fix(github_repository_file): produce signed delete commits via GraphQL

The Contents REST API does not trigger GitHub's server-side web-flow
commit signing on DELETE the way it does on PUT, so deleting a
github_repository_file produces an unsigned commit. When the target
branch is protected by a ruleset that requires signed commits, the
delete is rejected or lands as an unsigned commit on the protected
branch.

Route resourceGithubRepositoryFileDelete through the GraphQL
createCommitOnBranch mutation with a single fileChanges.deletions entry.
That mutation web-flow-signs every commit it produces, regardless of
whether the change is an addition or a deletion, so delete commits are
now signed identically to create/update commits made through the REST
Contents API with unset commit_author/commit_email.

The expected-head oid required by the mutation is fetched via a small
GraphQL query against the target branch just before the mutation, so
the caller does not have to supply it. Archived-repository errors are
still handed to handleArchivedRepoDelete.

Author: LudovicTOURMAN

github/resource_github_repository_file.go

@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/shurcooL/githubv4"
 )
 
 func resourceGithubRepositoryFile() *schema.Resource {
@@ -403,23 +404,92 @@ func resourceGithubRepositoryFileUpdate(ctx context.Context, d *schema.ResourceD
 }
 
 func resourceGithubRepositoryFileDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
-	client := meta.(*Owner).v3client
+	v4 := meta.(*Owner).v4client
 	owner := meta.(*Owner).name
 
 	repo := d.Get("repository").(string)
 	file := d.Get("file").(string)
+	branch := d.Get("branch").(string)
 
-	opts := resourceGithubRepositoryFileOptions(d)
+	ctx = tflog.SetField(ctx, "repository", repo)
+	ctx = tflog.SetField(ctx, "file", file)
+	ctx = tflog.SetField(ctx, "owner", owner)
+	ctx = tflog.SetField(ctx, "branch", branch)
 
-	if *opts.Message == fmt.Sprintf("Add %s", file) {
-		opts.Message = new(fmt.Sprintf("Delete %s", file))
+	// The Contents REST endpoint DELETE /repos/{owner}/{repo}/contents/{path}
+	// does not trigger GitHub's server-side web-flow commit signing, whereas
+	// PUT on the same endpoint does. Using the GraphQL createCommitOnBranch
+	// mutation produces a web-flow signed commit for deletions as well, which
+	// is required by rulesets that enforce signed commits on protected
+	// branches.
+	headOid, err := getBranchHeadOid(ctx, v4, owner, repo, branch)
+	if err != nil {
+		return diag.FromErr(handleArchivedRepoDelete(err, "repository file", file, owner, repo))
 	}
 
-	branch := d.Get("branch").(string)
-	opts.Branch = new(branch)
+	message := fmt.Sprintf("Delete %s", file)
+	if cm, ok := d.GetOk("commit_message"); ok {
+		if v := cm.(string); v != "" && v != fmt.Sprintf("Add %s", file) {
+			message = v
+		}
+	}
 
-	_, _, err := client.Repositories.DeleteFile(ctx, owner, repo, file, opts)
-	return diag.FromErr(handleArchivedRepoDelete(err, "repository file", file, owner, repo))
+	nameWithOwner := githubv4.String(fmt.Sprintf("%s/%s", owner, repo))
+	branchName := githubv4.String(branch)
+	path := githubv4.String(file)
+
+	input := githubv4.CreateCommitOnBranchInput{
+		Branch: githubv4.CommittableBranch{
+			RepositoryNameWithOwner: &nameWithOwner,
+			BranchName:              &branchName,
+		},
+		Message: githubv4.CommitMessage{
+			Headline: githubv4.String(message),
+		},
+		ExpectedHeadOid: githubv4.GitObjectID(headOid),
+		FileChanges: &githubv4.FileChanges{
+			Deletions: &[]githubv4.FileDeletion{{Path: path}},
+		},
+	}
+
+	var mutation struct {
+		CreateCommitOnBranch struct {
+			Commit struct {
+				Oid githubv4.String
+			}
+		} `graphql:"createCommitOnBranch(input: $input)"`
+	}
+
+	if err := v4.Mutate(ctx, &mutation, input, nil); err != nil {
+		return diag.FromErr(handleArchivedRepoDelete(err, "repository file", file, owner, repo))
+	}
+
+	return nil
+}
+
+func getBranchHeadOid(ctx context.Context, client *githubv4.Client, owner, repo, branch string) (string, error) {
+	var query struct {
+		Repository struct {
+			Ref struct {
+				Target struct {
+					Oid githubv4.String
+				}
+			} `graphql:"ref(qualifiedName: $ref)"`
+		} `graphql:"repository(owner: $owner, name: $repo)"`
+	}
+	variables := map[string]any{
+		"owner": githubv4.String(owner),
+		"repo":  githubv4.String(repo),
+		"ref":   githubv4.String("refs/heads/" + branch),
+	}
+	if err := client.Query(ctx, &query, variables); err != nil {
+		return "", err
+	}
+	oid := string(query.Repository.Ref.Target.Oid)
+	if oid == "" {
+		return "", fmt.Errorf("could not resolve HEAD of branch %q on %s/%s", branch, owner, repo)
+	}
+	return oid, nil
 }
 
 func autoBranchDiffSuppressFunc(k, _, _ string, d *schema.ResourceData) bool {

website/docs/r/repository_file.html.markdown

@@ -78,6 +78,8 @@ The following arguments are supported:
 
 - `commit_message` - (Optional) The commit message when creating, updating or deleting the managed file.
 
+~> **Note on signed commits:** delete commits are produced through GitHub's GraphQL `createCommitOnBranch` mutation so they are web-flow signed and satisfy rulesets that require signed commits. Create and update commits go through the REST Contents API, which is web-flow signed only when `commit_author` and `commit_email` are left unset.
+
 - `overwrite_on_create` - (Optional) Enable overwriting existing files. If set to `true` it will overwrite an existing file with the same name. If set to `false` it will fail if there is an existing file with the same name.
 
 - `autocreate_branch` - (Optional) **Deprecated** Automatically create the branch if it could not be found. Defaults to false. Subsequent reads if the branch is deleted will occur from 'autocreate_branch_source_branch'. Use the `github_branch` resource instead.