Merge branch 'main' into fix/enterprise-org-saml-create-taint

Author: nickfloyd

github/data_source_github_repository.go

@@ -61,8 +61,9 @@ func dataSourceGithubRepository() *schema.Resource {
 				Computed: true,
 			},
 			"has_downloads": {
-				Type:     schema.TypeBool,
-				Computed: true,
+				Type:       schema.TypeBool,
+				Computed:   true,
+				Deprecated: "This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See https://github.com/orgs/community/discussions/102145#discussioncomment-8351756",
 			},
 			"has_wiki": {
 				Type:     schema.TypeBool,

github/resource_github_actions_organization_secret_test.go

@@ -6,8 +6,11 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-github/v81/github"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 
 func TestAccGithubActionsOrganizationSecret(t *testing.T) {
@@ -17,16 +20,16 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 
 		config := fmt.Sprintf(`
 			resource "github_actions_organization_secret" "plaintext_secret" {
-			  secret_name      = "test_plaintext_secret"
-			  plaintext_value  = "%s"
-			  visibility       = "private"
+				secret_name      = "test_plaintext_secret"
+				plaintext_value  = "%s"
+				visibility       = "private"
 			}
 
 			resource "github_actions_organization_secret" "encrypted_secret" {
-			  secret_name      = "test_encrypted_secret"
-			  encrypted_value  = "%s"
-			  visibility       = "private"
-			  destroy_on_drift = false
+				secret_name      = "test_encrypted_secret"
+				encrypted_value  = "%s"
+				visibility       = "private"
+				destroy_on_drift = false
 			}
 		`, secretValue, secretValue)
 
@@ -143,8 +146,79 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 			},
 		})
 	})
+}
+
+func TestAccGithubActionsOrganizationSecret_DestroyOnDrift(t *testing.T) {
+	t.Run("destroyOnDrift false", func(t *testing.T) {
+		destroyOnDrift := false
+		t.Run("should ignore drift when ignore_changes lifecycle is configured", func(t *testing.T) {
+			// Verify https://github.com/integrations/terraform-provider-github/issues/2614
+			randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+			config := fmt.Sprintf(`
+				resource "github_actions_organization_secret" "test_secret" {
+					secret_name = "test_secret_%s"
+					plaintext_value = "test_value"
+					visibility = "private"
+
+					destroy_on_drift = %t
+					lifecycle {
+						ignore_changes = [plaintext_value]
+					}
+				}
+			`, randomID, destroyOnDrift)
+
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessHasOrgs(t) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+					},
+					{
+						Config: config,
+						Check: resource.ComposeTestCheckFunc(
+							func(s *terraform.State) error {
+								rs, ok := s.RootModule().Resources["github_actions_organization_secret.test_secret"]
+								if !ok {
+									t.Errorf("not found: github_actions_organization_secret.test_secret")
+								}
+								// Now that the secret is created, update it to trigger a drift.
+								client := testAccProvider.Meta().(*Owner).v3client
+								owner := testAccProvider.Meta().(*Owner).name
+								ctx := t.Context()
+
+								keyId, publicKey, err := getOrganizationPublicKeyDetails(owner, testAccProvider.Meta().(*Owner))
+								if err != nil {
+									t.Errorf("Failed to get organization public key details: %v", err)
+								}
 
