fix: handle sha_pinning_required=false

sheeeng · sheeeng · commit 5b44ee6b8efd · 2026-02-28T10:14:40.000+01:00
Split `CreateOrUpdate` into separate `Create` and `Update` functions to properly handle the `sha_pinning_required` boolean field's zero-value problem: - Use `d.GetOkExists()` in `Create` to only send the field when the user explicitly sets it in config, even to `false`. - Use `d.HasChange()` in `Update` to detect when the value changes and `d.Get()` to read the new value. Keep schema as `Optional` + `Computed` (not `Default: false`) so the resource inherits the organization-level setting when not explicitly configured. This follows the same pattern used by `allow_forking` in `resource_github_repository.go`. Fixes #3223
diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go
@@ -12,9 +12,9 @@ import (
 
 func resourceGithubActionsOrganizationPermissions() *schema.Resource {
 	return &schema.Resource{
-		Create: resourceGithubActionsOrganizationPermissionsCreateOrUpdate,
+		Create: resourceGithubActionsOrganizationPermissionsCreate,
 		Read:   resourceGithubActionsOrganizationPermissionsRead,
-		Update: resourceGithubActionsOrganizationPermissionsCreateOrUpdate,
+		Update: resourceGithubActionsOrganizationPermissionsUpdate,
 		Delete: resourceGithubActionsOrganizationPermissionsDelete,
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
@@ -137,13 +137,10 @@ func resourceGithubActionsEnabledRepositoriesObject(d *schema.ResourceData) ([]i
 	return enabled, nil
 }
 
-func resourceGithubActionsOrganizationPermissionsCreateOrUpdate(d *schema.ResourceData, meta any) error {
+func resourceGithubActionsOrganizationPermissionsCreate(d *schema.ResourceData, meta any) error {
 	client := meta.(*Owner).v3client
 	orgName := meta.(*Owner).name
 	ctx := context.Background()
-	if !d.IsNewResource() {
-		ctx = context.WithValue(ctx, ctxId, d.Id())
-	}
 
 	err := checkOrganization(meta)
 	if err != nil {
@@ -158,7 +155,7 @@ func resourceGithubActionsOrganizationPermissionsCreateOrUpdate(d *schema.Resour
 		EnabledRepositories: &enabledRepositories,
 	}
 
-	if v, ok := d.GetOk("sha_pinning_required"); ok {
+	if v, ok := d.GetOkExists("sha_pinning_required"); ok { //nolint:staticcheck,SA1019 // Use `GetOkExists` to detect explicit false for booleans.
 		actionsPermissions.SHAPinningRequired = github.Ptr(v.(bool))
 	}
 
@@ -201,6 +198,67 @@ func resourceGithubActionsOrganizationPermissionsCreateOrUpdate(d *schema.Resour
 	return resourceGithubActionsOrganizationPermissionsRead(d, meta)
 }
 
