[BUG]: github_codespaces_organization_secret gets lost from state and recreated after secret value change #3367

@Kairixir

Expected Behavior

github_codespaces_organization_secret should behave consistently across consecutive tofu plan runs — showing "No changes" when neither the HCL nor the remote resource has changed. Drift behavior should match github_actions_organization_secret (detect metadata drift, ignore value drift since the API doesn't return values).

Actual Behavior

The resource disappears from state during refresh, causing the next plan to show + create instead of "No changes." The pattern is reproducible:

tofu apply — creates the secret successfully
tofu plan — "No changes" ✓
tofu plan (after a change of secret value in UI) — wants to + create the secret again

This does NOT happen with github_actions_organization_secret or github_dependabot_organization_secret in the same configuration, same provider version, same auth method.

Terraform Version

OpenTofu v1.10.6
on darwin_arm64

  • provider registry.opentofu.org/integrations/github v6.11.1

Affected Resource(s)

github_codespaces_organization_secret

Terraform Configuration Files

resource "github_codespaces_organization_secret" "poc_1" {
  secret_name     = "POC_CODESPACES_SECRET"
  plaintext_value = "Testval"
  visibility      = "private"
}

Steps to Reproduce

  1. tofu apply — secret is created
  2. tofu plan — shows "No changes"
  3. Change POC_CODESPACES_SECRET value in UI
  4. tofu plan again — shows:
# github_codespaces_organization_secret.poc_1[0] will be created
  + resource "github_codespaces_organization_secret" "poc_1" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + secret_name     = "POC_CODESPACES_SECRET"
      + updated_at      = (known after apply)
      + visibility      = "private"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
  5. tofu apply — re-creates the secret
  6. Cycle repeats from step 2

Expected cause:
github_actions_organization_secret received a drift detection rework in PR #3069 (by @stevehipwell), adding remote_updated_at, CustomizeDiff with diffSecret, and StateUpgraders. This fix was not applied to github_codespaces_organization_secret, which likely still uses the old pattern where a timestamp mismatch during Read causes the resource to be removed from state instead of triggering an in-place update.
github_dependabot_organization_secret does not exhibit this behavior in my testing — it may have received the fix or uses a different Read implementation.

References:
PR #3069 — fix: Correct secret drift implementation (Actions secrets)
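
Added example, not part of the original issue and not the provider's code: a simplified Go model of the two refresh patterns the "Expected cause" section contrasts, replaying the reproduction steps against each. The `Remote` and `State` types, the function names and the timestamps are assumptions made for illustration; the "update" outcome follows the issue's description of the reworked pattern (in-place update instead of removal from state).

```go
package main

import "fmt"

// Remote is what the API returns for a secret: metadata only, never the value.
type Remote struct{ Visibility, UpdatedAt string }

// State is what is stored between runs; an empty ID means "not in state".
type State struct{ ID, Visibility, UpdatedAt, RemoteUpdatedAt string }

// refreshOld: suspected old pattern, a timestamp mismatch in Read drops the resource.
func refreshOld(s State, r Remote) State {
	if s.ID != "" && s.UpdatedAt != r.UpdatedAt {
		s.ID = "" // resource vanishes from state
	}
	return s
}

// refreshNew: reworked pattern, Read only records what the API reports.
func refreshNew(s State, r Remote) State {
	s.Visibility, s.RemoteUpdatedAt = r.Visibility, r.UpdatedAt
	return s
}

// plan returns the action a plan would show for the desired visibility.
func plan(s State, want string) string {
	switch {
	case s.ID == "":
		return "create"
	case s.Visibility != want || (s.RemoteUpdatedAt != "" && s.RemoteUpdatedAt != s.UpdatedAt):
		return "update"
	default:
		return "no-op"
	}
}

// Scenario replays: apply, plan, out-of-band value change in the UI, plan again.
func Scenario(refresh func(State, Remote) State) (before, after string) {
	remote := Remote{"private", "2025-01-01T00:00:00Z"} // constructed timestamps
	state := State{ID: "POC_CODESPACES_SECRET", Visibility: "private", UpdatedAt: remote.UpdatedAt}
	before = plan(refresh(state, remote), "private")
	remote.UpdatedAt = "2025-01-02T00:00:00Z" // value edited in the UI
	after = plan(refresh(state, remote), "private")
	return
}

func main() {
	fmt.Println(Scenario(refreshOld)) // no-op create
	fmt.Println(Scenario(refreshNew)) // no-op update
}
```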
