Merge branch 'main' into main

Author: kfcampbell

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ jobs:
       GITHUB_TEST_ORGANIZATION: 'kfcampbell-terraform-provider'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true

.github/workflows/codeql.yml

@@ -27,21 +27,21 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dotcom-acceptance-tests-all.yml

@@ -20,7 +20,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -38,7 +38,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -71,7 +71,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true

.github/workflows/dotcom-acceptance-tests-manual.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -52,7 +52,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -89,7 +89,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true

.github/workflows/dotcom-acceptance-tests.yml

@@ -28,7 +28,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -48,7 +48,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true

.github/workflows/ghes-acceptance-tests-all.yml

@@ -32,7 +32,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -51,7 +51,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -86,7 +86,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true

.github/workflows/ghes-acceptance-tests.yml

@@ -27,7 +27,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -46,7 +46,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -67,7 +67,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           fetch-depth: 2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true

.github/workflows/release.yml

@@ -22,7 +22,7 @@ jobs:
           # Allow goreleaser to access older tag information.
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true

CONTRIBUTING.md

@@ -81,7 +81,7 @@ Setting a `processId` of 0 allows a dropdown to select the process of the provid
 
 0. Add a sleep call (e.g. `time.Sleep(10 * time.Second)`) in the [`func providerConfigure(p *schema.Provider) schema.ConfigureFunc`](https://github.com/integrations/terraform-provider-github/blob/cec7e175c50bb091feecdc96ba117067c35ee351/github/provider.go#L274C1-L274C64) before the immediate `return` call. This will allow time to connect the debugger while the provider is initializing, before any critical logic happens.
 
-0. Build the terraform provider with debug flags enabled and copy it to the appropriate bin folder with a command like `go build -gcflags="all=-N -l" -o ~/go/bin`.
+0. Build the terraform provider with debug flags enabled and copy it to the appropriate bin folder with a command like `go build -gcflags="all=-N -l" -o ~/go/bin/`.
 
 0. Create or edit a `dev.tfrc` that points toward the newly-built binary, and export the `TF_CLI_CONFIG_FILE` variable to point to it. Further instructions on this process may be found in the [Building the provider](#using-a-local-version-of-the-provider) section.
 
@@ -99,7 +99,7 @@ Manual testing should be performed on each PR opened in order to validate the pr
 Build the provider and specify the output directory:
 
 ```sh
-$ go build -gcflags="all=-N -l" -o ~/go/bin
+$ go build -gcflags="all=-N -l" -o ~/go/bin/
 ```
 
 This enables verifying your locally built provider using examples available in the `examples/` directory.

examples/organization_security_manager/README.md

@@ -0,0 +1,22 @@
+# Organization Security Manager Example
+
+This example demonstrates creating an organization security manager team.
+
+It will:
+- Create a team with the specified `team_name` in the specified `owner` organization
+- Assign the organization security manager role to the team
+
+The GitHub token must have the `admin:org` scope.
+
+```console
+export GITHUB_OWNER=my-organization
+export GITHUB_TOKEN=ghp_###
+export GITHUB_TEAM_NAME="My Security Manager Team"
+```
+
+```console
+terraform apply \
+  -var "owner=${GITHUB_OWNER}" \
+  -var "github_token=${GITHUB_TOKEN}" \
+  -var "team_name=${GITHUB_TEAM_NAME}"
+```

examples/organization_security_manager/main.tf

@@ -0,0 +1,8 @@
+resource "github_team" "security_managers" {
+  name        = var.team_name
+  description = "A team of organization security managers"
+}
+
+resource "github_organization_security_manager" "security_managers" {
+  team_slug = github_team.security_managers.slug
+}

examples/organization_security_manager/output.tf

@@ -0,0 +1,4 @@
+output "github_security_managers_team" {
+  description = "The organization security managers team"
+  value       = github_organization_security_manager.security_managers
+}

examples/organization_security_manager/providers.tf

@@ -0,0 +1,12 @@
+provider "github" {
+  owner = var.owner
+  token = var.github_token
+}
+
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+    }
+  }
+}

