Fixes merge drift issues with both org secrets and actions secrets

nickfloyd · nickfloyd · commit 6537a52da0e5 · 2025-10-28T15:04:06.000-05:00
diff --git a/github/resource_github_actions_organization_secret.go b/github/resource_github_actions_organization_secret.go
@@ -228,10 +228,11 @@ func resourceGithubActionsOrganizationSecretRead(d *schema.ResourceData, meta in
 	if updatedAt, ok := d.GetOk("updated_at"); ok && destroyOnDrift && updatedAt != secret.UpdatedAt.String() {
 		log.Printf("[INFO] The secret %s has been externally updated in GitHub", d.Id())
 		d.SetId("")
-	} else if !ok {
-		if err = d.Set("updated_at", secret.UpdatedAt.String()); err != nil {
-			return err
-		}
+	}
+
+	// Always update the timestamp to prevent repeated drift detection
+	if err = d.Set("updated_at", secret.UpdatedAt.String()); err != nil {
+		return err
 	}
 
 	return nil
diff --git a/github/resource_github_actions_organization_secret_drift_test.go b/github/resource_github_actions_organization_secret_drift_test.go
@@ -0,0 +1,86 @@
+package github
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+// Test for the organization secret drift detection fix
+func TestGithubActionsOrganizationSecretDriftDetectionFix(t *testing.T) {
+	t.Run("always updates timestamp regardless of drift detection", func(t *testing.T) {
+		// This test verifies the fix for the issue where updated_at was not
+		// being set when drift was detected, causing repeated drift detection
+
+		d := schema.TestResourceDataRaw(t, resourceGithubActionsOrganizationSecret().Schema, map[string]interface{}{
+			"secret_name":      "test-secret",
+			"plaintext_value":  "test-value",
+			"visibility":       "private",
+			"destroy_on_drift": true,
+			"updated_at":       "2023-01-01T00:00:00Z", // Old timestamp
+		})
+		d.SetId("test-secret")
+
+		// Simulate the updated_at logic from the read function
+		// This is what the actual GitHub API would return (newer timestamp)
+		newTimestamp := "2023-01-01T12:00:00Z"
+
+		// Simulate the drift detection logic from resourceGithubActionsOrganizationSecretRead
+		destroyOnDrift := d.Get("destroy_on_drift").(bool)
+		if updatedAt, ok := d.GetOk("updated_at"); ok && destroyOnDrift && updatedAt != newTimestamp {
+			// This would log the drift and clear the ID
+			d.SetId("")
+		}
+
+		// This is the key fix - always update the timestamp
+		err := d.Set("updated_at", newTimestamp)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Verify that the timestamp was updated even though drift was detected
+		if d.Get("updated_at").(string) != newTimestamp {
+			t.Error("Expected updated_at to be set to new timestamp after drift detection")
+		}
+
+		// Verify that the ID was cleared due to drift detection
+		if d.Id() != "" {
+			t.Error("Expected ID to be cleared due to drift detection with destroy_on_drift=true")
+		}
+	})
+
+	t.Run("does not clear ID when destroy_on_drift is false", func(t *testing.T) {
+		d := schema.TestResourceDataRaw(t, resourceGithubActionsOrganizationSecret().Schema, map[string]interface{}{
+			"secret_name":      "test-secret",
+			"plaintext_value":  "test-value",
+			"visibility":       "private",
+			"destroy_on_drift": false,
+			"updated_at":       "2023-01-01T00:00:00Z", // Old timestamp
+		})
+		d.SetId("test-secret")
+
+		newTimestamp := "2023-01-01T12:00:00Z"
+
+		// Simulate the drift detection logic
+		destroyOnDrift := d.Get("destroy_on_drift").(bool)
+		if updatedAt, ok := d.GetOk("updated_at"); ok && destroyOnDrift && updatedAt != newTimestamp {
+			d.SetId("")
+		}
+
+		// Always update the timestamp
+		err := d.Set("updated_at", newTimestamp)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Verify that the ID was NOT cleared when destroy_on_drift=false
+		if d.Id() != "test-secret" {
+			t.Error("Expected ID to remain when destroy_on_drift=false")
+		}
+
+		// Verify that the timestamp was still updated
+		if d.Get("updated_at").(string) != newTimestamp {
+			t.Error("Expected updated_at to be updated even when destroy_on_drift=false")
+		}
+	})
+}
diff --git a/github/resource_github_actions_secret.go b/github/resource_github_actions_secret.go
@@ -170,15 +170,11 @@ func resourceGithubActionsSecretRead(d *schema.ResourceData, meta interface{}) e
 	if updatedAt, ok := d.GetOk("updated_at"); ok && destroyOnDrift && updatedAt != secret.UpdatedAt.String() {
 		log.Printf("[INFO] The secret %s has been externally updated in GitHub", d.Id())
 		d.SetId("")
-	} else if updatedAt, ok := d.GetOk("updated_at"); ok && !destroyOnDrift && updatedAt != secret.UpdatedAt.String() {
-		log.Printf("[INFO] The secret %s has been externally updated in GitHub, updating timestamp without recreating", d.Id())
-		if err = d.Set("updated_at", secret.UpdatedAt.String()); err != nil {
-			return err
-		}
-	} else if !ok {
-		if err = d.Set("updated_at", secret.UpdatedAt.String()); err != nil {
-			return err
-		}
+	}
+
+	// Always update the timestamp to prevent repeated drift detection
+	if err = d.Set("updated_at", secret.UpdatedAt.String()); err != nil {
+		return err
 	}
 
 	return nil
