upgrade@20044535066

.github/workflows/apply.yml

@@ -23,11 +23,20 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Discover workspaces
         id: workspaces
         run: echo "this=$(ls github | jq --raw-input '[.[0:-4]]' | jq -sc add)" >> $GITHUB_OUTPUT
-      - run: npm ci && npm run build
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - name: Use Node.js lts/*
+        uses: actions/setup-node@v6
+        with:
+          node-version: lts/*
+          cache: ''
+      - run: pnpm install --frozen-lockfile && pnpm run build
         working-directory: scripts
       - name: Find sha for plan
         id: sha
@@ -65,11 +74,11 @@ jobs:
         working-directory: terraform
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: 1.2.9
+          terraform_version: 1.12.0
           terraform_wrapper: false
       - name: Initialize terraform
         run: terraform init

.github/workflows/clean.yml

@@ -30,7 +30,7 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Discover workspaces
         id: workspaces
         env:
@@ -69,11 +69,11 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: 1.2.9
+          terraform_version: 1.12.0
           terraform_wrapper: false
       - name: Initialize terraform
         run: terraform init -upgrade

.github/workflows/cleanup.yml

@@ -37,9 +37,18 @@ jobs:
       TF_WORKSPACE: ${{ github.repository_owner }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - name: Use Node.js lts/*
+        uses: actions/setup-node@v6
+        with:
+          node-version: lts/*
+          cache: ''
       - name: Initialize scripts
-        run: npm install && npm run build
+        run: pnpm install --frozen-lockfile && pnpm run build
         working-directory: scripts
       - name: Remove inactive members
         run: node lib/actions/remove-inactive-members.js

.github/workflows/fix.yml

@@ -35,7 +35,7 @@ jobs:
       skip-fix: ${{ steps.skip-fix.outputs.this }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - if: github.event_name == 'pull_request_target'
         env:
           NUMBER: ${{ github.event.pull_request.number }}
@@ -82,7 +82,7 @@ jobs:
       TF_VAR_write_delay_ms: 300
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - if: github.event_name == 'pull_request_target'
         env:
           NUMBER: ${{ github.event.pull_request.number }}
@@ -95,13 +95,22 @@ jobs:
       - name: Setup terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: 1.2.9
+          terraform_version: 1.12.0
           terraform_wrapper: false
       - name: Initialize terraform
         run: terraform init
         working-directory: terraform
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - name: Use Node.js lts/*
+        uses: actions/setup-node@v6
+        with:
+          node-version: lts/*
+          cache: ''
       - name: Initialize scripts
-        run: npm ci && npm run build
+        run: pnpm install --frozen-lockfile && pnpm run build
         working-directory: scripts
       - name: Fix
         id: fix
@@ -117,7 +126,7 @@ jobs:
       # NOTE(galargh, 2024-02-15): This will only work if GitHub as Code is used for a single organization
       - name: Comment on pull request
         if: github.event_name == 'pull_request_target' && steps.fix.outputs.comment
-        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
         with:
           header: fix
           number: ${{ github.event.pull_request.number }}
@@ -142,22 +151,24 @@ jobs:
           installation_retrieval_payload: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
           private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
           token: ${{ steps.token.outputs.token }}
           path: head
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           path: base
       - name: Download YAML configs
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: artifacts
       - name: Copy YAML configs
-        run: cp artifacts/**/*.yml head/github
+        run: |
+          shopt -s globstar
+          cp artifacts/**/*.yml head/github
       - name: Check if github was modified
         id: github-modified
         run: |

.github/workflows/labels.yml

@@ -35,9 +35,18 @@ jobs:
       TF_WORKSPACE: ${{ github.repository_owner }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - name: Use Node.js lts/*
+        uses: actions/setup-node@v6
+        with:
+          node-version: lts/*
+          cache: ''
       - name: Initialize scripts
-        run: npm install && npm run build
+        run: pnpm install --frozen-lockfile && pnpm run build
         working-directory: scripts
       - name: Sync
         run: node lib/actions/sync-labels.js

.github/workflows/plan.yml

@@ -25,7 +25,7 @@ jobs:
       workspaces: ${{ steps.workspaces.outputs.this }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - if: github.event_name == 'pull_request_target'
         env:
           NUMBER: ${{ github.event.pull_request.number }}
@@ -70,7 +70,7 @@ jobs:
       TF_VAR_write_delay_ms: 300
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - if: github.event_name == 'pull_request_target'
         env:
           NUMBER: ${{ github.event.pull_request.number }}
@@ -82,7 +82,7 @@ jobs:
       - name: Setup terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: 1.2.9
+          terraform_version: 1.12.0
           terraform_wrapper: false
       - name: Initialize terraform
         run: terraform init
@@ -112,7 +112,7 @@ jobs:
       AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - if: github.event_name == 'pull_request_target'
         env:
           NUMBER: ${{ github.event.pull_request.number }}
@@ -124,13 +124,13 @@ jobs:
       - name: Setup terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: 1.2.9
+          terraform_version: 1.12.0
           terraform_wrapper: false
       - name: Initialize terraform
         run: terraform init
         working-directory: terraform
       - name: Download terraform plans
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: terraform
       - name: Show terraform plans
@@ -157,7 +157,7 @@ jobs:
           echo 'EOF' >> $GITHUB_ENV
         working-directory: terraform
       - name: Comment on pull request
-        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
         with:
           header: plan
           number: ${{ github.event.pull_request.number }}

