fix: upgrade go-github v84, address remaining PR integrations#3143 review feedback

- Upgrade go-github imports from v83 to v84 across all feature files
- Remove secret_scanning_delegated_bypass from enterprise resource (org-only API)
- Fix reviewer_type enum casing to TEAM/ROLE to match GitHub API
- Wire expandSecretScanningDelegatedBypass into org Create/Update
- Remove hardcoded "disabled" defaults for code_security/secret_protection
- Use GetOk for description field in expand (consistency with other Optional fields)
- Add unit tests for all flatten utility functions (deiga requested)
- Add missing ImportState steps to acceptance tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sprioriello

github/resource_github_enterprise_security_configuration.go

@@ -7,7 +7,7 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/google/go-github/v83/github"
+	"github.com/google/go-github/v84/github"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -192,45 +192,6 @@ func resourceGithubEnterpriseSecurityConfiguration() *schema.Resource {
 					"enabled", "disabled", "not_set",
 				}, false)),
 			},
-			"secret_scanning_delegated_bypass": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
-				Description: "The secret scanning delegated bypass configuration for the code security configuration. Can be one of 'enabled', 'disabled', 'not_set'.",
-				ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{
-					"enabled", "disabled", "not_set",
-				}, false)),
-			},
-			"secret_scanning_delegated_bypass_options": {
-				Type:        schema.TypeList,
-				Optional:    true,
-				MaxItems:    1,
-				Description: "The secret scanning delegated bypass options for the code security configuration.",
-				Elem: &schema.Resource{
-					Schema: map[string]*schema.Schema{
-						"reviewers": {
-							Type:        schema.TypeList,
-							Optional:    true,
-							Description: "The bypass reviewers for the secret scanning delegated bypass.",
-							Elem: &schema.Resource{
-								Schema: map[string]*schema.Schema{
-									"reviewer_id": {
-										Type:        schema.TypeInt,
-										Required:    true,
-										Description: "The ID of the bypass reviewer.",
-									},
-									"reviewer_type": {
-										Type:             schema.TypeString,
-										Required:         true,
-										Description:      "The type of the bypass reviewer. Can be one of 'Team', 'Role'.",
-										ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"Team", "Role"}, false)),
-									},
-								},
-							},
-						},
-					},
-				},
-			},
 			"secret_scanning_validity_checks": {
 				Type:        schema.TypeString,
 				Optional:    true,

github/resource_github_enterprise_security_configuration_test.go

@@ -174,45 +174,13 @@ func TestAccGithubEnterpriseSecurityConfiguration(t *testing.T) {
 							tfjsonpath.New("target_type"), knownvalue.NotNull()),
 					},
 				},
-			},
-		})
-	})
-
-	t.Run("creates enterprise security configuration with delegated bypass options", func(t *testing.T) {
-		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
-		configName := fmt.Sprintf("test-config-bypass-%s", randomID)
-
-		config := fmt.Sprintf(`
-		resource "github_enterprise_security_configuration" "test" {
-			enterprise_slug = "%s"
-			name = "%s"
-			description = "Test configuration with delegated bypass"
-			advanced_security = "enabled"
-			secret_scanning = "enabled"
-			secret_scanning_push_protection = "enabled"
-			secret_scanning_delegated_bypass = "enabled"
-			secret_scanning_delegated_bypass_options {
-				reviewers {
-					reviewer_id   = 1
-					reviewer_type = "Team"
-				}
-			}
-		}`, testAccConf.enterpriseSlug, configName)
-
-		resource.Test(t, resource.TestCase{
-			PreCheck:          func() { skipUnlessEnterprise(t) },
-			ProviderFactories: providerFactories,
-			Steps: []resource.TestStep{
 				{
-					Config: config,
-					ConfigStateChecks: []statecheck.StateCheck{
-						statecheck.ExpectKnownValue("github_enterprise_security_configuration.test",
-							tfjsonpath.New("secret_scanning_delegated_bypass"), knownvalue.StringExact("enabled")),
-						statecheck.ExpectKnownValue("github_enterprise_security_configuration.test",
-							tfjsonpath.New("secret_scanning_delegated_bypass_options").AtSliceIndex(0).AtMapKey("reviewers").AtSliceIndex(0).AtMapKey("reviewer_type"), knownvalue.StringExact("Team")),
-					},
+					ResourceName:      "github_enterprise_security_configuration.test",
+					ImportState:       true,
+					ImportStateVerify: true,
 				},
 			},
 		})
 	})
+
 }

