feat: add fork-PR contributor approval resources and data sources

docs/data-sources/actions_organization_fork_pr_contributor_approval.md

@@ -0,0 +1,23 @@
+---
+page_title: "github_actions_organization_fork_pr_contributor_approval (Data Source) - GitHub"
+description: |-
+  Read the organization-wide fork PR contributor approval policy
+---
+
+# github_actions_organization_fork_pr_contributor_approval (Data Source)
+
+Use this data source to retrieve the current organization-wide fork pull request contributor approval policy.
+
+## Example Usage
+
+```terraform
+data "github_actions_organization_fork_pr_contributor_approval" "example" {}
+```
+
+## Argument Reference
+
+This data source takes no arguments. The organization is determined by the provider configuration.
+
+## Attributes Reference
+
+- `approval_policy` - The organization-wide fork PR contributor approval policy currently configured. One of `first_time_contributors_new_to_github`, `first_time_contributors`, or `all_external_contributors`.

docs/data-sources/actions_repository_fork_pr_contributor_approval.md

@@ -0,0 +1,25 @@
+---
+page_title: "github_actions_repository_fork_pr_contributor_approval (Data Source) - GitHub"
+description: |-
+  Read the fork PR contributor approval policy for a GitHub repository
+---
+
+# github_actions_repository_fork_pr_contributor_approval (Data Source)
+
+Use this data source to retrieve the current fork pull request contributor approval policy configured on a GitHub repository.
+
+## Example Usage
+
+```terraform
+data "github_actions_repository_fork_pr_contributor_approval" "example" {
+  repository = "my-repository"
+}
+```
+
+## Argument Reference
+
+- `repository` - (Required) The GitHub repository.
+
+## Attributes Reference
+
+- `approval_policy` - The fork PR contributor approval policy currently configured on the repository. One of `first_time_contributors_new_to_github`, `first_time_contributors`, or `all_external_contributors`.

docs/resources/actions_organization_fork_pr_contributor_approval.md

@@ -0,0 +1,35 @@
+---
+page_title: "github_actions_organization_fork_pr_contributor_approval (Resource) - GitHub"
+description: |-
+  Manages the organization-wide fork PR contributor approval policy
+---
+
+# github_actions_organization_fork_pr_contributor_approval (Resource)
+
+This resource allows you to set the organization-wide fork pull request contributor approval policy. This controls which fork PR contributors need maintainer approval before their workflows can run on any public repository in the organization. You must be an organization owner to use this resource.
+
+Repositories may override this policy at the repository level (see [`github_actions_repository_fork_pr_contributor_approval`](actions_repository_fork_pr_contributor_approval.md)). Setting the policy at the organization level only establishes the default for repositories that do not have a repository-level override.
+
+The GitHub API for this setting does not expose an "off" state — the policy is always set to one of the three strictness values. If you remove this resource, the policy is reset to GitHub's documented default (`first_time_contributors`).
+
+## Example Usage
+
+```terraform
+resource "github_actions_organization_fork_pr_contributor_approval" "test" {
+  approval_policy = "all_external_contributors"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `approval_policy` - (Required) The organization-wide policy controlling which fork PR contributors need maintainer approval. Possible values are `first_time_contributors_new_to_github`, `first_time_contributors`, or `all_external_contributors`.
+
+## Import
+
+This resource can be imported using the name of the organization:
+
+```shell
+terraform import github_actions_organization_fork_pr_contributor_approval.test my-organization
+```

docs/resources/actions_repository_fork_pr_contributor_approval.md

@@ -0,0 +1,42 @@
+---
+page_title: "github_actions_repository_fork_pr_contributor_approval (Resource) - GitHub"
+description: |-
+  Manages the fork PR contributor approval policy for a GitHub repository
+---
+
+# github_actions_repository_fork_pr_contributor_approval (Resource)
+
+This resource allows you to set the fork pull request contributor approval policy on a GitHub repository. This controls which fork PR contributors need maintainer approval before their workflows can run on the repository. You must have admin access to a repository to use this resource.
+
+This setting governs fork PRs from outside contributors. On private repositories, the [`fork-pr-workflows-private-repos`](https://docs.github.com/en/rest/actions/permissions?apiVersion=2022-11-28#set-private-repo-fork-pr-workflow-settings-for-a-repository) org/repo settings control whether fork PR workflows run at all; if fork PR workflows are disabled at that level, configuring `approval_policy` via this resource may return `422 Unprocessable Entity`.
+
+The GitHub API for this setting does not expose an "off" state — the policy is always one of the three strictness values. On Delete, this resource resets the policy to GitHub's documented default (`first_time_contributors`).
+
+## Example Usage
+
+```terraform
+resource "github_repository" "example" {
+  name       = "my-repository"
+  visibility = "public"
+}
+
+resource "github_actions_repository_fork_pr_contributor_approval" "test" {
+  approval_policy = "all_external_contributors"
+  repository      = github_repository.example.name
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `repository` - (Required) The GitHub repository.
+- `approval_policy` - (Required) The policy controlling which fork PR contributors need maintainer approval. Possible values are `first_time_contributors_new_to_github`, `first_time_contributors`, or `all_external_contributors`.
+
+## Import
+
+This resource can be imported using the name of the GitHub repository:
+
+```shell
+terraform import github_actions_repository_fork_pr_contributor_approval.test my-repository
+```

examples/data-sources/actions_organization_fork_pr_contributor_approval/example_1.tf

