fix: handle sha_pinning_required=false

sheeeng · sheeeng · commit fd7ac9183d57 · 2026-02-26T17:07:10.000+01:00
Replace `Computed: true` with `Default: false` on the `sha_pinning_required` schema field and send it unconditionally via `d.Get()` on every API call. The previous `d.GetOk()` approach returned `ok=false` for zero-value booleans, causing `sha_pinning_required=false` to be silently ignored. This ensures both true and false values are correctly applied, eliminating perpetual drift when disabling SHA pinning enforcement. Affects `github_actions_organization_permissions` and `github_actions_repository_permissions` resources. Update tests to use `ConfigStateChecks` with `statecheck` package instead of deprecated `Check` field, and consolidate duplicate config templates into single reusable template strings. Fix #3223.
diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go
@@ -79,7 +79,7 @@ func resourceGithubActionsOrganizationPermissions() *schema.Resource {
 			"sha_pinning_required": {
 				Type:        schema.TypeBool,
 				Optional:    true,
-				Computed:    true,
+				Default:     false,
 				Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization.",
 			},
 		},
@@ -158,9 +158,7 @@ func resourceGithubActionsOrganizationPermissionsCreateOrUpdate(d *schema.Resour
 		EnabledRepositories: &enabledRepositories,
 	}
 
-	if v, ok := d.GetOk("sha_pinning_required"); ok {
-		actionsPermissions.SHAPinningRequired = github.Ptr(v.(bool))
-	}
+	actionsPermissions.SHAPinningRequired = github.Ptr(d.Get("sha_pinning_required").(bool))
 
 	_, _, err = client.Actions.UpdateActionsPermissions(ctx,
 		orgName,
diff --git a/github/resource_github_actions_organization_permissions_test.go b/github/resource_github_actions_organization_permissions_test.go
@@ -6,6 +6,9 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 )
 
 func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
@@ -104,6 +107,62 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 		})
 	})
 
+	t.Run("test setting sha_pinning_required to true", func(t *testing.T) {
+		enabledRepositories := "all"
+
+		config := fmt.Sprintf(`
+			resource "github_actions_organization_permissions" "test" {
+				allowed_actions      = "all"
+				enabled_repositories = "%s"
+				sha_pinning_required = true
+			}
+		`, enabledRepositories)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_organization_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(true)),
+					},
+				},
+			},
+		})
+	})
+
+	t.Run("test setting sha_pinning_required to false", func(t *testing.T) {
+		enabledRepositories := "all"
+
+		configTmpl := `
+			resource "github_actions_organization_permissions" "test" {
+				allowed_actions      = "all"
+				enabled_repositories = "%s"
+				sha_pinning_required = %t
+			}
+		`
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: fmt.Sprintf(configTmpl, enabledRepositories, true),
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_organization_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(true)),
+					},
+				},
+				{
+					Config: fmt.Sprintf(configTmpl, enabledRepositories, false),
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_organization_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(false)),
+					},
+				},
+			},
+		})
+	})
+
 	t.Run("test setting of organization allowed actions", func(t *testing.T) {
 		allowedActions := "selected"
 		enabledRepositories := "all"
diff --git a/github/resource_github_actions_repository_permissions.go b/github/resource_github_actions_repository_permissions.go
@@ -68,7 +68,7 @@ func resourceGithubActionsRepositoryPermissions() *schema.Resource {
 			"sha_pinning_required": {
 				Type:        schema.TypeBool,
 				Optional:    true,
-				Computed:    true,
+				Default:     false,
 				Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in a repository.",
 			},
 		},
@@ -131,9 +131,7 @@ func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.Resource
 		repoActionPermissions.AllowedActions = &allowedActions
 	}
 
-	if v, ok := d.GetOk("sha_pinning_required"); ok {
-		repoActionPermissions.SHAPinningRequired = github.Ptr(v.(bool))
-	}
+	repoActionPermissions.SHAPinningRequired = github.Ptr(d.Get("sha_pinning_required").(bool))
 
 	_, _, err := client.Repositories.UpdateActionsPermissions(ctx,
 		owner,
diff --git a/github/resource_github_actions_repository_permissions_test.go b/github/resource_github_actions_repository_permissions_test.go
@@ -6,6 +6,9 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 )
 
 func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
@@ -98,6 +101,76 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 		})
 	})
 
+	t.Run("test setting sha_pinning_required to true", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name        = "%[1]s"
+				description = "Terraform acceptance tests %[1]s"
+				topics		= ["terraform", "testing"]
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				allowed_actions      = "all"
+				repository           = github_repository.test.name
+				sha_pinning_required = true
+			}
+		`, repoName)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_repository_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(true)),
+					},
+				},
+			},
+		})
+	})
+
+	t.Run("test setting sha_pinning_required to false", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
+
+		configTmpl := `
+			resource "github_repository" "test" {
+				name        = "%[1]s"
+				description = "Terraform acceptance tests %[1]s"
+				topics		= ["terraform", "testing"]
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				allowed_actions      = "all"
+				repository           = github_repository.test.name
+				sha_pinning_required = %[2]t
+			}
+		`
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: fmt.Sprintf(configTmpl, repoName, true),
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_repository_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(true)),
+					},
+				},
+				{
+					Config: fmt.Sprintf(configTmpl, repoName, false),
+					ConfigStateChecks: []statecheck.StateCheck{
+						statecheck.ExpectKnownValue("github_actions_repository_permissions.test", tfjsonpath.New("sha_pinning_required"), knownvalue.Bool(false)),
+					},
+				},
+			},
+		})
+	})
+
 	t.Run("test setting of repository allowed actions", func(t *testing.T) {
 		allowedActions := "selected"
 		githubOwnedAllowed := true
