Merge branch 'main' into develop

github-actions[bot] · github-actions[bot] · commit fa7d381062e8 · 2026-01-09T10:28:26.000+01:00
diff --git a/github/data_source_github_repository.go b/github/data_source_github_repository.go
@@ -61,8 +61,9 @@ func dataSourceGithubRepository() *schema.Resource {
 				Computed: true,
 			},
 			"has_downloads": {
-				Type:     schema.TypeBool,
-				Computed: true,
+				Type:       schema.TypeBool,
+				Computed:   true,
+				Deprecated: "This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See https://github.com/orgs/community/discussions/102145#discussioncomment-8351756",
 			},
 			"has_wiki": {
 				Type:     schema.TypeBool,
diff --git a/github/resource_github_actions_organization_secret_test.go b/github/resource_github_actions_organization_secret_test.go
@@ -6,8 +6,11 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-github/v81/github"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 
 func TestAccGithubActionsOrganizationSecret(t *testing.T) {
@@ -17,16 +20,16 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 
 		config := fmt.Sprintf(`
 			resource "github_actions_organization_secret" "plaintext_secret" {
-			  secret_name      = "test_plaintext_secret"
-			  plaintext_value  = "%s"
-			  visibility       = "private"
+				secret_name      = "test_plaintext_secret"
+				plaintext_value  = "%s"
+				visibility       = "private"
 			}
 
 			resource "github_actions_organization_secret" "encrypted_secret" {
-			  secret_name      = "test_encrypted_secret"
-			  encrypted_value  = "%s"
-			  visibility       = "private"
-			  destroy_on_drift = false
+				secret_name      = "test_encrypted_secret"
+				encrypted_value  = "%s"
+				visibility       = "private"
+				destroy_on_drift = false
 			}
 		`, secretValue, secretValue)
 
@@ -143,8 +146,79 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 			},
 		})
 	})
+}
+
+func TestAccGithubActionsOrganizationSecret_DestroyOnDrift(t *testing.T) {
+	t.Run("destroyOnDrift false", func(t *testing.T) {
+		destroyOnDrift := false
+		t.Run("should ignore drift when ignore_changes lifecycle is configured", func(t *testing.T) {
+			// Verify https://github.com/integrations/terraform-provider-github/issues/2614
+			randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+			config := fmt.Sprintf(`
+				resource "github_actions_organization_secret" "test_secret" {
+					secret_name = "test_secret_%s"
+					plaintext_value = "test_value"
+					visibility = "private"
+
+					destroy_on_drift = %t
+					lifecycle {
+						ignore_changes = [plaintext_value]
+					}
+				}
+			`, randomID, destroyOnDrift)
+
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessHasOrgs(t) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+					},
+					{
+						Config: config,
+						Check: resource.ComposeTestCheckFunc(
+							func(s *terraform.State) error {
+								rs, ok := s.RootModule().Resources["github_actions_organization_secret.test_secret"]
+								if !ok {
+									t.Errorf("not found: github_actions_organization_secret.test_secret")
+								}
+								// Now that the secret is created, update it to trigger a drift.
+								client := testAccProvider.Meta().(*Owner).v3client
+								owner := testAccProvider.Meta().(*Owner).name
+								ctx := t.Context()
+
+								keyId, publicKey, err := getOrganizationPublicKeyDetails(owner, testAccProvider.Meta().(*Owner))
+								if err != nil {
+									t.Errorf("Failed to get organization public key details: %v", err)
+								}
 