@@ -0,0 +1 @@
+data "github_actions_organization_fork_pr_contributor_approval" "example" {}

examples/data-sources/actions_repository_fork_pr_contributor_approval/example_1.tf

@@ -0,0 +1,3 @@
+data "github_actions_repository_fork_pr_contributor_approval" "example" {
+  repository = "my-repository"
+}

examples/resources/actions_organization_fork_pr_contributor_approval/example_1.tf

@@ -0,0 +1,3 @@
+resource "github_actions_organization_fork_pr_contributor_approval" "test" {
+  approval_policy = "all_external_contributors"
+}

examples/resources/actions_repository_fork_pr_contributor_approval/example_1.tf

@@ -0,0 +1,9 @@
+resource "github_repository" "example" {
+  name       = "my-repository"
+  visibility = "public"
+}
+
+resource "github_actions_repository_fork_pr_contributor_approval" "test" {
+  approval_policy = "all_external_contributors"
+  repository      = github_repository.example.name
+}

github/data_source_github_actions_organization_fork_pr_contributor_approval.go

@@ -0,0 +1,43 @@
+package github
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceGithubActionsOrganizationForkPRContributorApproval() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataSourceGithubActionsOrganizationForkPRContributorApprovalRead,
+
+		Schema: map[string]*schema.Schema{
+			"approval_policy": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The organization-wide fork PR contributor approval policy currently configured. One of 'first_time_contributors_new_to_github', 'first_time_contributors', or 'all_external_contributors'.",
+			},
+		},
+	}
+}
+
+func dataSourceGithubActionsOrganizationForkPRContributorApprovalRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	if err := checkOrganization(meta); err != nil {
+		return diag.FromErr(err)
+	}
+
+	client := meta.(*Owner).v3client
+	orgName := meta.(*Owner).name
+
+	policy, _, err := client.Actions.GetOrganizationForkPRContributorApprovalPermissions(ctx, orgName)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(orgName)
+	if err := d.Set("approval_policy", policy.ApprovalPolicy); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}

github/data_source_github_actions_organization_fork_pr_contributor_approval_test.go

@@ -0,0 +1,44 @@
+package github
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccGithubActionsOrganizationForkPRContributorApprovalDataSource(t *testing.T) {
+	t.Run("read the organization fork PR contributor approval policy", func(t *testing.T) {
+		approvalPolicy := "all_external_contributors"
+
+		config := `
+			resource "github_actions_organization_fork_pr_contributor_approval" "test" {
+				approval_policy = "all_external_contributors"
+			}
+		`
+
+		config2 := config + `
+			data "github_actions_organization_fork_pr_contributor_approval" "test" {}
+		`
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"data.github_actions_organization_fork_pr_contributor_approval.test", "approval_policy", approvalPolicy,
+			),
+		)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessHasOrgs(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check:  resource.ComposeTestCheckFunc(),
+				},
+				{
+					Config: config2,
+					Check:  check,
+				},
+			},
+		})
+	})
+}

github/data_source_github_actions_repository_fork_pr_contributor_approval.go

@@ -0,0 +1,45 @@
+package github
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceGithubActionsRepositoryForkPRContributorApproval() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataSourceGithubActionsRepositoryForkPRContributorApprovalRead,
+
+		Schema: map[string]*schema.Schema{
+			"repository": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The GitHub repository.",
+			},
+			"approval_policy": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The fork PR contributor approval policy currently configured on the repository. One of 'first_time_contributors_new_to_github', 'first_time_contributors', or 'all_external_contributors'.",
+			},
+		},
+	}
+}
+
+func dataSourceGithubActionsRepositoryForkPRContributorApprovalRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	client := meta.(*Owner).v3client
+	owner := meta.(*Owner).name
+	repository := d.Get("repository").(string)
+
+	policy, _, err := client.Actions.GetForkPRContributorApprovalPermissions(ctx, owner, repository)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(repository)
+	if err := d.Set("approval_policy", policy.ApprovalPolicy); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}

github/data_source_github_actions_repository_fork_pr_contributor_approval_test.go

