feat: Add support for Private Vulnerability Reporting by eslerm · Pull Request #2969 · integrations/terraform-provider-github

eslerm · 2025-12-05T02:08:13Z

Adds private_vulnerability_reporting to the github_repository resource's security_and_analysis block.

Implementation uses dedicated GitHub API endpoints rather than the repository Edit API, since PVR status is not included in the SecurityAndAnalysis response:

EnablePrivateReporting/DisablePrivateReporting for writes
IsPrivateReportingEnabled for reads
Gracefully handles repos where PVR is unavailable

Changes:

Add private_vulnerability_reporting schema field (Optional, Computed)
Add updatePrivateVulnerabilityReporting helper function
Fetch and merge PVR status separately in Read function
Add acceptance test for public repository PVR management
Add documentation for private_vulnerability_reporting field

Resolves #2399

cpanato

lgtm

+1

deiga · 2026-01-24T09:14:20Z

Hey @eslerm

Thank you for your contribution!

Could you change your approach here? Instead of adding a new field to github_repository please create a new resource.
~Every API endpoint should be a separate resource in Terraform as that makes dealing with edge-cases and errors a lot simpler and has the least potential for breaking State

eslerm · 2026-03-06T06:14:22Z

Rebased onto main and refactored per @deiga's feedback — private vulnerability reporting is now a standalone resource (github_repository_private_vulnerability_reporting) instead of a field on github_repository.

The resource follows the same pattern as github_repository_dependabot_security_updates:

repository (required, ForceNew) and enabled (required, bool) schema
CRUD via EnablePrivateReporting/DisablePrivateReporting/IsPrivateReportingEnabled APIs
Import by repository name

Additional improvements over the reference pattern:

404 handling in Read (gracefully removes from state if repo is deleted or PVR unavailable)
Archived repository handling in Delete via handleArchivedRepoDelete
Error wrapping with fmt.Errorf for better debugging context
Test for private repo rejection (PVR is public-only)
CheckDestroy validation in all test cases

Please let me know if I can make improvements!

deiga · 2026-03-06T22:13:21Z

+		Create: resourceGithubRepositoryPrivateVulnerabilityReportingCreateOrUpdate,
+		Read:   resourceGithubRepositoryPrivateVulnerabilityReportingRead,
+		Update: resourceGithubRepositoryPrivateVulnerabilityReportingCreateOrUpdate,
+		Delete: resourceGithubRepositoryPrivateVulnerabilityReportingDelete,
+		Importer: &schema.ResourceImporter{
+			State: resourceGithubRepositoryPrivateVulnerabilityReportingImport,


Please use the Context-aware functions here

deiga · 2026-03-06T22:25:52Z

+			"repository": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The GitHub repository.",
+			},


Please adopt the repo rename pattern which has been introduced:

Remove ForceNew

Add new Computed field repository_id

Add diffRepository to CustomizeDiff

deiga · 2026-03-06T22:26:02Z

+
+func resourceGithubRepositoryPrivateVulnerabilityReporting() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceGithubRepositoryPrivateVulnerabilityReportingCreateOrUpdate,


Please add a top-level Describe

deiga · 2026-03-06T22:27:17Z

+		return fmt.Errorf("error setting private vulnerability reporting for repository %s/%s: %w", owner, repoName, err)
+	}
+	d.SetId(repoName)
+	return resourceGithubRepositoryPrivateVulnerabilityReportingRead(d, meta)


Every CRUD function should have no calls to other CRUD functions

deiga · 2026-03-06T22:27:46Z

+	if err != nil {
+		var ghErr *github.ErrorResponse
+		if errors.As(err, &ghErr) && ghErr.Response.StatusCode == http.StatusNotFound {
+			log.Printf("[WARN] private vulnerability reporting not available for %s/%s, removing from state", owner, repoName)


Please use tflog

deiga · 2026-03-06T22:28:54Z

+
+	_ = d.Set("repository", repoName)
+
+	err := resourceGithubRepositoryPrivateVulnerabilityReportingRead(d, meta)


Do not call any CRUD functions directly

deiga · 2026-03-06T22:29:01Z

+func resourceGithubRepositoryPrivateVulnerabilityReportingImport(d *schema.ResourceData, meta any) ([]*schema.ResourceData, error) {
+	repoName := d.Id()
+
+	_ = d.Set("repository", repoName)


Do not swallow errors

deiga · 2026-03-06T22:29:33Z

+		checks := map[string]resource.TestCheckFunc{
+			"before": resource.ComposeTestCheckFunc(
+				resource.TestCheckResourceAttr(
+					"github_repository_private_vulnerability_reporting.test", "enabled",
+					"false",
+				),
+			),
+			"after": resource.ComposeTestCheckFunc(
+				resource.TestCheckResourceAttr(
+					"github_repository_private_vulnerability_reporting.test", "enabled",
+					"true",
+				),
+			),
+		}


Please don't use a separate variable for these

deiga · 2026-03-06T22:29:48Z

+			Steps: []resource.TestStep{
+				{
+					Config: config,
+					Check:  checks["before"],


Please use ConfigStateChecks instead

deiga · 2026-03-06T22:30:20Z

+					Config: strings.Replace(config,
+						enabled,
+						updatedEnabled, 1),


Please don't use strings.Replace on the config, rather use fmt.Sprintf

eslerm · 2026-03-09T06:04:50Z

Thank you @deiga 🙏

Add a standalone resource for managing private vulnerability reporting on GitHub repositories, modeled after github_repository_vulnerability_alerts: - Context-aware CRUD (CreateContext/ReadContext/UpdateContext/DeleteContext) - Computed repository_id with diffRepository CustomizeDiff so renames don't force replacement - tflog logging and propagated d.Set errors - 404 handling in Read (gracefully removes from state when PVR is unavailable or the repository is gone) - Archived repository handling in Delete via handleArchivedRepoDelete - Acceptance tests using ConfigStateChecks, with import and private-repo rejection coverage Closes integrations#2399

github-actions Bot added the Type: Feature New feature or request label Dec 5, 2025

cpanato approved these changes Dec 5, 2025

View reviewed changes

deiga added the Awaiting response label Jan 24, 2026

eslerm force-pushed the feature/private-vulnerability-reporting branch from 6e22178 to 69c7e18 Compare March 6, 2026 06:03

deiga requested changes Mar 6, 2026

View reviewed changes

eslerm force-pushed the feature/private-vulnerability-reporting branch from 69c7e18 to eb00224 Compare May 13, 2026 14:41

eslerm force-pushed the feature/private-vulnerability-reporting branch from eb00224 to deea2f3 Compare May 13, 2026 19:04


		_ = d.Set("repository", repoName)

		err := resourceGithubRepositoryPrivateVulnerabilityReportingRead(d, meta)

Conversation

eslerm commented Dec 5, 2025

Uh oh!

cpanato left a comment

Choose a reason for hiding this comment

Uh oh!

deiga commented Jan 24, 2026

Uh oh!

eslerm commented Mar 6, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

eslerm commented Mar 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants