Merge remote-tracking branch 'origin/cost-centers' into release-v6.9

Author: github-actions[bot]

.github/workflows/ci.yaml

@@ -1,4 +1,4 @@
-name: GitHub Actions CI
+name: CI
 
 on:
   push:
@@ -21,11 +21,11 @@ jobs:
   ci:
     name: Continuous Integration
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     defaults:
       run:
         shell: bash
-    env:
-      GITHUB_TEST_ORGANIZATION: kfcampbell-terraform-provider
     steps:
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -35,7 +35,7 @@ jobs:
           go-version-file: go.mod
           cache: true
       - run: make tools
-      - run: make lint
+      - run: make lintcheck
       - run: make website-lint
       - run: make build
       - run: make test

GNUmakefile

@@ -8,17 +8,18 @@ tools:
 	go install github.com/client9/misspell/cmd/misspell@v0.3.4
 	go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.6.0
 
-build: fmtcheck
+build: lintcheck
 	CGO_ENABLED=0 go build -ldflags="-s -w" ./...
 
 fmt:
 	@echo "==> Fixing source code with golangci-lint..."
 	golangci-lint fmt ./...
 
-fmtcheck:
-	@sh -c "'$(CURDIR)/scripts/gofmtcheck.sh'"
-
 lint:
+	@echo "==> Checking source code against linters and fixing..."
+	golangci-lint run --fix ./...
+
+lintcheck:
 	@echo "==> Checking source code against linters..."
 	golangci-lint run ./...
 
@@ -55,4 +56,4 @@ ifeq (,$(wildcard $(GOPATH)/src/$(WEBSITE_REPO)))
 endif
 	@$(MAKE) -C $(GOPATH)/src/$(WEBSITE_REPO) website-provider-test PROVIDER_PATH=$(shell pwd) PROVIDER_NAME=$(PKG_NAME)
 
-.PHONY: build test testacc fmt fmtcheck lint tools test-compile website website-lint website-test
+.PHONY: build test testacc fmt lint lintcheck tools test-compile website website-lint website-test

examples/cost_centers/main.tf

@@ -0,0 +1,103 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+}
+
+provider "github" {
+  token = var.github_token
+}
+
+variable "github_token" {
+  description = "GitHub classic personal access token (PAT) for an enterprise admin"
+  type        = string
+  sensitive   = true
+}
+
+variable "enterprise_slug" {
+  description = "The GitHub Enterprise slug"
+  type        = string
+}
+
+variable "cost_center_name" {
+  description = "Name for the cost center"
+  type        = string
+}
+
+variable "users" {
+  description = "Usernames to assign to the cost center"
+  type        = list(string)
+  default     = []
+}
+
+variable "organizations" {
+  description = "Organization logins to assign to the cost center"
+  type        = list(string)
+  default     = []
+}
+
+variable "repositories" {
+  description = "Repositories (full name, e.g. org/repo) to assign to the cost center"
+  type        = list(string)
+  default     = []
+}
+
+resource "github_enterprise_cost_center" "example" {
+  enterprise_slug = var.enterprise_slug
+  name            = var.cost_center_name
+}
+
+# Authoritative assignments: Terraform will add/remove to match these lists.
+resource "github_enterprise_cost_center_resources" "example" {
+  enterprise_slug = var.enterprise_slug
+  cost_center_id  = github_enterprise_cost_center.example.id
+
+  users         = var.users
+  organizations = var.organizations
+  repositories  = var.repositories
+}
+
+data "github_enterprise_cost_center" "by_id" {
+  enterprise_slug = var.enterprise_slug
+  cost_center_id  = github_enterprise_cost_center.example.id
+
+  depends_on = [github_enterprise_cost_center_resources.example]
+}
+
+data "github_enterprise_cost_centers" "active" {
+  enterprise_slug = var.enterprise_slug
+  state           = "active"
+
+  depends_on = [github_enterprise_cost_center.example]
+}
+
+output "cost_center" {
+  description = "Created cost center"
+  value = {
+    id                 = github_enterprise_cost_center.example.id
+    name               = github_enterprise_cost_center.example.name
+    state              = github_enterprise_cost_center.example.state
+    azure_subscription = github_enterprise_cost_center.example.azure_subscription
+  }
+}
+
+output "cost_center_resources" {
+  description = "Effective assignments (read from API)"
+  value = {
+    users         = sort(tolist(github_enterprise_cost_center_resources.example.users))
+    organizations = sort(tolist(github_enterprise_cost_center_resources.example.organizations))
+    repositories  = sort(tolist(github_enterprise_cost_center_resources.example.repositories))
+  }
+}
+
+output "cost_center_from_data_source" {
+  description = "Cost center fetched by data source"
+  value = {
+    id    = data.github_enterprise_cost_center.by_id.cost_center_id
+    name  = data.github_enterprise_cost_center.by_id.name
+    state = data.github_enterprise_cost_center.by_id.state
+  }
+}

