From 32649f3ad63e3066d40547be95d363ed1867d3df Mon Sep 17 00:00:00 2001
From: Danielku15 <danielku15@coderline.net>
Date: Wed, 6 Mar 2024 10:54:24 +0100
Subject: [PATCH] fix: Prevent loading of allowed actions if not configured

---
 ...github_actions_organization_permissions.go |  7 ++-
 ...e_github_actions_repository_permissions.go |  7 ++-
 ...hub_actions_repository_permissions_test.go | 57 +++++++++++++++++++
 3 files changed, 69 insertions(+), 2 deletions(-)

diff --git a/github/resource_github_actions_organization_permissions.go b/github/resource_github_actions_organization_permissions.go
index c79320223d..8c5f010aa2 100644
--- a/github/resource_github_actions_organization_permissions.go
+++ b/github/resource_github_actions_organization_permissions.go
@@ -209,9 +209,14 @@ func resourceGithubActionsOrganizationPermissionsRead(d *schema.ResourceData, me
 	// only load and fill allowed_actions_config if allowed_actions_config is also set
 	// in the TF code. (see #2105)
 	// on initial import there might not be any value in the state, then we have to import the data
+	// -> but we can only load an existing state if the current config is set to "selected" (see #2182)
 	allowedActions := d.Get("allowed_actions").(string)
 	allowedActionsConfig := d.Get("allowed_actions_config").([]interface{})
-	if (allowedActions == "selected" && len(allowedActionsConfig) > 0) || allowedActions == "" {
+
+	serverHasAllowedActionsConfig := actionsPermissions.GetAllowedActions() == "selected"
+	userWantsAllowedActionsConfig := (allowedActions == "selected" && len(allowedActionsConfig) > 0) || allowedActions == ""
+
+	if serverHasAllowedActionsConfig && userWantsAllowedActionsConfig {
 		actionsAllowed, _, err := client.Actions.GetActionsAllowed(ctx, d.Id())
 		if err != nil {
 			return err
diff --git a/github/resource_github_actions_repository_permissions.go b/github/resource_github_actions_repository_permissions.go
index 94392bbe08..8bb66f3957 100644
--- a/github/resource_github_actions_repository_permissions.go
+++ b/github/resource_github_actions_repository_permissions.go
@@ -172,9 +172,14 @@ func resourceGithubActionsRepositoryPermissionsRead(d *schema.ResourceData, meta
 	// only load and fill allowed_actions_config if allowed_actions_config is also set
 	// in the TF code. (see #2105)
 	// on initial import there might not be any value in the state, then we have to import the data
+	// -> but we can only load an existing state if the current config is set to "selected" (see #2182)
 	allowedActions := d.Get("allowed_actions").(string)
 	allowedActionsConfig := d.Get("allowed_actions_config").([]interface{})
-	if (allowedActions == "selected" && len(allowedActionsConfig) > 0) || allowedActions == "" {
+
+	serverHasAllowedActionsConfig := actionsPermissions.GetAllowedActions() == "selected" && actionsPermissions.GetEnabled()
+	userWantsAllowedActionsConfig := (allowedActions == "selected" && len(allowedActionsConfig) > 0) || allowedActions == ""
+
+	if serverHasAllowedActionsConfig && userWantsAllowedActionsConfig {
 		actionsAllowed, _, err := client.Repositories.GetActionsAllowed(ctx, owner, repoName)
 		if err != nil {
 			return err
diff --git a/github/resource_github_actions_repository_permissions_test.go b/github/resource_github_actions_repository_permissions_test.go
index 5cb3a03188..7df2eb8f99 100644
--- a/github/resource_github_actions_repository_permissions_test.go
+++ b/github/resource_github_actions_repository_permissions_test.go
@@ -294,4 +294,61 @@ func TestAccGithubActionsRepositoryPermissions(t *testing.T) {
 		})
 
 	})
+
+	// https://github.com/integrations/terraform-provider-github/issues/2182
+	t.Run("test load with disabled actions", func(t *testing.T) {
+		randomID := acctest.RandStringFromCharSet(5, acctest.CharSetAlphaNum)
+
+		config := fmt.Sprintf(`
+			locals {
+				actions_enabled = false
+			}
+
+			resource "github_repository" "test" {
+				name        = "tf-acc-test-actions-permissions-%[1]s"
+				description = "Terraform acceptance tests %[1]s"
+				topics		= ["terraform", "testing"]
+			}
+
+			resource "github_actions_repository_permissions" "test" {
+				repository = github_repository.test.name
+				enabled         = local.actions_enabled
+				allowed_actions = local.actions_enabled ? "all" : null
+			}
+		`, randomID)
+
+		check := resource.ComposeTestCheckFunc(
+			resource.TestCheckResourceAttr(
+				"github_actions_repository_permissions.test", "enabled", "false",
+			),
+			resource.TestCheckResourceAttr(
+				"github_actions_repository_permissions.test", "allowed_actions.#", "0",
+			),
+		)
+
+		testCase := func(t *testing.T, mode string) {
+			resource.Test(t, resource.TestCase{
+				PreCheck:  func() { skipUnlessMode(t, mode) },
+				Providers: testAccProviders,
+				Steps: []resource.TestStep{
+					{
+						Config: config,
+						Check:  check,
+					},
+				},
+			})
+		}
+
+		t.Run("with an anonymous account", func(t *testing.T) {
+			t.Skip("anonymous account not supported for this operation")
+		})
+
+		t.Run("with an individual account", func(t *testing.T) {
+			testCase(t, individual)
+		})
+
+		t.Run("with an organization account", func(t *testing.T) {
+			testCase(t, organization)
+		})
+	})
 }