From 1bbc69f8b7d27d842e54d63318312d33e50d724e Mon Sep 17 00:00:00 2001 From: Leonard Sheng Sheng Lee Date: Mon, 1 Dec 2025 10:46:00 +0100 Subject: [PATCH 1/3] feat(actions_permissions): sha_pinning_required Fix https://github.com/integrations/terraform-provider-github/issues/2869. Signed-off-by: Leonard Sheng Sheng Lee Signed-off-by: Leonard Sheng Sheng Lee <305414+sheeeng@users.noreply.github.com> --- ...github_actions_organization_permissions.go | 26 +++++++++++++++++++ ...b_actions_organization_permissions_test.go | 4 ++- ...e_github_actions_repository_permissions.go | 10 +++++++ ...hub_actions_repository_permissions_test.go | 4 ++- 4 files changed, 42 insertions(+), 2 deletions(-) diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go index ca035d483a..27fdc7a96b 100644 --- a/github/resource_github_actions_organization_permissions.go +++ b/github/resource_github_actions_organization_permissions.go @@ -57,6 +57,11 @@ func resourceGithubActionsOrganizationPermissions() *schema.Resource { Optional: true, Description: "Whether actions in GitHub Marketplace from verified creators are allowed. Set to 'true' to allow all GitHub Marketplace actions by verified creators.", }, + "sha_pinning_required": { + Type: schema.TypeBool, + Optional: true, + Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization.", + }, }, }, }, @@ -96,6 +101,10 @@ func resourceGithubActionsOrganizationAllowedObject(d *schema.ResourceData) *git allowed.VerifiedAllowed = &x } + if v, ok := data["sha_pinning_required"]; ok { + allowed.SHAPinningRequired = github.Bool(v.(bool)) + } + patternsAllowed := []string{} switch t := data["patterns_allowed"].(type) { 
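Review bot: The `if v, ok := data["sha_pinning_required"]; ok` guard added to resourceGithubActionsOrganizationAllowedObject probably never takes the false branch: as far as I know, SDK v2 fills every schema key of a nested block with its zero value, so a configuration that omits the attribute still sends `sha_pinning_required: false`. For an existing `allowed_actions_config` block, a provider upgrade could then switch off SHA pinning that was enabled outside Terraform, weakening a supply-chain control the configuration never mentions. I would set the pointer only when the attribute is non-null in `d.GetRawConfig()`, and say in the schema `Description` what omitting it does. The same guard is added to resourceGithubActionsRepositoryAllowedObject and survives unchanged in patch 2/3's `github.Ptr` rewrite; both functions continue outside their hunks.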
@@ -226,6 +235,7 @@ func resourceGithubActionsOrganizationPermissionsRead(d *schema.ResourceData, me "github_owned_allowed": actionsAllowed.GetGithubOwnedAllowed(), "patterns_allowed": actionsAllowed.PatternsAllowed, "verified_allowed": actionsAllowed.GetVerifiedAllowed(), + "sha_pinning_required": actionsAllowed.GetShaPinningRequired(), }, }); err != nil { return err @@ -306,3 +316,19 @@ func resourceGithubActionsOrganizationPermissionsDelete(d *schema.ResourceData, return nil } + +func flattenActionsAllowed(d *schema.ResourceData, actionsAllowed *github.ActionsAllowed) error { + if actionsAllowed != nil { + config := make(map[string]interface{}) + config["github_owned_allowed"] = actionsAllowed.GetGithubOwnedAllowed() + config["verified_allowed"] = actionsAllowed.GetVerifiedAllowed() + config["patterns_allowed"] = schema.NewSet(schema.HashString, interfaceSlice(actionsAllowed.GetPatternsAllowed())) + config["sha_pinning_required"] = actionsAllowed.GetShaPinningRequired() + + if err := d.Set("allowed_actions_config", []interface{}{config}); err != nil { + return err + } + } + + return nil +} diff --git a/github/resource_github_actions_organization_permissions_test.go b/github/resource_github_actions_organization_permissions_test.go index 0197a83463..c36eb872f2 100644 --- a/github/resource_github_actions_organization_permissions_test.go +++ b/github/resource_github_actions_organization_permissions_test.go @@ -46,6 +46,7 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) { enabledRepositories := "selected" githubOwnedAllowed := true verifiedAllowed := true + shaPinningRequired := true randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum) config := fmt.Sprintf(` 
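Review bot: The accessor in the added map entry, `actionsAllowed.GetShaPinningRequired()`, does not match the field casing used on the write path, `allowed.SHAPinningRequired`. go-github generates accessors from the field name, so I would expect `"sha_pinning_required": actionsAllowed.GetSHAPinningRequired(),`; please confirm which spelling the vendored version exposes, since one of the two presumably fails to compile. The same call appears in the `flattenActionsAllowed` helper added at the end of this file and in resourceGithubActionsRepositoryPermissionsRead. It is also worth verifying that the selected-actions response carries this field at all, because the getter returns false on a nil pointer and Read, which continues outside this hunk, would then record false whatever the real setting is.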
@@ -62,12 +63,13 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) { github_owned_allowed = %t patterns_allowed = ["actions/cache@*", "actions/checkout@*"] verified_allowed = %t + sha_pinning_required = %t } enabled_repositories_config { repository_ids = [github_repository.test.repo_id] } } - `, randomID, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed) + `, randomID, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed, shaPinningRequired) check := resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr( diff --git a/github/resource_github_actions_repository_permissions.go b/github/resource_github_actions_repository_permissions.go index 2c45a62d36..f4328e5987 100644 --- a/github/resource_github_actions_repository_permissions.go +++ b/github/resource_github_actions_repository_permissions.go @@ -50,6 +50,11 @@ func resourceGithubActionsRepositoryPermissions() *schema.Resource { Optional: true, Description: "Whether actions in GitHub Marketplace from verified creators are allowed. Set to 'true' to allow all GitHub Marketplace actions by verified creators.", }, + "sha_pinning_required": { + Type: schema.TypeBool, + Optional: true, + Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in a repository.", + }, }, }, }, @@ -85,6 +90,10 @@ func resourceGithubActionsRepositoryAllowedObject(d *schema.ResourceData) *githu allowed.VerifiedAllowed = &x } + if v, ok := data["sha_pinning_required"]; ok { + allowed.SHAPinningRequired = github.Bool(v.(bool)) + } + patternsAllowed := []string{} switch t := data["patterns_allowed"].(type) { 
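Review bot: Nothing in this test appears to assert the new attribute: the hunk adds `sha_pinning_required = %t` to the HCL and the extra `Sprintf` argument, and the diffstat's three insertions for this file are already used up by those lines and the new variable. I would add `resource.TestCheckResourceAttr("<resource address>", "allowed_actions_config.0.sha_pinning_required", "true"),` to the `ComposeTestCheckFunc` list, which starts in this hunk and continues outside it. A second step that omits the attribute would document what the provider sends when it is unset. TestAccGithubActionsRepositoryPermissions has the same gap.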
@@ -189,6 +198,7 @@ func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta "github_owned_allowed": actionsAllowed.GetGithubOwnedAllowed(), "patterns_allowed": actionsAllowed.PatternsAllowed, "verified_allowed": actionsAllowed.GetVerifiedAllowed(), + "sha_pinning_required": actionsAllowed.GetShaPinningRequired(), }, }); err != nil { return err diff --git a/github/resource_github_actions_repository_permissions_test.go b/github/resource_github_actions_repository_permissions_test.go index 9ab8191ca2..72d7c9bb42 100644 --- a/github/resource_github_actions_repository_permissions_test.go +++ b/github/resource_github_actions_repository_permissions_test.go @@ -48,6 +48,7 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) { allowedActions := "selected" githubOwnedAllowed := true verifiedAllowed := true + shaPinningRequired := true randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum) config := fmt.Sprintf(` @@ -63,10 +64,11 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) { github_owned_allowed = %t patterns_allowed = ["actions/cache@*", "actions/checkout@*"] verified_allowed = %t + sha_pinning_required = %t } repository = github_repository.test.name } - `, randomID, allowedActions, githubOwnedAllowed, verifiedAllowed) + `, randomID, allowedActions, githubOwnedAllowed, verifiedAllowed, shaPinningRequired) check := resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr( From 6d700ff99c897bf2b686ee9ad2b7c3efab651493 Mon Sep 17 00:00:00 2001 From: Leonard Sheng Sheng Lee <305414+sheeeng@users.noreply.github.com> Date: Fri, 9 Jan 2026 19:00:08 +0100 Subject: [PATCH 2/3] feat(actions_permissions): sha_pinning_required Fix https://github.com/integrations/terraform-provider-github/issues/2869. 
Signed-off-by: Leonard Sheng Sheng Lee <305414+sheeeng@users.noreply.github.com> --- github/resource_github_actions_organization_permissions.go | 2 +- github/resource_github_actions_repository_permissions.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go index 27fdc7a96b..1dc0c76f5e 100644 --- a/github/resource_github_actions_organization_permissions.go +++ b/github/resource_github_actions_organization_permissions.go @@ -102,7 +102,7 @@ func resourceGithubActionsOrganizationAllowedObject(d *schema.ResourceData) *git } if v, ok := data["sha_pinning_required"]; ok { - allowed.SHAPinningRequired = github.Bool(v.(bool)) + allowed.SHAPinningRequired = github.Ptr(v.(bool)) } patternsAllowed := []string{} diff --git a/github/resource_github_actions_repository_permissions.go b/github/resource_github_actions_repository_permissions.go index f4328e5987..ff25a0042d 100644 --- a/github/resource_github_actions_repository_permissions.go +++ b/github/resource_github_actions_repository_permissions.go @@ -91,7 +91,7 @@ func resourceGithubActionsRepositoryAllowedObject(d *schema.ResourceData) *githu } if v, ok := data["sha_pinning_required"]; ok { - allowed.SHAPinningRequired = github.Bool(v.(bool)) + allowed.SHAPinningRequired = github.Ptr(v.(bool)) } patternsAllowed := []string{} From 2c4746762d156105144ed9090208a87bf89a148c Mon Sep 17 00:00:00 2001 From: Leonard Sheng Sheng Lee <305414+sheeeng@users.noreply.github.com> Date: Fri, 9 Jan 2026 19:03:45 +0100 Subject: [PATCH 3/3] feat(actions_permissions): sha_pinning_required Fix https://github.com/integrations/terraform-provider-github/issues/2869. Signed-off-by: Leonard Sheng Sheng Lee <305414+sheeeng@users.noreply.github.com> --- ...ce_github_actions_organization_permissions.go | 16 ---------------- 1 file changed, 16 deletions(-) 
diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go index 1dc0c76f5e..4b84a44adf 100644 --- a/github/resource_github_actions_organization_permissions.go +++ b/github/resource_github_actions_organization_permissions.go @@ -316,19 +316,3 @@ func resourceGithubActionsOrganizationPermissionsDelete(d *schema.ResourceData, return nil } - -func flattenActionsAllowed(d *schema.ResourceData, actionsAllowed *github.ActionsAllowed) error { - if actionsAllowed != nil { - config := make(map[string]interface{}) - config["github_owned_allowed"] = actionsAllowed.GetGithubOwnedAllowed() - config["verified_allowed"] = actionsAllowed.GetVerifiedAllowed() - config["patterns_allowed"] = schema.NewSet(schema.HashString, interfaceSlice(actionsAllowed.GetPatternsAllowed())) - config["sha_pinning_required"] = actionsAllowed.GetShaPinningRequired() - - if err := d.Set("allowed_actions_config", []interface{}{config}); err != nil { - return err - } - } - - return nil -}