.github/workflows/sync.yml

@@ -12,6 +12,10 @@ on:
         description: Whether to acquire terraform state lock during sync
         required: false
         default: "true"
+      refresh:
+        description: Refresh terraform state before sync
+        required: false
+        default: "false"
 
 jobs:
   prepare:
@@ -24,7 +28,7 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Discover workspaces
         id: workspaces
         env:
@@ -63,11 +67,11 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: 1.2.9
+          terraform_version: 1.12.0
           terraform_wrapper: false
       - name: Initialize terraform
         run: terraform init -upgrade
@@ -77,15 +81,30 @@ jobs:
           terraform workspace select "${TF_WORKSPACE_OPT}" || terraform workspace new "${TF_WORKSPACE_OPT}"
           echo "TF_WORKSPACE=${TF_WORKSPACE_OPT}" >> $GITHUB_ENV
         working-directory: terraform
+      - name: Refresh terraform state
+        if: ${{ github.event.inputs.refresh == 'true' }}
+        run: |
+          echo "{}" > $TF_WORKSPACE.tfstate.json
+          terraform apply -refresh-only -auto-approve -lock=$TF_LOCK
+        working-directory: terraform
       - name: Pull terraform state
         run: |
           terraform show -json > $TF_WORKSPACE.tfstate.json
         working-directory: terraform
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - name: Use Node.js lts/*
+        uses: actions/setup-node@v6
+        with:
+          node-version: lts/*
+          cache: ''
       - name: Sync
         run: |
-          npm ci
-          npm run build
-          npm run main
+          pnpm install --frozen-lockfile
+          pnpm run build
+          pnpm run main
         working-directory: scripts
       - uses: ./.github/actions/git-config-user
       - env:
@@ -114,7 +133,7 @@ jobs:
           installation_retrieval_payload: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
           private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ steps.token.outputs.token }}
       - uses: ./.github/actions/git-config-user

.github/workflows/update.yml

@@ -20,8 +20,17 @@ jobs:
       run:
         shell: bash
     steps:
-      - uses: actions/checkout@v4
-      - run: npm ci && npm run build
+      - uses: actions/checkout@v5
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - name: Use Node.js lts/*
+        uses: actions/setup-node@v6
+        with:
+          node-version: lts/*
+          cache: ''
+      - run: pnpm install --frozen-lockfile && pnpm run build
         working-directory: scripts
       - name: Update PRs
         env:

CHANGELOG.md

@@ -23,6 +23,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - new args for repositories and branch protection rules
 
 ### Changed
+- **BREAKING**: added support for efficient labels handling via the `github_issue_labels` resource (please clean `github_issue_label.this.*` from the terraform state and update `locals_override.tf` and `resources_override.tf` before syncing)
+- **BREAKING**: upgraded to terraform 1.12.0 and github provider 6.6.0 (please clean `github_branch_protection.this.*` from the terraform state and update `resources_override.tf` before syncing the upgrade)
 - **BREAKING**: turned scripts into an ESM project (please ensure you remove the following files during the upgrade: `scripts/.eslintignore`, `scripts/.eslintrc.json`, `scripts/jest.config.js`, `jest.d.ts`, `jest.setup.ts`; please update your imports in the `scripts/src/actions/fix-yaml-config.ts` file to include the `.js` extension)
 - **BREAKING**: Updated the signatures of all the shared actions; now the runAction function will persist the changes to disk while action functions will operate on the in-memory state (please update your imports in the `scripts/src/actions/fix-yaml-config.ts` file accordingly)
 - Synchronization script: to use GitHub API directly instead of relying on TF GH Provider's Data Sources
@@ -47,8 +49,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - tf: to prevent destroy of membership and repository resources
 - apply: find sha for plan using proper credentials
 - updated upload and download artifacts actions to v4
+- switched from npm to pnpm
 
 ### Fixed
+- include labels in the config resources only if they are explicitly defined in the config
 - always assert state type when creating resources from state
 - do not break long file content lines
 - source TF_WORKING_DIR from env helper instead of process.env in locals helper

docs/ABOUT.md

@@ -47,7 +47,7 @@ Running the `Sync` GitHub Action workflows refreshes the underlying terraform st
 - [github_team_repository](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_repository)
 - [github_team_membership](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_membership)
 - [github_repository_file](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file)
-- [github_issue_label](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/issue_label)
+- [github_issue_labels](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/issue_labels)
 
 # Config Fix Rules
 

docs/EXAMPLE.yml

@@ -32,7 +32,6 @@ repositories: # This group defines repositories (https://registry.terraform.io/p
         require_conversation_resolution: false
         require_signed_commits: false
         required_linear_history: false
-        push_restrictions: [] # This field accepts node IDs (TODO: make this field accept human friendly names too)
         required_pull_request_reviews:
           dismiss_stale_reviews: false
           dismissal_restrictions: [] # This field accepts node IDs (TODO: make this field accept human friendly names too)