Refreshing stack with an org secret in it deleted the secret from the stack (but not GitHub) when it shouldn't have

[pierskarsenbarg]

Hello!

• Vote on this issue by adding a 👍 reaction
• To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

When creating an organization secret and assigning it to a repository, then refreshing the stack the secret resource is deleted from the stack but not from GitHub. Also, the secret should never be deleted from the stack or GitHub, we're just running a refresh

Steps to reproduce

1. Clone this repo: https://github.com/pierskarsenbarg/github-secrets
2. Add org name and GitHub access token to config (pulumi config set github:owner {organization name} followed by pulumi config set github:token {token} - token can be created from here)
3. Run pulumi up to create resources
4. Run pulumi refresh without changing anything. You'll see the ActionsOrganizationSecret marked for deletion. If you then select yes you'll see that the resource is deleted from the stack, but if you look at the organization secrets in GitHub, you'll see that the secret is still there

Expected:

Nothing to happen

Actual:

GitHub org secret resource is deleted from the stack

[MitchellGerdisch]

This is an issue from the underlying TF provider:
integrations/terraform-provider-github#974

You can work around this bug by using the embedded selectedRepositoryIds in the ActionsOrganizationSecret resource itself instead of using the separate ActionsOrganizationSecretRepositories resource.