fix: handle sha_pinning_required=false#3224
fix: handle sha_pinning_required=false#3224sheeeng wants to merge 1 commit intointegrations:mainfrom
sha_pinning_required=false#3224Conversation
|
👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with |
sheeeng
force-pushed
the
fix/sha-pinning-required-false-ignored
branch
from
0dee61f to
3067dd7
Compare
sheeeng
changed the title
sha_pinning_required=falsesha_pinning_required = false
sheeeng
changed the title
sha_pinning_required = falsesha_pinning_required=false
github/resource_github_actions_organization_permissions_test.go
Outdated
Show resolved
Hide resolved
github/resource_github_actions_organization_permissions_test.go
Outdated
Show resolved
Hide resolved
sheeeng
force-pushed
the
fix/sha-pinning-required-false-ignored
branch
from
3067dd7 to
fd7ac91
Compare
deiga
left a comment
deiga
left a comment
There was a problem hiding this comment.
LGTM! @stevehipwell WDYT?
stevehipwell
left a comment
stevehipwell
left a comment
There was a problem hiding this comment.
@sheeeng I thought the whole point here was that SHA pinning was dependent on organization configuration? This change would not fix the issue, but would break this resource.
I'm not sure how I missed this in review, but I'll repeat my suggestion to look at how allow_forking works in the repository resource. To fix this you should split the create and update functions in the resource to simplify the logic. Then in create you can use d.GetOkExists() to see if it should be sent. In update you need to check d.Changed() and if it has changed you need to use d.Get() and then send that value.
sheeeng
force-pushed
the
fix/sha-pinning-required-false-ignored
branch
14 times, most recently
from
e5919ce to
fef996b
Compare
Split `CreateOrUpdate` into separate `Create` and `Update` functions to properly handle the `sha_pinning_required` boolean field's zero-value problem: - Use `d.GetOkExists()` in `Create` to only send the field when the user explicitly sets it in config, even to `false`. - Use `d.HasChange()` in `Update` to detect when the value changes and `d.Get()` to read the new value. Keep schema as `Optional` + `Computed` (not `Default: false`) so the resource inherits the organization-level setting when not explicitly configured. This follows the same pattern used by `allow_forking` in `resource_github_repository.go`. Fixes integrations#3223
sheeeng
force-pushed
the
fix/sha-pinning-required-false-ignored
branch
from
fef996b to
5b44ee6
Compare
deiga
left a comment
deiga
left a comment
There was a problem hiding this comment.
Partial review. Apply comments suggestions to all applicable sections
| Create: resourceGithubActionsOrganizationPermissionsCreateOrUpdate, | ||
| Create: resourceGithubActionsOrganizationPermissionsCreate, | ||
| Read: resourceGithubActionsOrganizationPermissionsRead, | ||
| Update: resourceGithubActionsOrganizationPermissionsCreateOrUpdate, | ||
| Update: resourceGithubActionsOrganizationPermissionsUpdate, | ||
| Delete: resourceGithubActionsOrganizationPermissionsDelete, |
There was a problem hiding this comment.
While you're in here, please refactor these to use the Context-aware functions
| if allowedActions == "selected" { | ||
| actionsAllowedData := resourceGithubActionsOrganizationAllowedObject(d) | ||
| if actionsAllowedData != nil { | ||
| log.Printf("[DEBUG] Update `actionsAllowedData` configuration.") |
There was a problem hiding this comment.
Please use tflog.Debug instead
| } | ||
| } | ||
|
|
||
| d.SetId(orgName) |
There was a problem hiding this comment.
Update should not be updating resource Id
| } | ||
|
|
||
| d.SetId(orgName) | ||
| return resourceGithubActionsOrganizationPermissionsRead(d, meta) |
There was a problem hiding this comment.
Please set any computed fields in Update, instead of calling Read
| return resourceGithubActionsOrganizationPermissionsRead(d, meta) | |
| return nil |
| Create: resourceGithubActionsRepositoryPermissionsCreateOrUpdate, | ||
| Create: resourceGithubActionsRepositoryPermissionsCreate, | ||
| Read: resourceGithubActionsRepositoryPermissionsRead, | ||
| Update: resourceGithubActionsRepositoryPermissionsCreateOrUpdate, | ||
| Update: resourceGithubActionsRepositoryPermissionsUpdate, | ||
| Delete: resourceGithubActionsRepositoryPermissionsDelete, |
There was a problem hiding this comment.
Please refactor to use the Context-aware functions
3 participants
Replace
Computed: truewithDefault: falseon thesha_pinning_requiredschema field and send it unconditionallyvia
d.Get()on every API call. The previousd.GetOk()approachreturned
ok=falsefor zero-value booleans, causingsha_pinning_required=falseto be silently ignored.This ensures both true and false values are correctly applied,
eliminating perpetual drift when disabling SHA pinning enforcement.
Affects
github_actions_organization_permissionsandgithub_actions_repository_permissionsresources.Update tests to use
ConfigStateCheckswithstatecheckpackageinstead of deprecated
Checkfield, and consolidate duplicateconfig templates into single reusable template strings.
Fix #3223.
Resolve #3223.
Before the change?
sha_pinning_required = falseapplied successfully in Terraform, but not actually changed in GitHub resources itself.After the change?
sha_pinning_required = falseapplied successfully in Terraform, and actually changed in GitHub resources itself.Pull request checklist
Does this introduce a breaking change?
Please see our docs on breaking changes to help!