Add clearer error for user when trying to add to an archived repository

deiga · deiga · commit a48ea4fa040d · 2026-03-30T09:08:29.000+03:00
Signed-off-by: Timo Sand &lt;timo.sand@f-secure.com&gt;
diff --git a/github/resource_github_repository_vulnerability_alerts.go b/github/resource_github_repository_vulnerability_alerts.go
@@ -2,8 +2,13 @@ package github
 
 import (
 	"context"
+	"errors"
+	"fmt"
+	"net/http"
 	"strconv"
+	"strings"
 
+	"github.com/google/go-github/v83/github"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -59,14 +64,14 @@ func resourceGithubRepositoryVulnerabilityAlertsCreate(ctx context.Context, d *s
 
 	vulnerabilityAlertsEnabled := d.Get("enabled").(bool)
 	if vulnerabilityAlertsEnabled {
-		_, err := client.Repositories.EnableVulnerabilityAlerts(ctx, owner, repoName)
+		resp, err := client.Repositories.EnableVulnerabilityAlerts(ctx, owner, repoName)
 		if err != nil {
-			return diag.FromErr(err)
+			return diag.FromErr(handleVulnerabilityAlertsErrorOnArchivedRepository(err, resp, repoName))
 		}
 	} else {
-		_, err := client.Repositories.DisableVulnerabilityAlerts(ctx, owner, repoName)
+		resp, err := client.Repositories.DisableVulnerabilityAlerts(ctx, owner, repoName)
 		if err != nil {
-			return diag.FromErr(err)
+			return diag.FromErr(handleVulnerabilityAlertsErrorOnArchivedRepository(err, resp, repoName))
 		}
 	}
 	repo, _, err := client.Repositories.Get(ctx, owner, repoName)
@@ -162,3 +167,14 @@ func resourceGithubRepositoryVulnerabilityAlertsImport(ctx context.Context, d *s
 
 	return []*schema.ResourceData{d}, nil
 }
+
+func handleVulnerabilityAlertsErrorOnArchivedRepository(err error, resp *github.Response, repoName string) error {
+	var ghErr *github.ErrorResponse
+	if errors.As(err, &ghErr) {
+		// Error response when trying to enable vulnerability alerts on an archived repository. "422 Failed to change dependabot alerts status"
+		if resp.StatusCode == http.StatusUnprocessableEntity && strings.Contains(strings.ToLower(ghErr.Message), "failed to change dependabot alerts status") {
+			return fmt.Errorf("failed to change vulnerability alerts for repository %s. The repository is most likely archived: %s", repoName, ghErr.Message)
+		}
+	}
+	return err
+}
diff --git a/github/resource_github_repository_vulnerability_alerts_test.go b/github/resource_github_repository_vulnerability_alerts_test.go
@@ -2,6 +2,7 @@ package github
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/compare"
@@ -246,6 +247,45 @@ func TestAccGithubRepositoryVulnerabilityAlerts(t *testing.T) {
 		})
 	})
 
+	t.Run("creates_on_archived_repository_with_error)", func(t *testing.T) {
+		randomID := acctest.RandString(5)
+		repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID)
+
+		repoConfig := `
+			resource "github_repository" "test" {
+				name       = "%s"
+				visibility = "private"
+				auto_init  = true
+				archived   = %t
+			}
+			%s
+		`
+
+		alertsBlock := `
+			resource "github_repository_vulnerability_alerts" "test" {
+				repository = github_repository.test.name
+				enabled    = true
+			}
+		`
+
+		resource.Test(t, resource.TestCase{
+			PreCheck:          func() { skipUnauthenticated(t) },
+			ProviderFactories: providerFactories,
+			Steps: []resource.TestStep{
+				{
+					Config: fmt.Sprintf(repoConfig, repoName, false, ""),
+				},
+				{
+					Config: fmt.Sprintf(repoConfig, repoName, true, ""),
+				},
+				{
+					Config:      fmt.Sprintf(repoConfig, repoName, true, alertsBlock),
+					ExpectError: regexp.MustCompile(`repository is most likely archived`),
+				},
+			},
+		})
+	})
+
 	t.Run("creates_on_public_repo_without_error", func(t *testing.T) {
 		randomID := acctest.RandString(5)
 		repoName := fmt.Sprintf("%svuln-alerts-%s", testResourcePrefix, randomID)
