fix: allow empty required_workflow blocks in required_workflows rule #3301

Open
sc0rp10 wants to merge 2 commits into integrations:main from sc0rp10:fix/allow-empty-required-workflows
sc0rp10 commented Mar 24, 2026

Resolves #3217


Before the change?

  • The required_workflow sub-block inside required_workflows was defined with Required: true and MinItems: 1, forcing users to specify at least one workflow.
  • This made it impossible to represent or import rulesets created in the GitHub UI with "Require workflows to pass" enabled but no specific workflows configured.

After the change?

  • Changed required_workflow from Required: true to Optional: true and removed the MinItems: 1 constraint.
  • An empty required_workflows {} block (with no required_workflow sub-blocks) is now valid, matching the behavior of the GitHub UI and API.

Pull request checklist

  • Schema migrations have been created if needed (example)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

  • Yes
  • No

The GitHub UI and API allow creating a required_workflows rule without
specifying any workflows. However, the Terraform schema enforced
MinItems: 1 and Required: true on the required_workflow sub-block,
making it impossible to represent or import such rulesets.

Change required_workflow from Required to Optional and remove the
MinItems constraint so that an empty workflow list is accepted.

Fixes integrations#3217
@github-actions

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@github-actions github-actions bot added the Type: Bug Something isn't working as documented label Mar 24, 2026
Validates that a required_workflows rule with no required_workflow
sub-blocks is accepted, matching GitHub UI/API behavior.
Collaborator

deiga commented Mar 24, 2026

@sc0rp10 Thanks for the PR!

Question: Does the "Require workflows to pass" toggle without specified workflows do anything? AFAIK it only affects specified workflows

Author

sc0rp10 commented Mar 24, 2026

@deiga Thanks for the review!

You're right that an empty required_workflows rule doesn't actively block anything — with no workflows specified, there's nothing to enforce. However, the GitHub UI and API both allow this state, which creates a practical problem for the provider:

  1. Import failures: A user enables "Require workflows to pass" in the UI without adding specific workflows (e.g., intending to add them later). When they try to terraform import that ruleset, it fails because the provider rejects the empty workflow list.
  2. Plan/apply drift: If a ruleset is managed in Terraform and someone removes all workflows via the UI, terraform plan can't represent the current state, leading to confusing errors.

The provider should faithfully represent any state the API can return. Since the API accepts and returns required_workflows with an empty workflows array, the provider should too.

Author

sc0rp10 commented Mar 24, 2026

To add more context: the primary use case here is enforcing that PRs have successful checks before merge. The "Require workflows to pass" toggle in rulesets serves as a gate — even without specifying particular workflows, it enforces that PR checks must succeed. Without being able to represent this state in Terraform, users are forced to disable the rule entirely, losing that enforcement.

Collaborator

deiga commented Mar 24, 2026

Even if the UI allows you to specify an empty list of required workflows, it doesn't do anything. The UI states "Require all changes made to a targeted branch to pass the specified workflows before they can be merged." and the API has similar wording https://docs.github.com/en/rest/orgs/rules?apiVersion=2026-03-10#create-an-organization-repository-ruleset

There is no use-case for the provider to allow this.

> The provider should faithfully represent any state the API can return.

This is not true, the provider should be an abstraction layer on top of the API

> the primary use case here is enforcing that PRs have successful checks before merge. The "Require workflows to pass" toggle in rulesets serves as a gate

I think you're mixing something up. required_workflows is a way to ensure all Org PRs have a shared workflow run. When you talk about "enforcing that PRs have successful checks before merge", then you might mean required_status_checks. Which also needs a specified list of status checks.

AFAIK Import doesn't fail if only the boolean has been set, it would just cause drift. Can you show me output of a failing import?
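
Added example, not part of the PR or of the provider's code: a Go check that lists rulesets in the state this thread is about, a workflows rule with no workflows listed, so they can be found and reviewed. The JSON field names (`rules`, `type: "workflows"`, `parameters.workflows`) are assumed to follow the REST API ruleset object linked above; the sample data and the function name are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample; field names are assumed to follow the REST API
// ruleset objects linked in the thread.
const sampleRulesets = `[
 {"name":"org-ci","rules":[{"type":"workflows","parameters":{"workflows":[
   {"path":".github/workflows/ci.yml","repository_id":1,"ref":"refs/heads/main"}]}}]},
 {"name":"placeholder","rules":[{"type":"workflows","parameters":{"workflows":[]}}]},
 {"name":"no-params","rules":[{"type":"deletion"},{"type":"workflows"}]}
]`

type ruleset struct {
	Name  string `json:"name"`
	Rules []struct {
		Type       string `json:"type"`
		Parameters struct {
			Workflows []json.RawMessage `json:"workflows"`
		} `json:"parameters"`
	} `json:"rules"`
}

// EmptyWorkflowRules returns the names of rulesets that carry a "workflows"
// rule listing zero workflows (empty array, null, or missing parameters).
func EmptyWorkflowRules(data []byte) ([]string, error) {
	var sets []ruleset
	if err := json.Unmarshal(data, &sets); err != nil {
		return nil, fmt.Errorf("decode rulesets: %w", err)
	}
	var flagged []string
	for _, rs := range sets {
		for _, r := range rs.Rules {
			if r.Type == "workflows" && len(r.Parameters.Workflows) == 0 {
				flagged = append(flagged, rs.Name)
				break // one finding per ruleset is enough
			}
		}
	}
	return flagged, nil
}

func main() {
	names, err := EmptyWorkflowRules([]byte(sampleRulesets))
	fmt.Println(names, err)
}
```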

Labels

Type: Bug Something isn't working as documented

Development

Successfully merging this pull request may close these issues.

[BUG]: required_workflows rule cannot represent empty workflows list (UI / API inconsistency)

2 participants