Merge branch 'main' into can-push-deploy-keys

# Conflicts:
#	docs/resources/deploy_key.md

Author: Shocktrooper

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,61 @@
+name: 🐞 Bug Report
+description: File a bug report
+labels: ["bug", "needs-triage"]
+# assignees:
+#   - octocat
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Hi there 👋,
+
+        Thank you for reporting the bug! Completing all sections of this form will help us find a solution quickly.
+
+        If the problem is a missing feature, then please use a [Feature Request](https://github.com/gitlabhq/terraform-provider-gitlab/issues/new?template=FEATURE_REQUEST.yml) instead.
+  - type: input
+    id: provider-version
+    attributes:
+      label: GitLab Provider version
+      description: What version of the `gitlabhq/gitlab` provider are you using? (This is usually found in any `terraform` command output.)
+      placeholder: "X.X.X"
+    validations:
+      required: false
+  - type: input
+    id: gitlab-version
+    attributes:
+      label: GitLab version
+      description: What version and edition of GitLab are you using? (This can be found in the "Help" section in GitLab.)
+      placeholder: "GitLab XXXXX Edition X.X"
+    validations:
+      required: false
+  - type: input
+    id: terraform-version
+    attributes:
+      label: Terraform version
+      description: What version of terraform are you using?
+      placeholder: "Please paste the output of `terraform -v` here"
+    validations:
+      required: false
+  - type: textarea
+    id: configuration
+    attributes:
+      label: Relevant Terraform Configuration
+      description: Please copy and paste the relevant Terraform Configuration here. This will be automatically formatted into code, so no need for backticks.
+      render: hcl
+    validations:
+      required: false
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: shell
+  - type: textarea
+    id: problem-description
+    attributes:
+      label: Description
+      description: |
+        Please describe the problem you are experiencing and what you would have expected to see.
+        Make sure to include important factoids or special steps someones needs to reproduce the issue.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/BUG_REPORT.yml

@@ -0,0 +1,26 @@
+name: ✨ Feature Request
+description: Request a new feature
+labels: ["enhancement", "needs-triage"]
+# assignees:
+#   - octocat
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Hi there 👋,
+
+        Thank you for requesting a new feature!
+  - type: textarea
+    id: description
+    attributes:
+      label: Feature Description
+      description: Please describe your feature ideas in as much detail as possible, including an example configuration.
+    validations:
+      required: true
+  - type: checkboxes
+    id: contribution-willingness
+    attributes:
+      label: Do you want to implement this?
+      options:
+        - label: I would like to implement this myself 👷
+          required: false

.github/ISSUE_TEMPLATE/FEATURE_REQUEST.yml

@@ -16,14 +16,14 @@ linter:
 
 provider:
   - '.go-version'
-  - 'gitlab/**/*'
+  - 'internal/provider/**/*'
   - 'main.go'
 
 resource:
-  - 'gitlab/resource_*.go'
+  - 'internal/provider/resource_*.go'
 
 data-source:
-  - 'gitlab/data_source_*.go'
+  - 'internal/provider/data_source_*.go'
 
 tests:
   - '**/*_test.go'

.github/labeler-pr-triage.yml

@@ -2,16 +2,17 @@
 
 <!-- Which issue/s does this PR close? Is there any more context you can give the reviewer? -->
 
-## PR Checklist
+### PR Checklist Acknowledgement
 
-<!-- For a smooth review process, please run through this checklist before submitting a PR. -->
+<!-- For a smooth review process, please run through this checklist before submitting a PR, and check the box when done. -->
 
-- [ ] Resource attributes match 1:1 the names and structure of the API resource in [the GitLab API documentation](https://docs.gitlab.com/ee/api/).
-- [ ] [Examples](/examples) are updated with:
+- [ ] I acknowledge that all of the following items are true, where applicable:
+  - Resource attributes match 1:1 the names and structure of the API resource in [the GitLab API documentation](https://docs.gitlab.com/ee/api/).
+  - [Examples](https://github.com/gitlabhq/terraform-provider-gitlab/tree/main/examples) are updated with:
     - A \*.tf file for the resource/s with at least one usage example
     - A \*.sh file for the resource/s with an import example (if applicable)
-- [ ] New resources have at minimum a basic test with three steps:
+  - New resources have at minimum a basic test with three steps:
     - Create the resource
     - Update the attributes
     - Import the resource
-- [ ] No new `//lintignore` comments that came from copied code. Linter rules are meant to be enforced on new code.
+  - No new `//lintignore` comments were copied from existing code. (Linter rules are meant to be enforced on new code.)

