GCSS-1135: Add support for GitHub environment with deployment policy

[ljuboops257]

Add GitHub Environment Support with Improved Deployment Policy Structure

This PR adds support for GitHub repository environments and introduces a cleaner, more intuitive deployment policy structure throughout the codebase.

• https://github.com/G-Research/gr-oss/issues/1135
• https://github.com/G-Research/gr-oss/issues/1137

Key Changes

🚀 New Feature: GitHub Environments

• Terraform Module: Added support for managing GitHub environments with deployment policies, reviewers, and protection rules
• Importer Tool: Can now import existing GitHub environment configurations when enabled
• Deployment Policies: Three supported modes:
  • protected_branches - Only protected branches can deploy
  • selected_branches_and_tags - Specific branch/tag patterns can deploy
  • No policy - Any branch can deploy

🎛️ Feature Flag System

• New Configuration: import-config.yaml now supports feature flags
• Enable with: feature_github_environment: true
• Default: All features disabled (backward compatible)
• Architecture: Config-driven, no CLI changes needed

  # gcss-config-repo/config/import-config.yaml
  feature_github_environment: true  # Enable environment import

📝 Environment Configuration Structure

  environments:
    - environment: production
      wait_timer: 300
      can_admins_bypass: false
      prevent_self_review: true
      reviewers:
        users: ["octocat"]
        teams: ["platform-team"]  # ⚠️ Teams must have repo access
      deployment_policy:
        policy_type: protected_branches

    - environment: staging
      deployment_policy:
        policy_type: selected_branches_and_tags
        branch_patterns: ["main", "release/*"]
        tag_patterns: ["v*"]

🔧 Implementation Details

Importer Changes:

• Added FeatureGithubEnvironment constant
• Feature check: cfg.IsFeatureEnabled(FeatureGithubEnvironment)
• Fetches environment data from GitHub API including deployment policies
• Generates YAML with new deployment_policy structure

Terraform Changes:

• Dynamic environment resources based on YAML configuration
• Handles deployment branch policies via separate resources
• Import blocks for existing environments

📚 Documentation

• feature_github_environment.md: Complete guide for environment configuration
• ADDING_FEATURES.md: How to add new feature-flagged functionality
• LOCAL_DEVELOPMENT_SETUP.md: Updated with environment examples
• GITHUB_ACTIONS_WORKFLOWS.md: New comprehensive workflow documentation
• DEVELOPERS_GUIDE.md: Environment field reference

How to Use

  1. Enable the feature:
    # import-config.yaml
    feature_github_environment: true
  2. Import existing repos with environments:
    just import-repo org/repo
  3. Or add environments to new repos:
    # repos/my-repo.yaml
    environments:
      - environment: production
        deployment_policy:
          policy_type: protected_branches

🔄 Migration

• All existing YAML configurations updated to new structure
• Backward compatibility not required (clean implementation)
• Feature flag feature_github_environment: true controls environment import

Testing

• ✅ Feature flag system working (disabled by default)
• ✅ Environment import from GitHub API
• ✅ Terraform resource creation and management
• ✅ All documentation updated

Important Notes

• Feature is opt-in via feature_github_environment: true
• Teams in reviewers must have repository access first
• Maximum 6 combined users + teams as reviewers (GitHub limitation)

---

This PR adds GitHub environment support as a new, feature-flagged capability that can be gradually rolled out without affecting existing workflows.

References

• Terraform GitHub Provider - Environments
• Terraform GitHub provider - Deployment policy
• GitHub API - Environments
• GitHub Actions - Deployment Environments

[pavlovic-ivan]

This should be in another document, something like IMPORTER_DEVELOPERS_GUIDE.md or in the LOCAL_DEVELOPMENT_SETUP.md (if it's not already there).

The DEVELOPERS_GUIDE.md should focus only on the fields allowed to be set in a repo yaml config file

[pavlovic-ivan]

Isn't this a value in minutes not seconds? Please verify

[ljuboops257]

correct, it's in minutes (max is 30 days or 43200 minutes) - will update it
verifyuing on my org for demo1 repo and its actual config

are you ok with below edit?

