[BUG]: github_actions_organization_permissions shouldn't omit empty patterns_allowed for selected Actions policy #3458

@deltreey

Description

Expected Behavior

The provider should send this selected-actions payload:

{
  "github_owned_allowed": true,
  "verified_allowed": true,
  "patterns_allowed": []
}

An explicit empty patterns_allowed array is meaningful: it says no repository/action patterns are allowed beyond the other selected policy flags.

Actual Behavior

The provider sends a payload that omits patterns_allowed entirely:

{
  "github_owned_allowed": true,
  "verified_allowed": true
}

In our testing, this caused GitHub to preserve/ignore the existing selected-actions pattern state instead of applying the intended empty allowlist cleanly.

Terraform Version

Terraform v1.15.0
on darwin_arm64

GitHub Installation Type

  • GitHub.com (Free, Pro, or Team)
  • GitHub Enterprise Server (on-premises)
  • GitHub Enterprise Cloud with Personal Accounts (github.com)
  • GitHub Enterprise Cloud with Managed Users/EMU (github.com)
  • GitHub Enterprise Cloud with Data Residency (*.ghe.com)
  • I don't know

Affected Resource(s)

  • github_actions_organization_permissions

Terraform Configuration Files

resource "github_actions_organization_permissions" "test" {
  enabled_repositories = "all"
  allowed_actions      = "selected"
  sha_pinning_required = true

  allowed_actions_config {
    github_owned_allowed = true
    verified_allowed     = true
    patterns_allowed     = []
  }
}

Steps to Reproduce

$ terraform apply

Debug Output

I reproduced this with a focused unit test that captures the selected-actions request body.

Use a provider-local request type for the selected-actions update so `patterns_allowed` is always serialized when the Terraform config supplies it.

Sketch:

type actionsAllowedRequest struct {
    GithubOwnedAllowed *bool    `json:"github_owned_allowed,omitempty"`
    VerifiedAllowed    *bool    `json:"verified_allowed,omitempty"`
    PatternsAllowed    []string `json:"patterns_allowed"`
}

Then send the request directly:

func putSelectedActions(ctx context.Context, client *github.Client, orgName string, actionsAllowed *actionsAllowedRequest) error {
    u := fmt.Sprintf("orgs/%v/actions/permissions/selected-actions", orgName)
    // go-github's NewRequest takes (method, url, body); the context is passed to Do.
    req, err := client.NewRequest("PUT", u, actionsAllowed)
    if err != nil {
        return err
    }

    // Only the request side needs the local type; the response still decodes into the upstream one.
    respActionsAllowed := &github.ActionsAllowed{}
    _, err = client.Do(ctx, req, respActionsAllowed)
    return err
}

Before the fix, the test fails because `patterns_allowed` is omitted.

After the fix, the provider sends:

{
  "github_owned_allowed": true,
  "verified_allowed": true,
  "patterns_allowed": []
}

Code of Conduct

  • I agree to follow this project's Code of Conduct

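To make the serialization difference behind the sketch concrete, here is an added, self-contained Go example; it is not code from the provider, from go-github, or from the issue author. It marshals an empty allowlist through a struct whose patterns_allowed field carries omitempty (the tagging that produces the omission reported above, under the constructed name upstreamActionsAllowed) and through the provider-local actionsAllowedRequest type, PUTs each body to a constructed fake of the selected-actions endpoint, and inspects both the raw body and the policy the fake holds afterwards. The fake's merge rule (keys absent from the body leave the stored value untouched) is an assumption modelled on the behaviour reported in this issue, not GitHub's documented semantics; the org name octo-org, the stale pattern octo-org/* and the helper names are all made up for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// upstreamActionsAllowed (constructed name) carries omitempty on patterns_allowed,
// the tagging that makes an empty slice vanish from the request body.
type upstreamActionsAllowed struct {
	GithubOwnedAllowed *bool    `json:"github_owned_allowed,omitempty"`
	VerifiedAllowed    *bool    `json:"verified_allowed,omitempty"`
	PatternsAllowed    []string `json:"patterns_allowed,omitempty"`
}

// actionsAllowedRequest is the provider-local type from the sketch: without omitempty
// an empty slice is sent as [], while a nil slice would be sent as null.
type actionsAllowedRequest struct {
	GithubOwnedAllowed *bool    `json:"github_owned_allowed,omitempty"`
	VerifiedAllowed    *bool    `json:"verified_allowed,omitempty"`
	PatternsAllowed    []string `json:"patterns_allowed"`
}

// selectedActionsState is what the fake endpoint stores for the org.
type selectedActionsState struct {
	GithubOwnedAllowed bool     `json:"github_owned_allowed"`
	VerifiedAllowed    bool     `json:"verified_allowed"`
	PatternsAllowed    []string `json:"patterns_allowed"`
}

// fakeSelectedActionsAPI is a constructed stand-in for the real endpoint. It applies a
// PUT as a merge: keys absent from the body leave the stored value untouched. That rule
// is an assumption modelled on the behaviour reported in this issue, not documented
// API semantics.
type fakeSelectedActionsAPI struct {
	state    selectedActionsState
	lastBody string // raw JSON exactly as received
}

func newFakeAPI() *fakeSelectedActionsAPI {
	// Constructed starting state: the org previously allowed one pattern.
	return &fakeSelectedActionsAPI{state: selectedActionsState{PatternsAllowed: []string{"octo-org/*"}}}
}

func (f *fakeSelectedActionsAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	raw, err := io.ReadAll(r.Body)
	if err == nil {
		// Decoding into the existing struct only touches keys present in the body:
		// "patterns_allowed": [] clears the slice, a missing key leaves it alone.
		err = json.Unmarshal(raw, &f.state)
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	f.lastBody = string(raw)
	w.WriteHeader(http.StatusNoContent)
}

// putSelectedActions marshals payload and PUTs it to a test server backed by api. After
// it returns, api.lastBody holds the body the server received and api.state the policy
// that results from applying it.
func putSelectedActions(api *fakeSelectedActionsAPI, org string, payload any) error {
	srv := httptest.NewServer(api)
	defer srv.Close() // waits for the handler, so api is safe to read once we return
	body, err := json.Marshal(payload)
	if err != nil {
		return err
	}
	u := fmt.Sprintf("%s/orgs/%s/actions/permissions/selected-actions", srv.URL, org)
	req, err := http.NewRequest(http.MethodPut, u, bytes.NewReader(body))
	if err != nil {
		return err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusNoContent {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

func main() {
	t := true
	for _, payload := range []any{
		&upstreamActionsAllowed{GithubOwnedAllowed: &t, VerifiedAllowed: &t, PatternsAllowed: []string{}},
		&actionsAllowedRequest{GithubOwnedAllowed: &t, VerifiedAllowed: &t, PatternsAllowed: []string{}},
	} {
		api := newFakeAPI()
		err := putSelectedActions(api, "octo-org", payload)
		fmt.Printf("%T: sent %s, stored patterns %q (err=%v)\n", payload, api.lastBody, api.state.PatternsAllowed, err)
	}
}
```

With the omitempty type the body has no patterns_allowed key and the fake keeps octo-org/*; with the provider-local type the body carries "patterns_allowed":[] and the stored allowlist is cleared. One caveat the provider-local type introduces: a nil slice is serialized as null rather than [], so the provider must materialise []string{} when the configuration supplies an empty patterns_allowed list.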
Assignees

No one assigned

Labels

  • Status: Blocked (Some technical or requirement is blocking the issue)
  • Type: Bug (Something isn't working as documented)
  • Upstream