feat(actions_permissions): sha_pinning_required (#2870)

sheeeng · web-flow · commit 935246a0ea85 · 2026-01-29T19:04:36.000Z
Fix #2869. Signed-off-by: Leonard Sheng Sheng Lee <leonard.sheng.sheng.lee@gmail.com> Signed-off-by: Leonard Sheng Sheng Lee <305414+sheeeng@users.noreply.github.com>
diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go
@@ -76,6 +76,12 @@ func resourceGithubActionsOrganizationPermissions() *schema.Resource {
 					},
 				},
 			},
+			"sha_pinning_required": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization.",
+			},
 		},
 	}
 }
@@ -147,12 +153,18 @@ func resourceGithubActionsOrganizationPermissionsCreateOrUpdate(d *schema.Resour
 	allowedActions := d.Get("allowed_actions").(string)
 	enabledRepositories := d.Get("enabled_repositories").(string)
 
+	actionsPermissions := github.ActionsPermissions{
+		AllowedActions:      &allowedActions,
+		EnabledRepositories: &enabledRepositories,
+	}
+
+	if v, ok := d.GetOk("sha_pinning_required"); ok {
+		actionsPermissions.SHAPinningRequired = github.Ptr(v.(bool))
+	}
+
 	_, _, err = client.Actions.UpdateActionsPermissions(ctx,
 		orgName,
-		github.ActionsPermissions{
-			AllowedActions:      &allowedActions,
-			EnabledRepositories: &enabledRepositories,
-		})
+		actionsPermissions)
 	if err != nil {
 		return err
 	}
@@ -280,6 +292,10 @@ func resourceGithubActionsOrganizationPermissionsRead(d *schema.ResourceData, me
 		return err
 	}
 
+	if err = d.Set("sha_pinning_required", actionsPermissions.GetSHAPinningRequired()); err != nil {
+		return err
+	}
+
 	return nil
 }
 
diff --git a/github/resource_github_actions_organization_permissions_test.go b/github/resource_github_actions_organization_permissions_test.go
@@ -46,6 +46,7 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 		enabledRepositories := "selected"
 		githubOwnedAllowed := true
 		verifiedAllowed := true
+		shaPinningRequired := true
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 		repoName := fmt.Sprintf("%srepo-act-org-perm-%s", testResourcePrefix, randomID)
 
@@ -64,11 +65,12 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 					patterns_allowed     = ["actions/cache@*", "actions/checkout@*"]
 					verified_allowed     = %t
 				}
+				sha_pinning_required = %t
 				enabled_repositories_config {
 					repository_ids       = [github_repository.test.repo_id]
 				}
 			}
-		`, repoName, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed)
+		`, repoName, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 
 		check := resource.ComposeTestCheckFunc(
 			resource.TestCheckResourceAttr(
diff --git a/github/resource_github_actions_repository_permissions.go b/github/resource_github_actions_repository_permissions.go
@@ -65,6 +65,12 @@ func resourceGithubActionsRepositoryPermissions() *schema.Resource {
 				Description:      "The GitHub repository.",
 				ValidateDiagFunc: toDiagFunc(validation.StringLenBetween(1, 100), "repository"),
 			},
+			"sha_pinning_required": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in a repository.",
+			},
 		},
 	}
 }
@@ -125,6 +131,10 @@ func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.Resource
 		repoActionPermissions.AllowedActions = &allowedActions
 	}
 
+	if v, ok := d.GetOk("sha_pinning_required"); ok {
+		repoActionPermissions.SHAPinningRequired = github.Ptr(v.(bool))
+	}
+
 	_, _, err := client.Repositories.UpdateActionsPermissions(ctx,
 		owner,
 		repoName,
@@ -210,6 +220,10 @@ func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta
 		return err
 	}
 
+	if err = d.Set("sha_pinning_required", actionsPermissions.GetSHAPinningRequired()); err != nil {
+		return err
+	}
+
 	return nil
 }
 
diff --git a/github/resource_github_actions_repository_permissions_test.go b/github/resource_github_actions_repository_permissions_test.go
@@ -49,6 +49,7 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 		allowedActions := "selected"
 		githubOwnedAllowed := true
 		verifiedAllowed := true
+		shaPinningRequired := true
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 		repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
 
@@ -66,9 +67,10 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 					patterns_allowed     = ["actions/cache@*", "actions/checkout@*"]
 					verified_allowed     = %t
 				}
+				sha_pinning_required = %t
 				repository = github_repository.test.name
 			}
-		`, repoName, allowedActions, githubOwnedAllowed, verifiedAllowed)
+		`, repoName, allowedActions, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 
 		check := resource.ComposeTestCheckFunc(
 			resource.TestCheckResourceAttr(

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {`
`46`	`46`	`enabledRepositories := "selected"`
`47`	`47`	`githubOwnedAllowed := true`
`48`	`48`	`verifiedAllowed := true`
	`49`	`+ shaPinningRequired := true`
`49`	`50`	`randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)`
`50`	`51`	`repoName := fmt.Sprintf("%srepo-act-org-perm-%s", testResourcePrefix, randomID)`
`51`	`52`
`@@ -64,11 +65,12 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {`
`64`	`65`	`patterns_allowed = ["actions/cache@", "actions/checkout@"]`
`65`	`66`	`verified_allowed = %t`
`66`	`67`	`}`
	`68`	`+ sha_pinning_required = %t`
`67`	`69`	`enabled_repositories_config {`
`68`	`70`	`repository_ids = [github_repository.test.repo_id]`
`69`	`71`	`}`
`70`	`72`	`}`
`71`		- `, repoName, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed)
	`73`	+ `, repoName, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
`72`	`74`
`73`	`75`	`check := resource.ComposeTestCheckFunc(`
`74`	`76`	`resource.TestCheckResourceAttr(`