From 425085ce162089f89fa275c891ff196104578a5d Mon Sep 17 00:00:00 2001
From: Timo Sand
Date: Thu, 1 Jan 2026 23:21:41 +0200
Subject: [PATCH 1/3] Separate Unit tests to own Test func
Signed-off-by: Timo Sand
---
 github/resource_github_actions_organization_secret_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/github/resource_github_actions_organization_secret_test.go b/github/resource_github_actions_organization_secret_test.go
index 70ccaa5511..6ef0609e37 100644
--- a/github/resource_github_actions_organization_secret_test.go
+++ b/github/resource_github_actions_organization_secret_test.go
@@ -143,8 +143,9 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 },
 })
 })
+}
- // Unit tests for drift detection behavior
+func TestGithubActionsOrganizationSecret_DestroyOnDrift(t *testing.T) {
 t.Run("destroyOnDrift false clears sensitive values instead of recreating", func(t *testing.T) {
 originalTimestamp := "2023-01-01T00:00:00Z"
 newTimestamp := "2023-01-02T00:00:00Z"
From 6b67f5d5bfad7b15c1a56391451ff3d5ed42272e Mon Sep 17 00:00:00 2001
From: Timo Sand
Date: Thu, 1 Jan 2026 23:24:23 +0200
Subject: [PATCH 2/3] Add test to ensure that `destroy_on_drift` and `ignore_changes` together prevents replacement of externally modified secret
Signed-off-by: Timo Sand
---
 ...github_actions_organization_secret_test.go | 105 ++++++++++++++++--
 1 file changed, 98 insertions(+), 7 deletions(-)
diff --git a/github/resource_github_actions_organization_secret_test.go b/github/resource_github_actions_organization_secret_test.go
index 6ef0609e37..8fed83bc67 100644
--- a/github/resource_github_actions_organization_secret_test.go
+++ b/github/resource_github_actions_organization_secret_test.go
@@ -6,8 +6,11 @@ import (
 "strings"
 "testing"
+ "github.com/google/go-github/v67/github"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 func TestAccGithubActionsOrganizationSecret(t *testing.T) {
@@ -17,16 +20,16 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 config := fmt.Sprintf(`
 resource "github_actions_organization_secret" "plaintext_secret" {
- secret_name = "test_plaintext_secret"
- plaintext_value = "%s"
- visibility = "private"
+ secret_name = "test_plaintext_secret"
+ plaintext_value = "%s"
+ visibility = "private"
 }
 resource "github_actions_organization_secret" "encrypted_secret" {
- secret_name = "test_encrypted_secret"
- encrypted_value = "%s"
- visibility = "private"
- destroy_on_drift = false
+ secret_name = "test_encrypted_secret"
+ encrypted_value = "%s"
+ visibility = "private"
+ destroy_on_drift = false
 }
 `, secretValue, secretValue)
@@ -145,6 +148,76 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 })
 }
+func TestAccGithubActionsOrganizationSecret_DestroyOnDrift(t *testing.T) {
+ t.Run("destroyOnDrift false", func(t *testing.T) {
+ destroyOnDrift := false
+ t.Run("should ignore drift when ignore_changes lifecycle is configured", func(t *testing.T) {
+ // Verify https://github.com/integrations/terraform-provider-github/issues/2614
+ randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+ config := fmt.Sprintf(`
+ resource "github_actions_organization_secret" "test_secret" {
+ secret_name = "test_secret_%s"
+ plaintext_value = "test_value"
+ visibility = "private"
+
+ destroy_on_drift = %t
+ lifecycle {
+ ignore_changes = [plaintext_value]
+ }
+ }
+ `, randomID, destroyOnDrift)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { skipUnlessHasOrgs(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: config,
+ },
+ {
+ Config: config,
+ Check: resource.ComposeTestCheckFunc(
+ func(s *terraform.State) error {
+ rs, ok := s.RootModule().Resources["github_actions_organization_secret.test_secret"]
+ if !ok {
+ t.Errorf("not found: github_actions_organization_secret.test_secret")
+ }
+ // Now that the secret is created, update it to trigger a drift.
+ client := testAccProvider.Meta().(*Owner).v3client
+ owner := testAccProvider.Meta().(*Owner).name
+ ctx := t.Context()
+
+ keyId, publicKey, err := getOrganizationPublicKeyDetails(owner, testAccProvider.Meta().(*Owner))
+ if err != nil {
+ t.Errorf("Failed to get organization public key details: %v", err)
+ }
+
+ encryptedSecret, err := createEncryptedSecret(rs.Primary, "foo", keyId, publicKey)
+ if err != nil {
+ t.Errorf("Failed to create encrypted secret: %v", err)
+ }
+ _, err = client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedSecret)
+ if err != nil {
+ t.Errorf("Failed to create or update organization secret: %v", err)
+ }
+ return err
+ },
+ ),
+ },
+ {
+ Config: config,
+ PlanOnly: true,
+ ExpectNonEmptyPlan: false,
+ },
+ },
+ })
+ })
+ })
+ // t.Run("destroyOnDrift true", func(t *testing.T) {
+ // destroyOnDrift := true
+ // })
+}
+
 func TestGithubActionsOrganizationSecret_DestroyOnDrift(t *testing.T) {
 t.Run("destroyOnDrift false clears sensitive values instead of recreating", func(t *testing.T) {
 originalTimestamp := "2023-01-01T00:00:00Z"
@@ -249,3 +322,21 @@ func TestGithubActionsOrganizationSecret_DestroyOnDrift(t *testing.T) {
 }
 })
 }
+
+func createEncryptedSecret(is *terraform.InstanceState, plaintextValue, keyId, publicKey string) (*github.EncryptedSecret, error) {
+ secretName := is.Attributes["secret_name"]
+ visibility := is.Attributes["visibility"]
+
+ encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey)
+ if err != nil {
+ return nil, err
+ }
+ encryptedValue := base64.StdEncoding.EncodeToString(encryptedBytes)
+
+ return &github.EncryptedSecret{
+ Name: secretName,
+ KeyID: keyId,
+ Visibility: visibility,
+ EncryptedValue: encryptedValue,
+ }, nil
+}
From e1d4353c3b120ef6f73640d0fc788da3a864d375 Mon Sep 17 00:00:00 2001
From: Timo Sand
Date: Wed, 7 Jan 2026 22:30:05 +0200
Subject: [PATCH 3/3] Upgrade to `go-github` v81
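Review bot: The check function in the second TestStep keeps running after every failure: when `ok` is false it still dereferences `rs.Primary` on a nil `rs`, a failed `getOrganizationPublicKeyDetails` still feeds empty key material into `createEncryptedSecret`, and a nil `encryptedSecret` is then handed to `CreateOrUpdateOrgSecret`, with only the last `err` actually returned. Since this is a `resource.TestCheckFunc`, return a wrapped error at each step so the step fails at the first problem with a clear message, as in the rewrite below. `ctx := t.Context()` requires Go 1.24 or newer, so confirm the module's `go` directive allows it, and `keyId` should be `keyID` (here and in the `createEncryptedSecret` signature in the next hunk). The commented-out `destroyOnDrift true` sub-test is dead code; either implement it or replace it with `// TODO: cover destroy_on_drift = true` stating why it is deferred. The trailing context lines belong to `TestGithubActionsOrganizationSecret_DestroyOnDrift`, whose body continues outside the hunk.
```go
func(s *terraform.State) error {
	rs, ok := s.RootModule().Resources["github_actions_organization_secret.test_secret"]
	if !ok {
		return fmt.Errorf("not found: github_actions_organization_secret.test_secret")
	}
	// … unchanged: client / owner / ctx setup …
	keyID, publicKey, err := getOrganizationPublicKeyDetails(owner, testAccProvider.Meta().(*Owner))
	if err != nil {
		return fmt.Errorf("getting organization public key details: %w", err)
	}
	encryptedSecret, err := createEncryptedSecret(rs.Primary, "foo", keyID, publicKey)
	if err != nil {
		return fmt.Errorf("building encrypted secret: %w", err)
	}
	// Out-of-band update so the following PlanOnly step observes drift.
	if _, err := client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedSecret); err != nil {
		return fmt.Errorf("updating organization secret out of band: %w", err)
	}
	return nil
},
```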
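Review bot: `createEncryptedSecret` indexes `is.Attributes` without a nil check, so a caller that passes a nil `*terraform.InstanceState` (for example after a failed resource lookup in the check function above) panics instead of producing a test failure; add `if is == nil { return nil, fmt.Errorf("nil instance state") }` at the top. The helper also lacks a doc comment; suggest `// createEncryptedSecret encrypts plaintextValue with the organization public key and builds the EncryptedSecret payload, taking secret_name and visibility from is.` Rename the `keyId` parameter to `keyID` to match Go initialism style and the `KeyID` field it populates. The body relies on `base64` and `encryptPlaintext` that this series does not add, so presumably both are already in scope above the import hunk; confirm before merging.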
Signed-off-by: Timo Sand
---
 github/resource_github_actions_organization_secret_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/github/resource_github_actions_organization_secret_test.go b/github/resource_github_actions_organization_secret_test.go
index 8fed83bc67..9af4548cb1 100644
--- a/github/resource_github_actions_organization_secret_test.go
+++ b/github/resource_github_actions_organization_secret_test.go
@@ -6,7 +6,7 @@ import (
 "strings"
 "testing"
- "github.com/google/go-github/v67/github"
+ "github.com/google/go-github/v81/github"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
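Review bot: This patch changes only the import path in the test file (diffstat: 1 file changed), so the package builds only if `go.mod` already requires `github.com/google/go-github/v81` and the provider's non-test code uses the same major version, neither of which is visible here. If the module still pins v67, the test package will fail to compile or, worse, mix two incompatible `github.EncryptedSecret` types; confirm `go.mod`/`go.sum` and the provider imports are on v81 in the same series. A one-line note in the commit message naming the `go.mod` change it depends on would make the ordering explicit.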