From a81c4b804c3522837c3e59070caa63b4fea24a2d Mon Sep 17 00:00:00 2001
From: Leonard Sheng Sheng Lee
Date: Mon, 1 Dec 2025 10:46:00 +0100
Subject: [PATCH] feat(actions_permissions): sha_pinning_required

Fix https://github.com/integrations/terraform-provider-github/issues/2869.

Signed-off-by: Leonard Sheng Sheng Lee
Signed-off-by: Leonard Sheng Sheng Lee <305414+sheeeng@users.noreply.github.com>
---
 ...github_actions_organization_permissions.go | 24 +++++++++++++++----
 ...b_actions_organization_permissions_test.go | 4 +++-
 ...e_github_actions_repository_permissions.go | 14 +++++++++++
 ...hub_actions_repository_permissions_test.go | 4 +++-
 4 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go
index 0e7754c4c9..5106fec01a 100644
--- a/github/resource_github_actions_organization_permissions.go
+++ b/github/resource_github_actions_organization_permissions.go
@@ -76,6 +76,12 @@ func resourceGithubActionsOrganizationPermissions() *schema.Resource {
 },
 },
 },
+ "sha_pinning_required": { Type: schema.TypeBool, Optional: true, Computed: true, Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization.", },
 },
 }
 } 
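Review bot: The new `sha_pinning_required` schema entry is `Optional: true, Computed: true`, so when the attribute is omitted from configuration the provider keeps whatever value Read obtains from the API and plans no change; an out-of-band change that turns SHA-pinning enforcement off is therefore not surfaced by plan unless the attribute is set explicitly. That is a defensible design, but an operator relying on this as a supply-chain control will want it stated in the attribute documentation. I would extend the description to `Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization. When omitted, the current setting is read from GitHub and is not managed by Terraform.",`. The repository-level schema entry later in the patch has the same shape and would benefit from the same sentence.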
@@ -147,12 +153,18 @@ func resourceGithubActionsOrganizationPermissionsCreateOrUpdate(d *schema.Resour
 allowedActions := d.Get("allowed_actions").(string)
 enabledRepositories := d.Get("enabled_repositories").(string)
+ actionsPermissions := github.ActionsPermissions{ AllowedActions: &allowedActions, EnabledRepositories: &enabledRepositories, }
+
+ if v, ok := d.GetOk("sha_pinning_required"); ok { actionsPermissions.SHAPinningRequired = github.Ptr(v.(bool)) }
+
 _, _, err = client.Actions.UpdateActionsPermissions(ctx, orgName,
- github.ActionsPermissions{
- AllowedActions: &allowedActions,
- EnabledRepositories: &enabledRepositories,
- })
+ actionsPermissions)
 if err != nil {
 return err
 }
@@ -280,6 +292,10 @@ func resourceGithubActionsOrganizationPermissionsRead(d *schema.ResourceData, me
 return err
 }
+ if err = d.Set("sha_pinning_required", actionsPermissions.GetSHAPinningRequired()); err != nil { return err }
+
 return nil
 }
diff --git a/github/resource_github_actions_organization_permissions_test.go b/github/resource_github_actions_organization_permissions_test.go
index 4fa46ecba2..11253569d2 100644
--- a/github/resource_github_actions_organization_permissions_test.go
+++ b/github/resource_github_actions_organization_permissions_test.go
@@ -46,6 +46,7 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 enabledRepositories := "selected"
 githubOwnedAllowed := true
 verifiedAllowed := true
+ shaPinningRequired := true
 randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 repoName := fmt.Sprintf("%srepo-act-org-perm-%s", testResourcePrefix, randomID) 
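Review bot: `d.GetOk("sha_pinning_required")` reports ok=false when the configured value is the type's zero value, so an explicit `sha_pinning_required = false` is never sent and `SHAPinningRequired` stays nil; the API then leaves the current setting untouched, and since the attribute is also Computed, Read writes the real value back to state and in practice the config keeps showing a diff that apply cannot resolve — enforcement cannot be switched off through Terraform. Use a presence check that distinguishes "unset" from "false", e.g. `if !d.GetRawConfig().GetAttr("sha_pinning_required").IsNull() {` followed by `actionsPermissions.SHAPinningRequired = github.Ptr(d.Get("sha_pinning_required").(bool))`, or `d.GetOkExists` if this file already uses it elsewhere. The repository CreateOrUpdate hunk later in the patch uses the same `GetOk` pattern on `repoActionPermissions` and needs the same change. Both enclosing functions begin and end outside their hunks.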
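Review bot: `actionsPermissions.GetSHAPinningRequired()` in the Read hunk yields false when the API response carries no such field, so state records "not required" rather than "unknown" on a server that does not report it (presumably older GitHub Enterprise Server releases — TODO confirm). With Optional+Computed this is harmless for configs that omit the attribute, but a config that sets `true` against such a server would plan a change on every run; if that case matters, guard the write with `if actionsPermissions.SHAPinningRequired != nil {` around the `d.Set`. Either way a one-line comment such as `// a missing field in the response is stored as false` would make the normalisation explicit. The repository Read hunk has the identical line; the Read functions start outside their hunks.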
@@ -64,11 +65,12 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 patterns_allowed = ["actions/cache@*", "actions/checkout@*"]
 verified_allowed = %t
 }
+ sha_pinning_required = %t
 enabled_repositories_config {
 repository_ids = [github_repository.test.repo_id]
 }
 }
- `, repoName, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed)
+ `, repoName, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 check := resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(
diff --git a/github/resource_github_actions_repository_permissions.go b/github/resource_github_actions_repository_permissions.go
index 5710251a7e..57cbace461 100644
--- a/github/resource_github_actions_repository_permissions.go
+++ b/github/resource_github_actions_repository_permissions.go
@@ -65,6 +65,12 @@ func resourceGithubActionsRepositoryPermissions() *schema.Resource {
 Description: "The GitHub repository.",
 ValidateDiagFunc: toDiagFunc(validation.StringLenBetween(1, 100), "repository"),
 },
+ "sha_pinning_required": { Type: schema.TypeBool, Optional: true, Computed: true, Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in a repository.", },
 },
 }
 }
@@ -125,6 +131,10 @@ func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.Resource
 repoActionPermissions.AllowedActions = &allowedActions
 }
+ if v, ok := d.GetOk("sha_pinning_required"); ok { repoActionPermissions.SHAPinningRequired = github.Ptr(v.(bool)) }
+
 _, _, err := client.Repositories.UpdateActionsPermissions(ctx, owner, repoName,
@@ -210,6 +220,10 @@ func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta
 return err
 }
+ if err = d.Set("sha_pinning_required", actionsPermissions.GetSHAPinningRequired()); err != nil { return err }
+
 return nil
 } 
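Review bot: The test config now sets `sha_pinning_required = %t`, but no `resource.TestCheckResourceAttr` for the new attribute is added — the diffstat shows three insertions in this file and all three are visible in the two hunks — so the acceptance test never verifies that the value survives the API round trip and the Read path. Add a check beside the existing ones, e.g. `resource.TestCheckResourceAttr("<resource address used by the existing checks>", "sha_pinning_required", "true"),`, and consider a second step with `shaPinningRequired := false`, which is the case most likely to regress in CreateOrUpdate. The `check` block and the rest of the test lie outside the hunk. The repository test hunk in the next file has the same gap.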
diff --git a/github/resource_github_actions_repository_permissions_test.go b/github/resource_github_actions_repository_permissions_test.go
index a04f556aab..caada9479b 100644
--- a/github/resource_github_actions_repository_permissions_test.go
+++ b/github/resource_github_actions_repository_permissions_test.go
@@ -49,6 +49,7 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 allowedActions := "selected"
 githubOwnedAllowed := true
 verifiedAllowed := true
+ shaPinningRequired := true
 randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
@@ -66,9 +67,10 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 patterns_allowed = ["actions/cache@*", "actions/checkout@*"]
 verified_allowed = %t
 }
+ sha_pinning_required = %t
 repository = github_repository.test.name
 }
- `, repoName, allowedActions, githubOwnedAllowed, verifiedAllowed)
+ `, repoName, allowedActions, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 check := resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(