restricted_file_extensions = ["*.zip"]
+					}
+				 }
+			 }
+
+		`, randomID)
 		check := resource.ComposeTestCheckFunc(
 			resource.TestCheckResourceAttr(
 				"github_repository_ruleset.test_push", "name",
@@ -409,6 +412,10 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 				"github_repository_ruleset.test_push", "rules.0.max_file_size.0.max_file_size",
 				"1048576",
 			),
+			resource.TestCheckResourceAttr(
+				"github_repository_ruleset.test_push", "rules.0.file_extension_restriction.0.restricted_file_extensions.0",
+				"*.zip",
+			),
 		)
 		testCase := func(t *testing.T, mode string) {
 			resource.Test(t, resource.TestCase{

github/respository_rules_utils.go

@@ -418,6 +418,19 @@ func expandRules(input []interface{}, org bool) []*github.RepositoryRule {
 
 	}
 
+	// file_extension_restriction rule
+	if v, ok := rulesMap["file_extension_restriction"].([]interface{}); ok && len(v) != 0 {
+		fileExtensionRestrictionMap := v[0].(map[string]interface{})
+		restrictedFileExtensions := make([]string, 0)
+		for _, extension := range fileExtensionRestrictionMap["restricted_file_extensions"].([]interface{}) {
+			restrictedFileExtensions = append(restrictedFileExtensions, extension.(string))
+		}
+		params := &github.RuleFileExtensionRestrictionParameters{
+			RestrictedFileExtensions: restrictedFileExtensions,
+		}
+		rulesSlice = append(rulesSlice, github.NewFileExtensionRestrictionRule(params))
+	}
+
 	return rulesSlice
 }
 

website/docs/r/repository_ruleset.html.markdown

@@ -209,12 +209,16 @@ The `rules` block supports the following:
 
 #### rules.file_path_restriction ####
 
-* `restricted_file_paths` - (Required) (String) The file paths that are restricted from being pushed to the commit graph.
+* `restricted_file_paths` - (Required) (Block Set, Min: 1) The file paths that are restricted from being pushed to the commit graph.
 
 #### rules.max_file_size ####
 
 * `max_file_size` - (Required) (Integer) The maximum allowed size, in bytes, of a file.
 
+#### rules.file_extension_restriction ####
+
+* `restricted_file_extensions` - (Required) (Block Set, Min: 1) The file extensions that are restricted from being pushed to the commit graph.
+
 #### bypass_actors ####
 
 * `actor_id` - (Required) (Number) The ID of the actor that can bypass a ruleset. If `actor_type` is `Integration`, `actor_id` is a GitHub App ID. App ID can be obtained by following instructions from the [Get an App API docs](https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-app)