Add resource for Organization Actions Workflow Permissions

deiga · deiga · commit c4572b64b268 · 2026-01-07T19:56:12.000+02:00
Signed-off-by: Timo Sand &lt;timo.sand@f-secure.com&gt;
diff --git a/github/provider.go b/github/provider.go
@@ -210,6 +210,7 @@ func Provider() *schema.Provider {
 			"github_enterprise_organization":                                        resourceGithubEnterpriseOrganization(),
 			"github_enterprise_actions_runner_group":                                resourceGithubActionsEnterpriseRunnerGroup(),
 			"github_enterprise_actions_workflow_permissions":                        resourceGithubEnterpriseActionsWorkflowPermissions(),
+			"github_actions_organization_workflow_permissions":                      resourceGithubActionsOrganizationWorkflowPermissions(),
 			"github_enterprise_security_analysis_settings":                          resourceGithubEnterpriseSecurityAnalysisSettings(),
 			"github_workflow_repository_permissions":                                resourceGithubWorkflowRepositoryPermissions(),
 		},
diff --git a/github/resource_github_actions_organization_workflow_permissions.go b/github/resource_github_actions_organization_workflow_permissions.go
@@ -0,0 +1,146 @@
+package github
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+
+	"github.com/google/go-github/v67/github"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+type GithubActionsOrganizationWorkflowPermissionsErrorResponse struct {
+	Message          string `json:"message"`
+	Errors           string `json:"errors"`
+	DocumentationURL string `json:"documentation_url"`
+	Status           string `json:"status"`
+}
+
+func resourceGithubActionsOrganizationWorkflowPermissions() *schema.Resource {
+	return &schema.Resource{
+		Description:   "GitHub Actions Organization Workflow Permissions management.",
+		CreateContext: resourceGithubActionsOrganizationWorkflowPermissionsCreateOrUpdate,
+		ReadContext:   resourceGithubActionsOrganizationWorkflowPermissionsRead,
+		UpdateContext: resourceGithubActionsOrganizationWorkflowPermissionsCreateOrUpdate,
+		DeleteContext: resourceGithubActionsOrganizationWorkflowPermissionsDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"organization_slug": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The slug of the Organization.",
+			},
+			"default_workflow_permissions": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Default:      "read",
+				Description:  "The default workflow permissions granted to the GITHUB_TOKEN when running workflows in any repository in the organization. Can be 'read' or 'write'.",
+				ValidateFunc: validation.StringInSlice([]string{"read", "write"}, false),
+			},
+			"can_approve_pull_request_reviews": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Whether GitHub Actions can approve pull request reviews in any repository in the organization.",
+			},
+		},
+	}
+}
+
+func handleEditWorkflowPermissionsError(err error, resp *github.Response) diag.Diagnostics {
+	var ghErr *github.ErrorResponse
+	if errors.As(err, &ghErr) {
+		if ghErr.Response.StatusCode == http.StatusConflict {
+			errorResponse := &GithubActionsOrganizationWorkflowPermissionsErrorResponse{}
+			data, readError := io.ReadAll(resp.Body)
+			if readError == nil && data != nil {
+				unmarshalError := json.Unmarshal(data, errorResponse)
+				if unmarshalError != nil {
+					return diag.FromErr(unmarshalError)
+				}
+			}
+			return diag.FromErr(fmt.Errorf("you are trying to modify a value restricted by the Enterprise's settings.\n Message: %s\n Errors: %s\n Documentation URL: %s\n Status: %s\nerr: %w", errorResponse.Message, errorResponse.Errors, errorResponse.DocumentationURL, errorResponse.Status, err))
+		}
+	}
+	return diag.FromErr(err)
+}
+
+func resourceGithubActionsOrganizationWorkflowPermissionsCreateOrUpdate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	client := meta.(*Owner).v3client
+
+	organizationSlug := d.Get("organization_slug").(string)
+	d.SetId(organizationSlug)
+
+	workflowPerms := github.DefaultWorkflowPermissionOrganization{}
+
+	if v, ok := d.GetOk("default_workflow_permissions"); ok {
+		workflowPerms.DefaultWorkflowPermissions = github.String(v.(string))
+	}
+
+	if v, ok := d.GetOk("can_approve_pull_request_reviews"); ok {
+		workflowPerms.CanApprovePullRequestReviews = github.Bool(v.(bool))
+	}
+
+	log.Printf("[DEBUG] Updating workflow permissions for Organization: %s", organizationSlug)
+	_, resp, err := client.Actions.EditDefaultWorkflowPermissionsInOrganization(ctx, organizationSlug, workflowPerms)
+	if err != nil {
+		return handleEditWorkflowPermissionsError(err, resp)
+	}
+
+	// Calling read is necessary as the Update API returns 204 with Empty Body on success
+	return resourceGithubActionsOrganizationWorkflowPermissionsRead(ctx, d, meta)
+}
+
+func resourceGithubActionsOrganizationWorkflowPermissionsRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	client := meta.(*Owner).v3client
+
+	organizationSlug := d.Id()
