data_source_github_actions_organization_permissions.go
package github
import (
"context"
"github.com/google/go-github/v88/github"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)
// dataSourceGithubActionsOrganizationPermissions describes the read-only data
// source that reports an organization's GitHub Actions permission policy.
//
// Every attribute is Computed: nothing is taken from configuration, and all
// values are filled in by dataSourceGithubActionsOrganizationPermissionsRead.
func dataSourceGithubActionsOrganizationPermissions() *schema.Resource {
	// Element of "allowed_actions_config": the allow-list that applies when
	// 'allowed_actions' is 'selected'.
	allowedActionsElem := &schema.Resource{
		Schema: map[string]*schema.Schema{
			"github_owned_allowed": {
				Type:        schema.TypeBool,
				Computed:    true,
				Description: "Whether GitHub-owned actions are allowed in the organization.",
			},
			"verified_allowed": {
				Type:        schema.TypeBool,
				Computed:    true,
				Description: "Whether actions in GitHub Marketplace from verified creators are allowed.",
			},
			// Patterns may be wildcards or tags as well as SHAs, so an entry
			// here does not by itself mean an action is pinned to a commit.
			"patterns_allowed": {
				Type:        schema.TypeSet,
				Computed:    true,
				Description: "Specifies a list of string-matching patterns to allow specific action(s). Wildcards, tags, and SHAs are allowed.",
				Elem:        &schema.Schema{Type: schema.TypeString},
			},
		},
	}

	// Element of "enabled_repositories_config": the repositories selected
	// when 'enabled_repositories' is 'selected'.
	enabledReposElem := &schema.Resource{
		Schema: map[string]*schema.Schema{
			"repository_ids": {
				Type:        schema.TypeSet,
				Computed:    true,
				Description: "List of repository IDs enabled for GitHub Actions.",
				Elem:        &schema.Schema{Type: schema.TypeInt},
			},
		},
	}

	attributes := map[string]*schema.Schema{
		"enabled_repositories": {
			Type:        schema.TypeString,
			Computed:    true,
			Description: "The policy that controls the repositories in the organization that are allowed to run GitHub Actions. Can be one of: 'all', 'none', or 'selected'.",
		},
		"enabled_repositories_config": {
			Type:        schema.TypeList,
			Computed:    true,
			Description: "The list of selected repositories that are enabled for GitHub Actions when 'enabled_repositories' is 'selected'.",
			Elem:        enabledReposElem,
		},
		"allowed_actions": {
			Type:        schema.TypeString,
			Computed:    true,
			Description: "The permissions policy that controls the actions that are allowed to run. Can be one of: 'all', 'local_only', or 'selected'.",
		},
		"allowed_actions_config": {
			Type:        schema.TypeList,
			Computed:    true,
			Description: "The actions that are allowed in the organization when 'allowed_actions' is 'selected'.",
			Elem:        allowedActionsElem,
		},
		// Exposed as a plain bool so configurations can assert that the
		// organization enforces SHA pinning.
		"sha_pinning_required": {
			Type:        schema.TypeBool,
			Computed:    true,
			Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization.",
		},
	}

	return &schema.Resource{
		ReadContext: dataSourceGithubActionsOrganizationPermissionsRead,
		Schema:      attributes,
	}
}
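// dataSourceGithubActionsOrganizationPermissionsRead fills the data source
// from the organization's GitHub Actions permission settings.
//
// It first verifies the provider is configured for an organization, then
// fetches the organization-level permissions. The allow-list
// ("allowed_actions_config") is queried only when the allowed-actions policy
// is "selected", and the enabled repository IDs
// ("enabled_repositories_config") only when the enabled-repositories policy
// is "selected". The resource ID is set to the organization name.
//
// Any API or state-write failure is returned as diagnostics. A repository
// entry without an ID is also reported as an error, so a malformed response
// neither panics nor yields an incomplete list of enabled repositories.
func dataSourceGithubActionsOrganizationPermissionsRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
	if err := checkOrganization(meta); err != nil {
		return diag.FromErr(err)
	}

	// NOTE(review): these assertions are unchecked; presumably
	// checkOrganization has already validated that meta is an *Owner — confirm.
	client := meta.(*Owner).v3client
	owner := meta.(*Owner).name

	actionsPermissions, _, err := client.Actions.GetActionsPermissions(ctx, owner)
	if err != nil {
		return diag.FromErr(err)
	}

	if actionsPermissions.GetAllowedActions() == "selected" {
		actionsAllowed, _, err := client.Actions.GetActionsAllowed(ctx, owner)
		if err != nil {
			return diag.FromErr(err)
		}
		if actionsAllowed != nil {
			config := map[string]any{
				"github_owned_allowed": actionsAllowed.GetGithubOwnedAllowed(),
				"patterns_allowed":     actionsAllowed.PatternsAllowed,
				"verified_allowed":     actionsAllowed.GetVerifiedAllowed(),
			}
			if err := d.Set("allowed_actions_config", []any{config}); err != nil {
				return diag.FromErr(err)
			}
		}
	}

	if actionsPermissions.GetEnabledRepositories() == "selected" {
		opts := github.ListOptions{PerPage: 10, Page: 1}
		var repoIDs []int64

		// Follow pagination until the API reports no further page.
		for {
			enabledRepos, resp, err := client.Actions.ListEnabledReposInOrg(ctx, owner, &opts)
			if err != nil {
				return diag.FromErr(err)
			}
			if enabledRepos != nil {
				for _, repo := range enabledRepos.Repositories {
					// Fail loudly instead of dereferencing a nil pointer or
					// silently dropping an entry from the reported policy.
					if repo == nil || repo.ID == nil {
						return diag.Errorf("listing repositories enabled for GitHub Actions in %q: entry without an ID", owner)
					}
					repoIDs = append(repoIDs, *repo.ID)
				}
			}
			if resp == nil || resp.NextPage == 0 {
				break
			}
			opts.Page = resp.NextPage
		}

		// As before, the attribute is written only when at least one
		// repository was returned.
		if len(repoIDs) > 0 {
			config := map[string]any{"repository_ids": repoIDs}
			if err := d.Set("enabled_repositories_config", []any{config}); err != nil {
				return diag.FromErr(err)
			}
		}
	}

	if err := d.Set("allowed_actions", actionsPermissions.GetAllowedActions()); err != nil {
		return diag.FromErr(err)
	}
	if err := d.Set("enabled_repositories", actionsPermissions.GetEnabledRepositories()); err != nil {
		return diag.FromErr(err)
	}
	if err := d.Set("sha_pinning_required", actionsPermissions.GetSHAPinningRequired()); err != nil {
		return diag.FromErr(err)
	}

	d.SetId(owner)
	return nil
}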