terraform-provider-github: Data source github_actions_public_key returns a 404

Terraform Version

Terraform 0.13.6

Affected Resource(s)

  • github_actions_public_key

Terraform Configuration Files

provider "github" {
  token        = var.github_token
  organization = "buffalogrid"
}

data "github_actions_public_key" "repo_public_key" {
  repository = var.repo
}

resource "github_actions_secret" "secret" {
  for_each = var.config

  repository      = var.repo
  secret_name     = upper(join("_", [var.env, each.key]))
  plaintext_value = each.value
}

Provider configuration:

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "~> 4.3.0"
    }
  }
}

Debug Output

https://gist.github.com/amogram/a937c1f0d83ec8dee2a390ed8fdcecf6

Panic Output

Expected Behavior

The data source should retrieve information about a GitHub Actions public key.

Actual Behavior

The call returns a 404. The makeup of the GET request doesn’t appear to be correct. It seems to be missing the organization name.

It appears to be a similar issue to #655 and what is discussed here: https://github.com/integrations/terraform-provider-github/issues/652#issuecomment-763603673

Error: GET https://api.github.com/repos//bg-dashboards-and-control-panels-frontend/actions/secrets/public-key: 404 Not Found []

  on github-repo-secrets/main.tf line 1, in data "github_actions_public_key" "repo_public_key":
   1: data "github_actions_public_key" "repo_public_key" {

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Added the data source.
  2. Organisation is set in the provider.
  3. Run terraform plan.

Important Factoids

References

It appears to be a similar issue to #655 and what is discussed here: https://github.com/integrations/terraform-provider-github/issues/652#issuecomment-763603673

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 20
  • Comments: 24 (2 by maintainers)

Most upvoted comments

I was able to solve this by setting these ENV variables.

export GITHUB_TOKEN=<Personal Access Token with write permissions>
export GITHUB_OWNER=<owner_name>

github_actions_public_key data source is failing because my github organization requires SAML auth:

404/Not Found when sending requests without SSO Auth Token as header:

curl -i https://api.github.com/repos/myrepo/actions/secrets/public-key
{
  "message": "Not Found",
  "documentation_url": "https://docs.github.com/rest"
}

Successful response when providing an SSO-enabled Github Personal Access Token (PAT) as an Authorization header.

curl -i -H "Authorization: token myuser-github-token" https://api.github.com/repos/myrepo/actions/secrets/public-key
{
  "key_id": "<>",
  "key": "<>"
}

There is no way I can see to authenticate to GitHub organizations requiring SAML auth in the github_actions_public_key data source.

Alternate question, I possess the public key value which the github_actions_public_key data source wishes to retrieve. Am I able to set this variable in TF so the github_actions_secret resource can use it? I’ve tried plugging it into local variables named github_actions_public_key and that does not work.

Your PAT token needs to have the read:public_key permissions under admin:public_key.

Tried everything in this thread, nothing works. Does anybody know the cause of this?

actions/secrets/public-key: 404 Not Found []

Based on the @iskarconsulting config (huge thanks!), I believe the following causes the 404 error: the secret’s repository field should be just the repo name without the owner part. For instance, it should be “test” instead of “aderesh/test”. It works even without providing “owner” in the provider configuration for me.

Full solution:

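# Variable values (for example in terraform.tfvars)
github_token = "github_pat_1*****"
github_repo  = "aderesh/test"

# Declaration needed for var.github_token (not shown in the original post)
variable "github_token" {
  type = string
}

provider "github" {
  token = var.github_token
}

variable "github_repo" {
  type = string
}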

resource "github_actions_secret" "TF_TEST" {
  repository      = split("/", var.github_repo)[1]
  secret_name     = "TF_TEST"
  plaintext_value = "secret"
}

PAT: Fine-grained with Secrets:Read and Write, scoped to test repo.

It would be nice to know if there are terms/names for “REPO” and “OWNER/REPO” (e.g. repository vs full_repository_name)? It’s been always confusing to me when to use which…

I got this working with the following configuration:

Configure a fine-grained PAT with secrets.write permission.

GitHub Actions Workflow:

...

jobs:
  terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest

    env:
      TF_VAR_github_repository: ${{ github.repository }}
      TF_VAR_github_token: ${{ secrets.GH_REPOSITORY_SECRETS_PAT }}

...

main.tf

...

provider "github" {
  owner = split("/", var.github_repository)[0]
  token = var.github_token
}

...

secret.tf

...

resource "github_actions_secret" "secret" {
  repository      = split("/", var.github_repository)[1]
  secret_name     = "SECRET_NAME"
  plaintext_value = <secret>
}

...

Note: I tried to get this working with the built in GitHub Actions GITHUB_TOKEN but was getting the response:

403 Resource not accessible by integration []

Unfortunately, there doesn’t seem to be a way to assign secrets.write to the GITHUB_TOKEN. Ideally, I’d like to avoid using a PAT as it’s another secret to manage (it’ll expire and will need rotating).

Hey all; after combing through the different replies here, and trying a bunch of different things, the simplest way I could get this to work is to leave the provider config empty, and just pass these two env vars when calling the terraform CLI:

GITHUB_OWNER=<gh org name> GITHUB_TOKEN=<gh access token> terraform apply

There are, ofc, different ways to achieve this, but I just wanted to leave this as a one-line copy/paste-able workaround to this problem. hope it helps others until the underlying issue is fixed.

Migrating to integrations/github from hashicorp/github and using latest does not seem to resolve this issue. Did anyone have any recent success?

I’m using a PAT generated from the org owner account. I’m trying to use TF to push and manage an organization secret for one private repo’s GitHub Actions; below is how I got it working. I noticed there is a warning message from Terraform when I used organization in my provider block. The message said:

│ Warning: "organization": [DEPRECATED] Use owner (or GITHUB_OWNER) instead of organization (or GITHUB_ORGANIZATION)
│
│   with provider["registry.terraform.io/integrations/github"],
│   on providers.tf line 237, in provider "github":
│  237: provider "github" {

So I followed the warning, instead of using organization I used GITHUB_ORGANIZATION. So my provider block looks like this:

provider "github" {
  GITHUB_ORGANIZATION = var.github_org
  token               = (sensitive(aws_ssm_parameter.githubtfctoken.value))
}

My resource block looks like this:

data "github_repository" "my_private_repo" {
  full_name = "<org_name>/<my_private_repo_name>"
}

resource "github_actions_organization_secret" "org_secret_test" {
  secret_name             = "terraform_test"
  visibility              = "selected"
  encrypted_value         = "terraformtestsecretvalue"
  selected_repository_ids = [data.github_repository.my_private_repo.repo_id]
}

I checked GitHub Actions on that repo and found this secret created there.

Hi, is there a work around for this as I am getting the double slash in my get request url when using the github_actions_secret resource and I’ve not found a way to fix it.

I can swear that I had this working yesterday but I changed my terraform module structure and now there’s a double slash there 😦

I can confirm @paullatzelsperger’s observation:

$ curl   -H "Accept: application/vnd.github+json"   -H "Authorization: Bearer $TOKEN"   https://api.github.com/repos/$ORG/$REPO/actions/secrets/public-key 
{
  "key_id": "REDACTED",
  "key": "ESPECIALLY_REDACTED"
}
$ curl   -H "Accept: application/vnd.github+json"   -H "Authorization: Bearer $TOKEN"   https://api.github.com/repos//$ORG/$REPO/actions/secrets/public-key
{
  "message": "Not Found",
  "documentation_url": "https://docs.github.com/rest"
}

Just found out that there may be a typo in the terraform provider. Terraform reports an error: GET https://api.github.com/repos//<ORG>/<REPO>/actions/secrets/public-key. Note the double forward slashes. They get added, regardless of whether I prefix the repository string or not.
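
The 404s quoted in this thread come with differently shaped request paths: an empty owner segment, and a repository value that already carries the owner. The shell function below is an added example, not part of the original thread or the provider's code; it classifies the URL from the Terraform error by its path shape. The function name, the category labels and the last two sample URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the URL quoted in a provider 404 for the
# actions/secrets/public-key endpoint by the shape of its path.

classify_public_key_url() (
  url=$1
  prefix='https://api.github.com/repos/'
  suffix='/actions/secrets/public-key'

  path=${url#"$prefix"}
  [ "$path" != "$url" ] || { echo "not-a-repos-url"; exit 0; }
  trimmed=${path%"$suffix"}
  [ "$trimmed" != "$path" ] || { echo "not-a-public-key-url"; exit 0; }

  # What remains should be exactly "<owner>/<repo>".
  case $trimmed in
    */*) ;;
    *) echo "malformed"; exit 0 ;;
  esac
  owner=${trimmed%%/*}   # text before the first slash (empty for "//")
  repo=${trimmed#*/}     # everything after the first slash

  case $repo in
    '')  echo "repository-missing"; exit 0 ;;
    */*) repo_has_owner=1 ;;   # e.g. "aderesh/test" passed as repository
    *)   repo_has_owner=0 ;;
  esac

  if [ -z "$owner" ] && [ "$repo_has_owner" -eq 1 ]; then
    echo "owner-missing,repository-has-owner-prefix"
  elif [ -z "$owner" ]; then
    echo "owner-missing"
  elif [ "$repo_has_owner" -eq 1 ]; then
    echo "repository-has-owner-prefix"
  else
    echo "path-ok"
  fi
)

# Sample URLs: the first two follow the error lines quoted in the thread,
# the last two are constructed for illustration.
for u in \
  'https://api.github.com/repos//bg-dashboards-and-control-panels-frontend/actions/secrets/public-key' \
  'https://api.github.com/repos//ORG/REPO/actions/secrets/public-key' \
  'https://api.github.com/repos/aderesh/aderesh/test/actions/secrets/public-key' \
  'https://api.github.com/repos/aderesh/test/actions/secrets/public-key'
do
  printf '%s -> %s\n' "$u" "$(classify_public_key_url "$u")"
done
```

A `path-ok` result means the 404 is not explained by the path, which leaves the token-side causes reported in the comments above (SSO authorization on the PAT, or a missing secrets permission).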