-	// Unit tests for drift detection behavior
+								encryptedSecret, err := createEncryptedSecret(rs.Primary, "foo", keyId, publicKey)
+								if err != nil {
+									t.Errorf("Failed to create encrypted secret: %v", err)
+								}
+								_, err = client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedSecret)
+								if err != nil {
+									t.Errorf("Failed to create or update organization secret: %v", err)
+								}
+								return err
+							},
+						),
+					},
+					{
+						Config:             config,
+						PlanOnly:           true,
+						ExpectNonEmptyPlan: false,
+					},
+				},
+			})
+		})
+	})
+	// t.Run("destroyOnDrift true", func(t *testing.T) {
+	// 	destroyOnDrift := true
+	// })
+}
+
+func TestGithubActionsOrganizationSecret_DestroyOnDrift(t *testing.T) {
 	t.Run("destroyOnDrift false clears sensitive values instead of recreating", func(t *testing.T) {
 		originalTimestamp := "2023-01-01T00:00:00Z"
 		newTimestamp := "2023-01-02T00:00:00Z"
@@ -248,3 +322,21 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 		}
 	})
 }
+
+func createEncryptedSecret(is *terraform.InstanceState, plaintextValue, keyId, publicKey string) (*github.EncryptedSecret, error) {
+	secretName := is.Attributes["secret_name"]
+	visibility := is.Attributes["visibility"]
+
+	encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey)
+	if err != nil {
+		return nil, err
+	}
+	encryptedValue := base64.StdEncoding.EncodeToString(encryptedBytes)
+
+	return &github.EncryptedSecret{
+		Name:           secretName,
+		KeyID:          keyId,
+		Visibility:     visibility,
+		EncryptedValue: encryptedValue,
+	}, nil
+}
diff --git a/github/resource_github_organization_ruleset_test.go b/github/resource_github_organization_ruleset_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
-func TestGithubOrganizationRulesets(t *testing.T) {
+func TestAccGithubOrganizationRuleset(t *testing.T) {
 	t.Run("create_branch_ruleset", func(t *testing.T) {
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 
diff --git a/github/resource_github_repository.go b/github/resource_github_repository.go
@@ -211,6 +211,7 @@ func resourceGithubRepository() *schema.Resource {
 				Type:        schema.TypeBool,
 				Optional:    true,
 				Description: "Set to 'true' to enable the (deprecated) downloads features on the repository.",
+				Deprecated:  "This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See https://github.com/orgs/community/discussions/102145#discussioncomment-8351756",
 			},
 			"has_wiki": {
 				Type:        schema.TypeBool,
@@ -249,7 +250,7 @@ func resourceGithubRepository() *schema.Resource {
 			"allow_forking": {
 				Type:        schema.TypeBool,
 				Optional:    true,
-				Default:     false,
+				Computed:    true,
 				Description: "Set to 'true' to allow private forking on the repository; this is only relevant if the repository is owned by an organization and is private or internal.",
 			},
 			"squash_merge_commit_title": {
@@ -580,11 +581,13 @@ func calculateSecurityAndAnalysis(d *schema.ResourceData) *github.SecurityAndAna
 }
 
 func resourceGithubRepositoryObject(d *schema.ResourceData) *github.Repository {
+	visibility := calculateVisibility(d)
+
 	repository := &github.Repository{
 		Name:                     github.Ptr(d.Get("name").(string)),
 		Description:              github.Ptr(d.Get("description").(string)),
 		Homepage:                 github.Ptr(d.Get("homepage_url").(string)),
-		Visibility:               github.Ptr(calculateVisibility(d)),
+		Visibility:               github.Ptr(visibility),
 		HasDownloads:             github.Ptr(d.Get("has_downloads").(bool)),
 		HasIssues:                github.Ptr(d.Get("has_issues").(bool)),
 		HasDiscussions:           github.Ptr(d.Get("has_discussions").(bool)),
@@ -595,7 +598,6 @@ func resourceGithubRepositoryObject(d *schema.ResourceData) *github.Repository {
 		AllowSquashMerge:         github.Ptr(d.Get("allow_squash_merge").(bool)),
 		AllowRebaseMerge:         github.Ptr(d.Get("allow_rebase_merge").(bool)),
 		AllowAutoMerge:           github.Ptr(d.Get("allow_auto_merge").(bool)),
-		AllowForking:             github.Ptr(d.Get("allow_forking").(bool)),
 		DeleteBranchOnMerge:      github.Ptr(d.Get("delete_branch_on_merge").(bool)),
 		WebCommitSignoffRequired: github.Ptr(d.Get("web_commit_signoff_required").(bool)),
 		AutoInit:                 github.Ptr(d.Get("auto_init").(bool)),
@@ -625,6 +627,12 @@ func resourceGithubRepositoryObject(d *schema.ResourceData) *github.Repository {
 		}
 	}
 
+	// only configure allow forking if repository is not public
+	allowForking, ok := d.Get("allow_forking").(bool)
+	if ok && visibility != "public" {
+		repository.AllowForking = github.Ptr(allowForking)
+	}
+
 	return repository
 }
 
