Merge branch 'main' into feat/github-app-for-users

Author: nickfloyd

.github/workflows/labeler.yml

@@ -15,4 +15,4 @@ jobs:
       - name: Run Labeler
         uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
-          sync-labels: true # Whether or not to remove labels when matching files are reverted or no longer changed by the PR
+          sync-labels: false # Whether or not to remove labels when matching files are reverted or no longer changed by the PR

github/data_source_github_actions_environment_public_key.go

@@ -0,0 +1,64 @@
+package github
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceGithubActionsEnvironmentPublicKey() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceGithubActionsEnvironmentPublicKeyRead,
+
+		Schema: map[string]*schema.Schema{
+			"repository": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"environment": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"key_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"key": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func dataSourceGithubActionsEnvironmentPublicKeyRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Owner).v3client
+	owner := meta.(*Owner).name
+	repository := d.Get("repository").(string)
+
+	envName := d.Get("environment").(string)
+	escapedEnvName := url.PathEscape(envName)
+
+	repo, _, err := client.Repositories.Get(context.TODO(), owner, repository)
+	if err != nil {
+		return err
+	}
+
+	publicKey, _, err := client.Actions.GetEnvPublicKey(context.TODO(), int(repo.GetID()), escapedEnvName)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(publicKey.GetKeyID())
+	err = d.Set("key_id", publicKey.GetKeyID())
+	if err != nil {
+		return err
+	}
+	err = d.Set("key", publicKey.GetKey())
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

github/data_source_github_actions_environment_public_key_test.go

@@ -0,0 +1,65 @@
+package github
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccGithubActionsEnvironmentPublicKeyDataSource(t *testing.T) {
+
+	randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+
+	t.Run("queries a repository environment public key without error", func(t *testing.T) {
+
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name = "tf-acc-test-%[1]s"
+				auto_init = true
+			}
+
+			resource "github_repository_environment" "test" {
+				repository = github_repository.test.name
+				environment = "tf-acc-test-%[1]s"
+			}
+
+			data "github_actions_environment_public_key" "test" {
+				repository = github_repository.test.name
+				environment = github_repository_environment.test.environment
+			}`, randomID)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttrSet(
+				"data.github_actions_environment_public_key.test", "key",
+			),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+				},
+			})
+		}
+
+		t.Run("with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+
+		t.Run("with an individual account", func(t *testing.T) {
+			testCase(t, individual)
+		})
+
+		t.Run("with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+
+	})
+}

github/provider.go

@@ -202,9 +202,11 @@ func Provider() *schema.Provider {
 			"github_user_ssh_key":                                                   resourceGithubUserSshKey(),
 			"github_enterprise_organization":                                        resourceGithubEnterpriseOrganization(),
 			"github_enterprise_actions_runner_group":                                resourceGithubActionsEnterpriseRunnerGroup(),
+			"github_workflow_repository_permissions":                                resourceGithubWorkflowRepositoryPermissions(),
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{
+			"github_actions_environment_public_key":                                 dataSourceGithubActionsEnvironmentPublicKey(),
 			"github_actions_environment_secrets":                                    dataSourceGithubActionsEnvironmentSecrets(),
 			"github_actions_environment_variables":                                  dataSourceGithubActionsEnvironmentVariables(),
 			"github_actions_organization_oidc_subject_claim_customization_template": dataSourceGithubActionsOrganizationOIDCSubjectClaimCustomizationTemplate(),