+func resourceGithubActionsOrganizationPermissionsUpdate(d *schema.ResourceData, meta any) error {
+	client := meta.(*Owner).v3client
+	orgName := meta.(*Owner).name
+	ctx := context.WithValue(context.Background(), ctxId, d.Id())
+
+	err := checkOrganization(meta)
+	if err != nil {
+		return err
+	}
+
+	allowedActions := d.Get("allowed_actions").(string)
+	enabledRepositories := d.Get("enabled_repositories").(string)
+
+	actionsPermissions := github.ActionsPermissions{
+		AllowedActions:      &allowedActions,
+		EnabledRepositories: &enabledRepositories,
+	}
+
+	if d.HasChange("sha_pinning_required") {
+		actionsPermissions.SHAPinningRequired = github.Ptr(d.Get("sha_pinning_required").(bool))
+	}
+
+	_, _, err = client.Actions.UpdateActionsPermissions(ctx,
+		orgName,
+		actionsPermissions)
+	if err != nil {
+		return err
+	}
+
+	if allowedActions == "selected" {
+		actionsAllowedData := resourceGithubActionsOrganizationAllowedObject(d)
+		if actionsAllowedData != nil {
+			log.Printf("[DEBUG] Update `actionsAllowedData` configuration.")
+			_, _, err = client.Actions.UpdateActionsAllowed(ctx,
+				orgName,
+				*actionsAllowedData)
+			if err != nil {
+				return err
+			}
+		} else {
+			log.Printf("[DEBUG] Skip updating `actionsAllowedData` because no configuration is set.")
+		}
+	}
+
+	if enabledRepositories == "selected" {
+		enabledReposData, err := resourceGithubActionsEnabledRepositoriesObject(d)
+		if err != nil {
+			return err
+		}
+		_, err = client.Actions.SetEnabledReposInOrg(ctx,
+			orgName,
+			enabledReposData)
+		if err != nil {
+			return err
+		}
+	}
+
+	d.SetId(orgName)
+	return resourceGithubActionsOrganizationPermissionsRead(d, meta)
+}
+
 func resourceGithubActionsOrganizationPermissionsRead(d *schema.ResourceData, meta any) error {
 	client := meta.(*Owner).v3client
 	ctx := context.Background()
diff --git a/github/resource_github_actions_organization_permissions_test.go b/github/resource_github_actions_organization_permissions_test.go
@@ -6,6 +6,9 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 )
 
 func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
@@ -104,6 +107,62 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 		})
 	})
 
+	t.Run("test setting sha_pinning_required to true", func(t *testing.T) {
+		enabledRepositories := "all"
+
+		config := fmt.Sprintf(`
+			resource "github_actions_organization_permissions" "test" {
+				allowed_actions      = "all"
+				enabled_repositories = "%s"
+				sha_pinning_required = true
+			}
+		`, enabledRepositories)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_organization_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(true)),
+					},
+				},
+			},
+		})
+	})
+
+	t.Run("test setting sha_pinning_required to false", func(t *testing.T) {
+		enabledRepositories := "all"
+
+		configTmpl := `
+			resource "github_actions_organization_permissions" "test" {
+				allowed_actions      = "all"
+				enabled_repositories = "%s"
+				sha_pinning_required = %t
+			}
+		`
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: fmt.Sprintf(configTmpl, enabledRepositories, true),
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_organization_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(true)),
+					},
+				},
+				{
+					Config: fmt.Sprintf(configTmpl, enabledRepositories, false),
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_organization_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(false)),
+					},
+				},
+			},
+		})
+	})
+
 	t.Run("test setting of organization allowed actions", func(t *testing.T) {
 		allowedActions := "selected"
 		enabledRepositories := "all"
diff --git a/github/resource_github_actions_repository_permissions.go b/github/resource_github_actions_repository_permissions.go
@@ -11,9 +11,9 @@ import (
 
 func resourceGithubActionsRepositoryPermissions() *schema.Resource {
 	return &schema.Resource{
-		Create: resourceGithubActionsRepositoryPermissionsCreateOrUpdate,
+		Create: resourceGithubActionsRepositoryPermissionsCreate,
 		Read:   resourceGithubActionsRepositoryPermissionsRead,
-		Update: resourceGithubActionsRepositoryPermissionsCreateOrUpdate,
+		Update: resourceGithubActionsRepositoryPermissionsUpdate,
 		Delete: resourceGithubActionsRepositoryPermissionsDelete,
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
@@ -108,15 +108,12 @@ func resourceGithubActionsRepositoryAllowedObject(d *schema.ResourceData) *githu
 	return allowed
 }
 
-func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.ResourceData, meta any) error {
+func resourceGithubActionsRepositoryPermissionsCreate(d *schema.ResourceData, meta any) error {
 	client := meta.(*Owner).v3client
 
 	owner := meta.(*Owner).name
 	repoName := d.Get("repository").(string)
 	ctx := context.Background()
-	if !d.IsNewResource() {
-		ctx = context.WithValue(ctx, ctxId, d.Id())
-	}
 
 	allowedActions := d.Get("allowed_actions").(string)
 	enabled := d.Get("enabled").(bool)
@@ -131,7 +128,7 @@ func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.Resource
 		repoActionPermissions.AllowedActions = &allowedActions
 	}
 