github/resource_github_organization_security_configuration.go

@@ -6,7 +6,7 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/google/go-github/v83/github"
+	"github.com/google/go-github/v84/github"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -215,8 +215,8 @@ func resourceGithubOrganizationSecurityConfiguration() *schema.Resource {
 									"reviewer_type": {
 										Type:             schema.TypeString,
 										Required:         true,
-										Description:      "The type of the bypass reviewer. Can be one of 'Team', 'Role'.",
-										ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"Team", "Role"}, false)),
+										Description:      "The type of the bypass reviewer. Can be one of 'TEAM', 'ROLE'.",
+										ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"TEAM", "ROLE"}, false)),
 									},
 								},
 							},
@@ -311,6 +311,7 @@ func resourceGithubOrganizationSecurityConfigurationCreate(ctx context.Context,
 	})
 
 	config := expandCodeSecurityConfigurationCommon(d)
+	expandSecretScanningDelegatedBypass(d, &config)
 
 	configuration, _, err := client.Organizations.CreateCodeSecurityConfiguration(ctx, org, config)
 	if err != nil {
@@ -383,6 +384,12 @@ func resourceGithubOrganizationSecurityConfigurationRead(ctx context.Context, d
 	if diags := setCodeSecurityConfigurationState(d, configuration); diags != nil {
 		return diags
 	}
+	if err = d.Set("secret_scanning_delegated_bypass", configuration.GetSecretScanningDelegatedBypass()); err != nil {
+		return diag.FromErr(err)
+	}
+	if err = d.Set("secret_scanning_delegated_bypass_options", flattenSecretScanningDelegatedBypassOptions(configuration.SecretScanningDelegatedBypassOptions)); err != nil {
+		return diag.FromErr(err)
+	}
 
 	tflog.Trace(ctx, "Successfully read organization code security configuration", map[string]any{
 		"organization": org,
@@ -407,6 +414,7 @@ func resourceGithubOrganizationSecurityConfigurationUpdate(ctx context.Context,
 	})
 
 	config := expandCodeSecurityConfigurationCommon(d)
+	expandSecretScanningDelegatedBypass(d, &config)
 
 	_, _, err = client.Organizations.UpdateCodeSecurityConfiguration(ctx, org, id, config)
 	if err != nil {

github/resource_github_organization_security_configuration_test.go

@@ -195,7 +195,7 @@ func TestAccGithubOrganizationSecurityConfiguration(t *testing.T) {
 			secret_scanning_delegated_bypass_options {
 				reviewers {
 					reviewer_id   = 1
-					reviewer_type = "Team"
+					reviewer_type = "TEAM"
 				}
 			}
 		}`, configName)
@@ -210,9 +210,14 @@ func TestAccGithubOrganizationSecurityConfiguration(t *testing.T) {
 						statecheck.ExpectKnownValue("github_organization_security_configuration.test",
 							tfjsonpath.New("secret_scanning_delegated_bypass"), knownvalue.StringExact("enabled")),
 						statecheck.ExpectKnownValue("github_organization_security_configuration.test",
-							tfjsonpath.New("secret_scanning_delegated_bypass_options").AtSliceIndex(0).AtMapKey("reviewers").AtSliceIndex(0).AtMapKey("reviewer_type"), knownvalue.StringExact("Team")),
+							tfjsonpath.New("secret_scanning_delegated_bypass_options").AtSliceIndex(0).AtMapKey("reviewers").AtSliceIndex(0).AtMapKey("reviewer_type"), knownvalue.StringExact("TEAM")),
 					},
 				},
+				{
+					ResourceName:      "github_organization_security_configuration.test",
+					ImportState:       true,
+					ImportStateVerify: true,
+				},
 			},
 		})
 	})