github/resource_github_actions_environment_secret.go

@@ -172,16 +172,15 @@ func resourceGithubActionsEnvironmentSecretRead(d *schema.ResourceData, meta int
 	//
 	// If the resource is changed externally in the meantime then reading back
 	// the last update timestamp will return a result different than the
-	// timestamp we've persisted in the state. In that case, we can no longer
-	// trust that the value (which we don't see) is equal to what we've declared
-	// previously.
+	// timestamp we've persisted in the state. In this case, we can no longer
+	// trust that the value matches what is in the state file.
 	//
-	// The only solution to enforce consistency between is to mark the resource
-	// as deleted (unset the ID) in order to fix potential drift by recreating
-	// the resource.
+	// To solve this, we must unset the values and allow Terraform to decide whether or
+	// not this resource should be modified or left as-is (ignore_changes).
 	if updatedAt, ok := d.GetOk("updated_at"); ok && updatedAt != secret.UpdatedAt.String() {
 		log.Printf("[INFO] The environment secret %s has been externally updated in GitHub", d.Id())
-		d.SetId("")
+		d.Set("encrypted_value", "")
+		d.Set("plaintext_value", "")
 	} else if !ok {
 		if err = d.Set("updated_at", secret.UpdatedAt.String()); err != nil {
 			return err

github/resource_github_actions_environment_secret_test.go

@@ -166,5 +166,136 @@ func TestAccGithubActionsEnvironmentSecret(t *testing.T) {
 		})
 
 	})
+}
+
+func TestAccGithubActionsEnvironmentSecretIgnoreChanges(t *testing.T) {
+	randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+
+	t.Run("creates environment secrets using lifecycle ignore_changes", func(t *testing.T) {
+		secretValue := base64.StdEncoding.EncodeToString([]byte("super_secret_value"))
+		modifiedSecretValue := base64.StdEncoding.EncodeToString([]byte("a_modified_super_secret_value"))
+
+		configFmtStr := `
+			resource "github_repository" "test" {
+				name = "tf-acc-test-%s"
+
+				# TODO: provider appears to have issues destroying repositories while running the tests.
+				#
+				# Even with Organization Admin an error is seen:
+				# Error: DELETE https://api.<cut>/tf-acc-test-<id>: "403 Must have admin rights to Repository. []"
+				#
+				# Workaround to using 'archive_on_destroy' instead.
+				archive_on_destroy = true
+				
+				visibility = "private"
+			}
+	
+			resource "github_repository_environment" "test" {
+				repository       = github_repository.test.name
+				environment      = "environment / test"
+			}
+	
+			resource "github_actions_environment_secret" "plaintext_secret" {
+				repository       = github_repository.test.name
+				environment      = github_repository_environment.test.environment
+				secret_name      = "test_plaintext_secret_name"
+				plaintext_value  = "%s"
+	
+				lifecycle {
+					ignore_changes = [plaintext_value]
+				}
+			}
+	
+			resource "github_actions_environment_secret" "encrypted_secret" {
+				repository       = github_repository.test.name
+				environment      = github_repository_environment.test.environment
+				secret_name      = "test_encrypted_secret_name"
+				encrypted_value  = "%s"
+	
+				lifecycle {
+					ignore_changes = [encrypted_value]
+				}
+			}
+		`
+
+		checks := map[string]resource.TestCheckFunc{
+			"before": resource.ComposeTestCheckFunc(
+				resource.TestCheckResourceAttr(
+					"github_actions_environment_secret.plaintext_secret", "plaintext_value",
+					secretValue,
+				),
+				resource.TestCheckResourceAttr(
+					"github_actions_environment_secret.encrypted_secret", "encrypted_value",
+					secretValue,
+				),
+				resource.TestCheckResourceAttrSet(
+					"github_actions_environment_secret.plaintext_secret", "created_at",
+				),
+				resource.TestCheckResourceAttrSet(
+					"github_actions_environment_secret.plaintext_secret", "updated_at",
+				),
+			),
+			"after": resource.ComposeTestCheckFunc(
+				resource.TestCheckResourceAttr(
+					"github_actions_environment_secret.plaintext_secret", "plaintext_value",
+					secretValue,
+				),
+				resource.TestCheckResourceAttr(
+					"github_actions_environment_secret.encrypted_secret", "encrypted_value",
+					secretValue,
+				),
+				resource.TestCheckResourceAttrSet(
+					"github_actions_environment_secret.plaintext_secret", "created_at",
+				),
+				resource.TestCheckResourceAttrSet(
+					"github_actions_environment_secret.plaintext_secret", "updated_at",
+				),
+			),
+		}
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: fmt.Sprintf(configFmtStr, randomID, secretValue, secretValue),
+						Check:  checks["before"],
+					},
+					{
+						Config: fmt.Sprintf(configFmtStr, randomID, secretValue, secretValue),
+						Check:  checks["after"],
+					},
+					{
+						// In this case the values change in the config, but the lifecycle ignore_changes should
+						// not cause the actual values to be updated. This would also be the case when a secret
+						// is externally modified (when what is in state does not match what is given).
+						Config: fmt.Sprintf(configFmtStr, randomID, modifiedSecretValue, modifiedSecretValue),
+						Check: resource.ComposeTestCheckFunc(
+							resource.TestCheckResourceAttr(
+								"github_actions_environment_secret.plaintext_secret", "plaintext_value",
+								secretValue, // Should still have the original value in state.
+							),
+							resource.TestCheckResourceAttr(
+								"github_actions_environment_secret.encrypted_secret", "encrypted_value",
+								secretValue, // Should still have the original value in state.
+							),
+						),
+					},
+				},
+			})
+		}
+
+		t.Run("with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+
+		t.Run("with an individual account", func(t *testing.T) {
+			testCase(t, individual)
+		})
 
