fix: handle sha_pinning_required=false

Replace d.GetOk() with d.HasChange() || d.IsNewResource() to
properly handle boolean false values. The GetOk() method returns
ok=false for zero-value booleans, causing sha_pinning_required=false
to be silently ignored and never sent to the GitHub API.

This fix ensures both true and false values are correctly applied,
eliminating perpetual drift when disabling SHA pinning enforcement.

Affects github_actions_organization_permissions and
github_actions_repository_permissions resources.

Fix #3223.

Author: sheeeng

github/resource_github_actions_organization_permissions.go

@@ -158,8 +158,8 @@ func resourceGithubActionsOrganizationPermissionsCreateOrUpdate(d *schema.Resour
 		EnabledRepositories: &enabledRepositories,
 	}
 
-	if v, ok := d.GetOk("sha_pinning_required"); ok {
-		actionsPermissions.SHAPinningRequired = github.Ptr(v.(bool))
+	if d.HasChange("sha_pinning_required") || d.IsNewResource() {
+		actionsPermissions.SHAPinningRequired = github.Ptr(d.Get("sha_pinning_required").(bool))
 	}
 
 	_, _, err = client.Actions.UpdateActionsPermissions(ctx,

github/resource_github_actions_organization_permissions_test.go

@@ -104,6 +104,76 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 		})
 	})
 
+	t.Run("test setting sha_pinning_required to true", func(t *testing.T) {
+		enabledRepositories := "all"
+
+		config := fmt.Sprintf(`
+			resource "github_actions_organization_permissions" "test" {
+				allowed_actions      = "all"
+				enabled_repositories = "%s"
+				sha_pinning_required = true
+			}
+		`, enabledRepositories)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(
+							"github_actions_organization_permissions.test", "sha_pinning_required", "true",
+						),
+					),
+				},
+			},
+		})
+	})
+
+	t.Run("test setting sha_pinning_required to false", func(t *testing.T) {
+		enabledRepositories := "all"
+
+		configTrue := fmt.Sprintf(`
+			resource "github_actions_organization_permissions" "test" {
+				allowed_actions      = "all"
+				enabled_repositories = "%s"
+				sha_pinning_required = true
+			}
+		`, enabledRepositories)
+
+		configFalse := fmt.Sprintf(`
+			resource "github_actions_organization_permissions" "test" {
+				allowed_actions      = "all"
+				enabled_repositories = "%s"
+				sha_pinning_required = false
+			}
+		`, enabledRepositories)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: configTrue,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(
+							"github_actions_organization_permissions.test", "sha_pinning_required", "true",
+						),
+					),
+				},
+				{
+					Config: configFalse,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(
+							"github_actions_organization_permissions.test", "sha_pinning_required", "false",
+						),
+					),
+				},
+			},
+		})
+	})
+
 	t.Run("test setting of organization allowed actions", func(t *testing.T) {
 		allowedActions := "selected"
 		enabledRepositories := "all"

github/resource_github_actions_repository_permissions.go

@@ -131,8 +131,8 @@ func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.Resource
 		repoActionPermissions.AllowedActions = &allowedActions
 	}
 
-	if v, ok := d.GetOk("sha_pinning_required"); ok {
-		repoActionPermissions.SHAPinningRequired = github.Ptr(v.(bool))
+	if d.HasChange("sha_pinning_required") || d.IsNewResource() {
+		repoActionPermissions.SHAPinningRequired = github.Ptr(d.Get("sha_pinning_required").(bool))
 	}
 
 	_, _, err := client.Repositories.UpdateActionsPermissions(ctx,

github/resource_github_actions_repository_permissions_test.go

@@ -98,6 +98,96 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 		})
 	})
 
+	t.Run("test setting sha_pinning_required to true", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name        = "%[1]s"
+				description = "Terraform acceptance tests %[1]s"
+				topics		= ["terraform", "testing"]
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				allowed_actions      = "all"
+				repository           = github_repository.test.name
+				sha_pinning_required = true
+			}
+		`, repoName)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(
+							"github_actions_repository_permissions.test", "sha_pinning_required", "true",
+						),
+					),
+				},
+			},
+		})
+	})
+
+	t.Run("test setting sha_pinning_required to false", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
+
+		configTrue := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name        = "%[1]s"
+				description = "Terraform acceptance tests %[1]s"
+				topics		= ["terraform", "testing"]
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				allowed_actions      = "all"
+				repository           = github_repository.test.name
+				sha_pinning_required = true
+			}
+		`, repoName)
+
+		configFalse := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name        = "%[1]s"
+				description = "Terraform acceptance tests %[1]s"
+				topics		= ["terraform", "testing"]
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				allowed_actions      = "all"
+				repository           = github_repository.test.name
+				sha_pinning_required = false
+			}
+		`, repoName)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: configTrue,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(
+							"github_actions_repository_permissions.test", "sha_pinning_required", "true",
+						),
+					),
+				},
+				{
+					Config: configFalse,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr(
+							"github_actions_repository_permissions.test", "sha_pinning_required", "false",
+						),
+					),
+				},
+			},
+		})
+	})
+
 	t.Run("test setting of repository allowed actions", func(t *testing.T) {
 		allowedActions := "selected"
 		githubOwnedAllowed := true