[FEAT]: Require approval from someone other than the last pusher

[tatutoivio-bf4d]

Describe the need

I see that at least according to the branch_protection documentation of the currently latest version (5.7.0) the "Require approval from someone other than the last pusher" option isn't available for the required_pull_request_reviews parameter.

That boolean option would be very important for my use case, and its name could be e.g. require_non_last_pusher_approval.

SDK Version

No response

API Version

No response

Relevant log output

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[tatutoivio-bf4d]

Looking at the GitHub API, I can see that the proper name for the option might rather be require_last_push_approval.

[fproulx-boostsecurity]

This is such an important improvement to branch protection. I hope this will go in soon.

[kfcampbell]

I agree, this would be awesome to have! Do either of you have interest in opening a PR for this behavior?

[wwsean08]

Looking into this, it looks like github.com/shurcooL/githubv4 will have to be updated first to support this new property unless I'm misinterpreting the code. I'm going to try and work on getting a PR against that repo this weekend to add the field. There are actually a couple of new fields missing which I'm going to try to get into the githubv4 library for branch protections. I'll post the PR link here if I'm able to get one opened over there since it's a pre-requisite for this work.

[wwsean08]

Actually no need for me to open a PR, this one takes care of the necessary change, shurcooL/githubv4#107

[wwsean08]

I've got a commit here that does all the work to add this option as well as the lock branch option since they were introduced at the same time. Because my test requires overriding the current version of the githubv4 library I haven't bothered opening a PR, but this should give someone a good start if someone else wants to take it up once the dependent change above is merged. I imagine you will be able to get away with leaving the go.mod at 1.16, but I had trouble which I think had to do with the go.mod (specifically golang.org/x/oauth2 v0.1.0) in the githubv4 repo which seemed to need a package introduced in 1.17, but I didn't dig too deep into the issue, so your results may vary.

If I'm able to open a PR once that (or another PR on githubv4 gets merged) I will, but I am not able to spend as much time on this as I would like so hopefully my code snippet above helps someone down the line. Below is the code I wrote to test and validate it so it should work along with a screenshot of the results:

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "~> 5.0"
    }
  }
}

provider "github" {
  owner = "REDACTED"
}

data "github_repository" "repo" {
  full_name = "REDACTED/REDACTED"
}

resource "github_branch_protection" "protection" {
  repository_id              = data.github_repository.repo.node_id
  pattern                    = "test"
  lock_branch                = true
  required_pull_request_reviews {
    require_last_push_approval = true
  }
}

[wwsean08]

Good news, today a PR I opened that just updates the schema got merged 🎉 . Friday I will look to open a simplified version of my previous change as a PR to hopefully get this feature implemented