integrations
diff --git a/‎.github/workflows/ci.yml
+1-1 b/‎.github/workflows/ci.yml
+1-1
diff --git a/‎.github/workflows/codeql.yml
+4-4 b/‎.github/workflows/codeql.yml
+4-4
diff --git a/‎.github/workflows/dotcom-acceptance-tests-all.yml
+3-3 b/‎.github/workflows/dotcom-acceptance-tests-all.yml
+3-3
diff --git a/‎.github/workflows/dotcom-acceptance-tests-manual.yml
+3-3 b/‎.github/workflows/dotcom-acceptance-tests-manual.yml
+3-3
diff --git a/‎.github/workflows/dotcom-acceptance-tests.yml
+2-2 b/‎.github/workflows/dotcom-acceptance-tests.yml
+2-2
diff --git a/‎.github/workflows/ghes-acceptance-tests-all.yml
+3-3 b/‎.github/workflows/ghes-acceptance-tests-all.yml
+3-3
diff --git a/‎.github/workflows/ghes-acceptance-tests.yml
+3-3 b/‎.github/workflows/ghes-acceptance-tests.yml
+3-3
diff --git a/‎.github/workflows/release.yml
+1-1 b/‎.github/workflows/release.yml
+1-1
diff --git a/‎CONTRIBUTING.md
+2-2 b/‎CONTRIBUTING.md
+2-2
diff --git a/‎examples/organization_security_manager/README.md
+22 b/‎examples/organization_security_manager/README.md
+22
diff --git a/‎examples/organization_security_manager/main.tf
+8 b/‎examples/organization_security_manager/main.tf
+8
diff --git a/‎examples/organization_security_manager/output.tf
+4 b/‎examples/organization_security_manager/output.tf
+4
diff --git a/‎examples/organization_security_manager/providers.tf
+12 b/‎examples/organization_security_manager/providers.tf
+12
diff --git a/‎examples/organization_security_manager/variables.tf
+14 b/‎examples/organization_security_manager/variables.tf
+14
diff --git a/‎github/resource_github_organization_security_manager.go
+57-20 b/‎github/resource_github_organization_security_manager.go
+57-20
@@ -12,7 +12,7 @@ jobs:
       GITHUB_TEST_ORGANIZATION: 'kfcampbell-terraform-provider'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
 
@@ -27,21 +27,21 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           category: "/language:${{matrix.language}}"
@@ -20,7 +20,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -38,7 +38,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -71,7 +71,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
 
@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -52,7 +52,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -89,7 +89,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
 
@@ -28,7 +28,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -48,7 +48,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
 
@@ -32,7 +32,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -51,7 +51,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -86,7 +86,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
 
@@ -27,7 +27,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -46,7 +46,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -67,7 +67,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
 
@@ -22,7 +22,7 @@ jobs:
           # Allow goreleaser to access older tag information.
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
 
@@ -81,7 +81,7 @@ Setting a `processId` of 0 allows a dropdown to select the process of the provid
 
 0. Add a sleep call (e.g. `time.Sleep(10 * time.Second)`) in the [`func providerConfigure(p *schema.Provider) schema.ConfigureFunc`](https://github.com/integrations/terraform-provider-github/blob/cec7e175c50bb091feecdc96ba117067c35ee351/github/provider.go#L274C1-L274C64) before the immediate `return` call. This will allow time to connect the debugger while the provider is initializing, before any critical logic happens.
 
-0. Build the terraform provider with debug flags enabled and copy it to the appropriate bin folder with a command like `go build -gcflags="all=-N -l" -o ~/go/bin`.
+0. Build the terraform provider with debug flags enabled and copy it to the appropriate bin folder with a command like `go build -gcflags="all=-N -l" -o ~/go/bin/`.
 
 0. Create or edit a `dev.tfrc` that points toward the newly-built binary, and export the `TF_CLI_CONFIG_FILE` variable to point to it. Further instructions on this process may be found in the [Building the provider](#using-a-local-version-of-the-provider) section.
 
@@ -99,7 +99,7 @@ Manual testing should be performed on each PR opened in order to validate the pr
 Build the provider and specify the output directory:
 
 ```sh
-$ go build -gcflags="all=-N -l" -o ~/go/bin
+$ go build -gcflags="all=-N -l" -o ~/go/bin/
 ```
 
 This enables verifying your locally built provider using examples available in the `examples/` directory.
 
@@ -0,0 +1,22 @@
+# Organization Security Manager Example
+
+This example demonstrates creating an organization security manager team.
+
+It will:
+- Create a team with the specified `team_name` in the specified `owner` organization
+- Assign the organization security manager role to the team
+
+The GitHub token must have the `admin:org` scope.
+
+```console
+export GITHUB_OWNER=my-organization
+export GITHUB_TOKEN=ghp_###
+export GITHUB_TEAM_NAME="My Security Manager Team"
+```
+
+```console
+terraform apply \
+  -var "owner=${GITHUB_OWNER}" \
+  -var "github_token=${GITHUB_TOKEN}" \
+  -var "team_name=${GITHUB_TEAM_NAME}"
+```
@@ -0,0 +1,8 @@
+resource "github_team" "security_managers" {
+  name        = var.team_name
+  description = "A team of organization security managers"
+}
+
+resource "github_organization_security_manager" "security_managers" {
+  team_slug = github_team.security_managers.slug
+}
@@ -0,0 +1,4 @@
+output "github_security_managers_team" {
+  description = "The organization security managers team"
+  value       = github_organization_security_manager.security_managers
+}
@@ -0,0 +1,12 @@
+provider "github" {
+  owner = var.owner
+  token = var.github_token
+}
+
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+    }
+  }
+}
@@ -0,0 +1,14 @@
+variable "github_token" {
+  description = "GitHub access token used to configure the provider"
+  type        = string
+}
+
+variable "owner" {
+  description = "GitHub owner used to configure the provider"
+  type        = string
+}
+
+variable "team_name" {
+  description = "The name to use for the GitHub team"
+  type        = string
+}
@@ -2,8 +2,8 @@ package github
 
 import (
 	"context"
+	"errors"
 	"log"
-	"net/http"
 	"strconv"
 
