Pull in latest from upstream

.github/labeler.yml

@@ -1,18 +1,18 @@
 # Configuration for labeler - https://github.com/actions/labeler
 "Type: Breaking change":
-  - head-branch: 
+  - head-branch:
     - '^breaking/'
     - '^breaking-'
 
 "Type: Feature":
-  - head-branch: 
+  - head-branch:
     - '^feat/'
     - '^feat-'
     - '^feature/'
     - '^feature-'
 
 "Type: Bug":
-  - head-branch: 
+  - head-branch:
     - '^fix/'
     - '^fix-'
     - '^bugfix/'
@@ -28,7 +28,7 @@
     - '^deprecation-'
 
 "Type: Maintenance":
-  - head-branch: 
+  - head-branch:
     - '^chore/'
     - '^chore-'
     - '^maintenance/'
@@ -39,18 +39,18 @@
     - '^deps-'
     - '^dependencies/'
     - '^dependencies-'
-  - changed-files:
-    - any-glob-to-any-file: 
-      - .github/workflows/**
-      - .github/labeler.yml
-      - .github/dependabot.yml
-      - .github/release.yml
+  # - changed-files:
+  #   - any-glob-to-any-file: 
+  #     - .github/workflows/**
+  #     - .github/labeler.yml
+  #     - .github/dependabot.yml
+  #     - .github/release.yml
 
 "Type: Documentation":
   - head-branch:
     - '^docs/'
     - '^docs-'
     - '^doc/'
     - '^doc-'
-  - changed-files:
-    - any-glob-to-any-file: 'website/**'
+  # - changed-files:
+  #   - any-glob-to-any-file: 'website/**'

.github/workflows/ci.yml

@@ -5,19 +5,134 @@ on:
     branches: [main]
   pull_request: {}
 
+permissions:
+  contents: read # for actions/checkout
+
+env:
+  test_stacks_directory: test_tf_stacks
+
 jobs:
   ci:
+    name: Continuous Integration
     runs-on: ubuntu-latest
     env:
-      GITHUB_TEST_ORGANIZATION: 'kfcampbell-terraform-provider'
+      GITHUB_TEST_ORGANIZATION: kfcampbell-terraform-provider
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: go.mod
           cache: true
       - run: make tools
       - run: make lint
       - run: make website-lint
       - run: make build
       - run: make test
+
+  generate-matrix:
+    name: Generate matrix for test stacks
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      has-tests: ${{ steps.set-matrix.outputs.has-tests }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Generate matrix
+        id: set-matrix
+        run: |
+          if [ -d "${{ env.test_stacks_directory }}" ]; then
+            # find all directories and validate their names
+            VALID_TESTS=()
+            INVALID_TESTS=()
+
+            while IFS= read -r dir; do
+              dirname=$(basename "$dir")
+              # validate that directory name only contains alphanumeric, hyphens, underscores, and dots
+              if [[ "$dirname" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
+                VALID_TESTS+=("$dirname")
+              else
+                INVALID_TESTS+=("$dirname")
+              fi
+            done < <(find ${{ env.test_stacks_directory }} -mindepth 1 -maxdepth 1 -type d)
+
+            # report invalid directory names if any
+            if [ ${#INVALID_TESTS[@]} -gt 0 ]; then
+              echo "::warning::Invalid test directory names found (must contain only alphanumeric, hyphens, underscores, and dots):"
+              printf ' - %s (will be skipped)\n' "${INVALID_TESTS[@]}"
+            fi
+
+            # create JSON array from valid tests
+            if [ ${#VALID_TESTS[@]} -gt 0 ]; then
+              TESTS=$(printf '%s\n' "${VALID_TESTS[@]}" | jq -R -s -c 'split("\n")[:-1]')
+              echo "matrix=${TESTS}" >> $GITHUB_OUTPUT
+              echo "has-tests=true" >> $GITHUB_OUTPUT
+              echo "Found valid test directories: ${TESTS}"
+            else
+              echo "matrix=[]" >> $GITHUB_OUTPUT
+              echo "has-tests=false" >> $GITHUB_OUTPUT
+              echo "No valid test directories found"
+            fi
+          else
+            echo "Test directory ${{ env.test_stacks_directory }} does not exist"
+            echo "matrix=[]" >> $GITHUB_OUTPUT
+            echo "has-tests=false" >> $GITHUB_OUTPUT
+          fi
+
+  tests:
+    name: Run tests for Terraform test stacks
+    needs: [ci, generate-matrix]
+    if: ${{ needs.generate-matrix.outputs.has-tests == 'true' }} # only run if there are some test stacks
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        tests: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Build provider
+        run: go build -o terraform-provider-github
+
+      - name: Setup dev overrides
+        run: |
+          ROOT_DIR=$(pwd)
+          cat > ~/.terraformrc << EOF
+          provider_installation {
+            dev_overrides {
+              "integrations/github" = "${ROOT_DIR}"
+            }
+            direct {}
+          }
+          EOF
+
+      - name: Verify dev overrides setup
+        run: cat ~/.terraformrc
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        with:
+          terraform_version: 1.x
+
+      - name: Check Terraform version
+        run: terraform version
+
+      - name: Terraform init
+        continue-on-error: true # continue even if init fails
+        run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ matrix.tests }} init
+
+      - name: Terraform validate
+        run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ matrix.tests }} validate
+
+      - name: Clean up
+        run: rm -f ~/.terraformrc terraform-provider-github