+	log.Printf("[DEBUG] Reading workflow permissions for Organization: %s", organizationSlug)
+
+	workflowPerms, _, err := client.Actions.GetDefaultWorkflowPermissionsInOrganization(ctx, organizationSlug)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	if err := d.Set("organization_slug", organizationSlug); err != nil {
+		return diag.FromErr(err)
+	}
+	if err := d.Set("default_workflow_permissions", workflowPerms.DefaultWorkflowPermissions); err != nil {
+		return diag.FromErr(err)
+	}
+	if err := d.Set("can_approve_pull_request_reviews", workflowPerms.CanApprovePullRequestReviews); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
+
+func resourceGithubActionsOrganizationWorkflowPermissionsDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	client := meta.(*Owner).v3client
+
+	organizationSlug := d.Id()
+	log.Printf("[DEBUG] Resetting workflow permissions to defaults for Organization: %s", organizationSlug)
+
+	// Reset to safe defaults
+	workflowPerms := github.DefaultWorkflowPermissionOrganization{
+		DefaultWorkflowPermissions:   github.String("read"),
+		CanApprovePullRequestReviews: github.Bool(false),
+	}
+
+	_, resp, err := client.Actions.EditDefaultWorkflowPermissionsInOrganization(ctx, organizationSlug, workflowPerms)
+	if err != nil {
+		return handleEditWorkflowPermissionsError(err, resp)
+	}
+
+	return nil
+}
diff --git a/github/resource_github_actions_organization_workflow_permissions_test.go b/github/resource_github_actions_organization_workflow_permissions_test.go
@@ -0,0 +1,137 @@
+package github
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccGithubActionsOrganizationWorkflowPermissions(t *testing.T) {
+	t.Run("creates organization workflow permissions without error", func(t *testing.T) {
+		config := fmt.Sprintf(`
+		resource "github_actions_organization_workflow_permissions" "test" {
+			organization_slug = "%s"
+
+			default_workflow_permissions = "read"
+			can_approve_pull_request_reviews = false
+		}
+		`, testOrganization)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "organization_slug", testOrganization),
+			resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "default_workflow_permissions", "read"),
+			resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "can_approve_pull_request_reviews", "false"),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+				},
+			})
+		}
+
+		t.Run("with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+	})
+
+	t.Run("updates organization workflow permissions without error", func(t *testing.T) {
+		configs := map[string]string{
+			"before": fmt.Sprintf(`
+			resource "github_actions_organization_workflow_permissions" "test" {
+				organization_slug = "%s"
+
+				default_workflow_permissions = "read"
+				can_approve_pull_request_reviews = false
+			}
+			`, testOrganization),
+
+			"after": fmt.Sprintf(`
+			resource "github_actions_organization_workflow_permissions" "test" {
+				organization_slug = "%s"
+
+				default_workflow_permissions = "write" // This change might be restricted by the Enterprise's settings
+				can_approve_pull_request_reviews = true
+			}
+			`, testOrganization),
+		}
+
+		checks := map[string]resource.TestCheckFunc{
+			"before": resource.ComposeTestCheckFunc(
+				resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "default_workflow_permissions", "read"),
+				resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "can_approve_pull_request_reviews", "false"),
+			),
+			"after": resource.ComposeTestCheckFunc(
+				resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "default_workflow_permissions", "write"),
+				resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "can_approve_pull_request_reviews", "true"),
+			),
+		}
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: configs["before"],
+						Check:  checks["before"],
+					},
+					{
+						Config: configs["after"],
+						Check:  checks["after"],
+					},
+				},
+			})
+		}
+
+		t.Run("with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+	})
+
+	t.Run("imports enterprise workflow permissions without error", func(t *testing.T) {
+		config := fmt.Sprintf(`
+		resource "github_actions_organization_workflow_permissions" "test" {
+			organization_slug = "%s"
+
+			default_workflow_permissions = "read"
+			can_approve_pull_request_reviews = false
+		}
+		`, testOrganization)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "organization_slug", testOrganization),
+			resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "default_workflow_permissions", "read"),
+			resource.TestCheckResourceAttr("github_actions_organization_workflow_permissions.test", "can_approve_pull_request_reviews", "false"),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+					{
+						ResourceName:      "github_actions_organization_workflow_permissions.test",
+						ImportState:       true,
+						ImportStateVerify: true,
+					},
+				},
+			})
+		}
+
+		t.Run("with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+	})
+}
