
Fix Support for Github Environment Secrets' Lifecycle Ignore Changes #2651

Merged: nickfloyd merged 3 commits into integrations:main from bshore-bf:support-environment-secrets-lifecycle-ignore-changes on Nov 10, 2025

Conversation

bshore-bf (Contributor) commented May 3, 2025

Resolves #2288


Before the change?

Modifying a Github Environment Secret value from Terraform OR Externally in Github while using a lifecycle ignore_changes block always results in Secret creation.

After the change?

Modifying a Github Environment Secret value from Terraform OR Externally in Github no longer causes Secret creation, and the lifecycle ignore_changes block is respected.

Notably, with this change a terraform plan without the ignore_changes now appropriately states that a Github Environment Secret value must be replaced rather than just "created".

Terraform will perform the following actions:

  # github_actions_environment_secret.no_ignore must be replaced
-/+ resource "github_actions_environment_secret" "no_ignore" {
      ~ created_at      = "2025-05-03 18:42:21 +0000 UTC" -> (known after apply)
      + encrypted_value = (sensitive value) # forces replacement
      ~ id              = "gh-provider-tf-testing:test-environment:SECRET_WITHOUT_IGNORE" -> (known after apply)
      ~ updated_at      = "2025-05-03 18:42:21 +0000 UTC" -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Pull request checklist

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

Manual test Terraform code

terraform {
  required_providers {
    github = {
      source                = "integrations/github"
      version               = ">=6.6"
      configuration_aliases = [github.primary]
    }
  }
  required_version = "~>1.7"
}

provider "github" {
  alias = "primary"
  owner = "your owner config name here"
}

resource "github_repository" "repository" {
  provider = github.primary

  name        = "gh-provider-tf-testing"
  description = "Testing stuff with the GitHub TF Provider."

  visibility = "private"
}

resource "github_repository_environment" "environment" {
  provider = github.primary

  environment = "test-environment"
  repository  = github_repository.repository.name
}

resource "github_actions_environment_secret" "ignore" {
  provider = github.primary

  repository      = github_repository.repository.name
  environment     = github_repository_environment.environment.environment
  secret_name     = "SECRET_WITH_IGNORE"
  encrypted_value = base64sha256("placeholder")

  lifecycle {
    ignore_changes = [encrypted_value]
  }
}

resource "github_actions_environment_secret" "no_ignore" {
  provider = github.primary

  repository      = github_repository.repository.name
  environment     = github_repository_environment.environment.environment
  secret_name     = "SECRET_WITHOUT_IGNORE"
  encrypted_value = base64sha256("placeholder")
}
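To make the before/after above concrete, here is an illustrative Go model added for this page (it is not the provider's code). It assumes the pre-fix Read dropped a drifted secret from state entirely, while the fixed Read keeps the resource and clears encrypted_value (which is what the "+ encrypted_value ... # forces replacement" plan line reflects), and it models only the case where the secret is changed in the GitHub UI.

```go
package main

// Illustrative model (added here, not the provider's code) of why
// lifecycle.ignore_changes was ineffective for github_actions_environment_secret.
type Action string

const (
	NoOp    Action = "no-op"
	Create  Action = "create"
	Replace Action = "replace"
)

// State is what the provider's Read leaves in Terraform state for one secret.
type State struct {
	InState        bool   // false: Read removed the resource, Terraform treats it as gone
	UpdatedAt      string // updated_at reported by the GitHub API
	EncryptedValue string // value held in state; "" once Read has flagged drift on it
}

// readOld models the pre-fix Read (assumption): a changed updated_at removes the
// secret from state, so Terraform can only plan a fresh create.
func readOld(stateUpdatedAt, apiUpdatedAt, stateValue string) State {
	if stateUpdatedAt != apiUpdatedAt {
		return State{InState: false}
	}
	return State{InState: true, UpdatedAt: apiUpdatedAt, EncryptedValue: stateValue}
}

// readFixed models the post-fix Read (assumption): the secret stays in state and
// the drift is surfaced on encrypted_value, the attribute ignore_changes targets.
func readFixed(stateUpdatedAt, apiUpdatedAt, stateValue string) State {
	s := State{InState: true, UpdatedAt: apiUpdatedAt, EncryptedValue: stateValue}
	if stateUpdatedAt != apiUpdatedAt {
		s.EncryptedValue = "" // appears as "+ encrypted_value ... # forces replacement"
	}
	return s
}

// plan models Terraform core: a resource missing from state is always created,
// and ignore_changes only suppresses attribute diffs. encrypted_value is ForceNew,
// so a non-ignored diff on it means replacement.
func plan(s State, configValue string, ignoreValue bool) Action {
	if !s.InState {
		return Create // ignore_changes cannot help here
	}
	if s.EncryptedValue != configValue && !ignoreValue {
		return Replace
	}
	return NoOp
}
```

Run plan(readOld("t1", "t2", "v"), "v", true) against plan(readFixed("t1", "t2", "v"), "v", true) to see the create-vs-no-op difference the PR description reports.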

@bshore-bf bshore-bf force-pushed the support-environment-secrets-lifecycle-ignore-changes branch from 64d236b to 70adeac Compare May 7, 2025 21:57
@nickfloyd nickfloyd moved this from 🆕 Triage to 📆 Monthly in 🧰 Octokit Active May 30, 2025
thisispr (Contributor) commented:

+1

nbali commented Aug 12, 2025

Unlike #2499, this only handles a single type of secret:

github/resource_github_actions_environment_secret.go

vs

github/resource_github_actions_environment_secret.go
github/resource_github_actions_organization_secret.go
github/resource_github_actions_secret.go
github/resource_github_codespaces_organization_secret.go
github/resource_github_codespaces_secret.go
github/resource_github_codespaces_user_secret.go
github/resource_github_dependabot_organization_secret.go
github/resource_github_dependabot_secret.go

(Although this has test/doc changes and that one doesn't, I would still prefer a complete global fix, but I'm also just a random guy waiting for someone with proper merge rights to actually review any of them.)

bshore-bf (Contributor, Author) commented:

@nbali I was hopeful a more targeted PR with tests/docs might seem easier to merge from the Approver/Maintainer perspective.

nbali commented Aug 12, 2025

@bshore-bf well, there seems to be a general lack of attention regarding this repo nowadays; I mean the last meaningful commit happened in February.

thisispr (Contributor) commented Nov 4, 2025

@nickfloyd any chance to rev this PR and #2499?

@github-actions github-actions bot added the Type: Documentation Improvements or additions to documentation label Nov 10, 2025
nickfloyd (Member) commented:

> @nickfloyd any chance to rev this PR and #2499?

Hey @thisispr, I'm taking a look at this right now. It looks like #2499 has some merge conflicts. Let me know if you can get to those and I'll work on getting that reviewed and merged in before the next release. ❤️

@nickfloyd nickfloyd moved this from Backlog to In Review in Terraform Provider Nov 10, 2025
@nickfloyd nickfloyd added the Type: Bug Something isn't working as documented label Nov 10, 2025
nickfloyd (Member) left a review comment:

❤️ We recently dealt with this for org and repo secrets, thank you for doing this!

@nickfloyd nickfloyd merged commit 4af3fd3 into integrations:main Nov 10, 2025
4 checks passed
@github-project-automation github-project-automation bot moved this from 📆 Monthly to ✅ Done in 🧰 Octokit Active Nov 10, 2025
@github-project-automation github-project-automation bot moved this from In Review to Done in Terraform Provider Nov 10, 2025


Successfully merging this pull request may close these issues:

[BUG]: github_actions_environment_secret to be created again if secret value had been changed UI
