feat: Add the ability to set the action and reusable workflow access level

github/resource_github_actions_repository_permissions.go

@@ -21,6 +21,11 @@ func resourceGithubActionsRepositoryPermissions() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
+			"access_level": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice([]string{"none", "user", "organization", "enterprise"}, false),
+			},
 			"allowed_actions": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -143,6 +148,17 @@ func resourceGithubActionsRepositoryPermissionsCreateOrUpdate(d *schema.Resource
 		}
 	}
 
+	accessLevel, ok := d.GetOk("access_level")
+	if ok && accessLevel != "" {
+		actionsAccess := github.RepositoryActionsAccessLevel{
+			AccessLevel: github.String(accessLevel.(string)),
+		}
+		_, err := client.Repositories.EditActionsAccessLevel(ctx, owner, repoName, actionsAccess)
+		if err != nil {
+			return err
+		}
+	}
+
 	d.SetId(repoName)
 	return resourceGithubActionsRepositoryPermissionsRead(d, meta)
 }
@@ -159,6 +175,15 @@ func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta
 		return err
 	}
 
+	repo, _, _ := client.Repositories.Get(ctx, owner, repoName)
+	if repo.GetVisibility() != "public" {
+		actionsAccess, _, err := client.Repositories.GetActionsAccessLevel(ctx, owner, repoName)
+		if err != nil {
+			return err
+		}
+		d.Set("access_level", actionsAccess.GetAccessLevel())
+	}
+
 	if actionsPermissions.GetAllowedActions() == "selected" {
 		actionsAllowed, _, err := client.Repositories.GetActionsAllowed(ctx, owner, repoName)
 		if err != nil {
@@ -208,5 +233,17 @@ func resourceGithubActionsRepositoryPermissionsDelete(d *schema.ResourceData, me
 		return err
 	}
 
+	repo, _, _ := client.Repositories.Get(ctx, owner, repoName)
+	if repo.GetVisibility() != "public" {
+		// Reset the access level to default
+		accessLevel := github.RepositoryActionsAccessLevel{
+			AccessLevel: github.String("none"),
+		}
+		_, err = client.Repositories.EditActionsAccessLevel(ctx, owner, repoName, accessLevel)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }

github/resource_github_actions_repository_permissions_test.go

@@ -65,8 +65,9 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 
 		allowedActions := "selected"
 		githubOwnedAllowed := true
-		verifiedAllowed := true
+		verifiedAllowed := false
 		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		accessLevel := "none"
 
 		config := fmt.Sprintf(`
 			resource "github_repository" "test" {
@@ -79,12 +80,12 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 				allowed_actions = "%s"
 				allowed_actions_config {
 					github_owned_allowed = %t
-					patterns_allowed     = ["actions/cache@*", "actions/checkout@*"]
+					patterns_allowed     = ["monalisa/octocat@*", "docker/*"]
 					verified_allowed     = %t
 				}
 				repository = github_repository.test.name
 			}
-		`, randomID, allowedActions, githubOwnedAllowed, verifiedAllowed)
+		`, randomID, allowedActions, githubOwnedAllowed, verifiedAllowed, accessLevel)
 
 		check := resource.ComposeTestCheckFunc(
 			resource.TestCheckResourceAttr(
@@ -238,4 +239,106 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 		})
 
 	})
+
+	t.Run("Allow access to actions from other repos owned by the same user", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		accessLevel := "user"
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name        = "tf-acc-test-topic-%[1]s"
+				description = "Terraform acceptance tests %[1]s"
+				topics		= ["terraform", "testing"]
+				visibility  = "private"
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				access_level    = "%s"
+				allowed_actions = "all"
+				repository      = github_repository.test.name
+			}
+		`, randomID, accessLevel)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"github_actions_repository_permissions.test", "access_level", accessLevel,
+			),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+				},
+			})
+		}
+
+		t.Run("with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+
+		t.Run("with an individual account", func(t *testing.T) {
+			testCase(t, individual)
+		})
+
+		// User isn't valid for organization, see the organization test for that.
+		t.Run("with an organization account", func(t *testing.T) {
+			t.Skip("organization account not supported for this input")
+		})
+	})
+
+	t.Run("Allow access to actions from within the organization", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+		accessLevel := "organization"
+		config := fmt.Sprintf(`
+			resource "github_repository" "test" {
+				name        = "tf-acc-test-topic-%[1]s"
+				description = "Terraform acceptance tests %[1]s"
+				topics		= ["terraform", "testing"]
+				visibility  = "private"
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				access_level    = "%s"
+				allowed_actions = "all"
+				repository      = github_repository.test.name
+			}
+		`, randomID, accessLevel)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"github_actions_repository_permissions.test", "access_level", accessLevel,
+			),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+				},
+			})
+		}
+
+		t.Run("with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+
+		t.Run("with an individual account", func(t *testing.T) {
+			t.Skip("user account not supported for this input")
+		})
+
+		// User isn't valid for organization, see the organization test for that.
+		t.Run("with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+	})
 }

website/docs/r/actions_repository_permissions.html.markdown

@@ -8,7 +8,7 @@ description: |-
 # github_actions_repository_permissions
 
 This resource allows you to enable and manage GitHub Actions permissions for a given repository.
-You must have admin access to an repository to use this resource.
+You must have admin access to a repository to use this resource.
 
 ## Example Usage
 
@@ -18,6 +18,7 @@ resource "github_repository" "example" {
 }
 
 resource "github_actions_repository_permissions" "test" {
+  access_level    = "user"
   allowed_actions = "selected"
   allowed_actions_config {
     github_owned_allowed = true
@@ -35,7 +36,8 @@ The following arguments are supported:
 * `repository`             - (Required) The GitHub repository
 * `allowed_actions`        - (Optional) The permissions policy that controls the actions that are allowed to run. Can be one of: `all`, `local_only`, or `selected`.
 * `enabled`                - (Optional) Should GitHub actions be enabled on this repository?
-* `allowed_actions_config` - (Optional) Sets the actions that are allowed in an repository. Only available when `allowed_actions` = `selected`. See [Allowed Actions Config](#allowed-actions-config) below for details.
+* `allowed_actions_config` - (Optional) Sets the actions that are allowed in a repository. Only available when `allowed_actions` = `selected`. See [Allowed Actions Config](#allowed-actions-config) below for details.
+* `access_level`           - (Optional) Sets the level of access that workflows outside of this repository have to actions and reusable workflows in this repository.  Can be one of: `none`, `user`, `organization`, or `enterprise`.
 
 ### Allowed Actions Config