@xnoto xnoto commented Dec 21, 2025

Summary

OpenTofu configuration to manage GitHub organization resources as code.

What's Included

Component           Purpose
gh-repositories.tf  Repository creation and settings
gh-protections.tf   Branch protection rules
gh-secrets.tf       GitHub Actions secrets (via SOPS)
gh-iam.tf           Organization membership

CI/CD

  • Runs on ghcr.io/makeitworkcloud/runner:latest container
  • Pre-commit: validate, tflint, checkov, fmt, terraform-docs
  • PR: plan output commented on PR
  • Push to main: auto-apply (requires production environment approval)

Secrets Management

  • SOPS + age encryption
  • Secrets stored in secrets/secrets.yaml
  • Requires SOPS_AGE_KEY in GitHub Actions

Notable Decisions

  • No provider version pinning (uses lock file)
  • S3 backend (credentials from SOPS at runtime)
  • Branch protection enforces: linear history, PR reviews, conversation resolution

@github-actions

OpenTofu Plan 📋

No changes. Your infrastructure matches the configuration.

OpenTofu has compared your real infrastructure against your configuration and

@github-actions

OpenTofu Plan 📋

No changes. Your infrastructure matches the configuration.

OpenTofu has compared your real infrastructure against your configuration and

@github-actions

OpenTofu Plan

OpenTofu will perform the following actions:

  # github_branch_protection.protections["shared-workflows"] will be destroyed
  # (because key ["shared-workflows"] is not in for_each map)
  - resource "github_branch_protection" "protections" {
      - allows_deletions                = false -> null
      - allows_force_pushes             = false -> null
      - enforce_admins                  = true -> null
      - force_push_bypassers            = [] -> null
      - id                              = "BPR_kwDOQsfaHs4EO2Q7" -> null
      - lock_branch                     = false -> null
      - pattern                         = "main" -> null
      - repository_id                   = "R_kgDOQsfaHg" -> null
      - require_conversation_resolution = true -> null
      - require_signed_commits          = false -> null
      - required_linear_history         = true -> null

      - required_pull_request_reviews {
          - dismiss_stale_reviews           = true -> null
          - dismissal_restrictions          = [
              - "/xnoto",
            ] -> null
          - pull_request_bypassers          = [
              - "/xnoto",
            ] -> null
          - require_code_owner_reviews      = true -> null
          - require_last_push_approval      = true -> null
          - required_approving_review_count = 1 -> null
          - restrict_dismissals             = true -> null
        }

      - required_status_checks {
          - contexts = [] -> null
          - strict   = true -> null
        }

      - restrict_pushes {
          - blocks_creations = true -> null
          - push_allowances  = [
              - "/xnoto",
            ] -> null
        }
    }

  # github_repository.repositories["shared-workflows"] will be destroyed
  # (because key ["shared-workflows"] is not in for_each map)
  - resource "github_repository" "repositories" {
      - allow_auto_merge            = false -> null
      - allow_merge_commit          = true -> null
      - allow_rebase_merge          = true -> null
      - allow_squash_merge          = true -> null
      - allow_update_branch         = false -> null
      - archived                    = false -> null
      - default_branch              = "main" -> null
      - delete_branch_on_merge      = false -> null
      - etag                        = "W/\"12967aad3796cab07e03e26a2ed5210df90a102587f6068d4dc721127be39517\"" -> null
      - fork                        = "false" -> null
      - full_name                   = "makeitworkcloud/shared-workflows" -> null
      - git_clone_url               = "git://github.com/makeitworkcloud/shared-workflows.git" -> null
      - has_discussions             = false -> null
      - has_downloads               = false -> null
      - has_issues                  = false -> null
      - has_projects                = false -> null
      - has_wiki                    = false -> null
      - html_url                    = "https://github.com/makeitworkcloud/shared-workflows" -> null
      - http_clone_url              = "https://github.com/makeitworkcloud/shared-workflows.git" -> null
      - id                          = "shared-workflows" -> null
      - is_template                 = false -> null
      - merge_commit_message        = "PR_TITLE" -> null
      - merge_commit_title          = "MERGE_MESSAGE" -> null
      - name                        = "shared-workflows" -> null
      - node_id                     = "R_kgDOQsfaHg" -> null
      - private                     = false -> null
      - repo_id                     = 1120393758 -> null
      - squash_merge_commit_message = "COMMIT_MESSAGES" -> null
      - squash_merge_commit_title   = "COMMIT_OR_PR_TITLE" -> null
      - ssh_clone_url               = "git@github.com:makeitworkcloud/shared-workflows.git" -> null
      - svn_url                     = "https://github.com/makeitworkcloud/shared-workflows" -> null
      - topics                      = [] -> null
      - visibility                  = "public" -> null
      - vulnerability_alerts        = false -> null
      - web_commit_signoff_required = false -> null

      - security_and_analysis {
          - secret_scanning {
              - status = "disabled" -> null
            }
          - secret_scanning_push_protection {
              - status = "disabled" -> null
            }
        }
    }

Plan: 0 to add, 0 to change, 2 to destroy.
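
The plan above shows the failure mode of a key-driven for_each: dropping "shared-workflows" from the map would delete the repository itself, and this pipeline auto-applies on push to main. A guard a practitioner would put in front of that apply step, written here as an added example (not code from the repository or the PR), reads the plan in the JSON shape produced by `tofu show -json <planfile>` and refuses to proceed when a protected resource type is slated for deletion. The embedded sample plan is constructed to mirror the two destroys in the comment.

```python
"""Guardrail for an auto-apply pipeline: refuse plans that destroy protected resources.

Assumption (not from the project): the pipeline runs `tofu show -json tfplan | python guard.py`
and treats a non-zero exit as a blocked apply. The sample below is constructed, not real output.
"""
import json
import sys

# Resource types whose deletion must be a deliberate human decision. github_repository is the
# critical one: a dropped for_each key deletes the repository and its history, not just settings.
PROTECTED_TYPES = {"github_repository", "github_branch_protection"}


def destructive_changes(plan: dict) -> list[str]:
    """Return addresses of protected resources the plan would delete (including delete-and-recreate)."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        actions = set(rc.get("change", {}).get("actions", []))
        if "delete" in actions and rc.get("type") in PROTECTED_TYPES:
            flagged.append(rc["address"])
    return flagged


# Constructed sample in the shape of plan JSON, reduced to the fields this guard reads.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": 'github_branch_protection.protections["shared-workflows"]',
         "type": "github_branch_protection", "change": {"actions": ["delete"]}},
        {"address": 'github_repository.repositories["shared-workflows"]',
         "type": "github_repository", "change": {"actions": ["delete"]}},
        {"address": 'github_repository.repositories["infra"]',
         "type": "github_repository", "change": {"actions": ["update"]}},
    ],
}


def main() -> int:
    # Read a real plan from stdin when piped; fall back to the constructed sample when run by hand.
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    flagged = destructive_changes(plan)
    if flagged:
        print("refusing to auto-apply: plan destroys protected resources", file=sys.stderr)
        for addr in flagged:
            print(f"  - {addr}", file=sys.stderr)
        return 1
    print("plan contains no destructive changes to protected resources")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed sample it exits 1 and lists both "shared-workflows" addresses; an in-place update alone passes.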

@github-actions

OpenTofu Plan

No changes. Your infrastructure matches the configuration.

OpenTofu has compared your real infrastructure against your configuration and

@xnoto xnoto merged commit 26c67ed into main Dec 21, 2025
3 checks passed