terraform-provider-github

[BUG]: Removing bypass actors from Rulesets does not have any effect

Open yamatt opened this issue 1 month ago • 6 comments

Expected Behavior

When removing bypass_actors from a github_organization_ruleset, this is recognised in the plan and removed from the rulesets.

Actual Behavior

When removing bypass_actors from a github_organization_ruleset, this is recognised in the plan but not removed from the rulesets.

Terraform Version

Terraform v1.14.0 on windows_amd64

  • provider registry.terraform.io/hashicorp/azurerm v4.49.0
  • provider registry.terraform.io/hashicorp/time v0.13.1
  • provider registry.terraform.io/integrations/github v6.8.3

Affected Resource(s)

  • github_organization_ruleset

Terraform Configuration Files

resource "github_organization_ruleset" "review_required_protected_branches" {
  name        = "Review required on protected branches"
  enforcement = "active"
  target      = "branch"

  conditions {
    ref_name {
      exclude = []
      include = [
        "~DEFAULT_BRANCH",
        "refs/heads/main",
      ]
    }
    repository_name {
      exclude   = []
      include   = local.repos
      protected = false
    }
  }

  rules {
    creation                = false
    deletion                = true
    non_fast_forward        = true
    required_linear_history = false
    required_signatures     = false
    update                  = false

    pull_request {
      dismiss_stale_reviews_on_push     = true
      require_code_owner_review         = true
      require_last_push_approval        = true
      required_approving_review_count   = 1
      required_review_thread_resolution = true
    }
  }

  lifecycle {
    prevent_destroy = true
  }
}

Steps to Reproduce

Running Terraform plan in my pipeline, I can see this output:

# github_organization_ruleset.review_required_protected_branches will be updated in-place
  ~ resource "github_organization_ruleset" "review_required_protected_branches" {
        id          = "8406***"
        name        = "Git Flow: Review required on protected branches"
        # (5 unchanged attributes hidden)

      - bypass_actors {
          - actor_id    = 13588*** -> null
          - actor_type  = "Team" -> null
          - bypass_mode = "always" -> null
        }
      - bypass_actors {
          - actor_id    = 13588*** -> null
          - actor_type  = "Team" -> null
          - bypass_mode = "always" -> null
        }

        # (2 unchanged blocks hidden)
    }

And in the apply:

github_organization_ruleset.review_required_protected_branches: Modifying... [id=8406***]
...
github_organization_ruleset.review_required_protected_branches: Modifications complete after 4s [id=8406***]

But checking the Ruleset, the bypass_actors are still there.


yamatt Nov 26 '25 16:11

I was wondering if #2929 was related

yamatt Nov 26 '25 16:11

+1, I've also observed this.

Celdir Dec 03 '25 23:12

It looks like the organization role doesn't currently support removing the bypass actors.

stevehipwell Dec 05 '25 11:12

I've just looked at the code and this requires a newer version of the SDK so we'll have to pick this up as part of the v7 release.

stevehipwell Dec 05 '25 12:12

Understood. I saw on another PR that's in the works. Thanks for looking into it.

yamatt Dec 05 '25 12:12

Yes, this is possibly addressed in https://github.com/integrations/terraform-provider-github/pull/2958

deiga Dec 05 '25 12:12
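
Because the apply in this issue reports success while the bypass actors stay in place, a post-apply check against the live ruleset is the only way to catch it. The following is an added example, not code from this thread or from the provider project: it compares the bypass_actors in `terraform show -json` state with the JSON returned by `GET /orgs/{org}/rulesets/{ruleset_id}`. The function names, both sample documents and the actor ids are constructed for illustration, and only root-module resources are handled.

```python
import json

ADDRESS = "github_organization_ruleset.review_required_protected_branches"

def _key(actor):
    return (actor["actor_type"], actor.get("actor_id"), actor["bypass_mode"])

def declared_actors(state, address):
    """bypass_actors held in `terraform show -json` state for one root-module resource."""
    for res in state["values"]["root_module"].get("resources", []):
        if res["address"] == address:
            return res["values"].get("bypass_actors") or []
    raise KeyError(f"{address} not in state")

def bypass_drift(declared, live):
    """Compare declared actors with the live ruleset JSON; returns (status, unexpected, missing)."""
    # A response without the key proves nothing: GitHub only returns bypass_actors
    # to callers with write access to the ruleset, so do not read absence as "empty".
    if "bypass_actors" not in live:
        return ("unverifiable", [], [])
    want = {_key(a) for a in declared}
    have = {_key(a) for a in live["bypass_actors"] or []}
    unexpected = sorted(have - want, key=repr)  # live on GitHub, not in Terraform
    missing = sorted(want - have, key=repr)     # in Terraform, not live
    return ("drift" if unexpected or missing else "ok", unexpected, missing)

# Constructed sample: state after the apply shown above (no bypass_actors left).
STATE = json.loads("""{"values": {"root_module": {"resources": [{
  "address": "github_organization_ruleset.review_required_protected_branches",
  "values": {"name": "Review required on protected branches", "bypass_actors": []}}]}}}""")

# Constructed sample: live ruleset still listing two teams (actor ids are made up).
LIVE = json.loads("""{"name": "Review required on protected branches",
  "enforcement": "active", "bypass_actors": [
    {"actor_id": 1002, "actor_type": "Team", "bypass_mode": "always"},
    {"actor_id": 1001, "actor_type": "Team", "bypass_mode": "always"}]}""")

def check():
    return bypass_drift(declared_actors(STATE, ADDRESS), LIVE)

if __name__ == "__main__":
    status, unexpected, missing = check()
    print(status)
    for actor in unexpected:
        print("still able to bypass:", actor)
    raise SystemExit(0 if status == "ok" else 1)
```

Run as a pipeline step after apply, the non-zero exit on "drift" or "unverifiable" fails the job instead of trusting the "Modifications complete" line.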