integrations / terraform-provider-github

Terraform GitHub provider
https://www.terraform.io/docs/providers/github/
MIT License

[BUG] github_actions_repository_permissions to play nicer in Enterprise Cloud setup #1558

Closed djonser closed 4 months ago

djonser commented 1 year ago

Terraform Version

v1.3.9

Provider Version

v5.18.0

Affected Resource(s)

github_actions_repository_permissions

GitHub Setup

Problem description

When actions have been configured at the Enterprise as listed above, it prevents any changes being applied to allowed_actions_config at the organisation or repository level.

It's not possible to ignore allowed_actions_config in the lifecycle, and if attempting to manage allowed_actions_config with a dynamic block, it throws a 409 Conflict error when enabled is set to true.

The outcome I would be hopeful for is that when this resource is used and allowed_actions is set to selected, allowed_actions_config shall be optional. Sort of a toggle on/off at the repository level.

Terraform Configuration Files

variable "use_actions" {
  type    = bool
  default = true
}

resource "github_repository" "repository" {
  name       = "my-repository"
  visibility = "internal"
  auto_init  = true
}

resource "github_actions_repository_permissions" "actions" {
  repository = github_repository.repository.name

  enabled = var.use_actions

  allowed_actions = "selected"

  // Config 1
  lifecycle {
    ignore_changes = [allowed_actions_config]
  }

  // Config 2
  dynamic "allowed_actions_config" {
    for_each = var.use_actions ? [1] : []
    content {
      github_owned_allowed = true
      verified_allowed     = true
    }
  }

}

Debug Output

Config 1: When using lifecycle and ignoring:

Error: the allowed_actions_config {} block must be specified if allowed_actions == 'selected'

Config 2: When using dynamic block and enabling actions:

Error: PUT https://api.github.com/repos/my-org/my-repo/actions/permissions: 409 Conflict []

API Behaviour

Using this API call it's possible to toggle on/off without having to specify further configuration.

curl \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer token-here" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/my-org/my-repo/actions/permissions \
  -d '{"enabled":true,"allowed_actions":"selected"}'

Additional Notes

I've not tested if similar issues would occur on github_actions_organization_permissions.

kfcampbell commented 1 year ago

@cormack agreed we should handle this better. This is an issue we have across many facets of GHES and GHEC compatibility. Do you have any interest in opening up a PR to correct this behavior in the github_actions_repository_permissions resource?

tgharold commented 1 year ago

You can also run into this when you have a GitHub Team plan and private repos. When you're on the GitHub Teams plan, your private repos are not allowed to specify patterns_allowed. Doing so results in the "409 Conflict" error.

github-actions[bot] commented 5 months ago

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!