diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
new file mode 100644
index 0000000000..18329ab34a
--- /dev/null
+++ b/.github/workflows/acceptance-tests.yml
@@ -0,0 +1,53 @@
+name: Acceptance Tests
+
+on:
+  pull_request:
+    types: [labeled]
+
+jobs:
+  acceptance-tests:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Parse Context From Environment
+        run: |
+          echo ::set-env name=HEAD_SHA::$(
+            jq -rc '.pull_request.head.sha' $GITHUB_EVENT_PATH
+          )
+          echo ::set-env name=LABEL_NAME::$(
+            jq -rc .label.name $GITHUB_EVENT_PATH
+          )
+
+      - name: Parse Arguments From Label Name
+        run: |
+          echo ::set-env name=RUN_FILTER::$(
+            echo $LABEL_NAME | cut -d/ -f 2
+          )
+
+      - name: Match expected prefix or exit
+        run: echo ${LABEL_NAME} | egrep -q "^acceptance-test/"
+
+      - name: Checkout
+        uses: actions/checkout@v2.0.0
+        with:
+          ref: ${{ env.HEAD_SHA }}
+
+      - name: Generate Test Fixtures
+        run: |
+          openssl req -x509 -newkey rsa:4096 -days 1 -nodes \
+            -subj "/C=US/ST=CA/L=San Francisco/O=HashiCorp, Inc./CN=localhost" \
+            -keyout github/test-fixtures/key.pem -out github/test-fixtures/cert.pem
+
+      - name: Acceptance Tests
+        uses: terraformtesting/acceptance-tests@v1.2.0
+        with:
+          RUN_FILTER: ${{ env.RUN_FILTER }}
+          GITHUB_ORGANIZATION: terraformtesting
+          GITHUB_TEST_USER: github-terraform-test-user
+          GITHUB_TEST_USER_NAME: "Test User"
+          GITHUB_TEST_USER_EMAIL: 60107403+github-terraform-test-user@users.noreply.github.com
+          GITHUB_TEST_USER_TOKEN: ${{ secrets.GITHUB_TEST_USER_TOKEN }}
+          GITHUB_TEST_COLLABORATOR: github-terraform-test-collaborator
+          GITHUB_TEST_COLLABORATOR_TOKEN: ${{ secrets.GITHUB_TEST_COLLABORATOR_TOKEN }}
+          GITHUB_TEMPLATE_REPOSITORY: terraform-template-module
+          GITHUB_TEMPLATE_REPOSITORY_RELEASE_ID: 23826477
diff --git a/github/resource_github_branch_protection.go b/github/resource_github_branch_protection.go
index 0d301909b7..1042d8a30f 100644
--- a/github/resource_github_branch_protection.go
+++ b/github/resource_github_branch_protection.go
@@ -123,6 +123,11 @@ func resourceGithubBranchProtection() *schema.Resource {
 							Optional: true,
 							Elem:     &schema.Schema{Type: schema.TypeString},
 						},
+						"apps": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
 					},
 				},
 			},
@@ -473,10 +478,18 @@ func flattenAndSetRestrictions(d *schema.ResourceData, protection *github.Protec
 			}
 		}
 
+		apps := make([]interface{}, 0, len(restrictions.Apps))
+		for _, t := range restrictions.Apps {
+			if t.Slug != nil {
+				apps = append(apps, *t.Slug)
+			}
+		}
+
 		return d.Set("restrictions", []interface{}{
 			map[string]interface{}{
 				"users": schema.NewSet(schema.HashString, users),
 				"teams": schema.NewSet(schema.HashString, teams),
+				"apps":  schema.NewSet(schema.HashString, apps),
 			},
 		})
 	}
@@ -557,6 +570,7 @@ func expandRestrictions(d *schema.ResourceData) (*github.BranchRestrictionsReque
 			if v == nil {
 				restrictions.Users = []string{}
 				restrictions.Teams = []string{}
+				restrictions.Apps = []string{}
 				return restrictions, nil
 			}
 			m := v.(map[string]interface{})
@@ -565,6 +579,8 @@ func expandRestrictions(d *schema.ResourceData) (*github.BranchRestrictionsReque
 			restrictions.Users = users
 			teams := expandNestedSet(m, "teams")
 			restrictions.Teams = teams
+			apps := expandNestedSet(m, "apps")
+			restrictions.Apps = apps
 		}
 		return restrictions, nil
 	}
diff --git a/website/docs/r/branch_protection.html.markdown b/website/docs/r/branch_protection.html.markdown
index 1d9a39be07..9ee7c85104 100644
--- a/website/docs/r/branch_protection.html.markdown
+++ b/website/docs/r/branch_protection.html.markdown
@@ -9,7 +9,7 @@ description: |-
 
 Protects a GitHub branch.
 
-This resource allows you to configure branch protection for repositories in your organization. When applied, the branch will be protected from forced pushes and deletion. Additional constraints, such as required status checks or restrictions on users and teams, can also be configured.
+This resource allows you to configure branch protection for repositories in your organization. When applied, the branch will be protected from forced pushes and deletion. Additional constraints, such as required status checks or restrictions on users, teams, and apps, can also be configured.
 
 ## Example Usage
 
@@ -36,6 +36,7 @@ resource "github_branch_protection" "example" {
   restrictions {
     users = ["foo-user"]
     teams = ["${github_team.example.slug}"]
+    apps  = ["foo-app"]
   }
 }
 
@@ -86,6 +87,7 @@ The following arguments are supported:
 
 * `users`: (Optional) The list of user logins with push access.
 * `teams`: (Optional) The list of team slugs with push access.
+* `apps`: (Optional) The list of app slugs with push access.
   Always use `slug` of the team, **not** its name. Each team already **has** to have access to the repository.
 
 `restrictions` is only available for organization-owned repositories.