@@ -0,0 +1,61 @@
+package github
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccGithubActionsRepositoryForkPRContributorApprovalDataSource(t *testing.T) {
+	t.Run("read the repository fork PR contributor approval policy", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		repoName := fmt.Sprintf("%srepo-fork-pr-approval-ds-%s", testResourcePrefix, randomID)
+		approvalPolicy := "all_external_contributors"
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name        = "%[1]s"
+				description = "Terraform acceptance tests %[1]s"
+				topics		= ["terraform", "testing"]
+				visibility  = "public"
+			}
+
+			resource "github_actions_repository_fork_pr_contributor_approval" "test" {
+				approval_policy = "%[2]s"
+				repository      = github_repository.test.name
+			}
+		`, repoName, approvalPolicy)
+
+		config2 := config + `
+			data "github_actions_repository_fork_pr_contributor_approval" "test" {
+				repository = github_actions_repository_fork_pr_contributor_approval.test.repository
+			}
+		`
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"data.github_actions_repository_fork_pr_contributor_approval.test", "approval_policy", approvalPolicy,
+			),
+			resource.TestCheckResourceAttr(
+				"data.github_actions_repository_fork_pr_contributor_approval.test", "repository", repoName,
+			),
+		)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessMode(t, individual, organization) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check:  resource.ComposeTestCheckFunc(),
+				},
+				{
+					Config: config2,
+					Check:  check,
+				},
+			},
+		})
+	})
+}

github/provider.go

@@ -132,6 +132,7 @@ func NewProvider() func() *schema.Provider {
 				"github_enterprise_actions_permissions":                                 resourceGithubActionsEnterprisePermissions(),
 				"github_actions_environment_secret":                                     resourceGithubActionsEnvironmentSecret(),
 				"github_actions_environment_variable":                                   resourceGithubActionsEnvironmentVariable(),
+				"github_actions_organization_fork_pr_contributor_approval":              resourceGithubActionsOrganizationForkPRContributorApproval(),
 				"github_actions_organization_oidc_subject_claim_customization_template": resourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplate(),
 				"github_actions_organization_permissions":                               resourceGithubActionsOrganizationPermissions(),
 				"github_actions_organization_secret":                                    resourceGithubActionsOrganizationSecret(),
@@ -141,6 +142,7 @@ func NewProvider() func() *schema.Provider {
 				"github_actions_organization_variable_repositories":                     resourceGithubActionsOrganizationVariableRepositories(),
 				"github_actions_organization_variable_repository":                       resourceGithubActionsOrganizationVariableRepository(),
 				"github_actions_repository_access_level":                                resourceGithubActionsRepositoryAccessLevel(),
+				"github_actions_repository_fork_pr_contributor_approval":                resourceGithubActionsRepositoryForkPRContributorApproval(),
 				"github_actions_repository_oidc_subject_claim_customization_template":   resourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplate(),
 				"github_actions_repository_permissions":                                 resourceGithubActionsRepositoryPermissions(),
 				"github_actions_runner_group":                                           resourceGithubActionsRunnerGroup(),
@@ -223,13 +225,15 @@ func NewProvider() func() *schema.Provider {
 				"github_actions_environment_public_key":                                 dataSourceGithubActionsEnvironmentPublicKey(),
 				"github_actions_environment_secrets":                                    dataSourceGithubActionsEnvironmentSecrets(),
 				"github_actions_environment_variables":                                  dataSourceGithubActionsEnvironmentVariables(),
+				"github_actions_organization_fork_pr_contributor_approval":              dataSourceGithubActionsOrganizationForkPRContributorApproval(),
 				"github_actions_organization_oidc_subject_claim_customization_template": dataSourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplate(),
 				"github_actions_organization_public_key":                                dataSourceGithubActionsOrganizationPublicKey(),
 				"github_actions_organization_registration_token":                        dataSourceGithubActionsOrganizationRegistrationToken(),
 				"github_actions_organization_secrets":                                   dataSourceGithubActionsOrganizationSecrets(),
 				"github_actions_organization_variables":                                 dataSourceGithubActionsOrganizationVariables(),
 				"github_actions_public_key":                                             dataSourceGithubActionsPublicKey(),
 				"github_actions_registration_token":                                     dataSourceGithubActionsRegistrationToken(),
+				"github_actions_repository_fork_pr_contributor_approval":                dataSourceGithubActionsRepositoryForkPRContributorApproval(),
 				"github_actions_repository_oidc_subject_claim_customization_template":   dataSourceGithubActionsRepositoryOIDCSubjectClaimCustomizationTemplate(),
 				"github_actions_secrets":                                                dataSourceGithubActionsSecrets(),
 				"github_actions_variables":                                              dataSourceGithubActionsVariables(),