 	"github.com/google/go-github/v66/github"
@@ -30,6 +30,21 @@ func resourceGithubOrganizationSecurityManager() *schema.Resource {
 	}
 }
 
+func getSecurityManagerRole(client *github.Client, ctx context.Context, orgName string) (*github.CustomOrgRoles, error) {
+	roles, _, err := client.Organizations.ListRoles(ctx, orgName)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, role := range roles.CustomRepoRoles {
+		if *role.Name == "security_manager" {
+			return role, nil
+		}
+	}
+
+	return nil, errors.New("security manager role not found")
+}
+
 func resourceGithubOrganizationSecurityManagerCreate(d *schema.ResourceData, meta interface{}) error {
 	err := checkOrganization(meta)
 	if err != nil {
@@ -44,18 +59,16 @@ func resourceGithubOrganizationSecurityManagerCreate(d *schema.ResourceData, met
 
 	team, _, err := client.Teams.GetTeamBySlug(ctx, orgName, teamSlug)
 	if err != nil {
-		log.Printf("[INFO] Team %s/%s was not found in GitHub", orgName, teamSlug)
 		return err
 	}
 
-	_, err = client.Organizations.AddSecurityManagerTeam(ctx, orgName, teamSlug)
+	smRole, err := getSecurityManagerRole(client, ctx, orgName)
+	if err != nil {
+		return err
+	}
+
+	_, err = client.Organizations.AssignOrgRoleToTeam(ctx, orgName, teamSlug, smRole.GetID())
 	if err != nil {
-		if ghErr, ok := err.(*github.ErrorResponse); ok {
-			if ghErr.Response.StatusCode == http.StatusConflict {
-				log.Printf("[WARN] Organization %s has reached the maximum number of security manager teams", orgName)
-				return nil
-			}
-		}
 		return err
 	}
 
@@ -79,28 +92,42 @@ func resourceGithubOrganizationSecurityManagerRead(d *schema.ResourceData, meta
 	client := meta.(*Owner).v3client
 	ctx := context.WithValue(context.Background(), ctxId, d.Id())
 
-	// There is no endpoint for getting a single security manager team, so get the list and filter.
-	// There is a maximum number of security manager teams (currently 10), so this should be fine.
-	teams, _, err := client.Organizations.ListSecurityManagerTeams(ctx, orgName)
+	smRole, err := getSecurityManagerRole(client, ctx, orgName)
 	if err != nil {
 		return err
 	}
 
-	var team *github.Team
-	for _, t := range teams {
-		if t.GetID() == teamId {
-			team = t
+	// There is no endpoint for getting a single security manager team, so get the list and filter.
+	options := &github.ListOptions{PerPage: 100}
+	var smTeam *github.Team = nil
+	for {
+		smTeams, resp, err := client.Organizations.ListTeamsAssignedToOrgRole(ctx, orgName, smRole.GetID(), options)
+		if err != nil {
+			return err
+		}
+
+		for _, t := range smTeams {
+			if t.GetID() == teamId {
+				smTeam = t
+				break
+			}
+		}
+
+		// Break when we've found the team or there are no more pages.
+		if smTeam != nil || resp.NextPage == 0 {
 			break
 		}
+
+		options.Page = resp.NextPage
 	}
 
-	if team == nil {
+	if smTeam == nil {
 		log.Printf("[WARN] Removing organization security manager team %s from state because it no longer exists in GitHub", d.Id())
 		d.SetId("")
 		return nil
 	}
 
-	if err = d.Set("team_slug", team.GetSlug()); err != nil {
+	if err = d.Set("team_slug", smTeam.GetSlug()); err != nil {
 		return err
 	}
 
@@ -128,8 +155,13 @@ func resourceGithubOrganizationSecurityManagerUpdate(d *schema.ResourceData, met
 		return err
 	}
 
+	smRole, err := getSecurityManagerRole(client, ctx, orgName)
+	if err != nil {
+		return err
+	}
+
 	// Adding the same team is a no-op.
-	_, err = client.Organizations.AddSecurityManagerTeam(ctx, orgName, team.GetSlug())
+	_, err = client.Organizations.AssignOrgRoleToTeam(ctx, orgName, team.GetSlug(), smRole.GetID())
 	if err != nil {
 		return err
 	}
@@ -149,6 +181,11 @@ func resourceGithubOrganizationSecurityManagerDelete(d *schema.ResourceData, met
 	client := meta.(*Owner).v3client
 	ctx := context.WithValue(context.Background(), ctxId, d.Id())
 
-	_, err = client.Organizations.RemoveSecurityManagerTeam(ctx, orgName, teamSlug)
+	smRole, err := getSecurityManagerRole(client, ctx, orgName)
+	if err != nil {
+		return err
+	}
+
+	_, err = client.Organizations.RemoveOrgRoleFromTeam(ctx, orgName, teamSlug, smRole.GetID())
 	return err
 }