feat: add fork-PR contributor approval resources and data sources #3446
Open
donicrosby wants to merge 1 commit into
👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with
Wrap the GitHub REST `actions/permissions/fork-pr-contributor-approval` endpoints (repo + org) in four new Terraform building blocks:

- resource `github_actions_repository_fork_pr_contributor_approval`
- resource `github_actions_organization_fork_pr_contributor_approval`
- data source `github_actions_repository_fork_pr_contributor_approval`
- data source `github_actions_organization_fork_pr_contributor_approval`

Each accepts `approval_policy` in the three GitHub-documented enum values (`first_time_contributors_new_to_github`, `first_time_contributors`, `all_external_contributors`).

The API has no "off" state for this policy. On Delete, the resource resets the policy to GitHub's documented default (`first_time_contributors`) to avoid leaving non-default residual state, matching the precedent set by `github_actions_organization_permissions` Delete (which resets to `all`).

go-github already exposes the matching service methods on `*ActionsService` (GetForkPRContributorApprovalPermissions / Update... and the Organization* variants), so this is purely a provider-side wrapper.

New resources are implemented with context-aware CRUD functions (`CreateContext` / `ReadContext` / `UpdateContext` / `DeleteContext` returning `diag.Diagnostics`) per the migration tracked in integrations#2996, rather than copying the legacy pattern from the nearby `access_level` and `organization_permissions` resources that are themselves on that migration's to-do list.

Acceptance test notes:

- Repo-level tests use `visibility = "public"` because configuring `fork-pr-contributor-approval` on private repos returns 422 when the org's `fork-pr-workflows-private-repos` setting has fork-PR workflows disabled. Public repos exercise the endpoint without that prerequisite.
- The repo-level test allows both `individual` and `organization` auth modes so it can be exercised against an org-scoped test token.

Doc generation was authored against `make generatedocs` templates and the rendered output is included; `make validatedocs` was not run locally because the dev environment lacks a `terraform` binary. CI will validate.
a8495f7 to 4cfdf42
Resolves #3445
Before the change?

The provider has no resource or data source for the GitHub fork PR contributor approval policy ("Fork pull request workflows from outside collaborators" in the Actions general settings UI). The setting can only be managed through the UI or out-of-band `gh api` calls, with no Terraform drift detection.

After the change?

Four new building blocks wrap the existing GitHub REST endpoints:

- resource `github_actions_repository_fork_pr_contributor_approval`: `PUT /repos/{owner}/{repo}/actions/permissions/fork-pr-contributor-approval`
- resource `github_actions_organization_fork_pr_contributor_approval`: `PUT /orgs/{org}/actions/permissions/fork-pr-contributor-approval`
- data source `github_actions_repository_fork_pr_contributor_approval`: `GET /repos/{owner}/{repo}/actions/permissions/fork-pr-contributor-approval`
- data source `github_actions_organization_fork_pr_contributor_approval`: `GET /orgs/{org}/actions/permissions/fork-pr-contributor-approval`

Each accepts the documented `approval_policy` enum: `first_time_contributors_new_to_github`, `first_time_contributors`, `all_external_contributors`.

Implementation notes

- `go-github` v86 already exposes the matching `*ActionsService` methods (`GetForkPRContributorApprovalPermissions` / `Update...` and the `Organization*` variants). The provider change is a thin wrapper — no SDK work was needed.
- `resource_github_actions_repository_access_level` (repo-level) and `resource_github_actions_organization_permissions` (org-level).
- `Delete`, the resource resets to the GitHub-documented default (`first_time_contributors`), mirroring the precedent in `github_actions_organization_permissions` (which resets to `all` on Delete).

Test results

Acceptance tests run against an `organization`-mode test token:

- `TestAccGithubActionsRepositoryForkPRContributorApproval` (3 enum cases)
- `TestAccGithubActionsRepositoryForkPRContributorApprovalDataSource`
- `TestAccGithubActionsOrganizationForkPRContributorApproval` (3 enum cases)
- `TestAccGithubActionsOrganizationForkPRContributorApprovalDataSource`

`make fmt`, `make lint`, `go build ./...`, `go vet ./github/` all clean. `make validatedocs` was not run locally because the dev environment lacks a `terraform` binary; rendered docs were authored to match the templates and CI will validate.

The repo-level tests use `visibility = "public"` because configuring `fork-pr-contributor-approval` on private repos returns 422 unless the org's `fork-pr-workflows-private-repos` setting has fork-PR workflows enabled. Public repos exercise the documented happy-path without that prerequisite. The behavior is noted in the rendered resource docs with a pointer to the related `fork-pr-workflows-private-repos` endpoint.

Pull request checklist

`docs/{resources,data-sources}/…` + `templates/…` + `examples/…`

Does this introduce a breaking change?
New resources and data sources; no changes to existing surface area.
AI Use Disclosure
Per the project's AI Use Policy: this PR was implemented with AI assistance. I personally read the SDK signatures, reviewed each file against the existing `access_level` and `organization_permissions` patterns, ran the acceptance test suite end-to-end against a sandbox org I control, and verified the rendered docs match the templates. The motivation came from a real internal need (a Terraform-managed baseline for "external contributor workflows require maintainer approval before they run" on public repos in our org).
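
An added example, not code from this PR or from the provider: a Go check for the drift the description refers to, ranking the three `approval_policy` values by strictness and flagging repositories whose policy is unknown or weaker than a chosen baseline. The `{"approval_policy": "..."}` response shape, the function and variable names, and the repository names are assumptions; the sample responses are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// policyRank orders the documented approval_policy values by strictness:
// a higher rank means more fork-PR authors need approval before workflows run.
var policyRank = map[string]int{
	"first_time_contributors_new_to_github": 1,
	"first_time_contributors":               2, // GitHub's documented default
	"all_external_contributors":             3,
}

// auditPolicies takes GET response bodies keyed by repository (assumed shape:
// {"approval_policy": "<value>"}) and reports weak or unknown policies.
func auditPolicies(bodies map[string]string, baseline string) ([]string, error) {
	want, ok := policyRank[baseline]
	if !ok {
		return nil, fmt.Errorf("baseline %q is not a documented approval_policy", baseline)
	}
	var findings []string
	for repo, body := range bodies {
		var resp struct{ ApprovalPolicy string `json:"approval_policy"` }
		_ = json.Unmarshal([]byte(body), &resp) // a malformed body leaves the field empty
		got, known := policyRank[resp.ApprovalPolicy]
		if !known {
			findings = append(findings, fmt.Sprintf("%s: unknown policy %q", repo, resp.ApprovalPolicy))
		} else if got < want {
			findings = append(findings, fmt.Sprintf("%s: %s is weaker than %s", repo, resp.ApprovalPolicy, baseline))
		}
	}
	sort.Strings(findings) // map iteration order is random; keep the report stable
	return findings, nil
}

func main() {
	// Constructed sample responses; the repository names are placeholders.
	findings, _ := auditPolicies(map[string]string{
		"example-org/api":  `{"approval_policy":"all_external_contributors"}`,
		"example-org/docs": `{"approval_policy":"first_time_contributors"}`,
		"example-org/old":  `{}`,
	}, "all_external_contributors")
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Because the API has no "off" state, an empty or unrecognized value is reported as a finding rather than treated as compliant.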