github/apps.go

@@ -9,7 +9,6 @@ import (
 	"io"
 	"net/http"
 	"net/url"
-	"path"
 	"time"
 
 	"github.com/go-jose/go-jose/v3"
@@ -18,29 +17,22 @@ import (
 
 // GenerateOAuthTokenFromApp generates a GitHub OAuth access token from a set of valid GitHub App credentials.
 // The returned token can be used to interact with both GitHub's REST and GraphQL APIs.
-func GenerateOAuthTokenFromApp(baseURL *url.URL, appID, appInstallationID, pemData string) (string, error) {
+func GenerateOAuthTokenFromApp(apiURL *url.URL, appID, appInstallationID, pemData string) (string, error) {
 	appJWT, err := generateAppJWT(appID, time.Now(), []byte(pemData))
 	if err != nil {
 		return "", err
 	}
 
-	token, err := getInstallationAccessToken(baseURL, appJWT, appInstallationID)
+	token, err := getInstallationAccessToken(apiURL, appJWT, appInstallationID)
 	if err != nil {
 		return "", err
 	}
 
 	return token, nil
 }
 
-func getInstallationAccessToken(baseURL *url.URL, jwt, installationID string) (string, error) {
-	hostname := baseURL.Hostname()
-	if hostname != DotComHost && !GHECDataResidencyHostMatch.MatchString(hostname) {
-		baseURL.Path = path.Join(baseURL.Path, "api/v3/")
-	}
-
-	baseURL.Path = path.Join(baseURL.Path, "app/installations/", installationID, "access_tokens")
-
-	req, err := http.NewRequest(http.MethodPost, baseURL.String(), nil)
+func getInstallationAccessToken(apiURL *url.URL, jwt, installationID string) (string, error) {
+	req, err := http.NewRequest(http.MethodPost, apiURL.JoinPath("app/installations", installationID, "access_tokens").String(), nil)
 	if err != nil {
 		return "", err
 	}

github/apps_test.go

@@ -146,7 +146,7 @@ func TestGetInstallationAccessToken(t *testing.T) {
 
 	ts := githubApiMock([]*mockResponse{
 		{
-			ExpectedUri: fmt.Sprintf("/api/v3/app/installations/%s/access_tokens", testGitHubAppInstallationID),
+			ExpectedUri: fmt.Sprintf("/app/installations/%s/access_tokens", testGitHubAppInstallationID),
 			ExpectedHeaders: map[string]string{
 				"Accept":        "application/vnd.github.v3+json",
 				"Authorization": fmt.Sprintf("Bearer %s", fakeJWT),

github/config.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"path"
 	"regexp"
 	"strings"
 	"time"
@@ -19,7 +18,8 @@ import (
 type Config struct {
 	Token            string
 	Owner            string
-	BaseURL          string
+	BaseURL          *url.URL
+	IsGHES           bool
 	Insecure         bool
 	WriteDelay       time.Duration
 	ReadDelay        time.Duration
@@ -38,12 +38,23 @@ type Owner struct {
 	IsOrganization bool
 }
 
-// DotComHost is the hostname for GitHub.com API.
-const DotComHost = "api.github.com"
+const (
+	// DotComAPIURL is the base API URL for github.com.
+	DotComAPIURL = "https://api.github.com/"
+	// DotComHost is the hostname for github.com.
+	DotComHost = "github.com"
+	// DotComAPIHost is the API hostname for github.com.
+	DotComAPIHost = "api.github.com"
+	// GHESRESTAPISuffix is the rest api suffix for GitHub Enterprise Server.
+	GHESRESTAPIPath = "api/v3/"
+)
 