examples/organization_security_manager/variables.tf

@@ -0,0 +1,14 @@
+variable "github_token" {
+  description = "GitHub access token used to configure the provider"
+  type        = string
+}
+
+variable "owner" {
+  description = "GitHub owner used to configure the provider"
+  type        = string
+}
+
+variable "team_name" {
+  description = "The name to use for the GitHub team"
+  type        = string
+}

github/apps.go

@@ -31,7 +31,7 @@ func GenerateOAuthTokenFromApp(baseURL, appID, appInstallationID, pemData string
 }
 
 func getInstallationAccessToken(baseURL string, jwt string, installationID string) (string, error) {
-	if baseURL != "https://api.github.com/" {
+	if baseURL != "https://api.github.com/" && !GHECDataResidencyMatch.MatchString(baseURL) {
 		baseURL += "api/v3/"
 	}
 

github/config.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"regexp"
 	"strings"
 	"time"
 
@@ -36,6 +37,10 @@ type Owner struct {
 	IsOrganization bool
 }
 
+// GHECDataResidencyMatch is a regex to match a GitHub Enterprise Cloud data residency URL:
+// https://[hostname].ghe.com instances expect paths that behave similar to GitHub.com, not GitHub Enterprise Server.
+var GHECDataResidencyMatch = regexp.MustCompile(`^https:\/\/[a-zA-Z0-9.\-]*\.ghe\.com$`)
+
 func RateLimitedHTTPClient(client *http.Client, writeDelay time.Duration, readDelay time.Duration, retryDelay time.Duration, parallelRequests bool, retryableErrors map[int]bool, maxRetries int) *http.Client {
 
 	client.Transport = NewEtagTransport(client.Transport)
@@ -80,7 +85,7 @@ func (c *Config) NewGraphQLClient(client *http.Client) (*githubv4.Client, error)
 		return nil, err
 	}
 
-	if uv4.String() != "https://api.github.com/" {
+	if uv4.String() != "https://api.github.com/" && !GHECDataResidencyMatch.MatchString(uv4.String()) {
 		uv4.Path = path.Join(uv4.Path, "api/graphql/")
 	} else {
 		uv4.Path = path.Join(uv4.Path, "graphql")
@@ -96,7 +101,7 @@ func (c *Config) NewRESTClient(client *http.Client) (*github.Client, error) {
 		return nil, err
 	}
 
-	if uv3.String() != "https://api.github.com/" {
+	if uv3.String() != "https://api.github.com/" && !GHECDataResidencyMatch.MatchString(uv3.String()) {
 		uv3.Path = uv3.Path + "api/v3/"
 	}
 

github/config_test.go

@@ -7,6 +7,64 @@ import (
 	"github.com/shurcooL/githubv4"
 )
 
+func TestGHECDataResidencyMatch(t *testing.T) {
+	testCases := []struct {
+		url         string
+		matches     bool
+		description string
+	}{
+		{
+			url:         "https://customer.ghe.com",
+			matches:     true,
+			description: "GHEC data residency URL with customer name",
+		},
+		{
+			url:         "https://customer-name.ghe.com",
+			matches:     true,
+			description: "GHEC data residency URL with hyphenated name",
+		},
+		{
+			url:         "https://api.github.com",
+			matches:     false,
+			description: "GitHub.com API URL",
+		},
+		{
+			url:         "https://github.com",
+			matches:     false,
+			description: "GitHub.com URL",
+		},
+		{
+			url:         "https://example.com",
+			matches:     false,
+			description: "Generic URL",
+		},
+		{
+			url:         "http://customer.ghe.com",
+			matches:     false,
+			description: "Non-HTTPS GHEC URL",
+		},
+		{
+			url:         "https://customer.ghe.com/api/v3",
+			matches:     false,
+			description: "GHEC URL with path",
+		},
+		{
+			url:         "https://ghe.com",
+			matches:     false,
+			description: "GHEC domain without subdomain",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			matches := GHECDataResidencyMatch.MatchString(tc.url)
+			if matches != tc.matches {
+				t.Errorf("URL %q: expected match=%v, got %v", tc.url, tc.matches, matches)
+			}
+		})
+	}
+}
+
 func TestAccConfigMeta(t *testing.T) {
 
 	// FIXME: Skip test runs during travis lint checking