+		t.Run("with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+	})
 }

github/resource_github_release.go

@@ -181,19 +181,25 @@ func resourceGithubReleaseCreateUpdate(d *schema.ResourceData, meta interface{})
 		if resp != nil {
 			log.Printf("[DEBUG] Response from creating release: %#v", *resp)
 		}
+		if err != nil {
+			return err
+		}
 	} else {
-		number := d.Get("number").(int64)
+		id, err := strconv.ParseInt(d.Id(), 10, 64)
+		if err != nil {
+			return err
+		}
 		log.Printf("[DEBUG] Updating release: %d:%s (%s/%s)",
-			number, targetCommitish, owner, repoName)
-		release, resp, err = client.Repositories.EditRelease(ctx, owner, repoName, number, req)
+			id, targetCommitish, owner, repoName)
+		release, resp, err = client.Repositories.EditRelease(ctx, owner, repoName, id, req)
 		if resp != nil {
 			log.Printf("[DEBUG] Response from updating release: %#v", *resp)
 		}
+		if err != nil {
+			return err
+		}
 	}
 
-	if err != nil {
-		return err
-	}
 	transformResponseToResourceData(d, release, repoName)
 	return nil
 }

github/resource_github_repository.go

@@ -779,6 +779,20 @@ func resourceGithubRepositoryUpdate(d *schema.ResourceData, meta interface{}) er
 	owner := meta.(*Owner).name
 	ctx := context.WithValue(context.Background(), ctxId, d.Id())
 
+	// When the organization has "Require sign off on web-based commits" enabled,
+	// the API doesn't allow you to send `web_commit_signoff_required` in order to
+	// update the repository with this field or it will throw a 422 error.
+	// As a workaround, we check if the organization requires it, and if so,
+	// we remove the field from the request.
+	if d.HasChange("web_commit_signoff_required") && meta.(*Owner).IsOrganization {
+		organization, _, err := client.Organizations.Get(ctx, owner)
+		if err == nil {
+			if organization != nil && organization.GetWebCommitSignoffRequired() {
+				repoReq.WebCommitSignoffRequired = nil
+			}
+		}
+	}
+
 	repo, _, err := client.Repositories.Edit(ctx, owner, repoName, repoReq)
 	if err != nil {
 		return err
@@ -880,6 +894,8 @@ func resourceGithubRepositoryDelete(d *schema.ResourceData, meta interface{}) er
 				return err
 			}
 			repoReq := resourceGithubRepositoryObject(d)
+			// Always remove `web_commit_signoff_required` when archiving, to avoid 422 error
+			repoReq.WebCommitSignoffRequired = nil
 			log.Printf("[DEBUG] Archiving repository on delete: %s/%s", owner, repoName)
 			_, _, err := client.Repositories.Edit(ctx, owner, repoName, repoReq)
 			return err