-	// Unit tests for drift detection behavior
+								encryptedSecret, err := createEncryptedSecret(rs.Primary, "foo", keyId, publicKey)
+								if err != nil {
+									t.Errorf("Failed to create encrypted secret: %v", err)
+								}
+								_, err = client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedSecret)
+								if err != nil {
+									t.Errorf("Failed to create or update organization secret: %v", err)
+								}
+								return err
+							},
+						),
+					},
+					{
+						Config:             config,
+						PlanOnly:           true,
+						ExpectNonEmptyPlan: false,
+					},
+				},
+			})
+		})
+	})
+	// t.Run("destroyOnDrift true", func(t *testing.T) {
+	// 	destroyOnDrift := true
+	// })
+}
+
+func TestGithubActionsOrganizationSecret_DestroyOnDrift(t *testing.T) {
 	t.Run("destroyOnDrift false clears sensitive values instead of recreating", func(t *testing.T) {
 		originalTimestamp := "2023-01-01T00:00:00Z"
 		newTimestamp := "2023-01-02T00:00:00Z"
@@ -248,3 +322,21 @@ func TestAccGithubActionsOrganizationSecret(t *testing.T) {
 		}
 	})
 }
+
+func createEncryptedSecret(is *terraform.InstanceState, plaintextValue, keyId, publicKey string) (*github.EncryptedSecret, error) {
+	secretName := is.Attributes["secret_name"]
+	visibility := is.Attributes["visibility"]
+
+	encryptedBytes, err := encryptPlaintext(plaintextValue, publicKey)
+	if err != nil {
+		return nil, err
+	}
+	encryptedValue := base64.StdEncoding.EncodeToString(encryptedBytes)
+
+	return &github.EncryptedSecret{
+		Name:           secretName,
+		KeyID:          keyId,
+		Visibility:     visibility,
+		EncryptedValue: encryptedValue,
+	}, nil
+}

github/resource_github_organization_ruleset_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
-func TestGithubOrganizationRulesets(t *testing.T) {
+func TestAccGithubOrganizationRuleset(t *testing.T) {
 	t.Run("create_branch_ruleset", func(t *testing.T) {
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 

github/resource_github_repository.go

@@ -211,6 +211,7 @@ func resourceGithubRepository() *schema.Resource {
 				Type:        schema.TypeBool,
 				Optional:    true,
 				Description: "Set to 'true' to enable the (deprecated) downloads features on the repository.",
+				Deprecated:  "This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See https://github.com/orgs/community/discussions/102145#discussioncomment-8351756",
 			},
 			"has_wiki": {
 				Type:        schema.TypeBool,

github/resource_github_repository_ruleset_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 )
 
-func TestGithubRepositoryRulesets(t *testing.T) {
+func TestAccGithubRepositoryRuleset(t *testing.T) {
 	t.Run("create_branch_ruleset", func(t *testing.T) {
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 
@@ -501,7 +501,7 @@ resource "github_repository_ruleset" "test" {
 	})
 }
 
-func TestGithubRepositoryRulesetArchived(t *testing.T) {
+func TestAccGithubRepositoryRulesetArchived(t *testing.T) {
 	randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 
 	t.Run("skips update and delete on archived repository", func(t *testing.T) {

website/docs/d/repository.html.markdown

@@ -67,7 +67,7 @@ The following arguments are supported:
 
 * `merge_commit_message` - The default value for a merge commit message.
 
-* `has_downloads` - Whether the repository has Downloads feature enabled.
+* `has_downloads` - (**DEPRECATED**) Whether the repository has Downloads feature enabled. This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See [this discussion](https://github.com/orgs/community/discussions/102145#discussioncomment-8351756).
 
 * `default_branch` - The name of the default branch of the repository.
 

website/docs/r/repository.html.markdown

@@ -114,7 +114,7 @@ The following arguments are supported:
 
 * `web_commit_signoff_required` - (Optional) Require contributors to sign off on web-based commits. See more [here](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-the-commit-signoff-policy-for-your-repository). Defaults to `false`.
 
-* `has_downloads` - (Optional) Set to `true` to enable the (deprecated) downloads features on the repository.
+* `has_downloads` - (**DEPRECATED**) (Optional) Set to `true` to enable the (deprecated) downloads features on the repository. This attribute is no longer in use, but it hasn't been removed yet. It will be removed in a future version. See [this discussion](https://github.com/orgs/community/discussions/102145#discussioncomment-8351756).
 
 * `auto_init` - (Optional) Set to `true` to produce an initial commit in the repository.