Merge branch 'main' into dependabot/github_actions/github-actions-6e5e59408c

nickfloyd · web-flow · commit 3d59d0e92d47 · 2025-12-03T09:32:23.000-06:00
diff --git a/github/resource_github_organization_ruleset.go b/github/resource_github_organization_ruleset.go
@@ -637,6 +637,7 @@ func resourceGithubOrganizationRulesetRead(d *schema.ResourceData, meta any) err
 				return nil
 			}
 		}
+		return err
 	}
 
 	_ = d.Set("etag", resp.Header.Get("ETag"))
diff --git a/github/resource_github_repository_ruleset.go b/github/resource_github_repository_ruleset.go
@@ -604,8 +604,16 @@ func resourceGithubRepositoryRulesetCreate(d *schema.ResourceData, meta any) err
 	repoName := d.Get("repository").(string)
 	ctx := context.Background()
 
+	// Check if repository is archived - cannot create rulesets on archived repos (attempts PUT on read-only resource)
+	repo, _, err := client.Repositories.Get(ctx, owner, repoName)
+	if err != nil {
+		return err
+	}
+	if repo.GetArchived() {
+		return fmt.Errorf("cannot create ruleset on archived repository %s/%s", owner, repoName)
+	}
+
 	var ruleset *github.Ruleset
-	var err error
 
 	ruleset, _, err = client.Repositories.CreateRuleset(ctx, owner, repoName, rulesetReq)
 	if err != nil {
@@ -649,6 +657,7 @@ func resourceGithubRepositoryRulesetRead(d *schema.ResourceData, meta any) error
 				return nil
 			}
 		}
+		return err
 	}
 
 	if ruleset == nil {
@@ -686,6 +695,16 @@ func resourceGithubRepositoryRulesetUpdate(d *schema.ResourceData, meta any) err
 
 	ctx := context.WithValue(context.Background(), ctxId, rulesetID)
 
+	// Check if repository is archived - skip update if it is
+	repo, _, err := client.Repositories.Get(ctx, owner, repoName)
+	if err != nil {
+		return err
+	}
+	if repo.GetArchived() {
+		log.Printf("[INFO] Repository %s/%s is archived, skipping ruleset update", owner, repoName)
+		return nil
+	}
+
 	var ruleset *github.Ruleset
 	// Use UpdateRulesetNoBypassActor here instead of UpdateRuleset *if* bypass_actors has changed.
 	// UpdateRuleset uses `omitempty` on BypassActors, causing empty arrays to be omitted from the JSON.
@@ -717,7 +736,7 @@ func resourceGithubRepositoryRulesetDelete(d *schema.ResourceData, meta any) err
 
 	log.Printf("[DEBUG] Deleting repository ruleset: %s/%s: %d", owner, repoName, rulesetID)
 	_, err = client.Repositories.DeleteRuleset(ctx, owner, repoName, rulesetID)
-	return err
+	return handleArchivedRepoDelete(err, "repository ruleset", fmt.Sprintf("%d", rulesetID), owner, repoName)
 }
 
 func resourceGithubRepositoryRulesetImport(d *schema.ResourceData, meta any) ([]*schema.ResourceData, error) {
diff --git a/github/resource_github_repository_ruleset_test.go b/github/resource_github_repository_ruleset_test.go
@@ -3,6 +3,7 @@ package github
 import (
 	"fmt"
 	"log"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -1085,6 +1086,62 @@ func TestGithubRepositoryRulesets(t *testing.T) {
 	})
 }
 
+func TestGithubRepositoryRulesetArchived(t *testing.T) {
+	randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+
+	t.Run("skips update and delete on archived repository", func(t *testing.T) {
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name      = "tf-acc-test-archive-%s"
+				auto_init = true
+				archived  = false
+			}
+			resource "github_repository_ruleset" "test" {
+				name        = "test"
+				repository  = github_repository.test.name
+				target      = "branch"
+				enforcement = "active"
+				rules { creation = true }
+			}
+		`, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:  func() { skipUnlessMode(t, individual) },
+			Providers: testAccProviders,
+			Steps: []resource.TestStep{
+				{Config: config},
+				{Config: strings.Replace(config, "archived  = false", "archived  = true", 1)},
+				{Config: strings.Replace(strings.Replace(config, "archived  = false", "archived  = true", 1), `enforcement = "active"`, `enforcement = "disabled"`, 1)},
+			},
+		})
+	})
+
+	t.Run("prevents creating ruleset on archived repository", func(t *testing.T) {
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name      = "tf-acc-test-archive-create-%s"
+				auto_init = true
+				archived  = true
+			}
+			resource "github_repository_ruleset" "test" {
+				name       = "test"
+				repository = github_repository.test.name
+				target     = "branch"
+				enforcement = "active"
+				rules { creation = true }
+			}
+		`, randomID)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:  func() { skipUnlessMode(t, individual) },
+			Providers: testAccProviders,
+			Steps: []resource.TestStep{
+				{Config: config, ExpectError: regexp.MustCompile("cannot create ruleset on archived repository")},
+			},
+		})
+	})
+}
+
 func importRepositoryRulesetByResourcePaths(repoLogicalName, rulesetLogicalName string) resource.ImportStateIdFunc {
 	// test importing using an ID of the form <repo-node-id>:<ruleset-id>
 	return func(s *terraform.State) (string, error) {

Original file line number	Diff line number	Diff line change
`@@ -637,6 +637,7 @@ func resourceGithubOrganizationRulesetRead(d *schema.ResourceData, meta any) err`
`637`	`637`	`return nil`
`638`	`638`	`}`
`639`	`639`	`}`
	`640`	`+ return err`
`640`	`641`	`}`
`641`	`642`
`642`	`643`	`_ = d.Set("etag", resp.Header.Get("ETag"))`