feat(actions_permissions): sha_pinning_required

github/resource_github_actions_organization_permissions.go

@@ -76,6 +76,11 @@ func resourceGithubActionsOrganizationPermissions() *schema.Resource {
 					},
 				},
 			},
+			"sha_pinning_required": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization.",
+			},
 		},
 	}
 }
@@ -147,12 +152,18 @@ func resourceGithubActionsOrganizationPermissionsCreateOrUpdate(d *schema.Resour
 	allowedActions := d.Get("allowed_actions").(string)
 	enabledRepositories := d.Get("enabled_repositories").(string)
 
+	actionsPermissions := github.ActionsPermissions{
+		AllowedActions:      &allowedActions,
+		EnabledRepositories: &enabledRepositories,
+	}
+
+	if v, ok := d.GetOk("sha_pinning_required"); ok {
+		actionsPermissions.SHAPinningRequired = github.Ptr(v.(bool))
+	}
+
 	_, _, err = client.Actions.UpdateActionsPermissions(ctx,
 		orgName,
-		github.ActionsPermissions{
-			AllowedActions:      &allowedActions,
-			EnabledRepositories: &enabledRepositories,
-		})
+		actionsPermissions)
 	if err != nil {
 		return err
 	}
@@ -280,6 +291,10 @@ func resourceGithubActionsOrganizationPermissionsRead(d *schema.ResourceData, me
 		return err
 	}
 
+	if err = d.Set("sha_pinning_required", actionsPermissions.GetSHAPinningRequired()); err != nil {
+		return err
+	}
+
 	return nil
 }
 

github/resource_github_actions_organization_permissions_test.go

@@ -46,6 +46,7 @@
 		enabledRepositories := "selected"
 		githubOwnedAllowed := true
 		verifiedAllowed := true
+		shaPinningRequired := true
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 		repoName := fmt.Sprintf("%srepo-act-org-perm-%s", testResourcePrefix, randomID)
 
@@ -63,6 +64,7 @@
 					github_owned_allowed = %t
 					patterns_allowed     = ["actions/cache@*", "actions/checkout@*"]
 					verified_allowed     = %t
+					sha_pinning_required = %t
 				}
 				enabled_repositories_config {
 					repository_ids       = [github_repository.test.repo_id]

github/resource_github_actions_repository_permissions.go

@@ -65,6 +65,11 @@ func resourceGithubActionsRepositoryPermissions() *schema.Resource {
 				Description:      "The GitHub repository.",
 				ValidateDiagFunc: toDiagFunc(validation.StringLenBetween(1, 100), "repository"),
 			},
+			"sha_pinning_required": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in a repository.",
+			},
 		},
 	}
 }
@@ -125,6 +130,10 @@ func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.Resource
 		repoActionPermissions.AllowedActions = &allowedActions
 	}
 
+	if v, ok := d.GetOk("sha_pinning_required"); ok {
+		repoActionPermissions.SHAPinningRequired = github.Ptr(v.(bool))
+	}
+
 	_, _, err := client.Repositories.UpdateActionsPermissions(ctx,
 		owner,
 		repoName,
@@ -210,6 +219,10 @@ func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta
 		return err
 	}
 
+	if err = d.Set("sha_pinning_required", actionsPermissions.GetSHAPinningRequired()); err != nil {
+		return err
+	}
+
 	return nil
 }
 

github/resource_github_actions_repository_permissions_test.go

@@ -49,6 +49,7 @@
 		allowedActions := "selected"
 		githubOwnedAllowed := true
 		verifiedAllowed := true
+		shaPinningRequired := true
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 		repoName := fmt.Sprintf("%srepo-act-perms-%s", testResourcePrefix, randomID)
 
@@ -65,6 +66,7 @@
 					github_owned_allowed = %t
 					patterns_allowed     = ["actions/cache@*", "actions/checkout@*"]
 					verified_allowed     = %t
+					sha_pinning_required = %t
 				}
 				repository = github_repository.test.name
 			}