Fix Support for Github Environment Secrets' Lifecycle Ignore Changes #2651

Open
wants to merge 1 commit into
base: main

Conversation

@bshore-bf bshore-bf commented May 3, 2025

Resolves #2288


Before the change?

Modifying a GitHub Environment Secret value from Terraform or externally in GitHub while using a lifecycle ignore_changes block always results in secret creation.

After the change?

Modifying a GitHub Environment Secret value from Terraform or externally in GitHub no longer causes secret creation, and the lifecycle ignore_changes block is respected.

Notably, with this change a terraform plan without the ignore_changes block now appropriately states that a GitHub Environment Secret value must be replaced rather than just "created".

Terraform will perform the following actions:

  # github_actions_environment_secret.no_ignore must be replaced
-/+ resource "github_actions_environment_secret" "no_ignore" {
      ~ created_at      = "2025-05-03 18:42:21 +0000 UTC" -> (known after apply)
      + encrypted_value = (sensitive value) # forces replacement
      ~ id              = "gh-provider-tf-testing:test-environment:SECRET_WITHOUT_IGNORE" -> (known after apply)
      ~ updated_at      = "2025-05-03 18:42:21 +0000 UTC" -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Pull request checklist

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

Manual test Terraform code

terraform {
  required_providers {
    github = {
      source                = "integrations/github"
      version               = ">=6.6"
      configuration_aliases = [github.primary]
    }
  }
  required_version = "~>1.7"
}

provider "github" {
  alias = "primary"
  owner = "your owner config name here"
}

resource "github_repository" "repository" {
  provider = github.primary

  name        = "gh-provider-tf-testing"
  description = "Testing stuff with the GitHub TF Provider."

  visibility = "private"
}

resource "github_repository_environment" "environment" {
  provider = github.primary

  environment = "test-environment"
  repository  = github_repository.repository.name
}

# Secret whose value changes Terraform is told to ignore. With the fix, a plan
# run after the value is changed (in Terraform or in GitHub) shows no action here.
resource "github_actions_environment_secret" "ignore" {
  provider = github.primary

  repository      = github_repository.repository.name
  environment     = github_repository_environment.environment.environment
  secret_name     = "SECRET_WITH_IGNORE"
  encrypted_value = base64sha256("placeholder")

  lifecycle {
    ignore_changes = [encrypted_value]
  }
}

# Control secret without ignore_changes. A changed value should plan as
# "must be replaced" (-/+), not as a fresh create.
resource "github_actions_environment_secret" "no_ignore" {
  provider = github.primary

  repository      = github_repository.repository.name
  environment     = github_repository_environment.environment.environment
  secret_name     = "SECRET_WITHOUT_IGNORE"
  encrypted_value = base64sha256("placeholder")
}
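The before/after behaviour described in the PR is easiest to verify mechanically from the JSON form of a plan rather than by reading the human-readable output above. The script below is an added example and is not part of this pull request or of the integrations/github provider: it reads `terraform show -json <planfile>` output (the `resource_changes[].change.actions` and `change.replace_paths` fields of that format), lists every secret resource the plan would create, replace or delete, and exits non-zero when a secret would be replaced or deleted. The embedded sample plan is constructed by hand to mirror the two secrets in the manual test configuration (`ignore` left alone, `no_ignore` replaced because `encrypted_value` changed); the script name `check_secret_plan.py` and the set of resource types it watches are choices made for this example.

```python
"""Flag GitHub secret resources that a Terraform plan would create,
replace or delete. Added example; assumes the `terraform show -json` layout."""
import json
import sys

# Provider resource types that carry secret values; which ones to watch is a
# choice made for this example.
SECRET_TYPES = frozenset({
    "github_actions_environment_secret",
    "github_actions_secret",
    "github_dependabot_secret",
})

# Constructed sample plan (not real terraform output). "ignore" is untouched
# because ignore_changes is respected; "no_ignore" is replaced (-/+) because
# encrypted_value changed; the repository update is noise the check must skip.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "github_actions_environment_secret.ignore",
            "type": "github_actions_environment_secret",
            "name": "ignore",
            "change": {"actions": ["no-op"]},
        },
        {
            "address": "github_actions_environment_secret.no_ignore",
            "type": "github_actions_environment_secret",
            "name": "no_ignore",
            "change": {
                "actions": ["delete", "create"],
                "replace_paths": [["encrypted_value"]],
            },
        },
        {
            "address": "github_repository.repository",
            "type": "github_repository",
            "name": "repository",
            "change": {"actions": ["update"]},
        },
    ],
})


def classify_actions(actions):
    """Collapse Terraform's action list into one label. A replacement is
    ["delete", "create"] (reversed under create_before_destroy)."""
    a = list(actions)
    if a == ["no-op"]:
        return "no-op"
    if a in (["create"], ["update"], ["delete"], ["read"]):
        return a[0]
    if sorted(a) == ["create", "delete"]:
        return "replace"
    return "other"


def secret_changes(plan_json):
    """Return every non-no-op change to a secret resource in the plan."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in SECRET_TYPES:
            continue
        change = rc.get("change", {})
        action = classify_actions(change.get("actions", []))
        if action == "no-op":
            continue
        # replace_paths names the attributes that forced a replacement.
        forced_by = [
            ".".join(str(step) for step in path)
            for path in change.get("replace_paths", [])
        ]
        findings.append(
            {"address": rc["address"], "action": action, "forced_by": forced_by}
        )
    return findings


def plan_is_safe(plan_json, allow_create=True):
    """False if any secret would be replaced, deleted or changed in an
    unrecognised way. New secrets are allowed by default; pass
    allow_create=False to also catch a "create" for a secret that should
    already exist, which is the symptom the PR fixes."""
    blocking = {"replace", "delete", "other"}
    if not allow_create:
        blocking.add("create")
    return not any(f["action"] in blocking for f in secret_changes(plan_json))


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python check_secret_plan.py plan.json
    # With no argument the constructed sample plan is checked instead.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    for finding in secret_changes(src):
        forced = ", ".join(finding["forced_by"]) or "-"
        print(f"{finding['address']}: {finding['action']} (forced by: {forced})")
    sys.exit(0 if plan_is_safe(src) else 1)
```

Run against the sample, the script reports only `github_actions_environment_secret.no_ignore: replace (forced by: encrypted_value)` and exits 1, which is the expected shape of a plan with the fix applied; the pre-fix behaviour described in the PR would instead surface as a `create` for a secret that is already in state, which `plan_is_safe(src, allow_create=False)` catches.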

@bshore-bf force-pushed the support-environment-secrets-lifecycle-ignore-changes branch from 64d236b to 70adeac on May 7, 2025 at 21:57
Successfully merging this pull request may close these issues.

[BUG]: github_actions_environment_secret to be created again if secret value had been changed UI