Add pull_request_creation_policy to github_repository

Author: RoFz

github/resource_github_repository.go

@@ -284,6 +284,13 @@ func resourceGithubRepository() *schema.Resource {
 				Default:     false,
 				Description: "Automatically delete head branch after a pull request is merged. Defaults to 'false'.",
 			},
+			"pull_request_creation_policy": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Computed:         true,
+				ValidateDiagFunc: validation.ToDiagFunc(validation.StringInSlice([]string{"all", "collaborators_only"}, false)),
+				Description:      "Controls who can create pull requests in the repository. Can be `all` or `collaborators_only`.",
+			},
 			"web_commit_signoff_required": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -870,6 +877,19 @@ func resourceGithubRepositoryRead(ctx context.Context, d *schema.ResourceData, m
 		}
 	}
 
+	pullRequestCreationPolicy, err := getRepositoryPullRequestCreationPolicy(ctx, owner, repoName, meta)
+	if err != nil {
+		if isUnsupportedPullRequestCreationPolicyError(err) {
+			log.Printf("[DEBUG] Skipping pull_request_creation_policy read for %s/%s: %s", owner, repoName, err)
+		} else {
+			return diag.Errorf("error reading repository pull request creation policy: %s", err.Error())
+		}
+	} else {
+		if err = d.Set("pull_request_creation_policy", pullRequestCreationPolicy); err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
 	// Set fork information if this is a fork
 	if repo.GetFork() {
 		_ = d.Set("fork", "true")
@@ -995,6 +1015,19 @@ func resourceGithubRepositoryUpdate(ctx context.Context, d *schema.ResourceData,
 		}
 	}
 
+	if d.IsNewResource() || d.HasChange("pull_request_creation_policy") {
+		if v, ok := d.GetOk("pull_request_creation_policy"); ok {
+			repositoryID, err := getRepositoryID(repo.GetName(), meta)
+			if err != nil {
+				return diag.Errorf("error resolving repository id for pull request creation policy update: %s", err.Error())
+			}
+
+			if err := updateRepositoryPullRequestCreationPolicy(ctx, repositoryID, v.(string), meta); err != nil {
+				return diag.Errorf("error updating repository pull request creation policy: %s", err.Error())
+			}
+		}
+	}
+
 	if d.IsNewResource() || d.HasChange("vulnerability_alerts") {
 		if v, ok := d.GetOkExists("vulnerability_alerts"); ok { //nolint:staticcheck // SA1019 // We sometimes need to use GetOkExists for booleans
 			if val, ok := v.(bool); ok {

github/resource_github_repository_test.go

@@ -1334,6 +1334,43 @@ resource "github_repository" "test" {
 		})
 	})
 
+	t.Run("check_pull_request_creation_policy", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		testRepoName := fmt.Sprintf("%spr-policy-%s", testResourcePrefix, randomID)
+		config := `
+			resource "github_repository" "test" {
+				name                         = "%s"
+				visibility                   = "%s"
+				pull_request_creation_policy = "%s"
+			}
+		`
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: fmt.Sprintf(config, testRepoName, testAccConf.testRepositoryVisibility, "collaborators_only"),
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr("github_repository.test", "pull_request_creation_policy", "collaborators_only"),
+					),
+				},
+				{
+					Config: fmt.Sprintf(config, testRepoName, testAccConf.testRepositoryVisibility, "all"),
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr("github_repository.test", "pull_request_creation_policy", "all"),
+					),
+				},
+				{
+					ResourceName:            "github_repository.test",
+					ImportState:             true,
+					ImportStateVerify:       true,
+					ImportStateVerifyIgnore: []string{"auto_init", "vulnerability_alerts", "ignore_vulnerability_alerts_during_read"},
+				},
+			},
+		})
+	})
+
 	t.Run("check_web_commit_signoff_required_organization_enabled_but_not_set", func(t *testing.T) {
 		t.Skip("This test should be run manually after confirming that the test organization has 'Require contributors to sign off on web-based commits' enabled under Organizations -> Settings -> Repository -> Repository defaults.")
 

github/util_v4_repository.go

@@ -4,10 +4,31 @@ import (
 	"context"
 	"encoding/base64"
 	"errors"
+	"fmt"
+	"strings"
 
 	"github.com/shurcooL/githubv4"
 )
 
+// PullRequestCreationPolicy mirrors the GitHub GraphQL enum type of the same
+// name so we can query and mutate the field even when the vendored client
+// model lags behind the live schema.
+type PullRequestCreationPolicy string
+
+const (
+	PullRequestCreationPolicyAll               PullRequestCreationPolicy = "ALL"
+	PullRequestCreationPolicyCollaboratorsOnly PullRequestCreationPolicy = "COLLABORATORS_ONLY"
+)
+
+// UpdateRepositoryInput intentionally mirrors the GitHub GraphQL input type
+// name so the graphql client emits the correct variable type in mutations.
+// We only model the fields needed for pullRequestCreationPolicy updates.
+type UpdateRepositoryInput struct {
+	RepositoryID              githubv4.ID                `json:"repositoryId"`
+	PullRequestCreationPolicy *PullRequestCreationPolicy `json:"pullRequestCreationPolicy,omitempty"`
+	ClientMutationID          *githubv4.String           `json:"clientMutationId,omitempty"`
+}
+
 func getRepositoryID(name string, meta any) (githubv4.ID, error) {
 	// Interpret `name` as a node ID
 	exists, nodeIDerr := repositoryNodeIDExists(name, meta)
@@ -65,6 +86,88 @@ func repositoryNodeIDExists(name string, meta any) (bool, error) {
 	return query.Node.ID.(string) == name, nil
 }
 
