Update security_and_analysis settings only when there are changes

[jamestran201]

The resourceGithubRepositoryUpdate function currently passes the current state of security_and_analysis to the PATCH /repo request. If the repo has an enforced security configuration, this can result in the API returning a 422 response because changing security settings is not allowed in this case. Even though the security_and_analysis settings remain the same, and only some other settings are changed, the request will still fail.

To avoid the request failing when security_and_analysis remains the same, we will only pass it in the request payload when changes have been made.

Resolves #2383

---

Before the change?

Currently, if a repository has Secret Scanning enabled. The payload in the PATCH /repository request will include this data, thus attempts to enable Secret Scanning on the repository again. This can happen even with this template that doesn't modify Secret Scanning

resource "github_repository" "allow_rebase_merge" {
  name               = "test-tf-changes"
  allow_rebase_merge = false
}

After the change?

The request payload for PATCH /repository will only contain the security_and_analysis object when security features are being modified. This means that the value for at least one of the features is being updated: advanced_security, secret_scanning, secret_scanning_push_protection, secret_scanning_non_provider_patterns, secret_scanning_validity_checks. By doing this, we will only attempt to modify these settings when a change is specified by the template.

Pull request checklist

• Tests for the changes have been added (for bug fixes / features)
• Docs have been reviewed and added / updated if needed (for bug fixes / features)

I didn't write an acceptance test for this change because the setup requires applying a security configuration to a repo. I tried the following manual test:

• Create main.tf that looks like

provider "github" {
  token = "<your API token here>"
  owner = "<your org here>"
}

terraform {
  required_providers {
    github = {
      source = "integrations/github"
    }
  }
}
resource "github_repository" "allow_rebase_merge" {
  name               = "manual-pr-test"
  allow_rebase_merge = false
  ignore_vulnerability_alerts_during_read = true
}

• Run terraform apply
• In the GitHub UI, create a security configuration that enforces all security features. Then apply it to the repo above
• Change allow_rebase_merge from false to true in the template
• Run terraform apply again
• The command should complete successfully

ignore_vulnerability_alerts_during_read is set for this test because the terraform state stored locally can be different from the repo's state after a security configuration is applied. This causes the update command to attempt changing Dependabot alerts enablement state, which will fail if the state is enforced by a security configuration.

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

• Yes
• No

---

[arkadiyt]

Would love to see this shipped, it is a very annoying issue for our org