@nickfloyd
Member

@nickfloyd nickfloyd commented Oct 28, 2025

Resolves #964
Resolves #2804

NOTE: Intended to be patched into v2.7.1 and merged into main.


Before the change?

  • Prior to this change, there was no way to control whether actions secrets were destroyed and created.

After the change?

  • We can now use the destroy_on_drift property to indicate if we should recreate if the secret was modified outside of the context of the provider.
  • Fixes a bug where, when destroyOnDrift=true (which is the default) and drift is detected, the code sets d.SetId("") but does NOT update the timestamp. This means on the next Terraform run, the old timestamp is still in state, so it will detect drift again, causing an infinite loop of "Provider produced inconsistent result" errors.

Pull request checklist

  • Schema migrations have been created if needed (example)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

@nickfloyd nickfloyd self-assigned this Oct 28, 2025
@nickfloyd nickfloyd added the Type: Bug Something isn't working as documented label Oct 28, 2025
@nickfloyd nickfloyd moved this from Backlog to In Review in Terraform Provider Oct 28, 2025
@nickfloyd nickfloyd changed the title from "Add destroy-on-drift property to the GitHub Action Secret resource schema" to "fix: Add destroy-on-drift property to the GitHub Action Secret resource schema" Oct 28, 2025
@nickfloyd
Member Author

cc: @grimm26

@pickgr

pickgr commented Oct 29, 2025

When upgrading the provider from 6.7.1 to 6.7.2, I'm seeing the following error:

╷
│ Error: InternalValidate
│
│   with module.github.provider["registry.terraform.io/integrations/github"],
│   on ../../modules/github/provider-github.tf line 3, in provider "github":
│    3: provider "github" {
│
│ Internal validation of the provider failed! This is always a bug
│ with the provider itself, and not a user issue. Please report
│ this bug:
│
│ resource github_actions_secret: No Update defined, must set ForceNew on: []string{"destroy_on_drift"}
╵

Is there a work-around for this?

@jkstpierre
Contributor

Running into the same issue as @pickgr here...

@nickfloyd nickfloyd merged commit 8cda607 into main Oct 29, 2025
3 checks passed
@nickfloyd nickfloyd deleted the 964/add-destroy-on-drift branch October 29, 2025 17:54
@github-project-automation github-project-automation bot moved this from In Review to Done in Terraform Provider Oct 29, 2025
@nickfloyd nickfloyd restored the 964/add-destroy-on-drift branch October 29, 2025 17:55
@nickfloyd
Member Author

nickfloyd commented Oct 29, 2025

@pickgr @jkstpierre Closing this PR - let me see if I can track down the issue or come up with a workaround. Apologies for the trouble - it looks like I might've left off the Update function but I need to verify - even though the resource does not have one the interface requires it.

Update:

It appears that I missed it in my cherry pick into the patch. The change is present in this branch but not in the patch.

Org update has the correct fix in the patch here.
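
Added example, not part of the thread and not the provider's or the plugin SDK's code: a standard-library-only Go model of the validation rule behind the `No Update defined, must set ForceNew on` error reported above. `Attr`, `Resource`, `validate` and `secretResource` are hypothetical stand-ins, and the three-attribute schema is a constructed subset; it shows that the check passes once the new attribute is `ForceNew` or the resource has an Update function.

```go
package main

import (
	"fmt"
	"sort"
)

// Attr and Resource are hypothetical stand-ins for the plugin SDK's
// schema.Schema and schema.Resource, reduced to what the check needs.
type Attr struct{ ForceNew, Computed bool }

type Resource struct {
	Schema    map[string]Attr
	HasUpdate bool // true when an Update function is registered
}

// validate models the rule: without an Update function a resource can only
// change by replacement, so every non-Computed attribute must be ForceNew.
func validate(name string, r Resource) error {
	if r.HasUpdate {
		return nil
	}
	var bad []string
	for k, a := range r.Schema {
		if !a.ForceNew && !a.Computed {
			bad = append(bad, k)
		}
	}
	if len(bad) == 0 {
		return nil
	}
	sort.Strings(bad) // map iteration order is random; keep the message stable
	return fmt.Errorf("resource %s: No Update defined, must set ForceNew on: %#v", name, bad)
}

// secretResource builds a constructed subset of the schema (assumption).
func secretResource(driftForceNew, hasUpdate bool) Resource {
	return Resource{HasUpdate: hasUpdate, Schema: map[string]Attr{
		"secret_name":      {ForceNew: true},
		"updated_at":       {Computed: true},
		"destroy_on_drift": {ForceNew: driftForceNew},
	}}
}

func main() {
	fmt.Println(validate("github_actions_secret", secretResource(false, false))) // error as reported
	fmt.Println(validate("github_actions_secret", secretResource(false, true)))  // Update defined
	fmt.Println(validate("github_actions_secret", secretResource(true, false)))  // ForceNew set
}
```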

@pickgr

pickgr commented Oct 29, 2025

> @pickgr @jkstpierre Closing this PR - let me see if I can track down the issue or come up with a workaround. Apologies for the trouble - it looks like I might've left off the Update function but I need to verify - even though the resource does not have one the interface requires it.
>
> Update:
>
> It appears that I missed it in my cherry pick into the patch. The change is present in this branch but not in the patch.
>
> Org update has the correct fix in the patch here.

Thanks @nickfloyd ! I just confirmed this is fixed in version 6.7.3

@nnellanspdl

Is this a user-configurable setting? If yes, do the docs need updated? https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret

@oskarsword

Too bad it was not implemented for github_environment_secrets that are facing the exact same issue.
It even says the resource supports ignore_change lifecycle parameter but it still replaces it due to "drift".
