[BUG]: `github_actions_environment_secret` resource fails on 404 error

[YElyousfi]

trafficstars

It seems that the resource doesn't work at all. The terraform apply step fails with 404 error. Upon further investigation it seems like the URL in the GET request of the error message doesn't seem to match the GitHub API docs for creating an environment secret.

Can anyone take a look and confirm? Anyone successfully using this resource?

I've included the terraform apply log below and it fails trying to access the following URL:

• https://api.github.com/repos//hello-world

Instead of what should probably be (according to the API docs):

• https://api.github.com/repositories/REPOSITORY_ID/environments/ENVIRONMENT_NAME/secrets/SECRET_NAME
• Docs link: https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#create-or-update-an-environment-secret

Terraform will perform the following actions:

  # github_actions_environment_secret.organization_service_account_token["prod"] will be created
  + resource "github_actions_environment_secret" "api_token" {
      + created_at      = (known after apply)
      + environment     = "prod"
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "hello-world"
      + secret_name     = "PROD_API_TOKEN"
      + updated_at      = (known after apply)
    }

  # github_actions_environment_secret.api_token["uat"] will be created
  + resource "github_actions_environment_secret" "api_token" {
      + created_at      = (known after apply)
      + environment     = "uat"
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "hello-world"
      + secret_name     = "UAT_API_TOKEN"
      + updated_at      = (known after apply)
    }

  # github_actions_environment_secret.api_token["dev"] will be created
  + resource "github_actions_environment_secret" "api_token" {
      + created_at      = (known after apply)
      + environment     = "dev"
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "hello-world"
      + secret_name     = "DEV_API_TOKEN"
      + updated_at      = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.
github_actions_environment_secret.api_token["dev"]: Creating...
github_actions_environment_secret.api_token["prod"]: Creating...
github_actions_environment_secret.api_token["uat"]: Creating...
╷
│ Error: GET https://api.github.com/repos//hello-world: 404 Not Found []
│
│   with github_actions_environment_secret.api_token["uat"],
│   on github-actions-environment-secrets.tf line 1, in resource "github_actions_environment_secret" "api_token":
│    1: resource "github_actions_environment_secret" "api_token" {
│
╵
╷
│ Error: GET https://api.github.com/repos//hello-world: 404 Not Found []
│
│   with github_actions_environment_secret.api_token["dev"],
│   on github-actions-environment-secrets.tf line 1, in resource "github_actions_environment_secret" "api_token":
│    1: resource "github_actions_environment_secret" "api_token" {
│
╵
╷
│ Error: GET https://api.github.com/repos//hello-world: 404 Not Found []
│
│   with github_actions_environment_secret.api_token["prod"],
│   on github-actions-environment-secrets.tf line 1, in resource "github_actions_environment_secret" "api_token":
│    1: resource "github_actions_environment_secret" "api_token" {
│
╵

[kfcampbell]

@YElyousfi in general, URL errors such as the one you're seeing are due to incorrect authentication. What form of auth are you using and how are you setting it up?

[YElyousfi]

@YElyousfi in general, URL errors such as the one you're seeing are due to incorrect authentication. What form of auth are you using and how are you setting it up?

I see, I'm using GitHub App authentication. Curious though, why does that affect things? The URL endpoint in the error is different than the URL from the docs

[kfcampbell]

It's likely your App doesn't have the correct permissions for this operation. The URL is different because the provider begins with a GET request to the repo itself before performing operations on the environment secrets.

[rtsisyk]

Hello, I have the same issue with PAT

[sachasmart-weavik]

Any solution for this? Currently running into this.

[atrull]

I'm seeing similar errors - the provider seems to think the environment was created, but when trying to put secrets, it doesn't find the public key with which to encrypt the secrets... and when I look in the repo config for the environment it doesn't exist.

Even when I apply more 'config' via arguments, to the environment being made, like a wait ttl or some branch protection boolean bits, it doesn't actually create the env.

If I create the environment via the github GUI then the secrets get there successfully on the next apply.

[dwwhitlock]

Echoing @atrull . If the github_repository_environment is created via the GUI instead of a terraform resource, both github_actions_environment_variable and github_actions_environment_secret work.

[rtsisyk]

Echoing @atrull . If the github_repository_environment is created via the GUI instead of a terraform resource, both github_actions_environment_variable and github_actions_environment_secret work.

I have github_repository_environment create via GUI and it doesn't help. Are you sure?

[h3nryza]

Has anyone had a resolution on this one? I have confirmed that it is most definitely not permissions by creating it via the api direct. Then trying with the same PAT with TF Provider (6.0). I managed to pull a funny one and added ../org/repo and the URL came back correct, but I suspect that its just malformed as I still get a 404

[github-actions[bot]]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!