unable to update branch_protections for github repos

[balusarakesh]

Hi there,

We were trying to enable enforce_admins = true and we see a TF plan like the following but when we apply we get an error. As you can see below there are no changes to required_status_checks but we are not able to apply it.

  # module.repositories.github_branch_protection_v3.managed["REPO_NAME:BRANCH_NAME"] will be updated in-place
  ~ resource "github_branch_protection_v3" "managed" {
      ~ enforce_admins                  = false -> true
        id                              = "REPO_NAME:BRANCH_NAME"
        # (5 unchanged attributes hidden)


        # (2 unchanged blocks hidden)
    }

Terraform Version

• 1.0.9
• terraform-provider-github: v4.24.1

Affected Resource(s)

Please list the resources as a list, for example:

• github_branch_protection_v3

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "github_branch_protection_v3" "example" {
  repository     = github_repository.example.name
  branch         = "main"
  enforce_admins = true

  required_status_checks {
    strict   = true
    contexts = []
  }

}

Debug Output

unfortunately I'm not allowed to share full debug output due to company policy, here's some relevant debug logs:

2022-05-12T09:24:17.198-0700 [DEBUG] provider.terraform-provider-github_v4.24.1: {
2022-05-12T09:24:17.198-0700 [DEBUG] provider.terraform-provider-github_v4.24.1:  "message": "Invalid request.\n\nNo subschema in \"anyOf\" matched.\nNo subschema in \"oneOf\" matched.\nNot all subschemas of \"allOf\" matched.\nFor 'anyOf/1', {\"strict\"=>true} is not a null.",
2022-05-12T09:24:17.198-0700 [DEBUG] provider.terraform-provider-github_v4.24.1:  "documentation_url": "https://docs.github.com/rest/reference/repos#update-branch-protection"
2022-05-12T09:24:17.198-0700 [DEBUG] provider.terraform-provider-github_v4.24.1: }

│ Error: PUT https://api.github.com/repos/ORG_NAME/REPO_NAME/branches/BRANCH_NAME/protection: 422 Invalid request.
│
│ No subschema in "anyOf" matched.
│ No subschema in "oneOf" matched.
│ Not all subschemas of "allOf" matched.
│ For 'anyOf/1', {"strict"=>true} is not a null. []
│
│   with module.repositories.github_branch_protection_v3.managed["REPO_NAME:BRANCH_NAME"],
│   on ../../../modules/repositories/repository-branch-protection.tf line 1, in resource "github_branch_protection_v3" "managed":
│    1: resource "github_branch_protection_v3" "managed" {
│
╵

Expected Behavior

• able to update branch protection

Actual Behavior

• seeing above errors

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

Important Factoids

• we use atlantis but the same error happens locally as well

[caylent-mariano-sanfilippo]

I was facing the same issue a few moments ago. Try adding context.
required_status_checks { strict = true contexts = [ "acontext" ] }

[stanislavsapov]

@balusarakesh if you don't need to enable checks, then you can try to provide null instead of an empty list.

resource "github_branch_protection_v3" "example" {
  repository     = github_repository.example.name
  branch         = "main"
  enforce_admins = true

  required_status_checks {
    strict   = true
    contexts = null
  }

}

[iniinikoski]

@balusarakesh if you don't need to enable checks, then you can try to provide null instead of an empty list.

resource "github_branch_protection_v3" "example" {
  repository     = github_repository.example.name
  branch         = "main"
  enforce_admins = true

  required_status_checks {
    strict   = true
    contexts = null
  }

}

I'm not sure if this works, here's the full (non-working) example:

resource "github_repository" "example" {
  name        = "terraform-test-repo"
  description = "Terraform acceptance tests"

  auto_init = true
}

resource "github_branch_protection_v3" "example" {
  repository = github_repository.example.name
  # branch         = "main"
  branch         = github_repository.example.default_branch
  enforce_admins = true

  required_status_checks {
    strict   = true
    contexts = null
  }

}

I'm also a bit puzzled what broke here (why did this surface now; did GitHub update their API on this or what). The best option for us to get this sorted seems to just create the required_status_checks block with dynamic now - but only when the "contexts" have been configured - as otherwise - for reason X - GitHub gives the error.

But, we should be able to set the "strict" without the "contexts" - so - it seems to be a bug...

[balusarakesh]

FYI: it's not the contexts variable, it's strict variable which is having issues as you ca see from the logs

│ For 'anyOf/1', {"strict"=>true} is not a null. []

[TheJackson]

I'm also experiencing this issue at my organisation, out of no-where much like @iniinikoski.

Has anyone had much success at a workaround or fix?

Unsure if this is related, but in the GitHub API docs under the "Body Parameters" section, it states that the contexts property is both REQUIRED and DEPRECATED (which seems contradictory) and has been replaced by checks. Is this a recent change?

[geancarlo]

Having the same issue over here. Apparently it worked fine 21 days ago from our terraform/CI logs...

[highb]

I'm also seeing this issue. My data point that I can contribute is that updated my pinned version for the provider from version ~> 4.19.2 to ~> 4.26.1. I'm not sure if that is directly related or a red herring.

[highb]

We downgraded the provider to 4.22.0 and it appears to have resolved the issue for us. Hopefully that helps you git bisect it. :)

[luisdavim]

This seems to be a problem with github.com/google/go-github/v47

[luisdavim]

This seems to be a problem with github.com/google/go-github/v47

Actually, it seems like github.com/google/go-github/v47 is used in other parts of this provider, but the branch protection uses github.com/shurcooL/githubv4, I've opened a PR to fix the issue on github.com/google/go-github/v47 (google/go-github#2468) the fix on the other lib is probably similar, removing omitempty from https://github.com/shurcooL/githubv4/blob/master/input.go#L604

update: actually, there are 2 versions of the resource, one uses github.com/google/go-github/v47 (https://github.com/integrations/terraform-provider-github/blob/main/github/resource_github_branch_protection_v3.go) the other uses github.com/shurcooL/githubv4 (https://github.com/integrations/terraform-provider-github/blob/main/github/resource_github_branch_protection.go)

[gfoligna-nyshex]

@luisdavim which version can we use meanwhile this gets resolved? I'm using github_branch_protection_v3 with provider version ~> 4.0

[luisdavim]

I think 4.22.0 should work.

[grrywlsn]

Can confirm, we're using 4.22.0 and the branch protection error doesn't appear.