ActionsOrganizationSecret: Updates delete but do not create the secret. #250

Open
MitchellGerdisch opened this issue Oct 5, 2022 · 2 comments
Labels
kind/bug Some behavior is incorrect or out of spec

MitchellGerdisch commented Oct 5, 2022

What happened?

An update to a github.ActionsOrganizationSecret resource results in the resource being replaced (expected), but the secret is deleted and then not recreated, and no error message is given. Pulumi indicates that everything worked as expected, but going to GitHub to see the secret shows it is deleted.

Steps to reproduce

Using the code provided below, do the following:

  1. pulumi up -y
  2. Go to the GitHub organization and see that the "TESTSECRET" secret is created.
  3. Change the plaintext field to something else.
  4. pulumi up -y (this will require replacing the secret)
  5. See that the pulumi up completes as expected with no errors.
  6. Go to GitHub and see that the secret is no longer there.
  7. WORKAROUND: Use the deleteBeforeReplace resource option.

TEST CODE:

import * as github from "@pulumi/github";

const secret = new github.ActionsOrganizationSecret("secret", {
    secretName: "testsecret",
    visibility: "private",
    plaintextValue: "mysecret",
}, 
// { deleteBeforeReplace: true}
)

Expected Behavior

Without the deleteBeforeReplace setting, I would expect some error to be presented instead of silently failing with indications of success.

Actual Behavior

The pulumi up that replaces the secret completes with no error message but the secret is deleted and not recreated.

Output of pulumi about

CLI          
Version      3.40.2
Go Version   go1.19.1
Go Compiler  gc

Plugins
NAME    VERSION
github  4.17.0
nodejs  unknown

Host     
OS       darwin
Version  12.5.1
Arch     x86_64

This project is written in nodejs: executable='/Users/mitch/.nvm/versions/node/v18.0.0/bin/node' version='v18.0.0'

Current Stack: dev

TYPE                                                              URN
pulumi:pulumi:Stack                                               urn:pulumi:dev::github-org-testing::pulumi:pulumi:Stack::github-org-testing-dev
pulumi:providers:github                                           urn:pulumi:dev::github-org-testing::pulumi:providers:github::default_4_17_0
github:index/actionsOrganizationSecret:ActionsOrganizationSecret  urn:pulumi:dev::github-org-testing::github:index/actionsOrganizationSecret:ActionsOrganizationSecret::secret


Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/xxxxxx
User           xxxxxxx
Organizations  xxxxx

Dependencies:
NAME            VERSION
@pulumi/github  4.17.0
@pulumi/pulumi  3.40.2
@types/node     14.18.31

Pulumi locates its logs in /var/folders/qp/6k0zsrj13rz5ll53hsmlksvw0000gq/T/ by default

Additional context

Workaround is to use deleteBeforeReplace: true

@MitchellGerdisch MitchellGerdisch added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Oct 5, 2022
@MitchellGerdisch
Author

Forgot to mention that using the TF provider directly works as expected. So it appears to be specific to the bridged provider.

Here's TF code that can be used to test:

terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "5.2.0"
    }
  }
}

# Configure the GitHub Provider
provider "github" {
  token = "XXXXXXXXXX"
  owner = "YYYYYYYYYY"

}

resource "github_actions_organization_secret" "tf_example_secret" {
  secret_name     = "tf_example_secret_name"
  visibility      = "private"
  plaintext_value = "mybadsecret"
}

@lblackstone lblackstone removed the needs-triage Needs attention from the triage team label Oct 5, 2022
Harjot1Singh added a commit to shabados/infrastructure that referenced this issue Oct 22, 2023
Previously, replacements were deleting the secret after the replacement had completed, meaning the secret itself is no longer present

See pulumi/pulumi-github#250

cbruun commented Nov 10, 2023

The same behavior occurs with ActionsSecret.
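
Because the replacement reports success while the secret is gone, a post-deploy check against GitHub's REST API (`GET /orgs/{org}/actions/secrets/{secret_name}`, or the `/repos/{owner}/{repo}/...` form for the ActionsSecret case) catches the failure. The following is an added example, not code from the issue or from the provider; the function names, verdict labels and the "stale" rule are assumptions of this sketch.

```typescript
// Added example, not from the issue. Scope values and names are hypothetical.
type SecretScope =
  | { kind: "org"; org: string }
  | { kind: "repo"; owner: string; repo: string };
type Verdict = "present-and-updated" | "stale" | "missing" | "error";
// Minimal HTTP GET shape so any client (e.g. Node 18 fetch) can be plugged in.
type Get = (url: string, headers: Record<string, string>) =>
  Promise<{ status: number; json(): Promise<unknown> }>;

// REST path that returns a secret's metadata (name, timestamps), never its value.
function secretPath(scope: SecretScope, name: string): string {
  const n = encodeURIComponent(name);
  return scope.kind === "org"
    ? `/orgs/${encodeURIComponent(scope.org)}/actions/secrets/${n}`
    : `/repos/${encodeURIComponent(scope.owner)}/` +
      `${encodeURIComponent(scope.repo)}/actions/secrets/${n}`;
}

// Classify the API response against the time `pulumi up` started.
function classify(status: number, body: unknown, deployStarted: Date): Verdict {
  if (status === 404) return "missing"; // the silent failure reported in this issue
  if (status !== 200 || typeof body !== "object" || body === null) return "error";
  const updatedAt = (body as { updated_at?: unknown }).updated_at;
  if (typeof updatedAt !== "string") return "error";
  const updated = Date.parse(updatedAt);
  if (Number.isNaN(updated)) return "error";
  // The API reports timestamps to the second, so compare at that granularity.
  const started = Math.floor(deployStarted.getTime() / 1000) * 1000;
  return updated >= started ? "present-and-updated" : "stale";
}

// Fetch the secret's metadata and classify it; `get` performs the HTTP request.
async function verifySecret(get: Get, token: string, scope: SecretScope,
                            name: string, deployStarted: Date): Promise<Verdict> {
  const res = await get("https://api.github.com" + secretPath(scope, name), {
    Accept: "application/vnd.github+json",
    Authorization: `Bearer ${token}`,
  });
  const body = res.status === 200 ? await res.json() : null;
  return classify(res.status, body, deployStarted);
}
```

Run it after `pulumi up` with `(url, headers) => fetch(url, { headers })` as `get`, and fail the pipeline on any verdict other than "present-and-updated".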
