
Commit 935246a

feat(actions_permissions): sha_pinning_required (#2870)
Fix #2869. Signed-off-by: Leonard Sheng Sheng Lee <leonard.sheng.sheng.lee@gmail.com> Signed-off-by: Leonard Sheng Sheng Lee <305414+sheeeng@users.noreply.github.com>
1 parent ff4889f commit 935246a

4 files changed

+40
-6
lines changed

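--- a/github/resource_github_actions_organization_permissions.go
+++ b/github/resource_github_actions_organization_permissions.go
@@ -76,6 +76,12 @@ func resourceGithubActionsOrganizationPermissions() *schema.Resource {
 },
 },
 },
+"sha_pinning_required": {
+Type: schema.TypeBool,
+Optional: true,
+Computed: true,
+Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization.",
+},
 },
 }
 }
@@ -147,12 +153,18 @@ func resourceGithubActionsOrganizationPermissionsCreateOrUpdate(d *schema.Resour
 allowedActions := d.Get("allowed_actions").(string)
 enabledRepositories := d.Get("enabled_repositories").(string)
 
+actionsPermissions := github.ActionsPermissions{
+AllowedActions: &allowedActions,
+EnabledRepositories: &enabledRepositories,
+}
+
+if v, ok := d.GetOk("sha_pinning_required"); ok {
+actionsPermissions.SHAPinningRequired = github.Ptr(v.(bool))
+}
+
 _, _, err = client.Actions.UpdateActionsPermissions(ctx,
 orgName,
-github.ActionsPermissions{
-AllowedActions: &allowedActions,
-EnabledRepositories: &enabledRepositories,
-})
+actionsPermissions)
 if err != nil {
 return err
 }
@@ -280,6 +292,10 @@ func resourceGithubActionsOrganizationPermissionsRead(d *schema.ResourceData, me
 return err
 }
 
+if err = d.Set("sha_pinning_required", actionsPermissions.GetSHAPinningRequired()); err != nil {
+return err
+}
+
 return nil
 }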
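Review bot: In the CreateOrUpdate hunk, `d.GetOk("sha_pinning_required")` cannot tell an explicit `false` from an unset attribute, because GetOk reports ok=false for a bool's zero value. A configuration that sets `sha_pinning_required = false` therefore never sends the field, so the organization keeps whatever value it had and the applied state can disagree with what the operator declared for this supply-chain control. Reading the raw configuration keeps unset and false apart, for example `if v := d.GetRawConfig().GetAttr("sha_pinning_required"); !v.IsNull() { actionsPermissions.SHAPinningRequired = github.Ptr(v.True()) }`. The same `GetOk` pattern is added in resourceGithubActionsRepositoryPermissionsCreateOrUpdate. The function body continues outside the hunk.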

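--- a/github/resource_github_actions_organization_permissions_test.go
+++ b/github/resource_github_actions_organization_permissions_test.go
@@ -46,6 +46,7 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 enabledRepositories := "selected"
 githubOwnedAllowed := true
 verifiedAllowed := true
+shaPinningRequired := true
 randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 repoName := fmt.Sprintf("%srepo-act-org-perm-%s", testResourcePrefix, randomID)
 
@@ -64,11 +65,12 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 patterns_allowed = ["actions/cache@*", "actions/checkout@*"]
 verified_allowed = %t
 }
+sha_pinning_required = %t
 enabled_repositories_config {
 repository_ids = [github_repository.test.repo_id]
 }
 }
-`, repoName, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed)
+`, repoName, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 
 check := resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(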
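Review bot: The acceptance test only ever renders `sha_pinning_required = true`, so the path where the attribute is set to `false`, or removed after being enabled, is never exercised. A second test step that flips `shaPinningRequired` to false and asserts the attribute with `resource.TestCheckResourceAttr` would show whether the provider can actually turn the setting off. Whether the existing check asserts the new attribute at all cannot be seen here, since the ComposeTestCheckFunc call continues outside the hunk. The repository permissions test has the same gap.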

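--- a/github/resource_github_actions_repository_permissions.go
+++ b/github/resource_github_actions_repository_permissions.go
@@ -65,6 +65,12 @@ func resourceGithubActionsRepositoryPermissions() *schema.Resource {
 Description: "The GitHub repository.",
 ValidateDiagFunc: toDiagFunc(validation.StringLenBetween(1, 100), "repository"),
 },
+"sha_pinning_required": {
+Type: schema.TypeBool,
+Optional: true,
+Computed: true,
+Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in a repository.",
+},
 },
 }
 }
@@ -125,6 +131,10 @@ func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.Resource
 repoActionPermissions.AllowedActions = &allowedActions
 }
 
+if v, ok := d.GetOk("sha_pinning_required"); ok {
+repoActionPermissions.SHAPinningRequired = github.Ptr(v.(bool))
+}
+
 _, _, err := client.Repositories.UpdateActionsPermissions(ctx,
 owner,
 repoName,
@@ -210,6 +220,10 @@ func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta
 return err
 }
 
+if err = d.Set("sha_pinning_required", actionsPermissions.GetSHAPinningRequired()); err != nil {
+return err
+}
+
 return nil
 }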
215229

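--- a/github/resource_github_actions_repository_permissions_test.go
+++ b/github/resource_github_actions_repository_permissions_test.go
@@ -49,6 +49,7 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 allowedActions := "selected"
 githubOwnedAllowed := true
 verifiedAllowed := true
+shaPinningRequired := true
 randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
 
@@ -66,9 +67,10 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 patterns_allowed = ["actions/cache@*", "actions/checkout@*"]
 verified_allowed = %t
 }
+sha_pinning_required = %t
 repository = github_repository.test.name
 }
-`, repoName, allowedActions, githubOwnedAllowed, verifiedAllowed)
+`, repoName, allowedActions, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 
 check := resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(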
