diff --git a/examples/enterprise_settings/README.md b/examples/enterprise_settings/README.md new file mode 100644 index 0000000000..3a6bd9ae57 --- /dev/null +++ b/examples/enterprise_settings/README.md 
@@ -0,0 +1,172 @@ +# GitHub Enterprise Settings Example + +This example demonstrates how to configure GitHub Enterprise settings using the Terraform GitHub provider. + +## Overview + +Manage enterprise-level GitHub Actions settings with focused, composable resources: + +- **Actions Permissions**: Control which organizations can use GitHub Actions and what actions are allowed +- **Workflow Permissions**: Manage default GITHUB_TOKEN permissions and pull request review settings + +## Requirements + +- GitHub Enterprise account +- Personal access token with enterprise admin permissions +- Terraform >= 0.14 + +## Usage + +1. Set your environment variables: + +```bash +export TF_VAR_github_token="your_github_token" +export TF_VAR_enterprise_slug="your-enterprise-slug" +``` + +2. Initialize and apply: + +```bash +terraform init +terraform plan +terraform apply +``` + +## Configuration Examples + +### Basic Configuration - Allow All Actions + +```terraform +# Allow all actions for all organizations +resource "github_enterprise_actions_permissions" "basic" { + enterprise_slug = "my-enterprise" + + enabled_organizations = "all" + allowed_actions = "all" +} + +# Use restrictive workflow permissions +resource "github_enterprise_actions_workflow_permissions" "basic" { + enterprise_slug = "my-enterprise" + + default_workflow_permissions = "read" + can_approve_pull_request_reviews = false +} +``` + +### Advanced Configuration - Selective Permissions + +```terraform +# Selective actions and organizations +resource "github_enterprise_actions_permissions" "advanced" { + enterprise_slug = "my-enterprise" + + enabled_organizations = "selected" + allowed_actions = "selected" + + allowed_actions_config { + github_owned_allowed = true + verified_allowed = true + patterns_allowed = [ + "actions/cache@*", + "actions/checkout@*", + "my-org/custom-action@v1" + ] + } + + enabled_organizations_config { + organization_ids = [123456, 789012] # Replace with actual org IDs + } +} + +# More 
permissive workflow settings +resource "github_enterprise_actions_workflow_permissions" "advanced" { + enterprise_slug = "my-enterprise" + + default_workflow_permissions = "write" + can_approve_pull_request_reviews = true +} +``` + +## Available Enterprise Resources + +### Actions & Workflow Management +- **`github_enterprise_actions_permissions`** - Controls which organizations can use GitHub Actions and which actions are allowed to run +- **`github_enterprise_actions_workflow_permissions`** - Manages default GITHUB_TOKEN permissions and whether GitHub Actions can approve pull requests + +### Security & Analysis +- **`github_enterprise_security_analysis_settings`** - Manages Advanced Security, secret scanning, and code analysis features for new repositories + +### Additional Resources (Available) +- **`github_enterprise_actions_runner_group`** - Manages enterprise-level runner groups for GitHub Actions + +## Security Recommendations + +1. Use `"read"` workflow permissions by default +2. Disable pull request review approvals for security +3. Use `"selected"` actions policy to limit which actions can run +4. 
Store tokens securely using environment variables + +## Configuration Reference + +### Actions Settings + +- **`actions_enabled_organizations`**: Controls which organizations can run GitHub Actions + - `"all"` - All organizations in the enterprise + - `"none"` - No organizations + - `"selected"` - Only specified organizations (requires additional configuration) + +- **`actions_allowed_actions`**: Controls which actions can be run + - `"all"` - All actions and reusable workflows + - `"local_only"` - Only actions and workflows in the same repository/organization + - `"selected"` - Only specified actions (requires additional configuration) + +When `actions_allowed_actions` is set to `"selected"`, you can specify: + +- **`actions_github_owned_allowed`**: Allow GitHub-owned actions (e.g., `actions/checkout`) +- **`actions_verified_allowed`**: Allow verified Marketplace actions +- **`actions_patterns_allowed`**: List of specific action patterns to allow + +### Workflow Settings + +- **`default_workflow_permissions`**: Default permissions for the GITHUB_TOKEN + - `"read"` - Read-only permissions (recommended for security) + - `"write"` - Read and write permissions + +- **`can_approve_pull_request_reviews`**: Whether GitHub Actions can approve pull request reviews + - `true` - Actions can approve PR reviews + - `false` - Actions cannot approve PR reviews (recommended for security) + +## Security Considerations + +1. **Workflow Permissions**: Use `"read"` permissions by default and grant `"write"` only when necessary +2. **PR Approvals**: Disable `can_approve_pull_request_reviews` to prevent automated approval bypasses +3. **Action Restrictions**: Use `"selected"` for `actions_allowed_actions` to limit which actions can run +4. **Token Security**: Store your GitHub token securely and use environment variables + +## Limitations + +This resource currently supports a subset of enterprise settings available through the GitHub API. 
Additional settings like fork PR workflows, artifact retention, and self-hosted runner permissions are not yet supported by the go-github version used in this provider and will be added in future versions. + +## Import + +You can import existing enterprise settings: + +```bash +terraform import github_enterprise_settings.example my-enterprise +``` + +## Troubleshooting + +### Common Issues + +1. **Authentication**: Ensure your token has enterprise admin permissions +2. **Enterprise Access**: Verify you have access to the specified enterprise +3. **API Limits**: GitHub API has rate limits; consider adding delays for large configurations + +### Verification + +After applying, verify settings in the GitHub Enterprise dashboard: +1. Go to your enterprise settings +2. Navigate to "Policies" > "Actions" +3. Check that the configured settings match your Terraform configuration \ No newline at end of file diff --git a/examples/enterprise_settings/main.tf b/examples/enterprise_settings/main.tf new file mode 100644 index 0000000000..c73cf29c65 --- /dev/null +++ b/examples/enterprise_settings/main.tf 
@@ -0,0 +1,122 @@ +terraform { + required_providers { + github = { + source = "integrations/github" + version = "~> 6.0" + } + } +} + +provider "github" { + token = var.github_token +} + +variable "github_token" { + description = "GitHub personal access token with enterprise admin permissions" + type = string + sensitive = true +} + +variable "enterprise_slug" { + description = "The GitHub Enterprise slug" + type = string +} + +# Basic Enterprise Actions Permissions - Allow all actions for all organizations +resource "github_enterprise_actions_permissions" "basic" { + enterprise_slug = var.enterprise_slug + + enabled_organizations = "all" + allowed_actions = "all" +} + +# Basic Enterprise Workflow Permissions - Restrictive settings +resource "github_enterprise_actions_workflow_permissions" "basic" { + enterprise_slug = var.enterprise_slug + + default_workflow_permissions = "read" + can_approve_pull_request_reviews = false +} + +# Advanced Enterprise Actions Permissions - Selective configuration +resource "github_enterprise_actions_permissions" "advanced" { + enterprise_slug = var.enterprise_slug + + enabled_organizations = "selected" + allowed_actions = "selected" + + # Configure allowed actions when "selected" policy is used + allowed_actions_config { + github_owned_allowed = true + verified_allowed = true + patterns_allowed = [ + "actions/cache@*", + "actions/checkout@*", + "actions/setup-node@*", + "actions/setup-python@*", + "actions/upload-artifact@*", + "actions/download-artifact@*", + "my-org/custom-action@v1" + ] + } + + # Configure enabled organizations when "selected" policy is used + enabled_organizations_config { + organization_ids = [123456, 789012] # Replace with actual org IDs + } +} + +# Advanced Enterprise Workflow Permissions - Permissive settings +resource "github_enterprise_actions_workflow_permissions" "advanced" { + enterprise_slug = var.enterprise_slug + + default_workflow_permissions = "write" + can_approve_pull_request_reviews = true +} + 
+# Security Analysis Settings - Enable security features for new repositories +resource "github_enterprise_security_analysis_settings" "example" { + enterprise_slug = var.enterprise_slug + + advanced_security_enabled_for_new_repositories = true + secret_scanning_enabled_for_new_repositories = true + secret_scanning_push_protection_enabled_for_new_repositories = true + secret_scanning_validity_checks_enabled = true + secret_scanning_push_protection_custom_link = "https://octokit.com/security-help" +} + +output "basic_enterprise_actions" { + description = "Basic enterprise actions permissions configuration" + value = { + enterprise_slug = github_enterprise_actions_permissions.basic.enterprise_slug + enabled_organizations = github_enterprise_actions_permissions.basic.enabled_organizations + allowed_actions = github_enterprise_actions_permissions.basic.allowed_actions + } +} + +output "basic_enterprise_workflow" { + description = "Basic enterprise workflow permissions configuration" + value = { + enterprise_slug = github_enterprise_actions_workflow_permissions.basic.enterprise_slug + default_workflow_permissions = github_enterprise_actions_workflow_permissions.basic.default_workflow_permissions + can_approve_pull_request_reviews = github_enterprise_actions_workflow_permissions.basic.can_approve_pull_request_reviews + } +} + +output "advanced_enterprise_actions" { + description = "Advanced enterprise actions permissions configuration" + value = { + enterprise_slug = github_enterprise_actions_permissions.advanced.enterprise_slug + enabled_organizations = github_enterprise_actions_permissions.advanced.enabled_organizations + allowed_actions = github_enterprise_actions_permissions.advanced.allowed_actions + } +} + +output "advanced_enterprise_workflow" { + description = "Advanced enterprise workflow permissions configuration" + value = { + enterprise_slug = github_enterprise_actions_workflow_permissions.advanced.enterprise_slug + default_workflow_permissions = 
github_enterprise_actions_workflow_permissions.advanced.default_workflow_permissions + can_approve_pull_request_reviews = github_enterprise_actions_workflow_permissions.advanced.can_approve_pull_request_reviews + } +} \ No newline at end of file diff --git a/github/provider.go b/github/provider.go index 8d24bf6c43..5f280d3a5e 100644 --- a/github/provider.go +++ b/github/provider.go @@ -202,6 +202,8 @@ func Provider() *schema.Provider { "github_user_ssh_key": resourceGithubUserSshKey(), "github_enterprise_organization": resourceGithubEnterpriseOrganization(), "github_enterprise_actions_runner_group": resourceGithubActionsEnterpriseRunnerGroup(), + "github_enterprise_actions_workflow_permissions": resourceGithubEnterpriseActionsWorkflowPermissions(), + "github_enterprise_security_analysis_settings": resourceGithubEnterpriseSecurityAnalysisSettings(), "github_workflow_repository_permissions": resourceGithubWorkflowRepositoryPermissions(), }, diff --git a/github/resource_github_enterprise_actions_workflow_permissions.go b/github/resource_github_enterprise_actions_workflow_permissions.go new file mode 100644 index 0000000000..a8a925d753 --- /dev/null +++ b/github/resource_github_enterprise_actions_workflow_permissions.go 
@@ -0,0 +1,117 @@ +package github + +import ( + "context" + "log" + + "github.com/google/go-github/v67/github" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" +) + +func resourceGithubEnterpriseActionsWorkflowPermissions() *schema.Resource { + return &schema.Resource{ + Description: "GitHub Enterprise Actions Workflow Permissions management.", + Create: resourceGithubEnterpriseActionsWorkflowPermissionsCreateOrUpdate, + Read: resourceGithubEnterpriseActionsWorkflowPermissionsRead, + Update: resourceGithubEnterpriseActionsWorkflowPermissionsCreateOrUpdate, + Delete: resourceGithubEnterpriseActionsWorkflowPermissionsDelete, + Importer: &schema.ResourceImporter{ + StateContext: schema.ImportStatePassthroughContext, + }, + + Schema: map[string]*schema.Schema{ + "enterprise_slug": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "The slug of the enterprise.", + }, + "default_workflow_permissions": { + Type: schema.TypeString, + Optional: true, + Default: "read", + Description: "The default workflow permissions granted to the GITHUB_TOKEN when running workflows. 
Can be 'read' or 'write'.", + ValidateFunc: validation.StringInSlice([]string{"read", "write"}, false), + }, + "can_approve_pull_request_reviews": { + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Whether GitHub Actions can approve pull request reviews.", + }, + }, + } +} + +func resourceGithubEnterpriseActionsWorkflowPermissionsCreateOrUpdate(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + ctx := context.Background() + + enterpriseSlug := d.Get("enterprise_slug").(string) + d.SetId(enterpriseSlug) + + workflowPerms := github.DefaultWorkflowPermissionEnterprise{} + + if v, ok := d.GetOk("default_workflow_permissions"); ok { + workflowPerms.DefaultWorkflowPermissions = github.String(v.(string)) + } + + if v, ok := d.GetOk("can_approve_pull_request_reviews"); ok { + workflowPerms.CanApprovePullRequestReviews = github.Bool(v.(bool)) + } + + log.Printf("[DEBUG] Updating workflow permissions for enterprise: %s", enterpriseSlug) + _, _, err := client.Actions.EditDefaultWorkflowPermissionsInEnterprise(ctx, enterpriseSlug, workflowPerms) + if err != nil { + return err + } + + return resourceGithubEnterpriseActionsWorkflowPermissionsRead(d, meta) +} + +func resourceGithubEnterpriseActionsWorkflowPermissionsRead(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + ctx := context.Background() + + enterpriseSlug := d.Id() + log.Printf("[DEBUG] Reading workflow permissions for enterprise: %s", enterpriseSlug) + + workflowPerms, _, err := client.Actions.GetDefaultWorkflowPermissionsInEnterprise(ctx, enterpriseSlug) + if err != nil { + return err + } + + if err := d.Set("enterprise_slug", enterpriseSlug); err != nil { + return err + } + if err := d.Set("default_workflow_permissions", workflowPerms.DefaultWorkflowPermissions); err != nil { + return err + } + if err := d.Set("can_approve_pull_request_reviews", workflowPerms.CanApprovePullRequestReviews); err != nil { + return err + 
} + + return nil +} + +func resourceGithubEnterpriseActionsWorkflowPermissionsDelete(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + ctx := context.Background() + + enterpriseSlug := d.Id() + log.Printf("[DEBUG] Resetting workflow permissions to defaults for enterprise: %s", enterpriseSlug) + + // Reset to safe defaults + workflowPerms := github.DefaultWorkflowPermissionEnterprise{ + DefaultWorkflowPermissions: github.String("read"), + CanApprovePullRequestReviews: github.Bool(false), + } + + _, _, err := client.Actions.EditDefaultWorkflowPermissionsInEnterprise(ctx, enterpriseSlug, workflowPerms) + if err != nil { + return err + } + + return nil +} diff --git a/github/resource_github_enterprise_actions_workflow_permissions_test.go b/github/resource_github_enterprise_actions_workflow_permissions_test.go new file mode 100644 index 0000000000..fe84172a60 --- /dev/null +++ b/github/resource_github_enterprise_actions_workflow_permissions_test.go 
@@ -0,0 +1,159 @@ +package github + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" +) + +func TestAccGithubEnterpriseActionsWorkflowPermissions(t *testing.T) { + + t.Run("creates enterprise workflow permissions without error", func(t *testing.T) { + + config := fmt.Sprintf(` + resource "github_enterprise_actions_workflow_permissions" "test" { + enterprise_slug = "%s" + + default_workflow_permissions = "read" + can_approve_pull_request_reviews = false + } + `, testEnterprise) + + check := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", "enterprise_slug", testEnterprise), + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", "default_workflow_permissions", "read"), + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", "can_approve_pull_request_reviews", "false"), + ) + + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: config, + Check: check, + }, + }, + }) + } + + t.Run("with an enterprise account", func(t *testing.T) { + if isEnterprise != "true" { + t.Skip("Skipping because `ENTERPRISE_ACCOUNT` is not set or set to false") + } + if testEnterprise == "" { + t.Skip("Skipping because `ENTERPRISE_SLUG` is not set") + } + testCase(t, enterprise) + }) + }) + + t.Run("updates enterprise workflow permissions without error", func(t *testing.T) { + + configs := map[string]string{ + "before": fmt.Sprintf(` + resource "github_enterprise_actions_workflow_permissions" "test" { + enterprise_slug = "%s" + + default_workflow_permissions = "read" + can_approve_pull_request_reviews = false + } + `, testEnterprise), + + "after": fmt.Sprintf(` + resource "github_enterprise_actions_workflow_permissions" "test" { + enterprise_slug = "%s" + + 
default_workflow_permissions = "write" + can_approve_pull_request_reviews = true + } + `, testEnterprise), + } + + checks := map[string]resource.TestCheckFunc{ + "before": resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", "default_workflow_permissions", "read"), + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", "can_approve_pull_request_reviews", "false"), + ), + "after": resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", "default_workflow_permissions", "write"), + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", "can_approve_pull_request_reviews", "true"), + ), + } + + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: configs["before"], + Check: checks["before"], + }, + { + Config: configs["after"], + Check: checks["after"], + }, + }, + }) + } + + t.Run("with an enterprise account", func(t *testing.T) { + if isEnterprise != "true" { + t.Skip("Skipping because `ENTERPRISE_ACCOUNT` is not set or set to false") + } + if testEnterprise == "" { + t.Skip("Skipping because `ENTERPRISE_SLUG` is not set") + } + testCase(t, enterprise) + }) + }) + + t.Run("imports enterprise workflow permissions without error", func(t *testing.T) { + + config := fmt.Sprintf(` + resource "github_enterprise_actions_workflow_permissions" "test" { + enterprise_slug = "%s" + + default_workflow_permissions = "read" + can_approve_pull_request_reviews = false + } + `, testEnterprise) + + check := resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", "enterprise_slug", testEnterprise), + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", 
"default_workflow_permissions", "read"), + resource.TestCheckResourceAttr("github_enterprise_actions_workflow_permissions.test", "can_approve_pull_request_reviews", "false"), + ) + + testCase := func(t *testing.T, mode string) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { skipUnlessMode(t, mode) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: config, + Check: check, + }, + { + ResourceName: "github_enterprise_actions_workflow_permissions.test", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) + } + + t.Run("with an enterprise account", func(t *testing.T) { + if isEnterprise != "true" { + t.Skip("Skipping because `ENTERPRISE_ACCOUNT` is not set or set to false") + } + if testEnterprise == "" { + t.Skip("Skipping because `ENTERPRISE_SLUG` is not set") + } + testCase(t, enterprise) + }) + }) +} diff --git a/github/resource_github_enterprise_security_analysis_settings.go b/github/resource_github_enterprise_security_analysis_settings.go new file mode 100644 index 0000000000..8426315064 --- /dev/null +++ b/github/resource_github_enterprise_security_analysis_settings.go 
@@ -0,0 +1,156 @@ +package github + +import ( + "context" + "log" + + "github.com/google/go-github/v67/github" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func resourceGithubEnterpriseSecurityAnalysisSettings() *schema.Resource { + return &schema.Resource{ + Description: "GitHub Enterprise Security Analysis Settings management.", + Create: resourceGithubEnterpriseSecurityAnalysisSettingsCreateOrUpdate, + Read: resourceGithubEnterpriseSecurityAnalysisSettingsRead, + Update: resourceGithubEnterpriseSecurityAnalysisSettingsCreateOrUpdate, + Delete: resourceGithubEnterpriseSecurityAnalysisSettingsDelete, + Importer: &schema.ResourceImporter{ + StateContext: schema.ImportStatePassthroughContext, + }, + + Schema: map[string]*schema.Schema{ + "enterprise_slug": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "The slug of the enterprise.", + }, + "advanced_security_enabled_for_new_repositories": { + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Whether GitHub Advanced Security is automatically enabled for new repositories.", + }, + "secret_scanning_enabled_for_new_repositories": { + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Whether secret scanning is automatically enabled for new repositories.", + }, + "secret_scanning_push_protection_enabled_for_new_repositories": { + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Whether secret scanning push protection is automatically enabled for new repositories.", + }, + "secret_scanning_push_protection_custom_link": { + Type: schema.TypeString, + Optional: true, + Description: "Custom URL for secret scanning push protection bypass instructions.", + }, + "secret_scanning_validity_checks_enabled": { + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Whether secret scanning validity checks are enabled.", + }, + }, + } +} + +func 
resourceGithubEnterpriseSecurityAnalysisSettingsCreateOrUpdate(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + ctx := context.Background() + + enterpriseSlug := d.Get("enterprise_slug").(string) + d.SetId(enterpriseSlug) + + settings := &github.EnterpriseSecurityAnalysisSettings{} + + if v, ok := d.GetOk("advanced_security_enabled_for_new_repositories"); ok { + settings.AdvancedSecurityEnabledForNewRepositories = github.Bool(v.(bool)) + } + + if v, ok := d.GetOk("secret_scanning_enabled_for_new_repositories"); ok { + settings.SecretScanningEnabledForNewRepositories = github.Bool(v.(bool)) + } + + if v, ok := d.GetOk("secret_scanning_push_protection_enabled_for_new_repositories"); ok { + settings.SecretScanningPushProtectionEnabledForNewRepositories = github.Bool(v.(bool)) + } + + if v, ok := d.GetOk("secret_scanning_push_protection_custom_link"); ok { + settings.SecretScanningPushProtectionCustomLink = github.String(v.(string)) + } + + if v, ok := d.GetOk("secret_scanning_validity_checks_enabled"); ok { + settings.SecretScanningValidityChecksEnabled = github.Bool(v.(bool)) + } + + log.Printf("[DEBUG] Updating security analysis settings for enterprise: %s", enterpriseSlug) + _, err := client.Enterprise.UpdateCodeSecurityAndAnalysis(ctx, enterpriseSlug, settings) + if err != nil { + return err + } + + return resourceGithubEnterpriseSecurityAnalysisSettingsRead(d, meta) +} + +func resourceGithubEnterpriseSecurityAnalysisSettingsRead(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + ctx := context.Background() + + enterpriseSlug := d.Id() + log.Printf("[DEBUG] Reading security analysis settings for enterprise: %s", enterpriseSlug) + + settings, _, err := client.Enterprise.GetCodeSecurityAndAnalysis(ctx, enterpriseSlug) + if err != nil { + return err + } + + if err := d.Set("enterprise_slug", enterpriseSlug); err != nil { + return err + } + if err := 
d.Set("advanced_security_enabled_for_new_repositories", settings.AdvancedSecurityEnabledForNewRepositories); err != nil { + return err + } + if err := d.Set("secret_scanning_enabled_for_new_repositories", settings.SecretScanningEnabledForNewRepositories); err != nil { + return err + } + if err := d.Set("secret_scanning_push_protection_enabled_for_new_repositories", settings.SecretScanningPushProtectionEnabledForNewRepositories); err != nil { + return err + } + if err := d.Set("secret_scanning_push_protection_custom_link", settings.SecretScanningPushProtectionCustomLink); err != nil { + return err + } + if err := d.Set("secret_scanning_validity_checks_enabled", settings.SecretScanningValidityChecksEnabled); err != nil { + return err + } + + return nil +} + +func resourceGithubEnterpriseSecurityAnalysisSettingsDelete(d *schema.ResourceData, meta interface{}) error { + client := meta.(*Owner).v3client + ctx := context.Background() + + enterpriseSlug := d.Id() + log.Printf("[DEBUG] Resetting security analysis settings to defaults for enterprise: %s", enterpriseSlug) + + // Reset to safe defaults (all disabled) + settings := &github.EnterpriseSecurityAnalysisSettings{ + AdvancedSecurityEnabledForNewRepositories: github.Bool(false), + SecretScanningEnabledForNewRepositories: github.Bool(false), + SecretScanningPushProtectionEnabledForNewRepositories: github.Bool(false), + SecretScanningPushProtectionCustomLink: github.String(""), + SecretScanningValidityChecksEnabled: github.Bool(false), + } + + _, err := client.Enterprise.UpdateCodeSecurityAndAnalysis(ctx, enterpriseSlug, settings) + if err != nil { + return err + } + + return nil +} diff --git a/website/docs/r/enterprise_actions_workflow_permissions.html.markdown b/website/docs/r/enterprise_actions_workflow_permissions.html.markdown new file mode 100644 index 0000000000..d4a179e64d --- /dev/null +++ b/website/docs/r/enterprise_actions_workflow_permissions.html.markdown 
@@ -0,0 +1,64 @@ +--- +layout: "github" +page_title: "GitHub: github_enterprise_actions_workflow_permissions" +description: |- + Manages GitHub Actions workflow permissions for a GitHub Enterprise. +--- + +# github_enterprise_actions_workflow_permissions + +This resource allows you to manage GitHub Actions workflow permissions for a GitHub Enterprise account. This controls the default permissions granted to the GITHUB_TOKEN when running workflows and whether GitHub Actions can approve pull request reviews. + +You must have enterprise admin access to use this resource. + +## Example Usage + +```hcl +# Basic workflow permissions configuration +resource "github_enterprise_actions_workflow_permissions" "example" { + enterprise_slug = "my-enterprise" + + default_workflow_permissions = "read" + can_approve_pull_request_reviews = false +} + +# Allow write permissions and PR approvals +resource "github_enterprise_actions_workflow_permissions" "permissive" { + enterprise_slug = "my-enterprise" + + default_workflow_permissions = "write" + can_approve_pull_request_reviews = true +} +``` + +## Argument Reference + +The following arguments are supported: + +* `enterprise_slug` - (Required) The slug of the enterprise. + +* `default_workflow_permissions` - (Optional) The default workflow permissions granted to the GITHUB_TOKEN when running workflows. Can be `read` or `write`. Defaults to `read`. + +* `can_approve_pull_request_reviews` - (Optional) Whether GitHub Actions can approve pull request reviews. Defaults to `false`. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The enterprise slug. + +## Import + +Enterprise Actions workflow permissions can be imported using the enterprise slug: + +``` +terraform import github_enterprise_actions_workflow_permissions.example my-enterprise +``` + +## Notes + +~> **Note:** This resource requires a GitHub Enterprise account and enterprise admin permissions. 
+ +When this resource is destroyed, the workflow permissions will be reset to safe defaults: +- `default_workflow_permissions` = `read` +- `can_approve_pull_request_reviews` = `false` \ No newline at end of file diff --git a/website/docs/r/enterprise_security_analysis_settings.html.markdown b/website/docs/r/enterprise_security_analysis_settings.html.markdown new file mode 100644 index 0000000000..cfc949cdd6 --- /dev/null +++ b/website/docs/r/enterprise_security_analysis_settings.html.markdown 
@@ -0,0 +1,83 @@ +--- +layout: "github" +page_title: "GitHub: github_enterprise_security_analysis_settings" +description: |- + Manages GitHub Enterprise security analysis settings. +--- + +# github_enterprise_security_analysis_settings + +This resource allows you to manage code security and analysis settings for a GitHub Enterprise account. This controls Advanced Security, Secret Scanning, and related security features that are automatically enabled for new repositories in the enterprise. + +You must have enterprise admin access to use this resource. + +## Example Usage + +```hcl +# Basic security settings - enable secret scanning only +resource "github_enterprise_security_analysis_settings" "basic" { + enterprise_slug = "my-enterprise" + + secret_scanning_enabled_for_new_repositories = true +} + +# Full security configuration with all features enabled +resource "github_enterprise_security_analysis_settings" "comprehensive" { + enterprise_slug = "my-enterprise" + + advanced_security_enabled_for_new_repositories = true + secret_scanning_enabled_for_new_repositories = true + secret_scanning_push_protection_enabled_for_new_repositories = true + secret_scanning_validity_checks_enabled = true + secret_scanning_push_protection_custom_link = "https://octokit.com/security-guidelines" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `enterprise_slug` - (Required) The slug of the enterprise. + +* `advanced_security_enabled_for_new_repositories` - (Optional) Whether GitHub Advanced Security is automatically enabled for new repositories. Defaults to `false`. Requires Advanced Security license. + +* `secret_scanning_enabled_for_new_repositories` - (Optional) Whether secret scanning is automatically enabled for new repositories. Defaults to `false`. + +* `secret_scanning_push_protection_enabled_for_new_repositories` - (Optional) Whether secret scanning push protection is automatically enabled for new repositories. Defaults to `false`. 
+ +* `secret_scanning_push_protection_custom_link` - (Optional) Custom URL for secret scanning push protection bypass instructions. + +* `secret_scanning_validity_checks_enabled` - (Optional) Whether secret scanning validity checks are enabled. Defaults to `false`. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The enterprise slug. + +## Import + +Enterprise security analysis settings can be imported using the enterprise slug: + +``` +terraform import github_enterprise_security_analysis_settings.example my-enterprise +``` + +## Notes + +~> **Note:** This resource requires a GitHub Enterprise account and enterprise admin permissions. + +~> **Note:** Advanced Security features require a GitHub Advanced Security license. + +When this resource is destroyed, all security analysis settings will be reset to disabled defaults for security reasons. + +## Dependencies + +This resource manages the following security features: + +- **Advanced Security**: Code scanning, secret scanning, and dependency review +- **Secret Scanning**: Automatic detection of secrets in code +- **Push Protection**: Prevents secrets from being committed to repositories +- **Validity Checks**: Verifies that detected secrets are actually valid + +These settings only apply to **new repositories** created after the settings are enabled. Existing repositories are not affected and must be configured individually. \ No newline at end of file diff --git a/website/github.erb b/website/github.erb index 7122ba338e..e7b6c6a61b 100644 --- a/website/github.erb +++ b/website/github.erb @@ -226,6 +226,9 @@
  • github_enterprise_actions_permissions
  • +
  • + github_enterprise_settings +
  • github_actions_organization_secret
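Review bot: In the README hunk, the "Configuration Reference" and "Import" sections do not match the resources this PR actually registers. The reference documents `actions_enabled_organizations`, `actions_allowed_actions`, `actions_github_owned_allowed`, `actions_verified_allowed` and `actions_patterns_allowed`, while the examples above them (and `main.tf`) use `enabled_organizations`, `allowed_actions` and an `allowed_actions_config { github_owned_allowed = ... }` block; rename the reference entries to the real argument names. The import example `terraform import github_enterprise_settings.example my-enterprise` refers to a resource type that does not exist in `provider.go`; replace it with one import line per new resource (`github_enterprise_actions_workflow_permissions.example` and `github_enterprise_security_analysis_settings.example`). The "Limitations" paragraph also opens with "This resource" although the README covers several resources.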
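Review bot: In the `main.tf` hunk, `github_enterprise_actions_permissions.basic` / `.advanced` and `github_enterprise_actions_workflow_permissions.basic` / `.advanced` all target the same `var.enterprise_slug`, but each of these settings is a single enterprise-wide value. Applying this file will write `read`/`false` and then `write`/`true` to the same setting, the last writer wins, and every subsequent `terraform plan` will show drift on the losing resource. Keep one instance of each resource per enterprise in the example (or gate the "advanced" blocks behind a variable with `count`) so the example does not teach a configuration that silently leaves the permissive values in place.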
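Review bot: In `resourceGithubEnterpriseActionsWorkflowPermissionsCreateOrUpdate`, `d.GetOk("can_approve_pull_request_reviews")` returns `ok == false` whenever the value is `false` (the zero value), which is also the schema `Default`. The field is therefore never sent to the API when the user wants it disabled, so an enterprise that currently has `true` cannot be switched back to `false` through this resource, and the "safe" configuration in the docs is not enforced. Read it with `d.Get("can_approve_pull_request_reviews").(bool)` and always populate both `DefaultWorkflowPermissions` and `CanApprovePullRequestReviews` before calling `EditDefaultWorkflowPermissionsInEnterprise`; the Read function will then also see the value it expects.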
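Review bot: The "updates enterprise workflow permissions" test only transitions from `read`/`false` to `write`/`true`, so it cannot detect the case where a `false` value is dropped on update. Add a third step that returns to `default_workflow_permissions = "read"` and `can_approve_pull_request_reviews = false` and checks both attributes; that step would also leave the shared test enterprise in the restrictive state rather than the permissive one after the test run.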
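Review bot: `resourceGithubEnterpriseSecurityAnalysisSettingsCreateOrUpdate` has the same `GetOk` problem for all five boolean arguments: each defaults to `false`, so an explicit `false` is never written to `settings` and the API call leaves the existing enterprise value untouched. Use `d.Get(...)` for the booleans so a transition from `true` to `false` is actually applied. Two smaller points: this resource ships without a `_test.go` file, while the workflow-permissions resource has one, so an acceptance test with create, update and import steps should be added; and the description of `secret_scanning_push_protection_custom_link` should say that this URL is shown to developers whose push was blocked, so the example should point at an internal policy page rather than a placeholder domain.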
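Review bot: In the `enterprise_security_analysis_settings.html.markdown` hunk, the closing sentence "These settings only apply to new repositories" is not true for every argument: `secret_scanning_validity_checks_enabled` is an enterprise-wide switch (its name carries no `_for_new_repositories` suffix), and `secret_scanning_push_protection_custom_link` is a single link used by push protection everywhere. Qualify that sentence so it covers only the three `*_for_new_repositories` arguments. The "Dependencies" heading also reads oddly for a list of features the resource toggles; "Managed features" would describe the section.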
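Review bot: The `website/github.erb` hunk adds a sidebar entry named `github_enterprise_settings`, which matches neither new resource and has no corresponding file under `website/docs/r/` in this PR, so the link will be dead. Replace it with two entries, `github_enterprise_actions_workflow_permissions` and `github_enterprise_security_analysis_settings`, pointing at the two `.html.markdown` files added in this change.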