+func flattenPullRequestCreationPolicy(policy PullRequestCreationPolicy) (string, error) {
+	switch policy {
+	case PullRequestCreationPolicyAll:
+		return "all", nil
+	case PullRequestCreationPolicyCollaboratorsOnly:
+		return "collaborators_only", nil
+	case "":
+		return "", nil
+	default:
+		return "", fmt.Errorf("unsupported GraphQL pull request creation policy %q", policy)
+	}
+}
+
+func expandPullRequestCreationPolicy(policy string) (PullRequestCreationPolicy, error) {
+	switch policy {
+	case "all":
+		return PullRequestCreationPolicyAll, nil
+	case "collaborators_only":
+		return PullRequestCreationPolicyCollaboratorsOnly, nil
+	default:
+		return "", fmt.Errorf("unsupported Terraform pull request creation policy %q", policy)
+	}
+}
+
+func isUnsupportedPullRequestCreationPolicyError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	message := strings.ToLower(err.Error())
+
+	return strings.Contains(message, "pullrequestcreationpolicy") &&
+		(strings.Contains(message, "doesn't exist") ||
+			strings.Contains(message, "does not exist") ||
+			strings.Contains(message, "undefined field") ||
+			strings.Contains(message, "unknown argument") ||
+			strings.Contains(message, "cannot query field"))
+}
+
+func getRepositoryPullRequestCreationPolicy(ctx context.Context, owner, name string, meta any) (string, error) {
+	var query struct {
+		Repository struct {
+			PullRequestCreationPolicy PullRequestCreationPolicy
+		} `graphql:"repository(owner:$owner, name:$name)"`
+	}
+
+	variables := map[string]any{
+		"owner": githubv4.String(owner),
+		"name":  githubv4.String(name),
+	}
+
+	client := meta.(*Owner).v4client
+	if err := client.Query(ctx, &query, variables); err != nil {
+		return "", err
+	}
+
+	return flattenPullRequestCreationPolicy(query.Repository.PullRequestCreationPolicy)
+}
+
+func updateRepositoryPullRequestCreationPolicy(ctx context.Context, repositoryID githubv4.ID, policy string, meta any) error {
+	expandedPolicy, err := expandPullRequestCreationPolicy(policy)
+	if err != nil {
+		return err
+	}
+
+	input := UpdateRepositoryInput{
+		RepositoryID:              repositoryID,
+		PullRequestCreationPolicy: &expandedPolicy,
+	}
+
+	var mutation struct {
+		UpdateRepository struct {
+			Repository struct {
+				ID githubv4.ID
+			}
+		} `graphql:"updateRepository(input:$input)"`
+	}
+
+	client := meta.(*Owner).v4client
+	return client.Mutate(ctx, &mutation, input, nil)
+}
+
 // Maintain compatibility with deprecated Global ID format
 // https://github.blog/2021-02-10-new-global-id-format-coming-to-graphql/
 func repositoryLegacyNodeIDExists(name string, meta any) (bool, error) {

github/util_v4_repository_test.go

@@ -2,6 +2,8 @@ package github
 
 import (
 	"bytes"
+	"context"
+	"errors"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -191,6 +193,142 @@ func TestGetRepositoryIDPositiveMatches(t *testing.T) {
 	}
 }
 
