From 6e23078bb1da3c1784f0e0eff7914438ac67ee8e Mon Sep 17 00:00:00 2001
From: Leonard Sheng Sheng Lee
Date: Mon, 1 Dec 2025 10:46:00 +0100
Subject: [PATCH] feat(actions_permissions): sha_pinning_required
Fix https://github.com/integrations/terraform-provider-github/issues/2869.
Signed-off-by: Leonard Sheng Sheng Lee
---
 ...github_actions_organization_permissions.go | 26 +++++++++++++++++++
 ...b_actions_organization_permissions_test.go | 4 ++-
 ...e_github_actions_repository_permissions.go | 10 +++++++
 ...hub_actions_repository_permissions_test.go | 4 ++-
 go.mod | 1 +
 go.sum | 2 ++
 vendor/modules.txt | 2 ++
 7 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go
index c12654f35e..1f7c36f3b3 100644
--- a/github/resource_github_actions_organization_permissions.go
+++ b/github/resource_github_actions_organization_permissions.go
@@ -57,6 +57,11 @@ func resourceGithubActionsOrganizationPermissions() *schema.Resource {
 Optional: true,
 Description: "Whether actions in GitHub Marketplace from verified creators are allowed. Set to 'true' to allow all GitHub Marketplace actions by verified creators.",
 },
+ "sha_pinning_required": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in an organization.",
+ },
 },
 },
 },
@@ -96,6 +101,10 @@ func resourceGithubActionsOrganizationAllowedObject(d *schema.ResourceData) *git
 allowed.VerifiedAllowed = &x
 }
+ if v, ok := data["sha_pinning_required"]; ok {
+ allowed.SHAPinningRequired = github.Bool(v.(bool))
+ }
+
 patternsAllowed := []string{}
 switch t := data["patterns_allowed"].(type) {
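Review bot: In the new `if v, ok := data["sha_pinning_required"]; ok` branch of resourceGithubActionsOrganizationAllowedObject an omitted attribute is, as far as I can tell, sent to GitHub as an explicit `false`: the SDK fills a nested-block map with the zero value of every schema key, so `ok` is true whether or not the user set it (the sibling `github_owned_allowed`/`verified_allowed` branches behave the same way). For an organization that already enforces SHA pinning, bringing it under this resource without setting the attribute would therefore silently switch enforcement off and re-open mutable tag references, which is a supply-chain regression worth making visible rather than implicit. I would add `Default: false,` next to `Optional: true,` in the schema hunk above and extend the description with `Omitting this attribute sends 'false' and disables the requirement.` Both enclosing functions continue outside their hunks.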
@@ -226,6 +235,7 @@ func resourceGithubActionsOrganizationPermissionsRead(d *schema.ResourceData, me
 "github_owned_allowed": actionsAllowed.GetGithubOwnedAllowed(),
 "patterns_allowed": actionsAllowed.PatternsAllowed,
 "verified_allowed": actionsAllowed.GetVerifiedAllowed(),
+ "sha_pinning_required": actionsAllowed.GetShaPinningRequired(),
 },
 }); err != nil {
 return err
@@ -306,3 +316,19 @@ func resourceGithubActionsOrganizationPermissionsDelete(d *schema.ResourceData,
 return nil
 }
+
+func flattenActionsAllowed(d *schema.ResourceData, actionsAllowed *github.ActionsAllowed) error {
+ if actionsAllowed != nil {
+ config := make(map[string]interface{})
+ config["github_owned_allowed"] = actionsAllowed.GetGithubOwnedAllowed()
+ config["verified_allowed"] = actionsAllowed.GetVerifiedAllowed()
+ config["patterns_allowed"] = schema.NewSet(schema.HashString, interfaceSlice(actionsAllowed.GetPatternsAllowed()))
+ config["sha_pinning_required"] = actionsAllowed.GetShaPinningRequired()
+
+ if err := d.Set("allowed_actions_config", []interface{}{config}); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
diff --git a/github/resource_github_actions_organization_permissions_test.go b/github/resource_github_actions_organization_permissions_test.go
index 5f7bf2b20d..a3802811d7 100644
--- a/github/resource_github_actions_organization_permissions_test.go
+++ b/github/resource_github_actions_organization_permissions_test.go
@@ -52,6 +52,7 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 enabledRepositories := "selected"
 githubOwnedAllowed := true
 verifiedAllowed := true
+ shaPinningRequired := true
 randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 config := fmt.Sprintf(`
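Review bot: `flattenActionsAllowed` is added at the end of the file but nothing in this patch calls it — the Read hunk above still builds the `allowed_actions_config` map inline — so it is dead code, and the unused-code linters this module pulls in (several golangci modules appear in go.mod) will likely flag it. It also disagrees with Read: here `patterns_allowed` becomes a `schema.NewSet(schema.HashString, …)` while Read stores `actionsAllowed.PatternsAllowed` as a plain slice, and the helper depends on `interfaceSlice` and `GetPatternsAllowed`, neither of which is visible in the diff. Either drop the function, or make Read call it (`return flattenActionsAllowed(d, actionsAllowed)` in place of the inline `d.Set`) once one representation for `patterns_allowed` is settled, and give the repository resource the same treatment so the two stay symmetric.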
@@ -68,12 +69,13 @@ func TestAccGithubActionsOrganizationPermissions(t *testing.T) {
 github_owned_allowed = %t
 patterns_allowed = ["actions/cache@*", "actions/checkout@*"]
 verified_allowed = %t
+ sha_pinning_required = %t
 }
 enabled_repositories_config {
 repository_ids = [github_repository.test.repo_id]
 }
 }
- `, randomID, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed)
+ `, randomID, allowedActions, enabledRepositories, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 check := resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(
diff --git a/github/resource_github_actions_repository_permissions.go b/github/resource_github_actions_repository_permissions.go
index 01ae5f0b9c..130390ac7f 100644
--- a/github/resource_github_actions_repository_permissions.go
+++ b/github/resource_github_actions_repository_permissions.go
@@ -50,6 +50,11 @@ func resourceGithubActionsRepositoryPermissions() *schema.Resource {
 Optional: true,
 Description: "Whether actions in GitHub Marketplace from verified creators are allowed. Set to 'true' to allow all GitHub Marketplace actions by verified creators.",
 },
+ "sha_pinning_required": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "Whether pinning to a specific SHA is required for all actions and reusable workflows in a repository.",
+ },
 },
 },
 },
@@ -85,6 +90,10 @@ func resourceGithubActionsRepositoryAllowedObject(d *schema.ResourceData) *githu
 allowed.VerifiedAllowed = &x
 }
+ if v, ok := data["sha_pinning_required"]; ok {
+ allowed.SHAPinningRequired = github.Bool(v.(bool))
+ }
+
 patternsAllowed := []string{}
 switch t := data["patterns_allowed"].(type) {
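Review bot: The organization acceptance test now sets `sha_pinning_required = %t` in the config but adds no assertion on it — the diffstat shows only three added lines in this file, and the `resource.ComposeTestCheckFunc` checks start after the hunk ends — so a Read path that silently drops or misreads the value (for example a getter returning the zero value) would still pass. Add a check next to the existing ones, something like `resource.TestCheckResourceAttr("github_actions_organization_permissions.test", "allowed_actions_config.0.sha_pinning_required", "true"),` with the resource address taken from the sibling checks, which are not visible here. The repository test further down has the same gap. The enclosing test function continues outside the hunk.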
@@ -189,6 +198,7 @@ func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta
 "github_owned_allowed": actionsAllowed.GetGithubOwnedAllowed(),
 "patterns_allowed": actionsAllowed.PatternsAllowed,
 "verified_allowed": actionsAllowed.GetVerifiedAllowed(),
+ "sha_pinning_required": actionsAllowed.GetShaPinningRequired(),
 },
 }); err != nil {
 return err
diff --git a/github/resource_github_actions_repository_permissions_test.go b/github/resource_github_actions_repository_permissions_test.go
index ab046661c8..baf09aba7f 100644
--- a/github/resource_github_actions_repository_permissions_test.go
+++ b/github/resource_github_actions_repository_permissions_test.go
@@ -62,6 +62,7 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 allowedActions := "selected"
 githubOwnedAllowed := true
 verifiedAllowed := true
+ shaPinningRequired := true
 randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
 config := fmt.Sprintf(`
@@ -77,10 +78,11 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 github_owned_allowed = %t
 patterns_allowed = ["actions/cache@*", "actions/checkout@*"]
 verified_allowed = %t
+ sha_pinning_required = %t
 }
 repository = github_repository.test.name
 }
- `, randomID, allowedActions, githubOwnedAllowed, verifiedAllowed)
+ `, randomID, allowedActions, githubOwnedAllowed, verifiedAllowed, shaPinningRequired)
 check := resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(
diff --git a/go.mod b/go.mod
index ce64ff38d8..6a0e3702a8 100644
--- a/go.mod
+++ b/go.mod
@@ -105,6 +105,7 @@ require (
 github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e // indirect
 github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e // indirect
 github.com/google/go-cmp v0.7.0 // indirect
+ github.com/google/go-github/v79 v79.0.0 // indirect
 github.com/google/go-querystring v1.1.0 // indirect
 github.com/gordonklaus/ineffassign v0.2.0 // indirect
 github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
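Review bot: go-github v79 is added here only as an `// indirect` requirement, and the vendor/modules.txt hunk below lists the module with no package path under it, so nothing in the provider actually imports it; the resource files touched by this patch still resolve `github.ActionsAllowed` against the vendored v67 package, the only go-github package listed. The new `allowed.SHAPinningRequired` field and the `GetShaPinningRequired()` accessor must therefore exist in v67 for this to build — please confirm, and check the accessor spelling, since if go-github's generated getters mirror the field name the method would be `GetSHAPinningRequired`. If the field is only present in v79, the import in both resource files has to move and this line should become a direct requirement rather than `// indirect`; if it is present in v67, this requirement looks like a leftover that `go mod tidy` would drop.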
diff --git a/go.sum b/go.sum
index 3e0e41bd61..0b7c2989ce 100644
--- a/go.sum
+++ b/go.sum
@@ -334,6 +334,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-github/v67 v67.0.0 h1:g11NDAmfaBaCO8qYdI9fsmbaRipHNWRIU/2YGvlh4rg=
 github.com/google/go-github/v67 v67.0.0/go.mod h1:zH3K7BxjFndr9QSeFibx4lTKkYS3K9nDanoI1NjaOtY=
+github.com/google/go-github/v79 v79.0.0 h1:MdodQojuFPBhmtwHiBcIGLw/e/wei2PvFX9ndxK0X4Y=
+github.com/google/go-github/v79 v79.0.0/go.mod h1:OAFbNhq7fQwohojb06iIIQAB9CBGYLq999myfUFnrS4=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 25fe595288..b101914dbc 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -564,6 +564,8 @@ github.com/google/go-cmp/cmp/internal/value
 # github.com/google/go-github/v67 v67.0.0
 ## explicit; go 1.21
 github.com/google/go-github/v67/github
+# github.com/google/go-github/v79 v79.0.0
+## explicit; go 1.24.0
 # github.com/google/go-querystring v1.1.0
 ## explicit; go 1.10
 github.com/google/go-querystring/query