
[BUG]: Template-generated repositories default to public visibility in > 6.9.1 #3134

@mdjward

Description

Expected Behavior

  1. Creating a GitHub repository from a template with "internal" visibility clones the new repository as private; a subsequent update then attempts to set the visibility to "internal" (if supported, i.e. when the org is part of an enterprise).
  2. This is treated as a single atomic operation. If any constituent part of the operation fails, rollback ensures the new repository is destroyed.

Actual Behavior

The cloned repository is created as public unless visibility is set to private; internal is ignored entirely.

If the organization rulesets feature (currently in preview) is enabled with a rule in force to prohibit creation of public repositories, this will prevent the repository from being created.

Otherwise, the repository is created initially as public. In scenarios where illegal settings (for example, explicitly disabling GHAS) for public repositories are applied:

  1. The underlying CRUD operation will fail;
  2. The failure cascades to the whole apply operation;
  3. The repository is not deleted;
  4. The repository - intended for internal use - is left as public. If an internal/private template was used, there exists a risk of compromised material (however limited the form or scope).

Terraform Version

Terraform v1.14.3
on linux_x64
Provider version 6.10.2

Affected Resource(s)

  • github_repository

Terraform Configuration Files

# This will fail if organization rulesets are in play
resource "github_repository" "default" {
  name = "my-repo"
  template {
    owner = "my-org"
    repository = "example-template"
  }
  visibility = "internal"
}

# If appropriate organization ruleset rules are not enforced
# this will fail regardless
# leaving a public clone of the template repository
resource "github_repository" "default" {
  name = "my-repo"
  template {
    owner = "my-org"
    repository = "example-template"
  }
  visibility = "internal"

  security_and_analysis {
    advanced_security {
      status = "disabled"
    }
    secret_scanning {
      status = "disabled"
    }
    secret_scanning_push_protection {
      status = "disabled"
    }
  }
}

Steps to Reproduce

Apply one of the scenario configurations shown above (subject to appropriate organization rulesets being in place), then:

$ terraform apply

Debug Output

Panic Output

# In case of the organisation ruleset
╷
│ Error: POST https://api.github.com/repos/my-org/example-template/generate: 422 Could not clone: Repository Due to policy, repository visibility can not be set to public [{Resource: Field: Code: Message:Could not clone: Repository Due to policy, repository visibility can not be set to public}]
│ 
│   with module.common-repo.github_repository.default,
│   on ../../modules/common-repo/main.tf line 7, in resource "github_repository" "default":
│    7: resource "github_repository" "default" {
│ 
╵

# Otherwise, an HTTP 422 when attempting to disable GHAS
# (I can't reproduce this without creating another compromised repository within my org - which policy that I am not removing now prevents)

Code of Conduct

  • I agree to follow this project's Code of Conduct
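As an added example (not code from the issue or the provider): the two-step create that the report expects, modelled as the sequence of REST calls a client would issue, plus an audit over constructed repository data for template clones that were left public. It assumes the repository objects carry a `template_repository` sub-object with a `visibility` field; nothing is sent to GitHub.

```python
"""Added example (not from the issue or the provider): models the two-step
create the report expects and audits constructed repo data for template
clones left public. Offline only; nothing is sent to api.github.com."""
import json

GENERATE_PATH = "/repos/{owner}/{template}/generate"   # real REST endpoint
REPO_PATH = "/repos/{owner}/{name}"                    # real REST endpoint

def plan_template_create(owner, name, template_owner, template, visibility):
    """Return the ordered API calls that realise `visibility` safely.

    The generate endpoint only takes a boolean `private`, so anything that is
    not public is created private first and then PATCHed to the requested
    visibility. Creating public and tightening later is the failure mode in
    the report: a failed follow-up leaves the clone public.
    """
    if visibility not in ("public", "private", "internal"):
        raise ValueError(f"unknown visibility: {visibility}")
    calls = [("POST", GENERATE_PATH.format(owner=template_owner, template=template),
              {"owner": owner, "name": name, "private": visibility != "public"})]
    if visibility == "internal":
        calls.append(("PATCH", REPO_PATH.format(owner=owner, name=name),
                      {"visibility": "internal"}))
    return calls

def leaked_template_clones(repos):
    """Flag public repos that were generated from a non-public template."""
    flagged = []
    for r in repos:
        tmpl = r.get("template_repository")  # assumed shape: object or null
        if r.get("visibility") == "public" and tmpl and tmpl.get("visibility") != "public":
            flagged.append((r["full_name"], tmpl["full_name"]))
    return flagged

# Constructed sample, shaped like the fields of a repository list response used here.
SAMPLE_REPOS = json.loads("""[
 {"full_name": "my-org/my-repo", "visibility": "public",
  "template_repository": {"full_name": "my-org/example-template", "visibility": "internal"}},
 {"full_name": "my-org/docs", "visibility": "public",
  "template_repository": {"full_name": "my-org/public-template", "visibility": "public"}},
 {"full_name": "my-org/safe", "visibility": "internal",
  "template_repository": {"full_name": "my-org/example-template", "visibility": "internal"}},
 {"full_name": "my-org/plain", "visibility": "private", "template_repository": null}
]""")

if __name__ == "__main__":
    for call in plan_template_create("my-org", "my-repo", "my-org", "example-template", "internal"):
        print(*call)
    print(leaked_template_clones(SAMPLE_REPOS))
```

Against a real org, feed the output of the repository list endpoint into `leaked_template_clones` to find clones stranded in the state described under Actual Behavior.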
