Skip to content

feat: activate RepositoryPermissions MRD for actions SHA-pinning policy#2250

Merged
devantler merged 1 commit into
mainfrom
feat/activate-actions-repository-permissions
Jun 23, 2026
Merged

feat: activate RepositoryPermissions MRD for actions SHA-pinning policy#2250
devantler merged 1 commit into
mainfrom
feat/activate-actions-repository-permissions

Conversation

@devantler

@devantler devantler commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Draft — gated on crossplane-contrib/provider-upjet-github#288. Do not promote/merge until a provider release embedding terraform-provider-github ≥ 6.11.0 is pinned in provider.yaml.

What

Activates repositorypermissions.actions.github.m.upbound.io in the
github-config ManagedResourceActivationPolicy, so the org's per-repo
Require actions to be pinned to a full-length commit SHA policy
(sha_pinning_required) can be reconciled declaratively.

Why

provider-upjet-github declares SafeStart — its Actions managed resources ship
Inactive; only those named in the MRAP become CRDs. The companion
devantler-tech/.github change (deploy/actions-permissions/) declares a
RepositoryPermissions per managed repo asserting shaPinningRequired: true;
those need this MRD active to reconcile.

The github-config tenant Role already grants the actions.github.m.upbound.io
API group, so no RBAC change is needed.

Gating

sha_pinning_required is absent from the deployed provider v0.19.1 (pins
terraform-provider-github 6.6.0); it landed in the TF provider in v6.11.0 and is
unavailable until a provider release embedding ≥ 6.11.0 is pinned here. Tracked
by crossplane-contrib/provider-upjet-github#288.

Validation

kubectl kustomize k8s/providers/hetzner/infrastructure/crossplane builds; the
MRAP activate list now includes repositorypermissions.actions.github.m.upbound.io.

Companion

devantler-tech/.github#67deploy/actions-permissions/ (the RepositoryPermissions resources).

🤖 Generated with Claude Code

Activate repositorypermissions.actions.github.m.upbound.io in the
github-config MRAP so the org's "Require actions to be pinned to a
full-length commit SHA" policy can be reconciled declaratively from
devantler-tech/.github deploy/actions-permissions/.

The github-config tenant Role already grants the actions.github.m.upbound.io
group, so no RBAC change is needed.

Gated on a provider-upjet-github release embedding terraform-provider-github
>= 6.11.0 (sha_pinning_required); absent in the deployed v0.19.1 (TF 6.6.0).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@devantler devantler marked this pull request as ready for review June 23, 2026 22:33
@devantler devantler added this pull request to the merge queue Jun 23, 2026
Merged via the queue into main with commit b274621 Jun 23, 2026
10 checks passed
@devantler devantler deleted the feat/activate-actions-repository-permissions branch June 23, 2026 22:57
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jun 23, 2026
@botantler-1

botantler-1 Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 1.77.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@botantler-1 botantler-1 Bot added the released label Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Status: ✅ Done

Development

Successfully merging this pull request may close these issues.

1 participant