From 2f1bde717c8b2f890586d27747672a9d44afe0af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fatih=20T=C3=BCrken?= Date: Tue, 9 Sep 2025 14:16:39 +0300 Subject: [PATCH 1/5] Update dependecies to fix CVEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fatih Türken --- cluster/images/provider-upjet-github/Dockerfile | 2 +- go.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cluster/images/provider-upjet-github/Dockerfile b/cluster/images/provider-upjet-github/Dockerfile index 0b66de44..ebee07de 100644 --- a/cluster/images/provider-upjet-github/Dockerfile +++ b/cluster/images/provider-upjet-github/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.19.1 +FROM alpine:3.22.1 RUN apk --no-cache add ca-certificates bash ARG TARGETOS diff --git a/go.mod b/go.mod index de64b1ee..d31900c2 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/crossplane-contrib/provider-upjet-github -go 1.23.0 +go 1.23.12 require ( dario.cat/mergo v1.0.2 From 5c288450bcfa096989a9bb1d4954d4224f983662 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Sep 2025 18:41:55 +0000 Subject: [PATCH 2/5] chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 (#221) --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 633a5ce6..d07b96e6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,7 +38,7 @@ jobs: with: submodules: true - name: Setup Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5 with: go-version: ${{ env.GO_VERSION }} - name: Find the Go Build Cache 
@@ -74,7 +74,7 @@ jobs: with: submodules: true - name: Setup Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5 with: go-version: ${{ env.GO_VERSION }} - name: Install goimports @@ -110,7 +110,7 @@ jobs: - name: Fetch History run: git fetch --prune --unshallow - name: Setup Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5 with: go-version: ${{ env.GO_VERSION }} - name: Find the Go Build Cache @@ -149,7 +149,7 @@ jobs: - name: Fetch History run: git fetch --prune --unshallow - name: Setup Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5 with: go-version: ${{ env.GO_VERSION }} - name: Find the Go Build Cache From 70faa44706584056b3d40711b689525a3a408599 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Sep 2025 18:42:46 +0000 Subject: [PATCH 3/5] chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 (#222) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d07b96e6..ff74d1c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -133,7 +133,7 @@ jobs: - name: Run Unit Tests run: make -j2 test - name: Publish Unit Test Coverage - uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v1 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v1 with: flags: unittests file: _output/tests/linux_amd64/coverage.txt From 03788cf97b8da9bfcaa7bb3d755edc807bd689f8 Mon Sep 17 00:00:00 2001 From: Tim Tattersall Date: Sun, 31 Aug 2025 15:19:53 +1000 Subject: [PATCH 4/5] feat: prevent reconfiguring terraform setups for the same providerconfig 
Signed-off-by: Tim Tattersall --- internal/clients/github.go | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/internal/clients/github.go b/internal/clients/github.go index 33332a76..de87ea32 100644 --- a/internal/clients/github.go +++ b/internal/clients/github.go @@ -7,6 +7,7 @@ package clients import ( "context" "encoding/json" + "sync" "github.com/crossplane/crossplane-runtime/pkg/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" @@ -139,6 +140,9 @@ func terraformProviderConfigurationBuilder(creds githubConfig) (terraform.Provid // TerraformSetupBuilder builds Terraform a terraform.SetupFn function which returns Terraform provider setup configuration func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn { + var tfSetupLock sync.RWMutex + tfSetups := make(map[string]*terraform.Setup) + return func(ctx context.Context, client client.Client, mg resource.Managed) (terraform.Setup, error) { ps := terraform.Setup{} @@ -147,6 +151,14 @@ func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn { return ps, errors.New(errNoProviderConfig) } + tfSetupLock.Lock() + defer tfSetupLock.Unlock() + + tfSetup, ok := tfSetups[configRef.Name] + if ok { + return *tfSetup, nil + } + pc := &v1beta1.ProviderConfig{} if err := client.Get(ctx, types.NamespacedName{Name: configRef.Name}, pc); err != nil { return ps, errors.Wrap(err, errGetProviderConfig) @@ -163,8 +175,10 @@ func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn { } creds := githubConfig{} - if err := json.Unmarshal(data, &creds); err != nil { - return ps, errors.Wrap(err, errUnmarshalCredentials) + if data != nil { + if err := json.Unmarshal(data, &creds); err != nil { + return ps, errors.Wrap(err, errUnmarshalCredentials) + } } ps.Configuration, err = terraformProviderConfigurationBuilder(creds) 
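Review bot: In the `@@ -147,6 +151,14 @@` hunk, `tfSetupLock.Lock()` with `defer tfSetupLock.Unlock()` keeps the exclusive lock for the rest of the closure, so on a cache miss the ProviderConfig `client.Get`, the JSON decode and `configureNoForkGithubClient` all run while every other reconcile, for any ProviderConfig name, waits on the mutex. The lock is declared as `sync.RWMutex` in the `@@ -139,6 +140,9 @@` hunk but `RLock` is never taken, so cache hits serialize as well. Holding the read lock only for the map lookup and the write lock only for the store (in the `@@ -172,7 +186,14 @@` hunk) takes the I/O out of the critical section. Two concurrent misses for the same name would then both build a setup and the later store wins, which looks acceptable here but should be confirmed. The closure body continues outside these hunks.

```go
		// … unchanged: configRef nil check …

		tfSetupLock.RLock()
		tfSetup, ok := tfSetups[configRef.Name]
		tfSetupLock.RUnlock()
		if ok {
			return *tfSetup, nil
		}

		// … unchanged: ProviderConfig Get, credential extraction, provider configuration, configureNoForkGithubClient …

		tfSetupLock.Lock()
		tfSetups[configRef.Name] = &ps
		tfSetupLock.Unlock()

		return ps, nil
```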
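Review bot: The new `if data != nil` guard in the `@@ -163,8 +175,10 @@` hunk lets a nil credentials payload fall through with a zero-value `githubConfig{}`, where the old code returned `errUnmarshalCredentials` because `json.Unmarshal` rejects empty input. Whether `terraformProviderConfigurationBuilder` rejects empty credentials is not visible in this hunk; if it does not, a ProviderConfig with a missing secret payload is configured without credentials, and with the cache added in this commit that setup is stored and reused. The commit message does not mention this change, so either add a comment naming the credential source that legitimately yields nil data, e.g. `// data is nil when <credential source> supplies no secret payload; creds stay zero-valued`, or keep the failure with `if len(data) == 0 { return ps, errors.New(errUnmarshalCredentials) }`.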
@@ -172,7 +186,14 @@ func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn { return ps, errors.Wrap(err, errProviderConfigurationBuilder) } - return ps, errors.Wrap(configureNoForkGithubClient(ctx, &ps, *tfProvider), "failed to configure the Terraform Github provider meta") + err = configureNoForkGithubClient(ctx, &ps, *tfProvider) + if err != nil { + return ps, errors.Wrap(err, "failed to configure the Terraform Github provider meta") + } + + tfSetups[configRef.Name] = &ps + + return ps, nil } } From d783d77a1a4c9d0c0762554a7bbda5ad6176dac1 Mon Sep 17 00:00:00 2001 From: Tim Tattersall Date: Tue, 16 Sep 2025 21:26:57 +1000 Subject: [PATCH 5/5] feat: add expiry to tfSetup cache Signed-off-by: Tim Tattersall --- internal/clients/github.go | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/internal/clients/github.go b/internal/clients/github.go index de87ea32..d148b61d 100644 --- a/internal/clients/github.go +++ b/internal/clients/github.go @@ -8,6 +8,7 @@ import ( "context" "encoding/json" "sync" + "time" "github.com/crossplane/crossplane-runtime/pkg/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" 
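Review bot: `tfSetups[configRef.Name] = &ps` in the `@@ -172,7 +186,14 @@` hunk caches a pointer to the setup that is also returned by value, and the cache-hit path returns `*tfSetup`, which is a shallow copy. Any map or pointer fields of `terraform.Setup` (the `Configuration` built above, and whatever `configureNoForkGithubClient` attaches through `&ps`) are therefore shared by every reconcile that uses the same ProviderConfig, outside `tfSetupLock`. Whether any consumer mutates them is not visible from this hunk; if one does, it is a data race. I would state the contract next to the store: `// Cached setups are shared across reconciles; callers must treat Configuration and Meta as read-only.`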
@@ -138,10 +139,24 @@ func terraformProviderConfigurationBuilder(creds githubConfig) (terraform.Provid } +// The terraform provider currently doesn't refresh installation tokens automatically +// Therefore, the terraform provider config needs to be refreshed at least every hour +// Once this PR is merged to terraform provider, the cache expiry can be removed +// https://github.com/integrations/terraform-provider-github/pull/2695 + +type CachedTerraformSetup struct { + setup *terraform.Setup + expiry time.Time +} + +const ( + tfSetupCacheTTL = time.Minute * 55 +) + // TerraformSetupBuilder builds Terraform a terraform.SetupFn function which returns Terraform provider setup configuration func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn { var tfSetupLock sync.RWMutex - tfSetups := make(map[string]*terraform.Setup) + tfSetups := make(map[string]CachedTerraformSetup) return func(ctx context.Context, client client.Client, mg resource.Managed) (terraform.Setup, error) { ps := terraform.Setup{} @@ -155,8 +170,8 @@ func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn { defer tfSetupLock.Unlock() tfSetup, ok := tfSetups[configRef.Name] - if ok { - return *tfSetup, nil + if ok && tfSetup.expiry.After(time.Now()) { + return *tfSetup.setup, nil } pc := &v1beta1.ProviderConfig{} @@ -191,7 +206,10 @@ func TerraformSetupBuilder(tfProvider *schema.Provider) terraform.SetupFn { return ps, errors.Wrap(err, "failed to configure the Terraform Github provider meta") } - tfSetups[configRef.Name] = &ps + tfSetups[configRef.Name] = CachedTerraformSetup{ + setup: &ps, + expiry: time.Now().Add(tfSetupCacheTTL), + } return ps, nil
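Review bot: `CachedTerraformSetup` in the `@@ -138,10 +139,24 @@` hunk is exported although its fields are unexported and, in the lines shown, it is only used inside `TerraformSetupBuilder`; naming it `cachedTerraformSetup` would keep it out of the package API. The explanatory comment is separated from the type by a blank line, so it is not a doc comment, and what it explains is the TTL rather than the type. I would move it onto the constant, e.g. `// tfSetupCacheTTL stays below the one-hour lifetime of installation tokens, which the Terraform provider does not refresh yet (integrations/terraform-provider-github#2695).`, and give the type its own one-line comment.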
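Review bot: In the `@@ -155,8 +170,8 @@` hunk, `tfSetup.expiry.After(time.Now())` is the only thing that invalidates an entry, and the lookup runs before the ProviderConfig is read, so a ProviderConfig that was edited or deleted, or a credential secret that was rotated or revoked, keeps being served from the cache for up to `tfSetupCacheTTL` (55 minutes). For credential revocation that window should be either closed or documented next to the constant. One option is to do the `client.Get` first and store `pc.GetResourceVersion()` in the cache entry, treating a mismatch as a miss; that catches ProviderConfig edits and deletion but not a change to the referenced secret alone, which would need its own version check. Expired entries are also only overwritten, never deleted, so the names of removed ProviderConfigs stay in the map. The closure body continues outside this hunk.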