.github/pull_request_template.md

@@ -12,8 +12,19 @@ permissions:
 jobs:
   remove-labels:
     runs-on: ubuntu-latest
+    # This job contains steps which are expected to fail.
+    continue-on-error: true
     steps:
+      - name: Is comment from a collaborator?
+        uses: octokit/[email protected]
+        with:
+          route: GET /repos/${{ github.repository }}/collaborators/${{ github.event.sender.login }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # Only remove labels if they are NOT a collaborator.
+      # Reason being, a collaborator may post a comment and add a waiting-response label.
       - uses: actions-ecosystem/action-remove-labels@v1
+        if: ${{ failure() }}
         with:
           labels: |
             stale

.github/terraform_logo.svg

@@ -12,9 +12,21 @@ permissions:
 jobs:
   add-labels:
     runs-on: ubuntu-latest
+    # This job contains steps which are expected to fail.
+    continue-on-error: true
     steps:
-      - uses: actions/checkout@v2
+      - name: Is opened by a collaborator?
+        uses: octokit/[email protected]
+        with:
+          route: GET /repos/${{ github.repository }}/collaborators/${{ github.event.sender.login }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # Only add triage labels if they are NOT a collaborator.
+      # This prevents the needs-triage label from being added.
+      - uses: actions/checkout@v3
+        if: ${{ failure() }}
       - uses: github/[email protected]
+        if: ${{ failure() }}
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           configuration-path: .github/labeler-issue-triage.yml

.github/workflows/issue-comment-created.yml

@@ -0,0 +1,45 @@
+# This workflow runs acceptance tests on pull requests (CE)
+
+name: pr-acceptance-ce
+
+on:
+  pull_request:
+    # Acceptance tests are unnecessary to run on some types of PRs.
+    paths-ignore:
+      - 'docs/**'
+      - 'examples/**'
+      - 'README.md'
+      - 'CHANGELOG.md'
+      - 'CONTRIBUTING.md'
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  go-version:
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.go-version.outputs.go-version }}
+    steps:
+      - uses: actions/checkout@v3
+      # Read the .go-version file and output it for other jobs to use.
+      - id: go-version
+        run: echo "::set-output name=go-version::$(cat .go-version)"
+
+  acceptance-ce:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    needs: [go-version]
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      - uses: actions/checkout@v3
+      # Cache the Go modules.
+      - uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      - run: make testacc-up
+      - run: make testacc

.github/workflows/issue-opened.yml

@@ -1,12 +1,15 @@
-# This workflow runs acceptance tests on pull requests (both CE and EE). It needs to be run in the
+# This workflow runs acceptance tests on pull requests (EE). It needs to be run in the
 # target project instead of the fork in order to use secrets. This is why the actions/checkout
 # action regularly has to specify the pull request sha.
 #
 # SECURITY ADVISORY
 # Be careful while making changes to this file.
 # See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+#
+# We are using "persist-credentials: false" on all checkout actions in this workflow as a
+# precaution.
 
-name: pr-acceptance
+name: pr-acceptance-ee
 
 on:
   # The pull_request_target event type fires for pull requests, but in the context of the target
@@ -20,6 +23,9 @@ on:
       - 'CHANGELOG.md'
       - 'CONTRIBUTING.md'
 
+# Disable permissions on the GITHUB_TOKEN for all scopes.
+permissions: {}
+
 concurrency: 
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
@@ -31,9 +37,10 @@ jobs:
       go-version: ${{ steps.go-version.outputs.go-version }}
     steps:
       # Check out the pull request code (as opposed to the target project).
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
       # Read the .go-version file and output it for other jobs to use.
       - id: go-version
         run: echo "::set-output name=go-version::$(cat .go-version)"
@@ -51,28 +58,6 @@ jobs:
         if: ${{ env.LICENSE_ENCRYPTION_PASSWORD != '' }}
         run: echo "::set-output name=defined::true"
 
-  acceptance-ce:
-    timeout-minutes: 60
-    runs-on: ubuntu-latest
-    needs: [go-version]
-    steps:
-      - uses: actions/setup-go@v2
-        with:
-          go-version: ${{ needs.go-version.outputs.go-version }}
-      # Check out the pull request code (as opposed to the target project).
-      - uses: actions/checkout@v2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      # Cache the Go modules.
-      - uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
-      # CAUTION: EXECUTING UNTRUSTED CODE.
-      # This is made safe because we have not referenced any secrets or GitHub tokens.
-      - run: make testacc-up
-      - run: make testacc
-
   acceptance-ee:
     # Only run EE tests if the LICENSE_ENCRYPTION_PASSWORD secret exists, so that the workflow
     # doesn't fail when code is pushed to a fork.
@@ -86,7 +71,10 @@ jobs:
           go-version: ${{ needs.go-version.outputs.go-version }}
       # Check out the target project (as opposed to the pull request code).
       # Yes, this is intentional. We are using trusted code while working with the GitLab license.
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+          persist-credentials: false
       - name: Decrypt license
         run: |
           openssl version
@@ -95,15 +83,17 @@ jobs:
       # Check out the pull request code (as opposed to the target project).
       # This overwrites the entire directory and deleted the unencrypted GitLab license file. The
       # service has already started and continues using the license even though the file is deleted.
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
       # Cache the Go modules.
-      - uses: actions/cache@v2
+      - uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
       # CAUTION: EXECUTING UNTRUSTED CODE.
       # This is made safe because we have already cleaned up the unencrypted GitLab license file,
       # we have no other secrets, and we are not using GitHub tokens.
       - run: make testacc
+