feat: support internal visibility for repositories created by a template (#3123)

* feat: support internal visibility for repositories created by a template

* fix: update handling of internal visibility for repositories created from templates

* fix: update test to reflect internal repository visibility as private

Author: puneet-arora15

github/resource_github_repository.go

@@ -650,8 +650,6 @@ func resourceGithubRepositoryCreate(ctx context.Context, d *schema.ResourceData,
 	owner := meta.(*Owner).name
 	repoName := repoReq.GetName()
 
-	isPrivate := repoReq.GetVisibility() == "private"
-	repoReq.Private = github.Ptr(isPrivate)
 	if template, ok := d.GetOk("template"); ok {
 		templateConfigBlocks := template.([]any)
 
@@ -665,11 +663,14 @@ func resourceGithubRepositoryCreate(ctx context.Context, d *schema.ResourceData,
 			templateRepoOwner := templateConfigMap["owner"].(string)
 			includeAllBranches := templateConfigMap["include_all_branches"].(bool)
 
+			// Template API only supports Private boolean, so treat "internal" as private, then update via PATCH.
+			private := repoReq.GetVisibility() != "public"
+
 			templateRepoReq := github.TemplateRepoRequest{
 				Name:               &repoName,
 				Owner:              &owner,
 				Description:        github.Ptr(d.Get("description").(string)),
-				Private:            github.Ptr(isPrivate),
+				Private:            github.Ptr(private),
 				IncludeAllBranches: github.Ptr(includeAllBranches),
 			}
 

github/resource_github_repository_test.go

@@ -1202,15 +1202,15 @@ resource "github_repository" "test" {
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 		testRepoName := fmt.Sprintf("%svisibility-internal-%s", testResourcePrefix, randomID)
 		config := fmt.Sprintf(`
-			resource "github_repository" "internal" {
+			resource "github_repository" "test" {
 				name       = "%s"
 				visibility = "internal"
 			}
 		`, testRepoName)
 
 		check := resource.ComposeTestCheckFunc(
 			resource.TestCheckResourceAttr(
-				"github_repository.internal", "visibility",
+				"github_repository.test", "visibility",
 				"internal",
 			),
 		)
@@ -1399,6 +1399,35 @@ resource "github_repository" "test" {
 			},
 		})
 	})
+
+	t.Run("create_internal_repo_from_template", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		testRepoName := fmt.Sprintf("%s%s", testResourcePrefix, randomID)
+		config := fmt.Sprintf(`
+            resource "github_repository" "test" {  
+				name       = "%s"
+				visibility = "internal"
+				template {
+					owner      = "%s"
+					repository = "%s"
+				}
+			}
+		`, testRepoName, testAccConf.testPublicTemplateRepositoryOwner, testAccConf.testPublicTemplateRepository)
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnlessMode(t, enterprise) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check: resource.ComposeTestCheckFunc(
+						resource.TestCheckResourceAttr("github_repository.test", "visibility", "internal"),
+						resource.TestCheckResourceAttr("github_repository.test", "private", "true"),
+					),
+				},
+			},
+		})
+	})
 }
 
 func Test_expandPages(t *testing.T) {

website/docs/r/repository.html.markdown

@@ -214,6 +214,8 @@ The `advanced_security` block supports the following:
 * `repository`: The name of the template repository.
 * `include_all_branches`: Whether the new repository should include all the branches from the template repository (defaults to false, which includes only the default branch from the template).
 
+~> **Note on `internal` visibility with templates**: When creating a repository from a template with `visibility = "internal"`, the provider uses a two-step process due to GitHub API limitations. The template creation API only supports a `private` boolean parameter. Therefore, repositories with `visibility = "internal"` are initially created as private and then immediately updated to internal visibility. This ensures internal repositories are never exposed publicly during creation.
+
 ## Attributes Reference
 
 The following additional attributes are exported: