feat: add fork-PR contributor approval resources and data sources

Wrap the GitHub REST `actions/permissions/fork-pr-contributor-approval`
endpoints (repo + org) in four new Terraform building blocks:

- resource `github_actions_repository_fork_pr_contributor_approval`
- resource `github_actions_organization_fork_pr_contributor_approval`
- data source `github_actions_repository_fork_pr_contributor_approval`
- data source `github_actions_organization_fork_pr_contributor_approval`

Each accepts `approval_policy` in the three GitHub-documented enum values
(`first_time_contributors_new_to_github`, `first_time_contributors`,
`all_external_contributors`).

The API has no "off" state for this policy. On Delete, the resource resets
the policy to GitHub's documented default (`first_time_contributors`) to
avoid leaving non-default residual state, matching the precedent set by
`github_actions_organization_permissions` Delete (which resets to `all`).

go-github already exposes the matching service methods on `*ActionsService`
(GetForkPRContributorApprovalPermissions / Update... and the Organization*
variants), so this is purely a provider-side wrapper.

New resources are implemented with context-aware CRUD functions
(`CreateContext` / `ReadContext` / `UpdateContext` / `DeleteContext`
returning `diag.Diagnostics`) per the migration tracked in #2996, rather
than copying the legacy pattern from the nearby `access_level` and
`organization_permissions` resources that are themselves on that
migration's to-do list.

Acceptance test notes:
- Repo-level tests use `visibility = "public"` because configuring
  `fork-pr-contributor-approval` on private repos returns 422 when the
  org's `fork-pr-workflows-private-repos` setting has fork-PR workflows
  disabled. Public repos exercise the endpoint without that prerequisite.
- The repo-level test allows both `individual` and `organization` auth
  modes so it can be exercised against an org-scoped test token.

Doc generation was authored against `make generatedocs` templates and the
rendered output is included; `make validatedocs` was not run locally because
the dev environment lacks a `terraform` binary. CI will validate.

Author: donicrosby

docs/data-sources/actions_organization_fork_pr_contributor_approval.md

@@ -0,0 +1,23 @@
+---
+page_title: "github_actions_organization_fork_pr_contributor_approval (Data Source) - GitHub"
+description: |-
+  Read the organization-wide fork PR contributor approval policy
+---
+
+# github_actions_organization_fork_pr_contributor_approval (Data Source)
+
+Use this data source to retrieve the current organization-wide fork pull request contributor approval policy.
+
+## Example Usage
+
+```terraform
+data "github_actions_organization_fork_pr_contributor_approval" "example" {}
+```
+
+## Argument Reference
+
+This data source takes no arguments. The organization is determined by the provider configuration.
+
+## Attributes Reference
+
+- `approval_policy` - The organization-wide fork PR contributor approval policy currently configured. One of `first_time_contributors_new_to_github`, `first_time_contributors`, or `all_external_contributors`.

docs/data-sources/actions_repository_fork_pr_contributor_approval.md

@@ -0,0 +1,25 @@
+---
+page_title: "github_actions_repository_fork_pr_contributor_approval (Data Source) - GitHub"
+description: |-
+  Read the fork PR contributor approval policy for a GitHub repository
+---
+
+# github_actions_repository_fork_pr_contributor_approval (Data Source)
+
+Use this data source to retrieve the current fork pull request contributor approval policy configured on a GitHub repository.
+
+## Example Usage
+
+```terraform
+data "github_actions_repository_fork_pr_contributor_approval" "example" {
+  repository = "my-repository"
+}
+```
+
+## Argument Reference
+
+- `repository` - (Required) The GitHub repository.
+
+## Attributes Reference
+
+- `approval_policy` - The fork PR contributor approval policy currently configured on the repository. One of `first_time_contributors_new_to_github`, `first_time_contributors`, or `all_external_contributors`.

docs/resources/actions_organization_fork_pr_contributor_approval.md

@@ -0,0 +1,35 @@
+---
+page_title: "github_actions_organization_fork_pr_contributor_approval (Resource) - GitHub"
+description: |-
+  Manages the organization-wide fork PR contributor approval policy
+---
+
+# github_actions_organization_fork_pr_contributor_approval (Resource)
+
+This resource allows you to set the organization-wide fork pull request contributor approval policy. This controls which fork PR contributors need maintainer approval before their workflows can run on any public repository in the organization. You must be an organization owner to use this resource.
+
+Repositories may override this policy at the repository level (see [`github_actions_repository_fork_pr_contributor_approval`](actions_repository_fork_pr_contributor_approval.md)). Setting the policy at the organization level only establishes the default for repositories that do not have a repository-level override.
+
+The GitHub API for this setting does not expose an "off" state — the policy is always set to one of the three strictness values. If you remove this resource, the policy is reset to GitHub's documented default (`first_time_contributors`).
+
+## Example Usage
+
+```terraform
+resource "github_actions_organization_fork_pr_contributor_approval" "test" {
+  approval_policy = "all_external_contributors"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `approval_policy` - (Required) The organization-wide policy controlling which fork PR contributors need maintainer approval. Possible values are `first_time_contributors_new_to_github`, `first_time_contributors`, or `all_external_contributors`.
+
+## Import
+
+This resource can be imported using the name of the organization:
+
+```shell
+terraform import github_actions_organization_fork_pr_contributor_approval.test my-organization
+```

