[BUG]: github_branch_protection fails with 'Resource not accessible by integration' when app node_id is in dismissal_restrictions

[pbordo-rtbh]

Expected Behavior

When a GitHub App node ID is included in dismissal_restrictions of github_branch_protection, the provider should be able to read and manage the branch protection rule, including setting app node IDs alongside team node IDs.

Actual Behavior

The provider fails with Resource not accessible by integration during both plan and apply when:

1. An app node ID is specified in dismissal_restrictions in the HCL config, OR
2. An app has been added to dismissal_restrictions via the GitHub API externally (state refresh fails)

This makes it impossible to use Terraform to manage branch protection rules that include GitHub Apps in dismissal restrictions.

Terraform Version

Terraform v1.6.0
+ provider registry.terraform.io/integrations/github v6.x

Affected Resource(s)

• github_branch_protection

Terraform Configuration Files

data "github_team" "maintainers" {
  for_each = {
    for team in var.teams : team.team_slug => team
    if team.role == "maintain" || team.role == "admin"
  }
  slug = each.key
}

resource "github_branch_protection" "this" {
  for_each      = toset(var.protected_branches)
  repository_id = github_repository.this.node_id
  pattern       = each.value

  required_pull_request_reviews {
    dismiss_stale_reviews           = false
    require_code_owner_reviews      = true
    required_approving_review_count = 1
    restrict_dismissals             = true
    dismissal_restrictions = concat(
      [for team_data in data.github_team.maintainers : team_data.node_id],
      ["A_kwPOAAELEM4AECna"]  # GitHub App node ID
    )
  }

  enforce_admins = false
}

Steps to Reproduce

1. Create a github_branch_protection resource with restrict_dismissals = true
2. Include a GitHub App node ID in dismissal_restrictions alongside team node IDs
3. Run terraform plan or terraform apply

Alternative reproduction:

1. Have a working github_branch_protection with only team node IDs in dismissal_restrictions
2. Externally add a GitHub App to dismissal_restrictions via the GitHub REST API:

   PATCH /repos/{owner}/{repo}/branches/{branch}/protection/required_pull_request_reviews
   { "dismissal_restrictions": { "teams": [...], "apps": ["my-app-slug"] } }
   

3. Run terraform plan — fails during state refresh

Error Output

Error: Resource not accessible by integration

  with github_branch_protection.this["main"],
  on repo.tf line 158, in resource "github_branch_protection" "this":
  158: resource "github_branch_protection" "this" {

Additional Context

• The GitHub REST API supports apps in dismissal_restrictions and works correctly with user PATs
• The GitHub App used by the Terraform provider has administration:write permission on the org
• The error occurs even when the app node ID in dismissal_restrictions belongs to a different (non-Terraform) app that is installed on the repository
• This appears to be a provider-level limitation where the GraphQL mutation used for branch protection rules doesn't support app actors in dismissalRestrictionsActorIds, or the provider doesn't properly translate app node IDs for the mutation

Workaround

Currently the only workaround is to manage the app entry in dismissal_restrictions via the GitHub REST API outside of Terraform, and ensure Terraform never touches repos where an app has been added. This is fragile and creates state drift.

[github-actions]

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

[deiga]

Hey @pbordo-rtbh

Resource not accessible by integration usually means that your Auth method is lacking permissions, though your stated permission should be enough.

Could share DEBUG level logs of the failing terraform run?

[patrickvinograd]

Also seeing this.

The other resource I'm having trouble with is github_app_installation_repository, which I tracked down to being unusable with appAuth, because those APIs are only available via PATs with repo scope.

I wonder if the two are connected, i.e. the branch protection rule API can't interrogate the repo app installations because of the above appAuth vs. PAT limitation? Total hypothesizing on my part...

[deiga]

@patrickvinograd The API for github_branch_protection uses GQL API which doesn't provider clear guidance for what queries/mutations with with GH App tokens :/
https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/choosing-permissions-for-a-github-app#choosing-permissions-for-graphql-api-access

The Rest API endpoints allow GH App Installation Access Tokens, so one would assume that the GQL API does as well.

Maybe you could share TF_LOG=DEBUG terraform ... logs to help us debug this?

[patrickvinograd]

I ran it with TF_LOG=DEBUG, I can't include the full output, but the only lines related to this resource are not that helpful:

module.repos["core"].github_branch_protection.branch_protection[0]: Refreshing state... [id=BPR_kwDOBZN5Js4Bag6N]
2026-03-11T16:41:31.408Z [ERROR] provider.terraform-provider-github_v6.10.2: Response contains error diagnostic: @module=sdk.proto tf_provider_addr=provider tf_req_id=e4796713-fb1f-2326-fc4a-382f28ba348b tf_resource_type=github_bran
ch_protection @caller=github.com/hashicorp/terraform-plugin-go@v0.29.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="Resource not accessible by integration" tf_proto_ver
sion=5.10 tf_rpc=ReadResource timestamp=2026-03-11T16:41:31.408Z
2026-03-11T16:41:31.411Z [ERROR] vertex "module.repos[\"core\"].github_branch_protection.branch_protection[0]" error: Resource not accessible by integration
2026-03-11T16:41:31.411Z [ERROR] vertex "module.repos.github_branch_protection.branch_protection (expand)" error: Resource not accessible by integration

[pbordo-rtbh]

@deiga I dug into the provider source and I believe DEBUG logs won't reveal much beyond what @patrickvinograd already shared. The error comes from the GitHub GraphQL API layer, not from missing permissions on the provider's App.

Root cause: the provider uses GraphQL with inline fragments to read dismissal actors (... on App, ... on Team, ... on User in util_v4_branch_protection.go → setDismissalActorIDs). When the provider authenticates as a GitHub App installation token, the GraphQL API rejects queries that try to resolve other App node IDs — returning Resource not accessible by integration before the provider gets any useful data back. This is a GitHub API-level restriction, not a provider bug.

The provider code itself handles App actors identically to Teams and Users — the logic is there and correct. The problem is that GitHub doesn't allow one private App to introspect another private App's metadata via GraphQL.

This is the same underlying cause as #2236 (open) and #1248 / #1156 (both closed without a real fix).

Possible fix directions:

1. During ReadResource, catch the "not accessible" error when resolving App actors and skip them gracefully instead of failing the entire read — this would at least prevent state refresh from breaking
2. Fall back to the REST API (GET /repos/{owner}/{repo}/branches/{branch}/protection) for reading branch protection rules when GraphQL fails — REST handles App tokens correctly for this endpoint
3. Expose a separate app_ids field in dismissal_restrictions (like bypass_pull_request_allowances does) so the provider can handle App actors through a different code path

Workaround for anyone hitting this: github_repository_ruleset (the newer resource) uses a different API path and may not have this limitation. We've migrated/built some projects with it and haven't seen the same issue.

[deiga]

@pbordo-rtbh thanks for diving into this!

Since GitHub is deprecating branch protection we are also focusing less on those resources. We should document this limitation with GQL and GH Apps.

The recommendation is to use rulesets for actual protection configs and only use the branch protection for the non-migrated functionality (like environment branches)