terraform-provider-github

[BUG]: V5.44.0 breaks `github_branch_protection_v3`

Open brett-swan-sh opened this issue 1 year ago • 7 comments

Expected Behavior

Branch protection should be created. If I had to guess, this is likely related to the bump in go-github that went out in the most recent release. Pinning the provider version to v5.43.0 resolved the issue.

Actual Behavior

Plan: 1 to add, 0 to change, 0 to destroy.
module.repositories["repo"].github_branch_protection_v3.this[0]: Creating...

Error: PUT https://api.github.com/repos/<org>/<repo>/branches/main/protection: 422 Invalid request.

No subschema in "anyOf" matched.
No subschema in "oneOf" matched.
Not all subschemas of "allOf" matched.
For 'anyOf/1', {"strict"=>true} is not a null. []

  with module.repositories["repo"].github_branch_protection_v3.this[0],
  on ../../terraform_modules/GithubRepo/main.tf line 68, in resource "github_branch_protection_v3" "this":
  68: resource "github_branch_protection_v3" "this" {

Terraform Version

Terraform 1.6.6, integrations/github 5.44.0

Affected Resource(s)

  • github_branch_protection_v3

Terraform Configuration Files

resource "github_branch_protection_v3" "this" {
  count = var.protect_default_branch ? 1 : 0
  repository = github_repository.this.name
  branch = github_branch.default.branch
  enforce_admins = false
  require_conversation_resolution = var.require_conversation_resolution
  
  required_status_checks {
    strict = true
    checks = length(var.required_ci_checks) > 0 ? var.required_ci_checks : null
  }
}

Steps to Reproduce

terraform apply

Debug Output

No response

Panic Output

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

brett-swan-sh, Jan 11 '24 22:01

I can confirm that. Thanks for reporting it.

SkYNewZ, Jan 12 '24 15:01

I'd like to point out that we ran into this issue with 6.0.0 as well – 5.43.0 is still the latest working version

awendt, Mar 06 '24 14:03

This is also happening in 6.2.0, currently pinned to the latest working version 5.42:

No subschema in "oneOf" matched.
Not all subschemas of "allOf" matched.
For 'anyOf/1', {"strict"=>true} is not a null. []

jakubslonxlab, Mar 27 '24 13:03

I'm sure it's already assumed but just an FYI, issue is still occurring in v6.2.1:

Error: PUT https://api.github.com/repos/<org>/<repo>/branches/main/protection: 422 Invalid request.
No subschema in "anyOf" matched.
No subschema in "oneOf" matched.
Not all subschemas of "allOf" matched.
For 'anyOf/1', {"strict"=>true} is not a null. []

sam-netlogix, Apr 03 '24 19:04

I can confirm this is still broken in v6.2.2

awendt, Jul 10 '24 12:07

My colleague @fmasuhr noticed that we're running into this problem because of our configuration. 🎉 We were using required_status_checks with strict = true but without any checks attribute:

resource "github_branch_protection_v3" "example" {
  repository     = github_repository.example.name
  branch         = github_branch_default.example.branch
  enforce_admins = true

  required_status_checks {
    strict = true
  }

  required_pull_request_reviews {
    required_approving_review_count = 1
  }
}

When we removed required_status_checks entirely (because strict = true has no effect), we were able to create branch protections with the latest version. This is aligned with the UI description for branch protections:

This ensures pull requests targeting a matching branch have been tested with the latest code. This setting will not take effect unless at least one status check is enabled (see below).

I suspect the condition in the OP's configuration at checks is false, and that's what's causing the error.

awendt, Jul 11 '24 08:07
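
Following the diagnosis in the last comment, one way to keep branch protection managed without sending a `required_status_checks` block that has `strict = true` and no checks. This is an added example, not code from the thread or from the provider; the variables `repository` and `branch` and the `list(string)` type of `required_ci_checks` are assumptions made so the snippet stands alone.

```hcl
terraform {
  required_providers {
    github = {
      source = "integrations/github"
    }
  }
}

# Assumed inputs (hypothetical names, except required_ci_checks from the report).
variable "repository" {
  type = string
}

variable "branch" {
  type    = string
  default = "main"
}

variable "required_ci_checks" {
  type    = list(string)
  default = []
}

resource "github_branch_protection_v3" "this" {
  repository     = var.repository
  branch         = var.branch
  enforce_admins = false

  # Emit the block only when at least one check is configured.
  # With an empty list the block is omitted entirely, instead of
  # being sent as { strict = true } with checks = null.
  dynamic "required_status_checks" {
    for_each = length(var.required_ci_checks) > 0 ? [1] : []

    content {
      strict = true
      checks = var.required_ci_checks
    }
  }
}
```

With `required_ci_checks = []` the plan contains no `required_status_checks` block at all, which matches the workaround of removing it; with a non-empty list the block carries both `strict` and `checks`.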