terraform-provider-github

[Feature Request] Add support for branch protection required_status_check 'checks' object

Open david-bain opened this issue 3 years ago • 3 comments

GitHub has updated protected branches to include an app_id along with the status_check context as a new object named checks. This has deprecated context at the higher level and is required to be able to set the source of a required status check. Is it possible to get an update to the branch_protection resource and utils to add support for this in the GraphQL call?

I believe we could make the app_id optional as it is currently optional on the REST API call, and therefore could come in as a minor update.

david-bain, Jul 04 '22 02:07

I took a stab at implementing this locally, but there are some decisions to be made around how to implement this new field in the state file. Below are my notes:

  • The GitHub API does not allow you to pass both the contexts field and the checks field together in an update API call; you have to pass only one of the two.
Error: PUT https://api.github.com/repos/ardakuyumcuorg/tf-acc-test-6emb0/branches/main/protection: 422 Invalid request.

        No subschema in "anyOf" matched.
        More than one subschema in "oneOf" matched.
        Not all subschemas of "allOf" matched.
        For 'anyOf/1', {"strict"=>true, "contexts"=>["github/foo", "github/bar"], "checks"=>[{"context"=>"github/foo"}, {"context"=>"github/bar", "app_id"=>-1}]} is not a null. []
  • Even if you set only the checks field in the Terraform resource definition, when reading back the resource from GitHub both the contexts field and the checks field are populated, as they are the same from GitHub's perspective. This causes issues with the terraform plan output when you try to apply the same resource definition twice:
➜  ~ curl -L -H "Authorization: token $GITHUB_TOKEN" -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/ardakuyumcuorg/tf-acc-test-oqozw/branches/main/protection
...
  "required_status_checks": {
    "url": "https://api.github.com/repos/ardakuyumcuorg/tf-acc-test-oqozw/branches/main/protection/required_status_checks",
    "strict": true,
    "contexts": [
      "github/foo"
    ],
    "contexts_url": "https://api.github.com/repos/ardakuyumcuorg/tf-acc-test-oqozw/branches/main/protection/required_status_checks/contexts",
    "checks": [
      {
        "context": "github/foo",
        "app_id": null
      }
    ]
  },
...
  • The app_id field of the checks object is optional. However, there are special cases to handle here:
    • If you omit the app_id, the default behavior is to require the check from the last GitHub App which set the context on a commit in that repository. If that context was never set by any app before, the default behavior is to require it from any source, e.g. app_id = null from GitHub's perspective.
    • If you pass in -1 as the app_id, the behavior is to require it from any source again, e.g. app_id = null from GitHub's perspective.

ardakuyumcu, Jul 16 '22 20:07
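
The three behaviours listed in the notes above, sketched in Go as an added example (not code from the provider or from the comment's author). `Check`, `BuildUpdate` and `InSync` are hypothetical names, the read-back body is constructed, and one check per context is assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Check is one "checks" entry; a nil AppID leaves app_id out of the request.
type Check struct {
	Context string `json:"context"`
	AppID   *int64 `json:"app_id,omitempty"`
}
type statusChecks struct {
	Strict   bool     `json:"strict"`
	Contexts []string `json:"contexts,omitempty"`
	Checks   []Check  `json:"checks,omitempty"`
}

// BuildUpdate rejects the contexts+checks combination behind the 422 above.
func BuildUpdate(strict bool, contexts []string, checks []Check) ([]byte, error) {
	if len(contexts) > 0 && len(checks) > 0 {
		return nil, fmt.Errorf("set either contexts or checks, not both")
	}
	return json.Marshal(statusChecks{Strict: strict, Contexts: contexts, Checks: checks})
}

// InSync ignores the echoed "contexts" list. Desired app_id -1 matches a
// returned null; an omitted app_id is accepted as whatever GitHub resolved.
func InSync(desired []Check, readBack []byte) (bool, error) {
	var got statusChecks
	if err := json.Unmarshal(readBack, &got); err != nil || len(got.Checks) != len(desired) {
		return false, err
	}
	remote := make(map[string]*int64, len(got.Checks))
	for _, c := range got.Checks {
		remote[c.Context] = c.AppID
	}
	for _, d := range desired {
		r, ok := remote[d.Context]
		if !ok || (d.AppID != nil && ((*d.AppID == -1) != (r == nil) || (r != nil && *r != *d.AppID))) {
			return false, nil
		}
	}
	return true, nil
}

func main() { // body is a constructed read-back, modelled on the response quoted above
	body, anySource := []byte(`{"strict":true,"contexts":["github/foo"],"checks":[{"context":"github/foo","app_id":null}]}`), int64(-1)
	fmt.Println(InSync([]Check{{Context: "github/foo", AppID: &anySource}}, body))
}
```

A check pinned to a specific app_id that reads back as null is reported as out of sync, since that check would then be required from any source.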

See: https://github.com/integrations/terraform-provider-github/issues/1147, https://github.com/google/go-github/issues/2467 and https://github.com/orgs/community/discussions/24642. The contexts field is deprecated and checks should be used instead.

luisdavim, Sep 18 '22 16:09

Not working in provider version 5.1.0

JaSiLez, Sep 20 '22 18:09

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

github-actions[bot], Jun 18 '23 02:06