examples/enterprise_settings/README.md

@@ -0,0 +1,172 @@
+# GitHub Enterprise Settings Example
+
+This example demonstrates how to configure GitHub Enterprise settings using the Terraform GitHub provider.
+
+## Overview
+
+Manage enterprise-level GitHub Actions settings with focused, composable resources:
+
+- **Actions Permissions**: Control which organizations can use GitHub Actions and what actions are allowed
+- **Workflow Permissions**: Manage default GITHUB_TOKEN permissions and pull request review settings
+
+## Requirements
+
+- GitHub Enterprise account
+- Personal access token with enterprise admin permissions
+- Terraform >= 0.14
+
+## Usage
+
+1. Set your environment variables:
+
+```bash
+export TF_VAR_github_token="your_github_token"
+export TF_VAR_enterprise_slug="your-enterprise-slug"
+```
+
+2. Initialize and apply:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+## Configuration Examples
+
+### Basic Configuration - Allow All Actions
+
+```terraform
+# Allow all actions for all organizations
+resource "github_enterprise_actions_permissions" "basic" {
+  enterprise_slug = "my-enterprise"
+
+  enabled_organizations = "all"
+  allowed_actions = "all"
+}
+
+# Use restrictive workflow permissions
+resource "github_enterprise_actions_workflow_permissions" "basic" {
+  enterprise_slug = "my-enterprise"
+
+  default_workflow_permissions = "read"
+  can_approve_pull_request_reviews = false
+}
+```
+
+### Advanced Configuration - Selective Permissions
+
+```terraform
+# Selective actions and organizations
+resource "github_enterprise_actions_permissions" "advanced" {
+  enterprise_slug = "my-enterprise"
+
+  enabled_organizations = "selected"
+  allowed_actions = "selected"
+
+  allowed_actions_config {
+    github_owned_allowed = true
+    verified_allowed = true
+    patterns_allowed = [
+      "actions/cache@*",
+      "actions/checkout@*",
+      "my-org/custom-action@v1"
+    ]
+  }
+
+  enabled_organizations_config {
+    organization_ids = [123456, 789012] # Replace with actual org IDs
+  }
+}
+
+# More permissive workflow settings
+resource "github_enterprise_actions_workflow_permissions" "advanced" {
+  enterprise_slug = "my-enterprise"
+
+  default_workflow_permissions = "write"
+  can_approve_pull_request_reviews = true
+}
+```
+
+## Available Enterprise Resources
+
+### Actions & Workflow Management
+- **`github_enterprise_actions_permissions`** - Controls which organizations can use GitHub Actions and which actions are allowed to run
+- **`github_enterprise_actions_workflow_permissions`** - Manages default GITHUB_TOKEN permissions and whether GitHub Actions can approve pull requests
+
+### Security & Analysis
+- **`github_enterprise_security_analysis_settings`** - Manages Advanced Security, secret scanning, and code analysis features for new repositories
+
+### Additional Resources (Available)
+- **`github_enterprise_actions_runner_group`** - Manages enterprise-level runner groups for GitHub Actions
+
+## Security Recommendations
+
+1. Use `"read"` workflow permissions by default
+2. Disable pull request review approvals for security
+3. Use `"selected"` actions policy to limit which actions can run
+4. Store tokens securely using environment variables
+
+## Configuration Reference
+
+### Actions Settings
+
+- **`actions_enabled_organizations`**: Controls which organizations can run GitHub Actions
+  - `"all"` - All organizations in the enterprise
+  - `"none"` - No organizations
+  - `"selected"` - Only specified organizations (requires additional configuration)
+
+- **`actions_allowed_actions`**: Controls which actions can be run
+  - `"all"` - All actions and reusable workflows
+  - `"local_only"` - Only actions and workflows in the same repository/organization
+  - `"selected"` - Only specified actions (requires additional configuration)
+
+When `actions_allowed_actions` is set to `"selected"`, you can specify:
+
+- **`actions_github_owned_allowed`**: Allow GitHub-owned actions (e.g., `actions/checkout`)
+- **`actions_verified_allowed`**: Allow verified Marketplace actions
+- **`actions_patterns_allowed`**: List of specific action patterns to allow
+
+### Workflow Settings
+
+- **`default_workflow_permissions`**: Default permissions for the GITHUB_TOKEN
+  - `"read"` - Read-only permissions (recommended for security)
+  - `"write"` - Read and write permissions
+
+- **`can_approve_pull_request_reviews`**: Whether GitHub Actions can approve pull request reviews
+  - `true` - Actions can approve PR reviews  
+  - `false` - Actions cannot approve PR reviews (recommended for security)
+
+## Security Considerations
+
+1. **Workflow Permissions**: Use `"read"` permissions by default and grant `"write"` only when necessary
+2. **PR Approvals**: Disable `can_approve_pull_request_reviews` to prevent automated approval bypasses
+3. **Action Restrictions**: Use `"selected"` for `actions_allowed_actions` to limit which actions can run
+4. **Token Security**: Store your GitHub token securely and use environment variables
+
+## Limitations
+
+This resource currently supports a subset of enterprise settings available through the GitHub API. Additional settings like fork PR workflows, artifact retention, and self-hosted runner permissions are not yet supported by the go-github version used in this provider and will be added in future versions.
+
+## Import
+
+You can import existing enterprise settings:
+
+```bash
+terraform import github_enterprise_settings.example my-enterprise
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Authentication**: Ensure your token has enterprise admin permissions
+2. **Enterprise Access**: Verify you have access to the specified enterprise
+3. **API Limits**: GitHub API has rate limits; consider adding delays for large configurations
+
+### Verification
+
+After applying, verify settings in the GitHub Enterprise dashboard:
+1. Go to your enterprise settings
+2. Navigate to "Policies" > "Actions"  
+3. Check that the configured settings match your Terraform configuration