-	if v, ok := d.GetOk("sha_pinning_required"); ok {
+	if v, ok := d.GetOkExists("sha_pinning_required"); ok { //nolint:staticcheck,SA1019 // Use `GetOkExists` to detect explicit false for booleans.
 		repoActionPermissions.SHAPinningRequired = github.Ptr(v.(bool))
 	}
 
@@ -164,6 +161,59 @@ func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.Resource
 	return resourceGithubActionsRepositoryPermissionsRead(d, meta)
 }
 
+func resourceGithubActionsRepositoryPermissionsUpdate(d *schema.ResourceData, meta any) error {
+	client := meta.(*Owner).v3client
+
+	owner := meta.(*Owner).name
+	repoName := d.Get("repository").(string)
+	ctx := context.WithValue(context.Background(), ctxId, d.Id())
+
+	allowedActions := d.Get("allowed_actions").(string)
+	enabled := d.Get("enabled").(bool)
+	log.Printf("[DEBUG] The `enabled` value of `allowedActions` is %t.", enabled)
+
+	repoActionPermissions := github.ActionsPermissionsRepository{
+		Enabled: &enabled,
+	}
+
+	// Specify `allowed_actions` only if actions are enabled.
+	if enabled {
+		repoActionPermissions.AllowedActions = &allowedActions
+	}
+
+	if d.HasChange("sha_pinning_required") {
+		repoActionPermissions.SHAPinningRequired = github.Ptr(d.Get("sha_pinning_required").(bool))
+	}
+
+	_, _, err := client.Repositories.UpdateActionsPermissions(ctx,
+		owner,
+		repoName,
+		repoActionPermissions,
+	)
+	if err != nil {
+		return err
+	}
+
+	if allowedActions == "selected" {
+		actionsAllowedData := resourceGithubActionsRepositoryAllowedObject(d)
+		if actionsAllowedData != nil {
+			log.Printf("[DEBUG] Update `actionsAllowedData` configuration.")
+			_, _, err = client.Repositories.EditActionsAllowed(ctx,
+				owner,
+				repoName,
+				*actionsAllowedData)
+			if err != nil {
+				return err
+			}
+		} else {
+			log.Printf("[DEBUG] Skip updating `actionsAllowedData` because no configuration is set.")
+		}
+	}
+
+	d.SetId(repoName)
+	return resourceGithubActionsRepositoryPermissionsRead(d, meta)
+}
+
 func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta any) error {
 	client := meta.(*Owner).v3client
 
diff --git a/github/resource_github_actions_repository_permissions_test.go b/github/resource_github_actions_repository_permissions_test.go
@@ -6,6 +6,9 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 )
 
 func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
@@ -98,6 +101,76 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 		})
 	})
 
+	t.Run("test setting sha_pinning_required to true", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name        = "%[1]s"
+				description = "Set sha_pinning_required to true for github_repository, %[1]s."
+				topics		= ["terraform", "testing"]
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				allowed_actions      = "all"
+				repository           = github_repository.test.name
+				sha_pinning_required = true
+			}
+		`, repoName)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_repository_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(true)),
+					},
+				},
+			},
+		})
+	})
+
+	t.Run("test setting sha_pinning_required to false", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
+
+		configTmpl := `
+			resource "github_repository" "test" {
+				name        = "%[1]s"
+				description = "Set sha_pinning_required to false for github_repository, %[1]s."
+				topics		= ["terraform", "testing"]
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				allowed_actions      = "all"
+				repository           = github_repository.test.name
+				sha_pinning_required = %[2]t
+			}
+		`
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: fmt.Sprintf(configTmpl, repoName, true),
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_repository_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(true)),
+					},
+				},
+				{
+					Config: fmt.Sprintf(configTmpl, repoName, false),
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_repository_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(false)),
+					},
+				},
+			},
+		})
+	})
+
 	t.Run("test setting of repository allowed actions", func(t *testing.T) {
 		allowedActions := "selected"
 		githubOwnedAllowed := true
