fix: do not update/create rulesets on archived repository (#2460)

* fix: do not update/create rulesets on archived repository

At the moment, provider would attempt to update `github_repository_ruleset` on archived repository resulting in 403 from GitHub API.
Provider should not attempt updating this attribute when repository is archived (read-only).

* Align with upstream

* Fix linter

* Cleanup

* Actually skip ruleset create/update attempt

* Add tests for resource_github_repository_ruleset

* fmt

fmt

Author: scadu

github/resource_github_repository_ruleset.go

@@ -604,8 +604,16 @@ func resourceGithubRepositoryRulesetCreate(d *schema.ResourceData, meta any) err
 	repoName := d.Get("repository").(string)
 	ctx := context.Background()
 
+	// Check if repository is archived - cannot create rulesets on archived repos (attempts PUT on read-only resource)
+	repo, _, err := client.Repositories.Get(ctx, owner, repoName)
+	if err != nil {
+		return err
+	}
+	if repo.GetArchived() {
+		return fmt.Errorf("cannot create ruleset on archived repository %s/%s", owner, repoName)
+	}
+
 	var ruleset *github.Ruleset
-	var err error
 
 	ruleset, _, err = client.Repositories.CreateRuleset(ctx, owner, repoName, rulesetReq)
 	if err != nil {
@@ -687,6 +695,16 @@ func resourceGithubRepositoryRulesetUpdate(d *schema.ResourceData, meta any) err
 
 	ctx := context.WithValue(context.Background(), ctxId, rulesetID)
 
+	// Check if repository is archived - skip update if it is
+	repo, _, err := client.Repositories.Get(ctx, owner, repoName)
+	if err != nil {
+		return err
+	}
+	if repo.GetArchived() {
+		log.Printf("[INFO] Repository %s/%s is archived, skipping ruleset update", owner, repoName)
+		return nil
+	}
+
 	var ruleset *github.Ruleset
 	// Use UpdateRulesetNoBypassActor here instead of UpdateRuleset *if* bypass_actors has changed.
 	// UpdateRuleset uses `omitempty` on BypassActors, causing empty arrays to be omitted from the JSON.
@@ -718,7 +736,7 @@ func resourceGithubRepositoryRulesetDelete(d *schema.ResourceData, meta any) err
 
 	log.Printf("[DEBUG] Deleting repository ruleset: %s/%s: %d", owner, repoName, rulesetID)
 	_, err = client.Repositories.DeleteRuleset(ctx, owner, repoName, rulesetID)
-	return err
+	return handleArchivedRepoDelete(err, "repository ruleset", fmt.Sprintf("%d", rulesetID), owner, repoName)
 }
 
 func resourceGithubRepositoryRulesetImport(d *schema.ResourceData, meta any) ([]*schema.ResourceData, error) {

github/resource_github_repository_ruleset_test.go

@@ -3,6 +3,7 @@ package github
 import (
 	"fmt"
 	"log"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -1085,6 +1086,62 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 	})
 }
 
+func TestGithubRepositoryRulesetArchived(t *testing.T) {
+	randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+
+	t.Run("skips update and delete on archived repository", func(t *testing.T) {
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name      = "tf-acc-test-archive-%s"
+				auto_init = true
+				archived  = false
+			}
+			resource "github_repository_ruleset" "test" {
+				name        = "test"
+				repository  = github_repository.test.name
+				target      = "branch"
+				enforcement = "active"
+				rules { creation = true }
+			}
+		`, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:  func() { skipUnlessMode(t, individual) },
+			Providers: testAccProviders,
+			Steps: []resource.TestStep{
+				{Config: config},
+				{Config: strings.Replace(config, "archived  = false", "archived  = true", 1)},
+				{Config: strings.Replace(strings.Replace(config, "archived  = false", "archived  = true", 1), `enforcement = "active"`, `enforcement = "disabled"`, 1)},
+			},
+		})
+	})
+
+	t.Run("prevents creating ruleset on archived repository", func(t *testing.T) {
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name      = "tf-acc-test-archive-create-%s"
+				auto_init = true
+				archived  = true
+			}
+			resource "github_repository_ruleset" "test" {
+				name       = "test"
+				repository = github_repository.test.name
+				target     = "branch"
+				enforcement = "active"
+				rules { creation = true }
+			}
+		`, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:  func() { skipUnlessMode(t, individual) },
+			Providers: testAccProviders,
+			Steps: []resource.TestStep{
+				{Config: config, ExpectError: regexp.MustCompile("cannot create ruleset on archived repository")},
+			},
+		})
+	})
+}
+
 func importRepositoryRulesetByResourcePaths(repoLogicalName, rulesetLogicalName string) resource.ImportStateIdFunc {
 	// test importing using an ID of the form <repo-node-id>:<ruleset-id>
 	return func(s *terraform.State) (string, error) {