Add github_code_security_configuration resource#3542
Conversation
|
👋 Hi, and thank you for this contribution! This repo is maintained by GitHub and community members on a best-effort basis. We'll get to this as soon as we can. You can help us prioritize by joining the discussion on open issues and PRs, sharing details on the changes you need, and reviewing other contributions. 🤖 This is an automated message. |
Adds org- and enterprise-level management of GitHub Code Security Configurations, including /defaults and /attach sub-endpoints.
Covers org-level create/update and import, plus enterprise-level create/update/import using the <enterprise_slug>:<id> import format.
Docs regenerated with make generatedocs.
0eb3a73 to
232b4cd
Compare
There was a problem hiding this comment.
Pull request overview
These provider review instructions are being used. Adds organization- and enterprise-level GitHub Code Security Configuration management. Blocking reliability and test issues are noted inline.
Changes:
- Adds full CRUD and import support.
- Registers the resource and adds acceptance tests.
- Adds examples and generated documentation.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
github/resource_github_code_security_configuration.go |
Implements schema, CRUD, import, defaults, and attachment behavior. |
github/resource_github_code_security_configuration_test.go |
Adds organization and enterprise acceptance tests. |
github/provider.go |
Registers the resource. |
examples/resources/code_security_configuration/example_1.tf |
Demonstrates typical usage. |
templates/resources/code_security_configuration.md.tmpl |
Defines documentation content. |
docs/resources/code_security_configuration.md |
Adds generated resource documentation. |
- Migrate CRUD callbacks to CreateContext/ReadContext/UpdateContext/DeleteContext returning diag.Diagnostics, threading the provided context through all API calls - Replace stdlib log with structured tflog logging per DECISIONS.md - Treat 404 on delete as successful deletion - Replace go-github attach helpers with a nil-safe direct request path - Set computed fields directly in Create instead of chaining Read - Convert acceptance tests to ConfigStateChecks/statecheck per DECISIONS.md - Add acceptance coverage for default_for_new_repos (set/change/remove + empty-plan check) and attach_scope (set + idempotent plan) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Thanks for the Copilot review — really useful pass! I've addressed the feedback in 5e15072:
The one comment I didn't action is the
|
Resolves #2412
Before the change?
After the change?
github_code_security_configurationresource with full CRUD + import.owner) or the enterprise level via an optionalenterprise_slug(ForceNew).advanced_security,dependency_graph,dependabot_alerts,dependabot_security_updates,code_scanning_default_setup,secret_scanning+push_protection/validity_checks/non_provider_patterns,private_vulnerability_reporting) andenforcement.default_for_new_reposdrives the/code-security/configurations/{id}/defaultsendpoint;attach_scopeis a write-only attribute driving/attach(the API does not expose the attach scope, so it cannot be read back — this is documented on the attribute).<configuration_id>for org-level,<enterprise_slug>:<configuration_id>for enterprise-level.Organizations.*CodeSecurityConfiguration*,Enterprise.*CodeSecurityConfiguration*); no SDK bump.Deliberately deferred to keep the initial resource small (happy to follow up):
code_scanning_default_setup_options,dependency_graph_autosubmit_action(_options), delegated bypass/dismissal options,secret_scanning_generic_secrets, and thecode_security/secret_protectionbundle toggles.Testing done:
make test,go vet,gofmt, andgolangci-lint runare clean; docs regenerated withmake generatedocs.Per the contribution guidelines' AI policy: this PR was developed with AI assistance (Claude); I have reviewed the code and manually verified the behaviour end-to-end as described above.
Pull request checklist
Does this introduce a breaking change?