Suggested change

	- **`wait_timer`**: *(optional, int)* Delay in seconds (max 43200)
	- **`wait_timer`**: *(optional, int)* Delay in minutes (max 43200 or 30 days)

[pavlovic-ivan]

Yeah, looks good

[pavlovic-ivan]

I don't think this file is necessary. We have an example configuration file in the config template repo: https://github.com/G-Research/github-terraformer-configuration-template/blob/main/repos/repository.yaml.example

Consider moving information to the example

[pavlovic-ivan]

General remark: the name gcss-config-repo shouldn't be mentioned because that is arbitrary name of the configuration repo. And it's not how it's named in GR org. It can lead to confusion of new adopters

[pavlovic-ivan]

Shouldn't be a part of this PR. Please move it to another PR that focuses on documentation. This one should be only about environments

[pavlovic-ivan]

Shouldn't be a part of this PR. Please move it to another PR that focuses on documentation. This one should be only about environments

[pavlovic-ivan]

Shouldn't be a part of this PR. Please move it to another PR that focuses on documentation. This one should be only about environments

[pavlovic-ivan]

Shouldn't be a part of this PR. Please move it to another PR that focuses on documentation. This one should be only about environments

[pavlovic-ivan]

Shouldn't be a part of this PR. Please move it to another PR that focuses on documentation. This one should be only about environments. Also, i don't get the purpose of this file. Maybe we go through this on a call?

[pavlovic-ivan]

Module modules/terraform-github-repository is vendored. That means it shouldn't be changed. All changes and features are added to the root module

[pavlovic-ivan]

Module modules/terraform-github-repository is vendored. That means it shouldn't be changed. All changes and features are added to the root module

[pavlovic-ivan]

Module modules/terraform-github-repository is vendored. That means it shouldn't be changed. All changes and features are added to the root module

[pavlovic-ivan]

Once environments are moved from the child module to the root module, this should be removed.

[pavlovic-ivan]

This will change once environments are moved to root module

[pavlovic-ivan]

Please move this to environments.go. And remove comments

[pavlovic-ivan]

Not needed, please remove

[pavlovic-ivan]

It can be max 6 in total, not 6 per list

[pavlovic-ivan]

Suggested change

	FeatureGithubEnvironment = "feature_github_environment"
	FeatureGithubEnvironments = "feature_github_environments"

[pavlovic-ivan]

This line means that any field added to the root of the import-config.yaml file that has a boolean value will act as a feature flag, eg:

feature_github_environment: true
some_ficticious_feature: true

Both will be captured. We want a strict configuration file that can be (de)serialized explicitly. Please change the Config struct accordingly

[pavlovic-ivan]

This is not correct information. Please remove it. It's also affected by the comment https://github.com/G-Research/github-terraformer/pull/28/files#r2549525571

[pavlovic-ivan]

Please remove comments. Also, topics are already supported

[pavlovic-ivan]

the three ifs can be reduced. you added a function that is not used cfg.IsFeatureEnabled that you can use to reduce the number of ifs. once that is done, you won't need enableEnvironments any more

[pavlovic-ivan]

This should be changed so that we fail the import if getting the environments fail. Repo can not and shouldn't be partially imported, otherwise we will get drift in terraform. So it's "all or nothing" approach

[pavlovic-ivan]

Similar as above, this should be changed so that we fail the import if getting the environments fail. Repo can not and shouldn't be partially imported, otherwise we will get drift in terraform. So it's "all or nothing" approach

[pavlovic-ivan]

This should be changed to a more go idiomatic approach, where you capture the error, log it, and escalate it above to the called function. Check the rest of the code to see how it's done, it's used everywhere. function resolveEnvironments will then return ([]Environment, error)

[pavlovic-ivan]

Keep this one it's useful

[pavlovic-ivan]

i don't understand this. please explain

[pavlovic-ivan]

I will remove comments that say "remove comments", and leave only those that say "keep this comment" so that the number of asked changes here are reduced, but it also means that comments should be removed

[pavlovic-ivan]

Keep this comment line, remove second and third

[pavlovic-ivan]

remove, unless you found a case where this is set. if there is one, then this block and the other on top can be merged, and reduced

[pavlovic-ivan]

This needs an else statement that should raise an error, because it means someone tampered with the json file and introduced something we don't know exists, or Github made a change, and we should be aware if any of the two happened. If so, throw an error, and fail the import.

[pavlovic-ivan]

These two should work together and check if length of both arrays in total is bigger than 6. If yes, throw an error, and fail the import.

[pavlovic-ivan]

Please take a look at comments and change accordingly