[BUG]: False diff for merge_commit_message etc. with unprivileged token #3242

@lens0021

Description

Expected Behavior

No diff when running tofu plan with a GITHUB_TOKEN that cannot read (squash or rebase) merge settings[1], similar to how vulnerability_alerts was fixed in #3144.

Actual Behavior

tofu plan reports changes for merge_commit_message, merge_commit_title, squash_merge_commit_message, and squash_merge_commit_title on every run.

Perhaps the provider cannot read these fields with an unprivileged token, so it gets null. It then compares those unknown values against the config and plans to set them to the provider default (PR_TITLE, MERGE_MESSAGE, etc.).

Terraform Version

OpenTofu
integrations/github v6.11.1

Affected Resource(s)

  • github_repository

Terraform Configuration Files

import {
  id = "amber-script-action"
  to = github_repository.this
}
resource "github_repository" "this" {
  allow_merge_commit          = false
  allow_squash_merge          = false
  merge_commit_message        = null
  merge_commit_title          = null
  squash_merge_commit_message = null
  squash_merge_commit_title   = null
  # ...
}

The full code: https://github.com/lens0021/amber-script-action/blob/dca2d0e3ee1d4cebcf50287e43c8894a72d9f10a/.github/tf/repository.tf

Steps to Reproduce

  1. Use a GITHUB_TOKEN with only Contents: read, Metadata: read.
  2. Run tofu plan.
  3. Plan shows changes.

The full code: https://github.com/lens0021/amber-script-action/blob/dca2d0e3ee1d4cebcf50287e43c8894a72d9f10a/.github/workflows/tf.yaml#L22-L39

Debug Output

##[debug]Set output stdout = github_repository.this: Preparing import... [id=amber-script-action]
##[debug]github_repository.this: Refreshing state... [id=amber-script-action]
##[debug]github_repository_ruleset.default: Preparing import... [id=amber-script-action:6070737]
##[debug]github_repository_ruleset.default: Refreshing state... [id=6070737]
##[debug]
##[debug]OpenTofu used the selected providers to generate the following execution
##[debug]plan. Resource actions are indicated with the following symbols:
##[debug]  ~ update in-place (current -> planned)
##[debug]
##[debug]OpenTofu will perform the following actions:
##[debug]
##[debug]  # github_repository.this will be updated in-place
##[debug]  # (imported from "amber-script-action")
##[debug]  ~ resource "github_repository" "this" {
##[debug]        allow_auto_merge            = false
...

Panic Output

Code of Conduct

  • I agree to follow this project's Code of Conduct

Footnotes

  1. The reason I tried this was that I wanted a GitHub Actions run without a PAT.
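To make the suspected mechanism concrete, here is an added Go model (not the provider's own code) of a Read step that either writes unreadable merge settings into state as empty, reproducing the false diff, or keeps the prior state value, which gives the empty plan the report expects. The provider defaults other than PR_TITLE and MERGE_MESSAGE, and the trimmed API bodies, are assumptions constructed for this example.

```go
package main

import "encoding/json"

// The four attributes the issue reports as spuriously changing.
var mergeAttrs = []string{"merge_commit_title", "merge_commit_message",
	"squash_merge_commit_title", "squash_merge_commit_message"}

// Assumed provider defaults (a config value of null resolves to these).
var providerDefaults = map[string]string{
	"merge_commit_title":          "MERGE_MESSAGE",
	"merge_commit_message":        "PR_TITLE",
	"squash_merge_commit_title":   "COMMIT_OR_PR_TITLE",
	"squash_merge_commit_message": "COMMIT_MESSAGES",
}

// Constructed GET /repos/{owner}/{repo} bodies, trimmed to the relevant keys.
var privilegedBody = []byte(`{"id":1,"merge_commit_title":"MERGE_MESSAGE","merge_commit_message":"PR_TITLE","squash_merge_commit_title":"COMMIT_OR_PR_TITLE","squash_merge_commit_message":"COMMIT_MESSAGES"}`)
var unprivilegedBody = []byte(`{"id":1,"name":"amber-script-action"}`)

// refresh models the provider's Read step. With preserve=false an unreadable key
// is stored as "" (the reported behaviour); with preserve=true prior state is kept.
func refresh(prior map[string]string, body []byte, preserve bool) (map[string]string, error) {
	var raw map[string]any
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, err
	}
	next := map[string]string{}
	for _, k := range mergeAttrs {
		if s, ok := raw[k].(string); ok { // key present and readable
			next[k] = s
		} else if preserve { // absent or null: keep the last known value
			next[k] = prior[k]
		} else { // absent or null: written as "", so the plan sees a change
			next[k] = ""
		}
	}
	return next, nil
}

// plan lists attributes whose refreshed state differs from the desired value.
func plan(state map[string]string) (changed []string) {
	for _, k := range mergeAttrs {
		if state[k] != providerDefaults[k] {
			changed = append(changed, k)
		}
	}
	return changed
}
```

With the unprivileged body, the non-preserving read yields four planned changes on every run, while the preserving read yields none.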


Labels: Status: Triage (This is being looked at and prioritized); Type: Bug (Something isn't working as documented)
