[BUG]: github_repository_ruleset protecting tags regression as of 6.5.0 #2560

faust64 opened this issue Feb 8, 2025 · 0 comments
faust64 commented Feb 8, 2025

Expected Behavior

Hello,

We are using the GitHub provider to configure repository settings.
We recently introduced the following:

resource "github_repository_ruleset" "image_tags" {
  for_each    = local.images_repos
  name        = "dont-tag-before-ci-done-building-snapshot"
  repository  = github_repository.repo[each.key].name
  target      = "tag"
  enforcement = "active"

  conditions {
    ref_name {
      exclude = []
      include = ["~ALL"]
    }
  }

  rules {
    creation                = false
    update                  = true
    deletion                = true
    non_fast_forward        = true
    required_linear_history = false
    required_signatures     = false

    required_status_checks {
      required_check {
        context = "image/ready-to-release"
      }

      # not used when protecting tags?
      # https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_ruleset#strict_required_status_checks_policy-1
      strict_required_status_checks_policy = false
    }
  }
}

Using version 6.4.0 of the GitHub provider, I was able to set those up:

Terraform will perform the following actions:

  # module.protect.module.protect[0].github_repository_ruleset.image_tags["my-golang-images"] will be created
  + resource "github_repository_ruleset" "image_tags" {
      + enforcement = "active"
      + etag        = (known after apply)
      + id          = (known after apply)
      + name        = "dont-tag-before-ci-done-building-snapshot"
      + node_id     = (known after apply)
      + repository  = "my-golang-images"
      + ruleset_id  = (known after apply)
      + target      = "tag"

      + conditions {
          + ref_name {
              + exclude = []
              + include = [
                  + "~ALL",
                ]
            }
        }

      + rules {
          + creation                      = false
          + deletion                      = true
          + non_fast_forward              = true
          + required_linear_history       = false
          + required_signatures           = false
          + update                        = true
          + update_allows_fetch_and_merge = false

          + required_status_checks {
              + strict_required_status_checks_policy = false

              + required_check {
                  + context        = "image/ready-to-release"
                  + integration_id = 0
                }
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
...

$> tf apply plan
module.protect.module.protect[0].github_repository_ruleset.image_tags["my-golang-images"]: Creating...
module.protect.module.protect[0].github_repository_ruleset.image_tags["my-golang-images"]: Creation complete after 1s [id=295]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Actual Behavior

Before my attempt at downgrading to 6.4.0, I was trying that out using 6.5.0.
We can see that new do_not_enforce_on_create setting, which defaults to false ... So it does enforce on create, which is what I want, so it should be fine, then?

# module.protect.module.protect[0].github_repository_ruleset.image_tags["my-golang-images"] will be created
+ resource "github_repository_ruleset" "image_tags" {
    + enforcement = "active"
    + etag        = (known after apply)
    + id          = (known after apply)
    + name        = "dont-tag-before-ci-done-building-snapshot"
    + node_id     = (known after apply)
    + repository  = "my-golang-images"
    + ruleset_id  = (known after apply)
    + target      = "tag"

    + conditions {
        + ref_name {
            + exclude = []
            + include = [
                + "~ALL",
              ]
          }
      }

    + rules {
        + creation                      = false
        + deletion                      = true
        + non_fast_forward              = true
        + required_linear_history       = false
        + required_signatures           = false
        + update                        = true
        + update_allows_fetch_and_merge = false

        + required_status_checks {
            + do_not_enforce_on_create             = false
            + strict_required_status_checks_policy = false

            + required_check {
                + context        = "image/ready-to-release"
                + integration_id = 0
              }
          }
      }
  }

Yet apply fails with the following:

module.protect.module.protect[0].github_repository_ruleset.image_tags["my-golang-images"]: Creating...

Error: POST https://github.example.com/api/v3/repos/xxx/my-golang-images/rulesets: 422 Validation Failed [{Resource: Field: Code: Message:Invalid rules: 'Required status checks'}]

  with module.protect.module.protect[0].github_repository_ruleset.image_tags["my-golang-images"],
  on .terraform/modules/protect/modules/repos.protect/tag_protection.tf line 1, in resource "github_repository_ruleset" "image_tags":
   1: resource "github_repository_ruleset" "image_tags" {

Terraform Version

Terraform v1.9.8
on linux_amd64

  • provider registry.terraform.io/hashicorp/external v2.3.4
  • provider registry.terraform.io/hashicorp/http v3.4.5
  • provider registry.terraform.io/hashicorp/local v2.5.2
  • provider registry.terraform.io/integrations/github v6.5.0

Affected Resource(s)

  • github_repository_ruleset

Terraform Configuration Files

resource "github_repository_ruleset" "image_tags" {
  for_each    = local.images_repos
  name        = "dont-tag-before-ci-done-building-snapshot"
  repository  = github_repository.repo[each.key].name
  target      = "tag"
  enforcement = "active"

  conditions {
    ref_name {
      exclude = []
      include = ["~ALL"]
    }
  }

  rules {
    creation                = false
    update                  = true
    deletion                = true
    non_fast_forward        = true
    required_linear_history = false
    required_signatures     = false

    required_status_checks {
      required_check {
        context = "image/ready-to-release"
      }
      strict_required_status_checks_policy = false
    }
  }
}

Steps to Reproduce

terraform plan, terraform apply

Debug Output

Panic Output

Code of Conduct

  • I agree to follow this project's Code of Conduct
@faust64 faust64 added Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented labels Feb 8, 2025
@github-project-automation github-project-automation bot moved this to 🆕 Triage in 🧰 Octokit Active Feb 8, 2025