[MAINT]: Public Repositories do not play well with Advanced Security settings

[lbordowitz]

Describe the need

First of all, thank you very much for adding the GitHub Advanced Security settings in terraform, see #1104 . This has been a boon to our organization, and we've used it to track and add settings to every repository using a common setup module.

Most of our repositories are private, but one of them is public. I've tried a dynamic setting to remove the advanced_security block from the public repository, but now, trying to remove it, I get the message 422 Advanced security is always available for public repos [].

I do want to keep other security settings, like "Secret scanning", without having a required block specifying advanced security for the public repo. Please advise if there's a better way to go about this, otherwise, let me know if this is something that can be adjusted in the security_and_analysis block.

SDK Version

No response

API Version

No response

Relevant log output

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[davidkelliott]

We are having a similar issue when enabling this for a public repo, with the following configuration block -

  security_and_analysis {
    advanced_security {
      status = "enabled"
    }
    secret_scanning {
      status = "enabled"
    }
    secret_scanning_push_protection {
      status = "enabled"
    }
  }

We get the error:

Error: PATCH https://api.github.com/repos/ministryofjustice/modernisation-platform: 422 Advanced security is always available for public repos []

I've tried setting status to null, and also tried removing the status (advanced_security {})but neither are allowed.

[kfcampbell]

Ideally, this sort of thing wouldn't throw a 422 at the API level. In the provider, perhaps an inelegant solution would be ignoring 422s for those specific requests.

[sethvargo]

Hey @nickfloyd - could we rollback #1304 and release a new version? This unintentionally introduced a breaking change. By sending these values in API calls to public repos, GitHub rejects them.

I think we should only add these fields to the API if they are explicitly supplied, or rollback and explore a different engineering option. For now, pinning to 5.10 is a workaround, but this is a fairly serious bug as it makes github_repository completely unusable in 5.11 and 5.12 and introduced a breaking change.

/cc @marzvrover @kfcampbell

[kuhlman-labs]

@sethvargo I'll take a look, I have some ideas of how to handle.

[kfcampbell]

Thank you @kuhlman-labs! I appreciate it.