+func TestPullRequestCreationPolicyMapping(t *testing.T) {
+	t.Run("flatten GraphQL values", func(t *testing.T) {
+		cases := []struct {
+			name    string
+			input   PullRequestCreationPolicy
+			want    string
+			wantErr bool
+		}{
+			{name: "all", input: PullRequestCreationPolicyAll, want: "all"},
+			{name: "collaborators_only", input: PullRequestCreationPolicyCollaboratorsOnly, want: "collaborators_only"},
+			{name: "empty", input: "", want: ""},
+			{name: "invalid", input: PullRequestCreationPolicy("NOPE"), wantErr: true},
+		}
+
+		for _, tc := range cases {
+			got, err := flattenPullRequestCreationPolicy(tc.input)
+			if tc.wantErr {
+				if err == nil {
+					t.Fatalf("%s: expected error, got nil", tc.name)
+				}
+				continue
+			}
+			if err != nil {
+				t.Fatalf("%s: unexpected error: %v", tc.name, err)
+			}
+			if got != tc.want {
+				t.Fatalf("%s: got %q want %q", tc.name, got, tc.want)
+			}
+		}
+	})
+
+	t.Run("expand Terraform values", func(t *testing.T) {
+		cases := []struct {
+			name    string
+			input   string
+			want    PullRequestCreationPolicy
+			wantErr bool
+		}{
+			{name: "all", input: "all", want: PullRequestCreationPolicyAll},
+			{name: "collaborators_only", input: "collaborators_only", want: PullRequestCreationPolicyCollaboratorsOnly},
+			{name: "invalid", input: "everyone", wantErr: true},
+		}
+
+		for _, tc := range cases {
+			got, err := expandPullRequestCreationPolicy(tc.input)
+			if tc.wantErr {
+				if err == nil {
+					t.Fatalf("%s: expected error, got nil", tc.name)
+				}
+				continue
+			}
+			if err != nil {
+				t.Fatalf("%s: unexpected error: %v", tc.name, err)
+			}
+			if got != tc.want {
+				t.Fatalf("%s: got %q want %q", tc.name, got, tc.want)
+			}
+		}
+	})
+}
+
+func TestRepositoryPullRequestCreationPolicyGraphQL(t *testing.T) {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/graphql", func(w http.ResponseWriter, req *http.Request) {
+		body := mustRead(req.Body)
+		w.Header().Set("Content-Type", "application/json")
+
+		switch {
+		case strings.Contains(body, "repository(owner:$owner, name:$name){pullRequestCreationPolicy}"):
+			if !strings.Contains(body, `"owner":"integrations"`) {
+				t.Fatalf("expected resolved owner in GraphQL body, got %s", body)
+			}
+			mustWrite(w, `{"data":{"repository":{"pullRequestCreationPolicy":"COLLABORATORS_ONLY"}}}`)
+		case strings.Contains(body, "mutation($input:UpdateRepositoryInput!){updateRepository(input:$input){repository{id}}}"):
+			mustWrite(w, `{"data":{"updateRepository":{"repository":{"id":"R_kgDOGGmaaw"}}}}`)
+		default:
+			t.Fatalf("unexpected GraphQL body: %s", body)
+		}
+	})
+
+	meta := Owner{
+		v4client: githubv4.NewClient(&http.Client{Transport: localRoundTripper{handler: mux}}),
+		name:     "integrations",
+	}
+
+	ctx := context.Background()
+
+	got, err := getRepositoryPullRequestCreationPolicy(ctx, "integrations", "terraform-provider-github", &meta)
+	if err != nil {
+		t.Fatalf("unexpected read error: %v", err)
+	}
+	if got != "collaborators_only" {
+		t.Fatalf("got %q want %q", got, "collaborators_only")
+	}
+
+	if err := updateRepositoryPullRequestCreationPolicy(ctx, githubv4.ID("R_kgDOGGmaaw"), "all", &meta); err != nil {
+		t.Fatalf("unexpected update error: %v", err)
+	}
+}
+
+func TestIsUnsupportedPullRequestCreationPolicyError(t *testing.T) {
+	cases := []struct {
+		name string
+		err  error
+		want bool
+	}{
+		{
+			name: "missing field",
+			err:  errors.New(`Field 'pullRequestCreationPolicy' doesn't exist on type 'Repository'`),
+			want: true,
+		},
+		{
+			name: "cannot query field",
+			err:  errors.New(`Cannot query field "pullRequestCreationPolicy" on type "Repository".`),
+			want: true,
+		},
+		{
+			name: "unrelated graphql error",
+			err:  errors.New(`Could not resolve to a Repository with the name 'integrations/terraform-provider-github'.`),
+			want: false,
+		},
+		{
+			name: "nil",
+			err:  nil,
+			want: false,
+		},
+	}
+
+	for _, tc := range cases {
+		got := isUnsupportedPullRequestCreationPolicyError(tc.err)
+		if got != tc.want {
+			t.Fatalf("%s: got %t want %t", tc.name, got, tc.want)
+		}
+	}
+}
+
 // localRoundTripper is an http.RoundTripper that executes HTTP transactions
 // by using handler directly, instead of going over an HTTP connection.
 type localRoundTripper struct {

website/docs/r/repository.html.markdown

@@ -112,6 +112,8 @@ The following arguments are supported:
 
 - `delete_branch_on_merge` - (Optional) Automatically delete head branch after a pull request is merged. Defaults to `false`.
 
+- `pull_request_creation_policy` - (Optional) Controls who can create pull requests in the repository. Can be `all` or `collaborators_only`. If omitted, the provider reads the current remote value and does not impose a provider-side default.
+
 - `web_commit_signoff_required` - (Optional) Require contributors to sign off on web-based commits. See more in the [GitHub documentation](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-the-commit-signoff-policy-for-your-repository).
 
 - `has_downloads` - (**DEPRECATED**) (Optional) Set to `true` to enable the (deprecated) downloads features on the repository. This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See [this discussion](https://github.com/orgs/community/discussions/102145#discussioncomment-8351756).