github/util_security_configuration.go

@@ -1,7 +1,7 @@
 package github
 
 import (
-	"github.com/google/go-github/v83/github"
+	"github.com/google/go-github/v84/github"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -106,11 +106,7 @@ func setCodeSecurityConfigurationState(d *schema.ResourceData, configuration *gi
 	if err := d.Set("code_scanning_options", flattenCodeScanningOptions(configuration.CodeScanningOptions)); err != nil {
 		return diag.FromErr(err)
 	}
-	codeSec := configuration.GetCodeSecurity()
-	if codeSec == "" {
-		codeSec = "disabled"
-	}
-	if err := d.Set("code_security", codeSec); err != nil {
+	if err := d.Set("code_security", configuration.GetCodeSecurity()); err != nil {
 		return diag.FromErr(err)
 	}
 	if err := d.Set("secret_scanning", configuration.GetSecretScanning()); err != nil {
@@ -119,12 +115,6 @@ func setCodeSecurityConfigurationState(d *schema.ResourceData, configuration *gi
 	if err := d.Set("secret_scanning_push_protection", configuration.GetSecretScanningPushProtection()); err != nil {
 		return diag.FromErr(err)
 	}
-	if err := d.Set("secret_scanning_delegated_bypass", configuration.GetSecretScanningDelegatedBypass()); err != nil {
-		return diag.FromErr(err)
-	}
-	if err := d.Set("secret_scanning_delegated_bypass_options", flattenSecretScanningDelegatedBypassOptions(configuration.SecretScanningDelegatedBypassOptions)); err != nil {
-		return diag.FromErr(err)
-	}
 	if err := d.Set("secret_scanning_validity_checks", configuration.GetSecretScanningValidityChecks()); err != nil {
 		return diag.FromErr(err)
 	}
@@ -137,11 +127,7 @@ func setCodeSecurityConfigurationState(d *schema.ResourceData, configuration *gi
 	if err := d.Set("secret_scanning_delegated_alert_dismissal", configuration.GetSecretScanningDelegatedAlertDismissal()); err != nil {
 		return diag.FromErr(err)
 	}
-	secretProt := configuration.GetSecretProtection()
-	if secretProt == "" {
-		secretProt = "disabled"
-	}
-	if err := d.Set("secret_protection", secretProt); err != nil {
+	if err := d.Set("secret_protection", configuration.GetSecretProtection()); err != nil {
 		return diag.FromErr(err)
 	}
 	if err := d.Set("private_vulnerability_reporting", configuration.GetPrivateVulnerabilityReporting()); err != nil {
@@ -160,8 +146,10 @@ func setCodeSecurityConfigurationState(d *schema.ResourceData, configuration *gi
 // Used by both the organization and enterprise security configuration resources.
 func expandCodeSecurityConfigurationCommon(d *schema.ResourceData) github.CodeSecurityConfiguration {
 	config := github.CodeSecurityConfiguration{
-		Name:        d.Get("name").(string),
-		Description: d.Get("description").(string),
+		Name: d.Get("name").(string),
+	}
+	if val, ok := d.GetOk("description"); ok {
+		config.Description = val.(string)
 	}
 
 	if val, ok := d.GetOk("advanced_security"); ok {
@@ -194,9 +182,6 @@ func expandCodeSecurityConfigurationCommon(d *schema.ResourceData) github.CodeSe
 	if val, ok := d.GetOk("secret_scanning_push_protection"); ok {
 		config.SecretScanningPushProtection = github.Ptr(val.(string))
 	}
-	if val, ok := d.GetOk("secret_scanning_delegated_bypass"); ok {
-		config.SecretScanningDelegatedBypass = github.Ptr(val.(string))
-	}
 	if val, ok := d.GetOk("secret_scanning_validity_checks"); ok {
 		config.SecretScanningValidityChecks = github.Ptr(val.(string))
 	}
@@ -252,6 +237,15 @@ func expandCodeSecurityConfigurationCommon(d *schema.ResourceData) github.CodeSe
 		}
 	}
 
+	return config
+}
+
+// expandSecretScanningDelegatedBypass adds secret_scanning_delegated_bypass fields to a CodeSecurityConfiguration.
+// These fields are only supported by the organization API, not the enterprise API.
+func expandSecretScanningDelegatedBypass(d *schema.ResourceData, config *github.CodeSecurityConfiguration) {
+	if val, ok := d.GetOk("secret_scanning_delegated_bypass"); ok {
+		config.SecretScanningDelegatedBypass = github.Ptr(val.(string))
+	}
 	if val, ok := d.GetOk("secret_scanning_delegated_bypass_options"); ok {
 		optionsList := val.([]any)
 		if len(optionsList) > 0 {
@@ -272,6 +266,4 @@ func expandCodeSecurityConfigurationCommon(d *schema.ResourceData) github.CodeSe
 			config.SecretScanningDelegatedBypassOptions = options
 		}
 	}
-
-	return config
 }