docs/resources/actions_repository_fork_pr_contributor_approval.md

@@ -0,0 +1,42 @@
+---
+page_title: "github_actions_repository_fork_pr_contributor_approval (Resource) - GitHub"
+description: |-
+  Manages the fork PR contributor approval policy for a GitHub repository
+---
+
+# github_actions_repository_fork_pr_contributor_approval (Resource)
+
+This resource allows you to set the fork pull request contributor approval policy on a GitHub repository. This controls which fork PR contributors need maintainer approval before their workflows can run on the repository. You must have admin access to a repository to use this resource.
+
+This setting governs fork PRs from outside contributors. On private repositories, the [`fork-pr-workflows-private-repos`](https://docs.github.com/en/rest/actions/permissions?apiVersion=2022-11-28#set-private-repo-fork-pr-workflow-settings-for-a-repository) org/repo settings control whether fork PR workflows run at all; if fork PR workflows are disabled at that level, configuring `approval_policy` via this resource may return `422 Unprocessable Entity`.
+
+The GitHub API for this setting does not expose an "off" state — the policy is always one of the three strictness values. On Delete, this resource resets the policy to GitHub's documented default (`first_time_contributors`).
+
+## Example Usage
+
+```terraform
+resource "github_repository" "example" {
+  name       = "my-repository"
+  visibility = "public"
+}
+
+resource "github_actions_repository_fork_pr_contributor_approval" "test" {
+  approval_policy = "all_external_contributors"
+  repository      = github_repository.example.name
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `repository` - (Required) The GitHub repository.
+- `approval_policy` - (Required) The policy controlling which fork PR contributors need maintainer approval. Possible values are `first_time_contributors_new_to_github`, `first_time_contributors`, or `all_external_contributors`.
+
+## Import
+
+This resource can be imported using the name of the GitHub repository:
+
+```shell
+terraform import github_actions_repository_fork_pr_contributor_approval.test my-repository
+```

examples/data-sources/actions_organization_fork_pr_contributor_approval/example_1.tf

@@ -0,0 +1 @@
+data "github_actions_organization_fork_pr_contributor_approval" "example" {}

examples/data-sources/actions_repository_fork_pr_contributor_approval/example_1.tf

@@ -0,0 +1,3 @@
+data "github_actions_repository_fork_pr_contributor_approval" "example" {
+  repository = "my-repository"
+}

examples/resources/actions_organization_fork_pr_contributor_approval/example_1.tf

@@ -0,0 +1,3 @@
+resource "github_actions_organization_fork_pr_contributor_approval" "test" {
+  approval_policy = "all_external_contributors"
+}

examples/resources/actions_repository_fork_pr_contributor_approval/example_1.tf

@@ -0,0 +1,9 @@
+resource "github_repository" "example" {
+  name       = "my-repository"
+  visibility = "public"
+}
+
+resource "github_actions_repository_fork_pr_contributor_approval" "test" {
+  approval_policy = "all_external_contributors"
+  repository      = github_repository.example.name
+}

github/data_source_github_actions_organization_fork_pr_contributor_approval.go

@@ -0,0 +1,43 @@
+package github
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceGithubActionsOrganizationForkPRContributorApproval() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataSourceGithubActionsOrganizationForkPRContributorApprovalRead,
+
+		Schema: map[string]*schema.Schema{
+			"approval_policy": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The organization-wide fork PR contributor approval policy currently configured. One of 'first_time_contributors_new_to_github', 'first_time_contributors', or 'all_external_contributors'.",
+			},
+		},
+	}
+}
+
+func dataSourceGithubActionsOrganizationForkPRContributorApprovalRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	if err := checkOrganization(meta); err != nil {
+		return diag.FromErr(err)
+	}
+
+	client := meta.(*Owner).v3client
+	orgName := meta.(*Owner).name
+
+	policy, _, err := client.Actions.GetOrganizationForkPRContributorApprovalPermissions(ctx, orgName)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(orgName)
+	if err := d.Set("approval_policy", policy.ApprovalPolicy); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}

github/data_source_github_actions_organization_fork_pr_contributor_approval_test.go

@@ -0,0 +1,44 @@
+package github
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccGithubActionsOrganizationForkPRContributorApprovalDataSource(t *testing.T) {
+	t.Run("read the organization fork PR contributor approval policy", func(t *testing.T) {
+		approvalPolicy := "all_external_contributors"
+
+		config := `
+			resource "github_actions_organization_fork_pr_contributor_approval" "test" {
+				approval_policy = "all_external_contributors"
+			}
+		`
+
+		config2 := config + `
+			data "github_actions_organization_fork_pr_contributor_approval" "test" {}
+		`
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"data.github_actions_organization_fork_pr_contributor_approval.test", "approval_policy", approvalPolicy,
+			),
+		)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check:  resource.ComposeTestCheckFunc(),
+				},
+				{
+					Config: config2,
+					Check:  check,
+				},
+			},
+		})
+	})
+}