-// GHECDataResidencyHostMatch is a regex to match a GitHub Enterprise Cloud data residency host:
-// https://[hostname].ghe.com/ instances expect paths that behave similar to GitHub.com, not GitHub Enterprise Server.
-var GHECDataResidencyHostMatch = regexp.MustCompile(`^[a-zA-Z0-9.\-]+\.ghe\.com\/?$`)
+var (
+	// GHECHostMatch is a regex to match GitHub Enterprise Cloud hosts.
+	GHECHostMatch = regexp.MustCompile(`\.ghe\.com$`)
+	// GHECAPIHostMatch is a regex to match GitHub Enterprise Cloud API hosts.
+	GHECAPIHostMatch = regexp.MustCompile(`^api\.[a-zA-Z0-9-]+\.ghe\.com$`)
+)
 
 func RateLimitedHTTPClient(client *http.Client, writeDelay, readDelay, retryDelay time.Duration, parallelRequests bool, retryableErrors map[int]bool, maxRetries int) *http.Client {
 	client.Transport = NewEtagTransport(client.Transport)
@@ -81,38 +92,24 @@ func (c *Config) AnonymousHTTPClient() *http.Client {
 }
 
 func (c *Config) NewGraphQLClient(client *http.Client) (*githubv4.Client, error) {
-	uv4, err := url.Parse(c.BaseURL)
-	if err != nil {
-		return nil, err
-	}
-
-	hostname := uv4.Hostname()
-	if hostname != DotComHost && !GHECDataResidencyHostMatch.MatchString(hostname) {
-		uv4.Path = path.Join(uv4.Path, "api/graphql/")
+	var path string
+	if c.IsGHES {
+		path = "api/graphql"
 	} else {
-		uv4.Path = path.Join(uv4.Path, "graphql")
+		path = "graphql"
 	}
 
-	return githubv4.NewEnterpriseClient(uv4.String(), client), nil
+	return githubv4.NewEnterpriseClient(c.BaseURL.JoinPath(path).String(), client), nil
 }
 
 func (c *Config) NewRESTClient(client *http.Client) (*github.Client, error) {
-	uv3, err := url.Parse(c.BaseURL)
-	if err != nil {
-		return nil, err
+	path := ""
+	if c.IsGHES {
+		path = GHESRESTAPIPath
 	}
 
-	hostname := uv3.Hostname()
-	if hostname != DotComHost && !GHECDataResidencyHostMatch.MatchString(hostname) {
-		uv3.Path = fmt.Sprintf("%s/", path.Join(uv3.Path, "api/v3"))
-	}
-
-	v3client, err := github.NewClient(client).WithEnterpriseURLs(uv3.String(), "")
-	if err != nil {
-		return nil, err
-	}
-
-	v3client.BaseURL = uv3
+	v3client := github.NewClient(client)
+	v3client.BaseURL = c.BaseURL.JoinPath(path)
 
 	return v3client, nil
 }
@@ -199,3 +196,45 @@ func (injector *previewHeaderInjectorTransport) RoundTrip(req *http.Request) (*h
 	}
 	return injector.rt.RoundTrip(req)
 }
+
+// getBaseURL returns a correctly configured base URL and a bool as to if this is GitHub Enterprise Server.
+func getBaseURL(s string) (*url.URL, bool, error) {
+	if len(s) == 0 {
+		s = DotComAPIURL
+	}
+
+	u, err := url.Parse(s)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if !u.IsAbs() {
+		return nil, false, fmt.Errorf("base url must be absolute")
+	}
+
+	u = u.JoinPath("/")
+
+	switch {
+	case u.Host == DotComAPIHost:
+	case u.Host == DotComHost:
+		u.Host = DotComAPIHost
+	case GHECAPIHostMatch.MatchString(u.Host):
+	case GHECHostMatch.MatchString(u.Host):
+		u.Host = fmt.Sprintf("api.%s", u.Host)
+	default:
+		u.Path = strings.TrimSuffix(u.Path, GHESRESTAPIPath)
+		return u, true, nil
+	}
+
+	if u.Scheme != "https" {
+		return nil, false, fmt.Errorf("base url for github.com or ghe.com must use the https scheme")
+	}
+
+	if len(u.Path) > 1 {
+		return nil, false, fmt.Errorf("base url for github.com or ghe.com must not contain a path, got %s", u.Path)
+	}
+
+	u.Path = "/"
+
+	return u, false, nil
+}