fix: avoid 422 when enterprise policy controls org fork setting

andrewesweet · claude · andrewesweet · commit 08b4cec4b611 · 2026-04-22T14:54:57.000+01:00
Remove Default: false from members_can_fork_private_repositories schema to prevent the field from being sent to the API when not explicitly set by the user. When an enterprise-level policy locks this setting, sending any value causes a 422 validation error. Without a default, the field is only included in API calls when the user explicitly configures it, matching the behavior of members_can_create_internal_repositories (enterprise-only field). Fixes #2689 Relates to #1333 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/github/resource_github_organization_settings.go b/github/resource_github_organization_settings.go
@@ -119,8 +119,7 @@ func resourceGithubOrganizationSettings() *schema.Resource {
 			"members_can_fork_private_repositories": {
 				Type:        schema.TypeBool,
 				Optional:    true,
-				Default:     false,
-				Description: "Whether or not organization members can fork private repositories.",
+				Description: "Whether or not organization members can fork private repositories. When an enterprise policy controls this setting, omit this attribute to avoid API validation errors.",
 			},
 			"web_commit_signoff_required": {
 				Type:        schema.TypeBool,
diff --git a/website/docs/r/organization_settings.html.markdown b/website/docs/r/organization_settings.html.markdown
@@ -64,7 +64,7 @@ The following arguments are supported:
 * `members_can_create_pages` - (Optional) Whether or not organization members can create new pages. Defaults to `true`.
 * `members_can_create_public_pages` - (Optional) Whether or not organization members can create new public pages. Defaults to `true`.
 * `members_can_create_private_pages` - (Optional) Whether or not organization members can create new private pages. Defaults to `true`.
-* `members_can_fork_private_repositories` - (Optional) Whether or not organization members can fork private repositories. Defaults to `false`.
+* `members_can_fork_private_repositories` - (Optional) Whether or not organization members can fork private repositories. When an enterprise policy controls this setting, omit this attribute to avoid API validation errors.
 * `web_commit_signoff_required` - (Optional) Whether or not commit signatures are required for commits to the organization. Defaults to `false`.
 * `advanced_security_enabled_for_new_repositories` - (Optional) Whether or not advanced security is enabled for new repositories. Defaults to `false`.
 * `dependabot_alerts_enabled_for_new_repositories` - (Optional) Whether or not dependabot alerts are enabled for new repositories. Defaults to `false`.
