[BUG]: sha_pinning_required = false is silently ignored due to d.GetOk() zero-value bug #3223

@sheeeng

Expected Behavior

Setting sha_pinning_required = false on github_actions_organization_permissions (or github_actions_repository_permissions) should send false to the GitHub API and disable SHA pinning enforcement.

After terraform apply, the state should converge and subsequent terraform plan should show no changes.

Actual Behavior

Setting sha_pinning_required = false is silently ignored. The if v, ok := d.GetOk("sha_pinning_required"); ok guard in resourceGithubActionsOrganizationPermissionsCreateOrUpdate returns ok = false when the value is false (the zero value for bool), so SHAPinningRequired is never set on the API request payload. The GitHub API receives no value and leaves the existing setting unchanged.

This causes perpetual drift: every terraform plan shows sha_pinning_required = true -> false, but terraform apply never actually changes it.

The same bug exists in resource_github_actions_repository_permissions.go with the identical d.GetOk pattern.

Terraform Version

Terraform v1.14.3
on darwin_arm64
+ provider registry.terraform.io/integrations/github v6.11.0

Affected Resource(s)

  • github_actions_organization_permissions
  • github_actions_repository_permissions

Terraform Configuration Files

resource "github_actions_organization_permissions" "actions_permissions" {
  allowed_actions      = "all"
  enabled_repositories = "all"
  sha_pinning_required = false
}

Steps to Reproduce

  1. Have an organization where sha_pinning_required is currently true (e.g. set via the UI or a previous apply with true).
  2. Set sha_pinning_required = false in the Terraform configuration.
  3. Run terraform plan — it correctly shows sha_pinning_required = true -> false.
  4. Run terraform apply — it reports success.
  5. Run terraform plan again — it shows the same true -> false diff again (perpetual drift).

Debug Output

The root cause is in resource_github_actions_organization_permissions.go (introduced in #2870):

// Bug: d.GetOk() returns ok=false for zero-value bools (false),
// so sha_pinning_required=false is never sent to the API.
if v, ok := d.GetOk("sha_pinning_required"); ok {
    actionsPermissions.SHAPinningRequired = github.Ptr(v.(bool))
}

This is the well-known Terraform SDK GetOk + zero-value footgun. A fix would be:

if d.HasChange("sha_pinning_required") || d.IsNewResource() {
    actionsPermissions.SHAPinningRequired = github.Ptr(d.Get("sha_pinning_required").(bool))
}

The identical pattern exists in resource_github_actions_repository_permissions.go and needs the same fix.

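The drift described in this issue, reproduced as an added Go example that is not part of the original report or the provider's code. `resourceData` is a hypothetical stand-in that models only the `GetOk` zero-value behaviour, and the `omitempty` pointer payload is an assumed shape.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// resourceData: hypothetical stand-in for the SDK's ResourceData (model only).
type resourceData struct {
	cfg     map[string]bool // configured values
	changed map[string]bool // keys whose planned value differs from state
}

func (d resourceData) Get(k string) any        { return d.cfg[k] }
func (d resourceData) HasChange(k string) bool { return d.changed[k] }

// GetOk reports ok=false for a zero value, so a configured false looks unset.
func (d resourceData) GetOk(k string) (any, bool) { v := d.cfg[k]; return v, v }

// permissions is an assumed payload shape: a nil pointer is omitted from the JSON.
type permissions struct {
	AllowedActions     string `json:"allowed_actions"`
	SHAPinningRequired *bool  `json:"sha_pinning_required,omitempty"`
}

func marshal(p permissions) string { b, _ := json.Marshal(p); return string(b) }

// payloadGetOk builds the request body with the guard quoted in the issue.
func payloadGetOk(d resourceData) string {
	p := permissions{AllowedActions: "all"}
	if v, ok := d.GetOk("sha_pinning_required"); ok {
		b := v.(bool)
		p.SHAPinningRequired = &b
	}
	return marshal(p)
}

// payloadHasChange builds the request body with the guard the issue proposes.
func payloadHasChange(d resourceData, isNew bool) string {
	p := permissions{AllowedActions: "all"}
	if d.HasChange("sha_pinning_required") || isNew {
		b := d.Get("sha_pinning_required").(bool)
		p.SHAPinningRequired = &b
	}
	return marshal(p)
}

func main() {
	// Constructed input: config says false while the remote setting is true.
	d := resourceData{map[string]bool{"sha_pinning_required": false}, map[string]bool{"sha_pinning_required": true}}
	fmt.Println(payloadGetOk(d), payloadHasChange(d, false))
}
```

With the `GetOk` guard the field is absent from the body, so the API has nothing to change; with the `HasChange` guard the explicit `false` is serialized.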