feat: support internal visibility for repositories created by a template #3123

Merged
stevehipwell merged 3 commits into integrations:main from puneet-arora15:fix/internal-visibility-template-security
Jan 29, 2026

@puneet-arora15
Contributor

@puneet-arora15 puneet-arora15 commented Jan 26, 2026

Resolves #925
Resolves #3134


Before the change?

  • When creating a repository from a template with visibility = "internal", the repository was created as public due to incorrect handling of the Private boolean field
  • The code only set Private=true when visibility == "private", causing visibility = "internal" to default to Private=false (public)
  • This resulted in repositories being temporarily exposed publicly before being updated to internal visibility
  • Security Impact: Repositories intended to be internal to an organization were briefly accessible to the public, potentially exposing sensitive data

After the change?

  • Modified the isPrivate logic to set Private=true for both "private" and "internal" visibility values
  • Repositories with visibility = "internal" are now correctly created as private initially
  • The visibility is then properly updated to "internal" via the existing PATCH request in resourceGithubRepositoryUpdate()
  • Security Fixed: No public exposure window - repositories remain private/internal throughout the entire creation process
  • Added inline comment explaining the API limitation and two-step process

Pull request checklist

  • Schema migrations have been created if needed (example)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Note on checklist items:

  • Schema migrations: Not needed - no schema changes required
  • Tests: Added new test case "sets internal visibility for repositories created by a template" that verifies repositories created from templates with visibility = "internal" are correctly created as internal
  • Docs: No documentation updates needed - this is a bug fix that makes the existing documented behavior work correctly

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

This is a bug fix that corrects the existing behavior to match the documented and expected functionality. Users who specify visibility = "internal" for template-based repositories will now get the correct behavior without any changes to their Terraform configurations.


Technical Details

Root Cause: The GitHub template creation API (POST /repos/{template_owner}/{template_repo}/generate) only accepts a private boolean parameter and does not support the visibility parameter directly.

Code Change (line ~660 in github/resource_github_repository.go):

// Before:
isPrivate := repoReq.GetVisibility() == "private"

// After:
// Template API only supports Private boolean, so treat "internal" as private, then update via PATCH.
isPrivate := repoReq.GetVisibility() == "private" || repoReq.GetVisibility() == "internal"
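
The exposure window described in this PR, as an added example that is not part of the PR or the provider's code: a constructed in-memory model of the two-step creation (template endpoint with a private boolean, then a PATCH of the visibility). `createFromTemplate`, `everPublic`, `finalState` and the `patchFails` switch are hypothetical names; only the two `isPrivate` expressions come from the description above.

```go
package main

import "fmt"

// The two isPrivate expressions from the PR description, as functions.
func privateBefore(v string) bool { return v == "private" }
func privateAfter(v string) bool { return v == "private" || v == "internal" }

// createFromTemplate is a constructed in-memory model of the two-step flow; it
// sends no requests and is not the provider's code. It returns every
// visibility the repository has had, in order.
func createFromTemplate(requested string, toPrivate func(string) bool, patchFails bool) []string {
	// Step 1: the template endpoint only takes a private boolean.
	created := "public"
	if toPrivate(requested) {
		created = "private"
	}
	history := []string{created}
	// Step 2: follow-up PATCH sets the requested visibility (assumed to be
	// sent only when the created state differs, and allowed to fail here).
	if created != requested && !patchFails {
		history = append(history, requested)
	}
	return history
}

// everPublic reports whether the repository was public at any step.
func everPublic(history []string) bool {
	for _, v := range history {
		if v == "public" {
			return true
		}
	}
	return false
}

// finalState is where the repository is left, including after a failed PATCH.
func finalState(history []string) string { return history[len(history)-1] }

func main() {
	for _, failed := range []bool{false, true} {
		b := createFromTemplate("internal", privateBefore, failed)
		a := createFromTemplate("internal", privateAfter, failed)
		fmt.Printf("patchFails=%v before=%v (public window: %v) after=%v (public window: %v)\n",
			failed, b, everPublic(b), a, everPublic(a))
	}
}
```

In this model the old mapping leaves the repository public if the PATCH never succeeds, while the new mapping leaves it private.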

@puneet-arora15 puneet-arora15 marked this pull request as draft January 26, 2026 18:00
@github-actions

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@github-actions github-actions bot added the Type: Bug Something isn't working as documented label Jan 26, 2026
@deiga
Collaborator

deiga commented Jan 26, 2026

Please mark this as resolving #925

AFAIK these changes break the allow_forking tests, please address those as well
Apparently those tests are broken on main

Collaborator

@stevehipwell stevehipwell left a comment

Thanks for the PR @puneet-arora15. As well as the suggested changes this PR is going to need some docs changes (they're currently handwritten) to explain the updated behaviour.

@puneet-arora15 puneet-arora15 force-pushed the fix/internal-visibility-template-security branch from ac3c6ff to cd8d866 Compare January 27, 2026 10:25
@puneet-arora15
Contributor Author

> Please mark this as resolving #925
>
> AFAIK these changes break the allow_forking tests, please address those as well
> Apparently those tests are broken on main

Thanks @deiga, I have updated the description for it.

@puneet-arora15
Contributor Author

> Thanks for the PR @puneet-arora15. As well as the suggested changes this PR is going to need some docs changes (they're currently handwritten) to explain the updated behaviour.

Thanks @stevehipwell for detailed updates to the PR, those changes have now been merged.

Collaborator

@stevehipwell stevehipwell left a comment

Thanks for the quick response @puneet-arora15. Have you run the new test locally?

@puneet-arora15
Contributor Author

I have now (screenshot attached), also changed test assertion from private = "false" to private = "true" for internal repositories.

This matches GitHub API's actual response where internal repositories have the private field set to true, aligning with the fix that treats internal repos as private during template creation.

@puneet-arora15 puneet-arora15 marked this pull request as ready for review January 28, 2026 13:17
Collaborator

@stevehipwell stevehipwell left a comment

LGTM

@stevehipwell
Collaborator

@puneet-arora15 could you please rebase this PR?

@stevehipwell stevehipwell enabled auto-merge (squash) January 28, 2026 22:14
auto-merge was automatically disabled January 28, 2026 22:42

Head branch was pushed to by a user without write access

@puneet-arora15 puneet-arora15 force-pushed the fix/internal-visibility-template-security branch from 5c7129c to 8c3e9fa Compare January 28, 2026 22:42
@stevehipwell stevehipwell enabled auto-merge (squash) January 29, 2026 11:58
@stevehipwell stevehipwell merged commit d1de3e9 into integrations:main Jan 29, 2026
12 of 13 checks passed
deiga pushed a commit to F-Secure-web/terraform-provider-github that referenced this pull request Jan 29, 2026
…ate (integrations#3123)

* feat: support internal visibility for repositories created by a template

* fix: update handling of internal visibility for repositories created from templates

* fix: update test to reflect internal repository visibility as private