integrations · stevehipwell · Nov 24, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1,4 +1,4 @@
-name: GitHub Actions CI
+name: CI
 
 on:
   push:
@@ -14,18 +14,17 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read # for actions/checkout
+permissions: read-all
 
 jobs:
   ci:
     name: Continuous Integration
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     defaults:
       run:
         shell: bash
-    env:
-      GITHUB_TEST_ORGANIZATION: kfcampbell-terraform-provider
     steps:
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -35,7 +34,7 @@ jobs:
           go-version-file: go.mod
           cache: true
       - run: make tools
-      - run: make lint
+      - run: make lintcheck
       - run: make website-lint
       - run: make build
       - run: make test
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -1,88 +1,88 @@
 name: CodeQL
 
 on:
-    workflow_dispatch:
-    push:
-        branches: ["main"]
-    pull_request:
-        # The branches below must be a subset of the branches above
-        branches: ["main"]
-    schedule:
-        - cron: "16 7 * * 5"
+  workflow_dispatch:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+  schedule:
+    - cron: "16 7 * * 5"
 
 concurrency:
-    group: codeql-${{ github.ref }}
-    cancel-in-progress: true
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
 
 permissions: read-all
 
 jobs:
-    analyze:
-        name: Analyze (${{ matrix.language }})
-        runs-on: ubuntu-latest
-        permissions:
-            actions: read
-            contents: read
-            security-events: write
-        strategy:
-            fail-fast: false
-            matrix:
-                include:
-                    - language: actions
-                      build-mode: none
-                      queries: security-extended # can be 'default' (use empty for 'default'), 'security-and-quality', 'security-extended'
-                    - language: go
-                      build-mode: manual
-                      queries: "" # will be used 'default' queries
-        defaults:
-            run:
-                shell: bash
-        steps:
-            - name: Checkout
-              uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+            queries: security-extended # can be 'default' (use empty for 'default'), 'security-and-quality', 'security-extended'
+          - language: go
+            build-mode: manual
+            queries: "" # will be used 'default' queries
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
-            - name: Set-up Go
-              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
-              if: matrix.language == 'go'
-              with:
-                  go-version-file: go.mod
-                  cache: true
+      - name: Set-up Go
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        if: matrix.language == 'go'
+        with:
+          go-version-file: go.mod
+          cache: true
 
-            - name: Initialize CodeQL
-              uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
-              with:
-                  languages: ${{ matrix.language }}
-                  build-mode: ${{ matrix.build-mode }}
-                  queries: ${{ matrix.queries }}
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: ${{ matrix.queries }}
 
-            - name: Build Go
-              if: ${{ matrix.language == 'go' }}
-              run: go build ./...
+      - name: Build Go
+        if: ${{ matrix.language == 'go' }}
+        run: go build ./...
 
-            - name: Perform CodeQL Analysis
-              uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
-              with:
-                  category: "/language:${{matrix.language}}"
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+        with:
+          category: "/language:${{matrix.language}}"
 
-    check:
-        name: Check CodeQL Analysis
-        if: always() && github.event_name == 'pull_request'
-        needs:
-            - analyze
-        runs-on: ubuntu-latest
-        defaults:
-            run:
-                shell: bash
-        steps:
-            - name: Check
-              env:
-                  INPUT_RESULTS: ${{ join(needs.*.result, ' ') }}
-              run: |
-                  set -euo pipefail
-                  read -a results <<< "${INPUT_RESULTS}"
-                  for result in "${results[@]}"; do
-                    if [[ "${result}" == "failure" ]] || [[ "${result}" == "cancelled" ]]; then
-                      echo "::error::Workflow failed!"
-                      exit 1
-                    fi
-                  done
+  check:
+    name: Check CodeQL Analysis
+    if: always() && github.event_name == 'pull_request'
+    needs:
+      - analyze
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Check
+        env:
+          INPUT_RESULTS: ${{ join(needs.*.result, ' ') }}
+        run: |
+          set -euo pipefail
+          read -a results <<< "${INPUT_RESULTS}"
+          for result in "${results[@]}"; do
+            if [[ "${result}" == "failure" ]] || [[ "${result}" == "cancelled" ]]; then
+              echo "::error::Workflow failed!"
+              exit 1
+            fi
+          done
diff --git a/.github/workflows/dotcom-acceptance-tests.yaml b/.github/workflows/dotcom-acceptance-tests.yaml
@@ -2,25 +2,30 @@ name: Acceptance Tests (github.com)
 
 on:
   workflow_dispatch:
-  # push:
-  #   branches:
-  #     - main
-  #     - release-v*
-  # pull_request_target:
-  #   types:
-  #     - opened
-  #     - synchronize
-  #     - reopened
-  #     - labeled
-  #   branches:
-  #     - main
-  #     - release-v*
+  push:
+    branches:
+      - main
+      - release-v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - labeled
+    branches:
+      - main
+      - release-v*
+
+concurrency:
+  group: acctest-dotcom-${{ github.ref }}
+  cancel-in-progress: true
 