@@ -637,27 +645,10 @@ func resourceGithubRepositoryCreate(ctx context.Context, d *schema.ResourceData,
 
 	repoReq := resourceGithubRepositoryObject(d)
 	owner := meta.(*Owner).name
-
 	repoName := repoReq.GetName()
 
-	// determine if repository should be private. assume public to start
-	isPrivate := false
-
-	// prefer visibility to private flag since private flag is deprecated
-	privateKeyword, ok := d.Get("private").(bool)
-	if ok {
-		isPrivate = privateKeyword
-	}
-
-	visibility, ok := d.Get("visibility").(string)
-	if ok {
-		if visibility == "private" || visibility == "internal" {
-			isPrivate = true
-		}
-	}
-
+	isPrivate := repoReq.GetVisibility() == "private"
 	repoReq.Private = github.Ptr(isPrivate)
-
 	if template, ok := d.GetOk("template"); ok {
 		templateConfigBlocks := template.([]any)
 
@@ -928,8 +919,15 @@ func resourceGithubRepositoryUpdate(ctx context.Context, d *schema.ResourceData,
 	repoReq := resourceGithubRepositoryObject(d)
 
 	// handle visibility updates separately from other fields
+	visibility := repoReq.GetVisibility()
 	repoReq.Visibility = nil
 
+	// This change needs to be made with the correct visibility
+	allowForking := repoReq.AllowForking
+	if d.HasChanges("visibility", "private") {
+		repoReq.AllowForking = nil
+	}
+
 	if !d.HasChange("security_and_analysis") {
 		repoReq.SecurityAndAnalysis = nil
 		log.Print("[DEBUG] No security_and_analysis update required. Removing this field from the payload.")
@@ -1015,32 +1013,17 @@ func resourceGithubRepositoryUpdate(ctx context.Context, d *schema.ResourceData,
 		}
 	}
 
-	if d.HasChange("visibility") {
-		o, n := d.GetChange("visibility")
-		repoReq.Visibility = github.Ptr(n.(string))
-		log.Printf("[DEBUG] Updating repository visibility from %s to %s", o, n)
-		_, resp, err := client.Repositories.Edit(ctx, owner, repoName, repoReq)
-		if err != nil {
-			if resp.StatusCode != 422 || !strings.Contains(err.Error(), fmt.Sprintf("Visibility is already %s", n.(string))) {
-				return diag.FromErr(err)
-			}
-		}
-	} else {
-		log.Printf("[DEBUG] No visibility update required. visibility: %s", d.Get("visibility"))
-	}
+	if d.HasChanges("visibility", "private") {
+		repoReq.Visibility = github.Ptr(visibility)
+		repoReq.AllowForking = allowForking
 
-	if d.HasChange("private") {
-		o, n := d.GetChange("private")
-		repoReq.Private = github.Ptr(n.(bool))
-		log.Printf("[DEBUG] Updating repository privacy from %v to %v", o, n)
-		_, _, err = client.Repositories.Edit(ctx, owner, repoName, repoReq)
+		log.Printf("[DEBUG] Updating repository visibility from %s to %s", repo.GetVisibility(), visibility)
+		_, resp, err := client.Repositories.Edit(ctx, owner, repoName, repoReq)
 		if err != nil {
-			if !strings.Contains(err.Error(), "422 Privacy is already set") {
+			if resp.StatusCode != 422 || !strings.Contains(err.Error(), fmt.Sprintf("Visibility is already %s", visibility)) {
 				return diag.FromErr(err)
 			}
 		}
-	} else {
-		log.Printf("[DEBUG] No privacy update required. private: %v", d.Get("private"))
 	}
 
 	return resourceGithubRepositoryRead(ctx, d, meta)
diff --git a/github/resource_github_repository_ruleset_test.go b/github/resource_github_repository_ruleset_test.go
@@ -12,7 +12,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 
-func TestGithubRepositoryRulesets(t *testing.T) {
+func TestAccGithubRepositoryRuleset(t *testing.T) {
 	t.Run("create_branch_ruleset", func(t *testing.T) {
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 
@@ -501,7 +501,7 @@ resource "github_repository_ruleset" "test" {
 	})
 }
 
