fix: Add etag diff suppression to remaining resources (supersedes #3311)

[mtb-xt]

This is #3311 by @ei-grad, rebased onto current main (the original branch had fallen 64 commits behind). All commits retain original authorship; review feedback from that PR is already incorporated. Opening this to keep the fix moving — @ei-grad, happy to close in favor of yours if you'd rather rebase the original.

Summary

PR #2840 added DiffSuppressFunc and DiffSuppressOnRefresh to etag fields in 7 resources to prevent spurious diffs on plan/apply. This PR applies the same fix to the remaining 22 resources that were missed:

• github_actions_runner_group
• github_branch_protection_v3
• github_emu_group_mapping
• github_enterprise_actions_runner_group
• github_issue
• github_membership
• github_organization_project
• github_organization_ruleset
• github_organization_webhook
• github_project_card
• github_project_column
• github_release
• github_repository_autolink_reference
• github_repository_deploy_key
• github_repository_ruleset
• github_team
• github_team_membership
• github_team_repository
• github_team_sync_group_mapping
• github_user_gpg_key
• github_user_ssh_key
• organization_block

TestEtagSchemaConsistency covers all 29 resources (7 existing + 22 new) and runs InternalValidate on each.

Answering the open review questions from #3311

Why Optional: true on the etag fields? (thread) — The SDK requires it: InternalValidate rejects DiffSuppressFunc on Computed-only fields with "There is no config for computed-only field, nothing to compare." This matches how the 7 resources fixed in #2840 are declared.

What's the benefit of running InternalValidate in the consistency test? (thread) — It guards exactly the constraint above: if someone later removes Optional from an etag field (a natural-looking cleanup — it was in fact requested in the first review round), the test fails immediately instead of the provider breaking at runtime. The two review threads on #3311 are each other's justification.

Real-world impact

The etag churn makes no-op plans non-reproducible: a planfile saved at PR-review time never byte-matches the apply-time plan, which breaks plan-equality gates in CI (e.g. atmos terraform plan-diff / Cloud Posse's terraform-apply GitHub Action). Byte-level evidence from our production environment: a no-op plan differs from its immediate re-plan in 6 of 7352 lines — five occurrences of a refreshed github_repository_ruleset etag, plus the plan timestamp. lifecycle.ignore_changes = [etag] cannot work around this since the attribute is provider-managed. Downstream report with details: https://github.com/orgs/cloudposse/discussions/125

Verification

• go build ./..., go vet ./github/ clean
• Full unit suite passes; all 28 TestEtagSchemaConsistency subtests pass
• Audited resources added to main since the original PR — no new etag fields need coverage

Fixes #3103
Fixes #3291
Likely fixes #3085

[github-actions]

👋 Hi, and thank you for this contribution!

This repo is maintained by GitHub and community members on a best-effort basis. We'll get to this as soon as we can.

You can help us prioritize by joining the discussion on open issues and PRs, sharing details on the changes you need, and reviewing other contributions.

---

_{🤖 This is an automated message.}

[Copilot]

Pull request overview

These provider review instructions are being used. No blocking findings found.

This PR extends the etag diff suppression fix from PR #2840 to the remaining 22 resources that were missed. It adds Optional: true, DiffSuppressFunc (always returns true), and DiffSuppressOnRefresh: true to all etag schema fields across the provider, preventing spurious plan diffs caused by etag value changes on refresh. The test suite is extended to validate the pattern across all 29 resources.

Changes:

• Added Optional: true, DiffSuppressFunc, and DiffSuppressOnRefresh: true to etag fields in 22 resources
• Extended TestEtagSchemaConsistency to cover all 29 resources (7 existing + 22 new)
• Added InternalValidate call in the test to guard against future regressions if Optional is removed

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
github/resource_github_actions_runner_group.go	Add etag diff suppression
github/resource_github_branch_protection_v3.go	Add etag diff suppression
github/resource_github_emu_group_mapping.go	Add etag diff suppression
github/resource_github_enterprise_actions_runner_group.go	Add etag diff suppression
github/resource_github_issue.go	Add etag diff suppression
github/resource_github_membership.go	Add etag diff suppression
github/resource_github_organization_project.go	Add etag diff suppression
github/resource_github_organization_ruleset.go	Add etag diff suppression
github/resource_github_organization_webhook.go	Add etag diff suppression
github/resource_github_project_card.go	Add etag diff suppression
github/resource_github_project_column.go	Add etag diff suppression
github/resource_github_release.go	Add etag diff suppression
github/resource_github_repository_autolink_reference.go	Add etag diff suppression
github/resource_github_repository_deploy_key.go	Add etag diff suppression
github/resource_github_repository_ruleset.go	Add etag diff suppression
github/resource_github_team.go	Add etag diff suppression
github/resource_github_team_membership.go	Add etag diff suppression
github/resource_github_team_repository.go	Add etag diff suppression
github/resource_github_team_sync_group_mapping.go	Add etag diff suppression
github/resource_github_user_gpg_key.go	Add etag diff suppression
github/resource_github_user_ssh_key.go	Add etag diff suppression
github/resource_organization_block.go	Add etag diff suppression
github/resource_github_etag_unit_test.go	Extend consistency test to cover all 29 resources with InternalValidate