feat: Expose secret_scanning_push_protection_custom_link on github_organization_settings #3433
Open
JamBalaya56562 wants to merge 1 commit into
…ganization_settings

Add two new boolean / string fields to the `github_organization_settings` resource and the `github_organization` data source:

- `secret_scanning_push_protection_custom_link_enabled` (bool)
- `secret_scanning_push_protection_custom_link` (string)

These map to `Organization.SecretScanningPushProtectionCustomLinkEnabled` and `Organization.SecretScanningPushProtectionCustomLink` in go-github v86 (added in google/go-github#4188).

The diff mirrors the existing `members_can_fork_private_repositories` pattern (schema, build, debug log, read) plus the per-org test cases, docs, templates, and example HCL.

The link allows organization admins to direct contributors blocked by push protection to a custom URL with bypass / triage instructions. When set, it overrides the enterprise-level value managed via `github_enterprise_security_analysis_settings`.
👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with
Summary
Adds two new fields to `github_organization_settings` (resource) and `github_organization` (data source):

- `secret_scanning_push_protection_custom_link_enabled` (bool, Optional + Computed) — toggles whether a custom URL is shown to contributors who try to push a secret.
- `secret_scanning_push_protection_custom_link` (string, Optional + Computed) — the URL itself.

The diff follows the existing `members_can_fork_private_repositories` pattern (schema, `buildOrganizationSettings`, debug log, read) plus test cases, docs, templates, and example HCL.
Upstream wiring
Both fields map to new properties on the `Organization` struct in go-github v86, added in google/go-github#4188:

- `Organization.SecretScanningPushProtectionCustomLinkEnabled`
- `Organization.SecretScanningPushProtectionCustomLink`

This repo picked up v86 in #3413, so no dependency change is needed.
API status — please read
These two fields are not currently listed in the public REST docs for Update an organization, but they are returned by `GET /orgs/{org}` and accepted by `PATCH /orgs/{org}` in production. The upstream go-github PR explicitly notes "observed but undocumented" and was reviewed/merged under that understanding.

Verified end-to-end against a real org (`aletheia-works`) while testing the go-github PR — both GET and PATCH responses include both fields.
I am opening this here so terraform users can manage the setting
they already see in the GitHub UI. Happy to hold the PR until the
REST docs catch up if maintainers prefer.
Relationship to enterprise resource
There is already a `secret_scanning_push_protection_custom_link` (string only, no `_enabled` toggle) on `github_enterprise_security_analysis_settings`. The two settings control different scopes:
the enterprise.
org and adds an explicit `_enabled` toggle that the API surfaces separately.
If both resources manage the same org, the org-level value wins. This is documented in the new `secret_scanning_push_protection_custom_link_enabled` description.
Schema choice
Both fields are `Optional + Computed` with no `Default`, matching the conservative pattern used in #3389 and #3432: if the user does not configure the field, the provider reads the org's current value and does not silently write anything. Happy to switch to `Default: false` for the bool if reviewers prefer.
Intentionally not in this PR
`CustomizeDiff` to reject `_enabled = true` with empty URL, or vice versa). The existing enterprise-level resource has no such validation; matching it for now. Can be added in a follow-up once API rejection behavior is characterized.
`ValidateFunc`). Same rationale.
Test plan
- `go build ./...`
- `go vet ./...`
- `go test -run TestNeverMatch ./github/...` (compile-level check for the new test assertions; acceptance tests need `TF_ACC=1` + tokens and were not run locally)
Related
`deploy_keys_enabled_for_repositories`) — sibling field from the same upstream go-github PR. Independent scope, opened separately so it can land without being held up by the undocumented-API discussion here.
(`default_repository_branch`, `secret_scanning_validity_checks_enabled`). Independent scope, not touched.
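
The cross-field check that the description above leaves for a follow-up, sketched as an added example (not code from this PR or from the provider). `checkCustomLink` is a hypothetical helper; nil pointers stand for unconfigured `Optional + Computed` fields, and the https-only rule is an assumption of the example, not documented API behavior.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// checkCustomLink is a hypothetical plan-time check for the two new fields.
// nil means "not configured": the provider keeps whatever the org already has.
func checkCustomLink(enabled *bool, link *string) error {
	if enabled == nil && link == nil {
		return nil // nothing configured, nothing to validate or write
	}
	on := enabled != nil && *enabled
	if link == nil || *link == "" {
		if on {
			return errors.New("custom link enabled but no URL set")
		}
		return nil
	}
	u, err := url.Parse(*link)
	if err != nil {
		return fmt.Errorf("custom link is not a URL: %w", err)
	}
	// Assumption of this example: contributors should only ever be sent
	// to an absolute https URL.
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("custom link must be an absolute https URL, got %q", *link)
	}
	if enabled != nil && !*enabled {
		return errors.New("URL set but custom link explicitly disabled")
	}
	return nil
}

func main() {
	on, off := true, false
	// Constructed sample values.
	good, plain := "https://security.example.com/push-protection", "http://security.example.com/help"
	fmt.Println(checkCustomLink(nil, nil))    // unconfigured: no error
	fmt.Println(checkCustomLink(&on, &good))  // consistent pair: no error
	fmt.Println(checkCustomLink(&on, nil))    // enabled without URL
	fmt.Println(checkCustomLink(&off, &good)) // URL with toggle off
	fmt.Println(checkCustomLink(&on, &plain)) // non-https link
}
```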