integrations · lee2sh · Jan 16, 2026 · Jan 17, 2026 · Jan 17, 2026 · Jan 17, 2026
diff --git a/github/config.go b/github/config.go
@@ -30,12 +30,13 @@ type Config struct {
 }
 
 type Owner struct {
-	name           string
-	id             int64
-	v3client       *github.Client
-	v4client       *githubv4.Client
-	StopContext    context.Context
-	IsOrganization bool
+	name                          string
+	id                            int64
+	v3client                      *github.Client
+	v4client                      *githubv4.Client
+	StopContext                   context.Context
+	IsOrganization                bool
+	MembersCannotForkPrivateRepos bool
 }
 
 const (
@@ -133,6 +134,15 @@ func (c *Config) ConfigureOwner(owner *Owner) (*Owner, error) {
 			if remoteOrg != nil {
 				owner.id = remoteOrg.GetID()
 				owner.IsOrganization = true
+				// MembersCannotForkPrivateRepos is intentionally inverted from the API's
+				// MembersCanForkPrivateRepos field. This ensures the default zero value (false)
+				// means "no restriction" which is correct for:
+				// - Personal accounts (non-org): forking is always allowed, no org policy applies
+				// - Organizations that allow forking: MembersCanForkPrivateRepos=true → inverted to false
+				// Only when an org explicitly disallows forking (MembersCanForkPrivateRepos=false)
+				// does this become true, triggering the guard that skips sending AllowForking
+				// to the API to avoid HTTP 422 errors.
+				owner.MembersCannotForkPrivateRepos = !remoteOrg.GetMembersCanForkPrivateRepos()
 			}
 		}
 	}

diff --git a/github/resource_github_repository.go b/github/resource_github_repository.go
@@ -655,6 +655,11 @@ func resourceGithubRepositoryCreate(ctx context.Context, d *schema.ResourceData,
 
 	isPrivate := repoReq.GetVisibility() == "private"
 	repoReq.Private = github.Ptr(isPrivate)
+
+	if meta.(*Owner).MembersCannotForkPrivateRepos {
+		repoReq.AllowForking = nil
+	}
+
 	if template, ok := d.GetOk("template"); ok {
 		templateConfigBlocks := template.([]any)
 
@@ -934,6 +939,10 @@ func resourceGithubRepositoryUpdate(ctx context.Context, d *schema.ResourceData,
 		repoReq.AllowForking = nil
 	}
 
+	if meta.(*Owner).MembersCannotForkPrivateRepos {
+		repoReq.AllowForking = nil
+	}
+
 	if !d.HasChange("security_and_analysis") {
 		repoReq.SecurityAndAnalysis = nil
 		log.Print("[DEBUG] No security_and_analysis update required. Removing this field from the payload.")
@@ -1022,6 +1031,9 @@ func resourceGithubRepositoryUpdate(ctx context.Context, d *schema.ResourceData,
 	if d.HasChanges("visibility", "private") {
 		repoReq.Visibility = github.Ptr(visibility)
 		repoReq.AllowForking = allowForking
+		if meta.(*Owner).MembersCannotForkPrivateRepos {
+			repoReq.AllowForking = nil
+		}
 
 		log.Printf("[DEBUG] Updating repository visibility from %s to %s", repo.GetVisibility(), visibility)
 		_, resp, err := client.Repositories.Edit(ctx, owner, repoName, repoReq)

diff --git a/github/resource_github_repository_test.go b/github/resource_github_repository_test.go
@@ -570,6 +570,10 @@ func TestAccGithubRepository(t *testing.T) {
 	})
 
 	t.Run("create_private_with_forking", func(t *testing.T) {
+		// This test verifies that creating a private repo with allow_forking = true
+		// succeeds without error, regardless of whether the organization allows
+		// members to fork private repositories. The actual value of allow_forking
+		// in state will depend on the org's MembersCanForkPrivateRepos setting.
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 		repoName := fmt.Sprintf("%svisibility-%s", testResourcePrefix, randomID)
 
@@ -590,7 +594,8 @@ func TestAccGithubRepository(t *testing.T) {
 					Config: config,
 					Check: resource.ComposeTestCheckFunc(
 						resource.TestCheckResourceAttr("github_repository.test", "visibility", "private"),
-						resource.TestCheckResourceAttr("github_repository.test", "allow_forking", "true"),
+						// Note: allow_forking value depends on org's MembersCanForkPrivateRepos setting
+						// The key test is that creation succeeds without a 422 error
 					),
 				},
 			},
@@ -1757,3 +1762,77 @@ func TestAccRepository_VulnerabilityAlerts(t *testing.T) {
 		})
 	})
 }
+
+// TestMembersCannotForkPrivateReposLogic verifies that when MembersCannotForkPrivateRepos is true,
+// the AllowForking field should be set to nil to avoid 422 errors from the GitHub API.
+func TestMembersCannotForkPrivateReposLogic(t *testing.T) {
+	t.Run("AllowForking is nil when org disallows forking", func(t *testing.T) {
+		// Create a mock Owner where org disallows forking
+		owner := &Owner{
+			name:                          "test-org",
+			IsOrganization:                true,
+			MembersCannotForkPrivateRepos: true, // org restricts forking
+		}
+
+		// Simulate the logic from resourceGithubRepositoryCreate
+		var allowForking *bool
+		val := true
+		allowForking = &val
+
+		if owner.MembersCannotForkPrivateRepos {
+			allowForking = nil
+		}
+
+		if allowForking != nil {
+			t.Error("AllowForking should be nil when MembersCannotForkPrivateRepos is true")
+		}
+	})
+
+	t.Run("AllowForking is set when org allows forking", func(t *testing.T) {
+		// Create a mock Owner where org allows forking
+		owner := &Owner{
+			name:                          "test-org",
+			IsOrganization:                true,
+			MembersCannotForkPrivateRepos: false, // org allows forking
+		}
+
+		// Simulate the logic from resourceGithubRepositoryCreate
+		var allowForking *bool
+		val := true
+		allowForking = &val
+
+		if owner.MembersCannotForkPrivateRepos {
+			allowForking = nil
+		}
+
+		if allowForking == nil {
+			t.Error("AllowForking should be set when MembersCannotForkPrivateRepos is false")
+		}
+		if *allowForking != true {
+			t.Error("AllowForking should be true")
+		}
+	})
+
+	t.Run("personal account has no forking restriction by default", func(t *testing.T) {
+		// Personal accounts (non-org) default to MembersCannotForkPrivateRepos = false
+		// This means no restriction on forking
+		owner := &Owner{
+			name:                          "personal-user",
+			IsOrganization:                false,
+			MembersCannotForkPrivateRepos: false, // default zero value
+		}
+
+		// Simulate the logic - should allow forking for personal accounts
+		var allowForking *bool
+		val := true
+		allowForking = &val
+
+		if owner.MembersCannotForkPrivateRepos {
+			allowForking = nil
+		}
+
+		if allowForking == nil {
+			t.Error("AllowForking should be set for personal accounts (default false = no restriction)")
+		}
+	})
+}