 permissions: read-all
 
 jobs:
   test:
     name: Test ${{ matrix.mode }}
+    if: (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') || contains(github.event.pull_request.labels.*.name, 'acctest')
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -38,8 +43,9 @@ jobs:
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Check secrets
+        if: github.event_name == 'pull_request_target'
         env:
-          INPUT_ALLOWED_SECRETS: ${{ vars.DOTCOM_ACCEPTANCE_TESTS_ALLOWED_SECRETS || 'DOTCOM_TEST_USER_TOKEN' }}
+          INPUT_ALLOWED_SECRETS: ${{ vars.DOTCOM_ACCEPTANCE_TESTS_ALLOWED_SECRETS || 'GH_TEST_TOKEN' }}
           INPUT_SECRETS: ${{ toJSON(secrets) }}
         run: |
           set -eou pipefail
@@ -54,36 +60,70 @@ jobs:
         id: credentials
         if: matrix.mode != 'anonymous'
         env:
-          TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }}
+          GH_TEST_TOKEN: ${{ secrets.GH_TEST_TOKEN }}
         run: |
           set -eou pipefail
 
-          if [[ -z "${TEST_USER_TOKEN}" ]]; then
+          if [[ -z "${GH_TEST_TOKEN}" ]]; then
             echo "::error::Missing credentials"
             exit 1
           fi
 
-          echo "token=${TEST_USER_TOKEN}" >> "${GITHUB_OUTPUT}"
+          echo "token=${GH_TEST_TOKEN}" >> "${GITHUB_OUTPUT}"
 
       - name: Set-up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: go.mod
           cache: true
 
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        with:
+          terraform_version: latest
+          terraform_wrapper: false
+
+      - name: Terraform lookup
+        id: tf
+        run: |
+          set -euo pipefail
+
+          {
+            echo "version=$(terraform version -json | jq --raw-output '.terraform_version')"
+            echo "path=$(command -v terraform || true)"
+          } >> "${GITHUB_OUTPUT}"
+
       - name: Run tests
         env:
+          TF_ACC_PROVIDER_NAMESPACE: ""
+          TF_ACC_TERRAFORM_VERSION: ${{ steps.tf.outputs.version }}
+          TF_ACC_TERRAFORM_PATH: ${{ steps.tf.outputs.path }}
           TF_ACC: "1"
-          TF_LOG: INFO
+          TF_LOG: WARN
           GITHUB_TOKEN: ${{ steps.credentials.outputs.token }}
           GITHUB_BASE_URL: https://api.github.com/
-          GITHUB_TEST_TYPE: ${{ matrix.mode }}
-          GITHUB_OWNER: ${{ (matrix.mode == 'individual' && 'github-terraform-test-user') || (matrix.mode == 'organization' && 'terraformtesting') || '' }}
-          GITHUB_ORGANIZATION: ${{ (matrix.mode == 'organization' && 'terraformtesting') || '' }}
-          GITHUB_TEST_ORGANIZATION: ${{ (matrix.mode == 'individual' && 'terraformtesting') || '' }}
-          GITHUB_TEST_OWNER: ${{ (matrix.mode == 'organization' && 'github-terraform-test-user') || '' }}
-          GITHUB_TEST_USER_TOKEN: ${{ steps.credentials.outputs.token }}
-        run: go test -run "^TestAcc*" ./github -v -race -coverprofile=coverage.txt -covermode=atomic -timeout 120m -count=1
+          GITHUB_OWNER: ${{ (matrix.mode == 'individual' && vars.GH_TEST_LOGIN) || (matrix.mode == 'organization' && vars.GH_TEST_ORG_NAME) || '' }}
+          GITHUB_USERNAME: ${{ vars.GH_TEST_LOGIN }}
+          GITHUB_ENTERPRISE_SLUG: ${{ vars.GH_TEST_ENTERPRISE_SLUG }}
+          GH_TEST_AUTH_MODE: ${{ matrix.mode }}
+          GH_TEST_USER_REPOSITORY: ${{ vars.GH_TEST_USER_REPOSITORY }}
+          GH_TEST_ORG_USER: ${{ vars.GH_TEST_ORG_USER }}
+          GH_TEST_ORG_SECRET_NAME: ${{ vars.GH_TEST_ORG_SECRET_NAME }}
+          GH_TEST_ORG_REPOSITORY: ${{ vars.GH_TEST_ORG_REPOSITORY }}
+          GH_TEST_ORG_TEMPLATE_REPOSITORY: ${{ vars.GH_TEST_ORG_TEMPLATE_REPOSITORY }}
+          GH_TEST_ORG_APP_INSTALLATION_ID: ${{ vars.GH_TEST_ORG_APP_INSTALLATION_ID }}
+          GH_TEST_EXTERNAL_USER: ${{ vars.GH_TEST_EXTERNAL_USER }}
+          GH_TEST_EXTERNAL_USER_TOKEN: ${{ secrets.GH_TEST_EXTERNAL_USER_TOKEN }}
+          GH_TEST_EXTERNAL_USER2: ${{ vars.GH_TEST_EXTERNAL_USER2 }}
+          GH_TEST_ADVANCED_SECURITY: ${{ vars.GH_TEST_ADVANCED_SECURITY || 'false' }}
+        run: |
+          set -eou pipefail
+
+          if [[ "${GH_TEST_AUTH_MODE}" != "anonymous" ]]; then
+            go test ./github -v -sweep=all
+          fi
+
+          go test -run "^TestAcc*" ./github -v -race -coverprofile=coverage.txt -covermode=atomic -timeout 120m -count=1
 
   check:
     name: Check DotCom Acceptance Tests