-func TestGithubRepositoryRulesetArchived(t *testing.T) {
+func TestAccGithubRepositoryRulesetArchived(t *testing.T) {
 	randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 
 	t.Run("skips update and delete on archived repository", func(t *testing.T) {
diff --git a/github/resource_github_repository_test.go b/github/resource_github_repository_test.go
@@ -1061,6 +1061,60 @@ func TestAccGithubRepository(t *testing.T) {
 		})
 	})
 
+	t.Run("update_public_to_private_allow_forking", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name       = "tf-acc-test-%s"
+				visibility = "public"
+			}
+		`, randomID)
+
+		configPrivate := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name          = "tf-acc-test-%s"
+				visibility    = "private"
+				allow_forking = false
+			}
+		`, randomID)
+
+		configPrivateForking := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name          = "tf-acc-test-%s"
+				visibility    = "private"
+				allow_forking = true
+			}
+		`, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr("github_repository.test", "visibility", "public"),
+						resource.TestCheckResourceAttr("github_repository.test", "allow_forking", "true"),
+					),
+				},
+				{
+					Config: configPrivate,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr("github_repository.test", "visibility", "private"),
+						resource.TestCheckResourceAttr("github_repository.test", "allow_forking", "false"),
+					),
+				},
+				{
+					Config: configPrivateForking,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr("github_repository.test", "visibility", "private"),
+						resource.TestCheckResourceAttr("github_repository.test", "allow_forking", "true"),
+					),
+				},
+			},
+		})
+	})
+
 	t.Run("updates repos to public visibility", func(t *testing.T) {
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 		config := fmt.Sprintf(`
diff --git a/website/docs/d/repository.html.markdown b/website/docs/d/repository.html.markdown
@@ -67,7 +67,7 @@ The following arguments are supported:
 
 * `merge_commit_message` - The default value for a merge commit message.
 
-* `has_downloads` - Whether the repository has Downloads feature enabled.
+* `has_downloads` - (**DEPRECATED**) Whether the repository has Downloads feature enabled. This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See [this discussion](https://github.com/orgs/community/discussions/102145#discussioncomment-8351756).
 
 * `default_branch` - The name of the default branch of the repository.
 
diff --git a/website/docs/r/repository.html.markdown b/website/docs/r/repository.html.markdown
@@ -114,7 +114,7 @@ The following arguments are supported:
 
 * `web_commit_signoff_required` - (Optional) Require contributors to sign off on web-based commits. See more [here](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-the-commit-signoff-policy-for-your-repository). Defaults to `false`.
 
-* `has_downloads` - (Optional) Set to `true` to enable the (deprecated) downloads features on the repository.
+* `has_downloads` - (**DEPRECATED**) (Optional) Set to `true` to enable the (deprecated) downloads features on the repository. This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See [this discussion](https://github.com/orgs/community/discussions/102145#discussioncomment-8351756).
 
 * `auto_init` - (Optional) Set to `true` to produce an initial commit in the repository.
 

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ import (`
`9`	`9`	`"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"`
`10`	`10`	`)`
`11`	`11`
`12`		`-func TestGithubOrganizationRulesets(t *testing.T) {`
	`12`	`+func TestAccGithubOrganizationRuleset(t *testing.T) {`
`13`	`13`	`t.Run("create_branch_ruleset", func(t *testing.T) {`
`14`	`14`	`randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)`
`15`	`15`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ import (`
`12`	`12`	`"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"`
`13`	`13`	`)`
`14`	`14`
`15`		`-func TestGithubRepositoryRulesets(t *testing.T) {`
	`15`	`+func TestAccGithubRepositoryRuleset(t *testing.T) {`
`16`	`16`	`t.Run("create_branch_ruleset", func(t *testing.T) {`
`17`	`17`	`randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)`
`18`	`18`
`@@ -501,7 +501,7 @@ resource "github_repository_ruleset" "test" {`
`501`	`501`	`})`
`502`	`502`	`}`
`503`	`503`
`504`		`-func TestGithubRepositoryRulesetArchived(t *testing.T) {`
	`504`	`+func TestAccGithubRepositoryRulesetArchived(t *testing.T) {`
`505`	`505`	`randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)`
`506`	`506`
`507`	`507`	`t.Run("skips update and delete on archived repository", func(t *testing.T) {`