feat(actions_permissions): sha_pinning_required

sheeeng · sheeeng · commit 49ad20122e07 · 2025-11-08T23:30:32.000+01:00
Signed-off-by: Leonard Sheng Sheng Lee &lt;leonard.sheng.sheng.lee@gmail.com&gt;
diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go
@@ -57,6 +57,11 @@ func resourceGithubActionsOrganizationPermissions() *schema.Resource {
 							Optional:    true,
 							Description: "Whether actions in GitHub Marketplace from verified creators are allowed. Set to 'true' to allow all GitHub Marketplace actions by verified creators.",
 						},
+						"sha_pinning_required": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization.",
+						},
 					},
 				},
 			},
@@ -96,6 +101,10 @@ func resourceGithubActionsOrganizationAllowedObject(d *schema.ResourceData) (*gi
 			allowed.VerifiedAllowed = &x
 		}
 
+		if v, ok := data["sha_pinning_required"]; ok {
+			allowed.SHAPinningRequired = github.Bool(v.(bool))
+		}
+
 		patternsAllowed := []string{}
 
 		switch t := data["patterns_allowed"].(type) {
@@ -229,6 +238,7 @@ func resourceGithubActionsOrganizationPermissionsRead(d *schema.ResourceData, me
 					"github_owned_allowed": actionsAllowed.GetGithubOwnedAllowed(),
 					"patterns_allowed":     actionsAllowed.PatternsAllowed,
 					"verified_allowed":     actionsAllowed.GetVerifiedAllowed(),
+					"sha_pinning_required": actionsAllowed.GetShaPinningRequired(),
 				},
 			}); err != nil {
 				return err
@@ -309,3 +319,19 @@ func resourceGithubActionsOrganizationPermissionsDelete(d *schema.ResourceData,
 
 	return nil
 }
+
+func flattenActionsAllowed(d *schema.ResourceData, actionsAllowed *github.ActionsAllowed) error {
+	if actionsAllowed != nil {
+		config := make(map[string]interface{})
+		config["github_owned_allowed"] = actionsAllowed.GetGithubOwnedAllowed()
+		config["verified_allowed"] = actionsAllowed.GetVerifiedAllowed()
+		config["patterns_allowed"] = schema.NewSet(schema.HashString, interfaceSlice(actionsAllowed.GetPatternsAllowed()))
+		config["sha_pinning_required"] = actionsAllowed.GetShaPinningRequired()
+
+		if err := d.Set("allowed_actions_config", []interface{}{config}); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/github/resource_github_actions_organization_permissions_test.go b/github/resource_github_actions_organization_permissions_test.go
@@ -55,6 +55,7 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 		enabledRepositories := "selected"
 		githubOwnedAllowed := true
 		verifiedAllowed := true
+		shaPinningRequired := true
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 
 		config := fmt.Sprintf(`
@@ -71,12 +72,13 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 					github_owned_allowed = %t
 					patterns_allowed     = ["actions/cache@*", "actions/checkout@*"]
 					verified_allowed     = %t
+					sha_pinning_required = %t
 				}
 				enabled_repositories_config {
 					repository_ids       = [github_repository.test.repo_id]
 				}
 			}
-		`, randomID, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed)
+		`, randomID, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 
 		check := resource.ComposeTestCheckFunc(
 			resource.TestCheckResourceAttr(
diff --git a/github/resource_github_actions_repository_permissions.go b/github/resource_github_actions_repository_permissions.go
@@ -50,6 +50,11 @@ func resourceGithubActionsRepositoryPermissions() *schema.Resource {
 							Optional:    true,
 							Description: "Whether actions in GitHub Marketplace from verified creators are allowed. Set to 'true' to allow all GitHub Marketplace actions by verified creators.",
 						},
+						"sha_pinning_required": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in a repository.",
+						},
 					},
 				},
 			},
@@ -85,6 +90,10 @@ func resourceGithubActionsRepositoryAllowedObject(d *schema.ResourceData) (*gith
 			allowed.VerifiedAllowed = &x
 		}
 
+		if v, ok := data["sha_pinning_required"]; ok {
+			allowed.SHAPinningRequired = github.Bool(v.(bool))
+		}
+
 		patternsAllowed := []string{}
 
 		switch t := data["patterns_allowed"].(type) {
@@ -192,6 +201,7 @@ func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta
 					"github_owned_allowed": actionsAllowed.GetGithubOwnedAllowed(),
 					"patterns_allowed":     actionsAllowed.PatternsAllowed,
 					"verified_allowed":     actionsAllowed.GetVerifiedAllowed(),
+					"sha_pinning_required": actionsAllowed.GetShaPinningRequired(),
 				},
 			}); err != nil {
 				return err
diff --git a/github/resource_github_actions_repository_permissions_test.go b/github/resource_github_actions_repository_permissions_test.go
@@ -66,6 +66,7 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 		allowedActions := "selected"
 		githubOwnedAllowed := true
 		verifiedAllowed := true
+		shaPinningRequired := true
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 
 		config := fmt.Sprintf(`
@@ -81,10 +82,11 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 					github_owned_allowed = %t
 					patterns_allowed     = ["actions/cache@*", "actions/checkout@*"]
 					verified_allowed     = %t
+					sha_pinning_required = %t
 				}
 				repository = github_repository.test.name
 			}
-		`, randomID, allowedActions, githubOwnedAllowed, verifiedAllowed)
+		`, randomID, allowedActions, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 
 		check := resource.ComposeTestCheckFunc(
 			resource.TestCheckResourceAttr(
diff --git a/go.mod b/go.mod
@@ -1,8 +1,6 @@
 module github.com/integrations/terraform-provider-github/v6
 
-go 1.21
-
-toolchain go1.22.4
+go 1.24.0
 
 require (
 	github.com/client9/misspell v0.3.4
@@ -87,7 +85,8 @@ require (
 	github.com/golangci/plugin-module-register v0.1.1 // indirect
 	github.com/golangci/revgrep v0.5.3 // indirect
 	github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-github/v78 v78.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/gordonklaus/ineffassign v0.1.0 // indirect
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
diff --git a/go.sum b/go.sum
@@ -290,8 +290,11 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-github/v67 v67.0.0 h1:g11NDAmfaBaCO8qYdI9fsmbaRipHNWRIU/2YGvlh4rg=
 github.com/google/go-github/v67 v67.0.0/go.mod h1:zH3K7BxjFndr9QSeFibx4lTKkYS3K9nDanoI1NjaOtY=
+github.com/google/go-github/v78 v78.0.0 h1:b1tytzFE8i//lRVDx5Qh/EdJbtTPtSVD3nF7hraEs9w=
+github.com/google/go-github/v78 v78.0.0/go.mod h1:Uxvdzy82AkNlC6JQ57se9TqvmgBT7RF0ouHDNg2jd6g=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
