[BUG]: V5.44.0 breaks `github_branch_protection_v3`

[brett-swan-sh]

Expected Behavior

Branch protection should be created. If I had to guess, this is likely related to the bump in go-github that went out in the most recent release. Pinning the provider version to v5.43.0 resolved the issue.

Actual Behavior

Plan: 1 to add, 0 to change, 0 to destroy.
module.repositories["repo"].github_branch_protection_v3.this[0]: Creating...

Error: PUT https://api.github.com/repos/<org>/<repo>/branches/main/protection: 422 Invalid request.

No subschema in "anyOf" matched.
No subschema in "oneOf" matched.
Not all subschemas of "allOf" matched.
For 'anyOf/1', {"strict"=>true} is not a null. []

  with module.repositories["repo"].github_branch_protection_v3.this[0],
  on ../../terraform_modules/GithubRepo/main.tf line [68](https://github.com/xxxxxxxxxxxx/actions/runs/xxxxxxxxx/job/xxxxxxxx#step:6:69), in resource "github_branch_protection_v3" "this":
  68: resource "github_branch_protection_v3" "this" {

Terraform Version

Terraform 1.6.6, integrations/github 5.44.0

Affected Resource(s)

• github_branch_protection_v3

Terraform Configuration Files

resource "github_branch_protection_v3" "this" {
  count = var.protect_default_branch ? 1 : 0
  repository = github_repository.this.name
  branch = github_branch.default.branch
  enforce_admins = false
  require_conversation_resolution = var.require_conversation_resolution

  required_status_checks {
    strict = true
    checks = length(var.required_ci_checks) > 0 ? var.required_ci_checks : null
  }
}

Steps to Reproduce

terraform apply

Debug Output

No response

Panic Output

No response

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

[SkYNewZ]

I can confirm that. Thanks for reporting it.

[awendt]

I'd like to point out that we ran into this issue with 6.0.0 as well – 5.43.0 is still the latest working version

[jakubslonxlab]

This is also happening in 6.2.0, currently pinned to the latest working version 5.42:

No subschema in "oneOf" matched.
Not all subschemas of "allOf" matched.
For 'anyOf/1', {"strict"=>true} is not a null. []

[sam-netlogix]

I'm sure it's already assumed but just an FYI, issue is still occurring in v6.2.1:

Error: PUT https://api.github.com/repos/<org>/<repo/branches/main/protection: 422 Invalid request.
No subschema in "anyOf" matched.
No subschema in "oneOf" matched.
Not all subschemas of "allOf" matched.
For 'anyOf/1', {"strict"=>true} is not a null. []

[awendt]

I can confirm this is still broken in v6.2.2

[awendt]

My colleague @fmasuhr noticed that we're running into this problem because of our configuration. 🎉 We were using required_status_checks with strict = true but without any checks attribute:

resource "github_branch_protection_v3" "example" {
  repository     = github_repository.example.name
  branch         = github_branch_default.example.branch
  enforce_admins = true

  required_status_checks {
    strict = true
  }

  required_pull_request_reviews {
    required_approving_review_count = 1
  }
}

When we removed required_status_checks entirely (because strict = true has no effect), we were able to create branch protections with the latest version. This is aligned with the UI description for branch protections:

This ensures pull requests targeting a matching branch have been tested with the latest code. This setting will not take effect unless at least one status check is enabled (see below).

I suspect the condition in the OP's configuration at checks is false, and that's what's causing the error.

[rsi-mrobinson]

This is super annoying. My organization is stuck on v5.43 of this provider due to this issue and unable to leverage updated functionality because of it.

Going to take a look at @awendt solution and see if that resolves things.