Skip to content

Add github_code_security_configuration resource#3542

Open
mushhzz wants to merge 4 commits into
integrations:mainfrom
mushhzz:add-code-security-configuration-resource
Open

Add github_code_security_configuration resource#3542
mushhzz wants to merge 4 commits into
integrations:mainfrom
mushhzz:add-code-security-configuration-resource

Conversation

@mushhzz

@mushhzz mushhzz commented Jul 15, 2026

Copy link
Copy Markdown

Resolves #2412


Before the change?

After the change?

  • New github_code_security_configuration resource with full CRUD + import.
  • Works at the organization level (default, using the provider owner) or the enterprise level via an optional enterprise_slug (ForceNew).
  • Manages the feature toggles (advanced_security, dependency_graph, dependabot_alerts, dependabot_security_updates, code_scanning_default_setup, secret_scanning + push_protection/validity_checks/non_provider_patterns, private_vulnerability_reporting) and enforcement.
  • default_for_new_repos drives the /code-security/configurations/{id}/defaults endpoint; attach_scope is a write-only attribute driving /attach (the API does not expose the attach scope, so it cannot be read back — this is documented on the attribute).
  • Import: <configuration_id> for org-level, <enterprise_slug>:<configuration_id> for enterprise-level.
  • Uses the code security configuration methods already present in go-github v89 (Organizations.*CodeSecurityConfiguration*, Enterprise.*CodeSecurityConfiguration*); no SDK bump.

Deliberately deferred to keep the initial resource small (happy to follow up): code_scanning_default_setup_options, dependency_graph_autosubmit_action(_options), delegated bypass/dismissal options, secret_scanning_generic_secrets, and the code_security/secret_protection bundle toggles.

Testing done:

  • Manually verified end-to-end against a live enterprise: create, read/plan idempotency, update, delete, and import (both ID formats) all behaved as expected.
  • Acceptance tests added (org create/update/import gated on org modes; enterprise create/update/import gated on enterprise mode). They need live credentials, so they have not run in CI here.
  • make test, go vet, gofmt, and golangci-lint run are clean; docs regenerated with make generatedocs.

Per the contribution guidelines' AI policy: this PR was developed with AI assistance (Claude); I have reviewed the code and manually verified the behaviour end-to-end as described above.

Pull request checklist

  • Schema migrations have been created if needed (example) (not needed — new resource)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

  • Yes
  • No

@github-actions

Copy link
Copy Markdown

👋 Hi, and thank you for this contribution!

This repo is maintained by GitHub and community members on a best-effort basis. We'll get to this as soon as we can.

You can help us prioritize by joining the discussion on open issues and PRs, sharing details on the changes you need, and reviewing other contributions.


🤖 This is an automated message.

Adds org- and enterprise-level management of GitHub Code Security
Configurations, including /defaults and /attach sub-endpoints.
Covers org-level create/update and import, plus enterprise-level
create/update/import using the <enterprise_slug>:<id> import format.
@mushhzz mushhzz force-pushed the add-code-security-configuration-resource branch from 0eb3a73 to 232b4cd Compare July 15, 2026 04:43
@deiga deiga requested a review from Copilot July 15, 2026 08:00

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

These provider review instructions are being used. Adds organization- and enterprise-level GitHub Code Security Configuration management. Blocking reliability and test issues are noted inline.

Changes:

  • Adds full CRUD and import support.
  • Registers the resource and adds acceptance tests.
  • Adds examples and generated documentation.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 10 comments.

Show a summary per file
File Description
github/resource_github_code_security_configuration.go Implements schema, CRUD, import, defaults, and attachment behavior.
github/resource_github_code_security_configuration_test.go Adds organization and enterprise acceptance tests.
github/provider.go Registers the resource.
examples/resources/code_security_configuration/example_1.tf Demonstrates typical usage.
templates/resources/code_security_configuration.md.tmpl Defines documentation content.
docs/resources/code_security_configuration.md Adds generated resource documentation.

Comment thread github/resource_github_code_security_configuration.go Outdated
Comment thread github/resource_github_code_security_configuration.go Outdated
Comment thread github/resource_github_code_security_configuration.go Outdated
Comment thread github/resource_github_code_security_configuration.go
Comment thread github/resource_github_code_security_configuration.go
Comment thread github/resource_github_code_security_configuration_test.go Outdated
Comment thread github/resource_github_code_security_configuration_test.go Outdated
Comment thread github/resource_github_code_security_configuration_test.go Outdated
Comment thread github/resource_github_code_security_configuration.go Outdated
Comment thread github/resource_github_code_security_configuration.go
- Migrate CRUD callbacks to CreateContext/ReadContext/UpdateContext/DeleteContext
  returning diag.Diagnostics, threading the provided context through all API calls
- Replace stdlib log with structured tflog logging per DECISIONS.md
- Treat 404 on delete as successful deletion
- Replace go-github attach helpers with a nil-safe direct request path
- Set computed fields directly in Create instead of chaining Read
- Convert acceptance tests to ConfigStateChecks/statecheck per DECISIONS.md
- Add acceptance coverage for default_for_new_repos (set/change/remove +
  empty-plan check) and attach_scope (set + idempotent plan)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@mushhzz

mushhzz commented Jul 15, 2026

Copy link
Copy Markdown
Author

Thanks for the Copilot review — really useful pass! I've addressed the feedback in 5e15072:

  • Context-aware CRUD: migrated to CreateContext/ReadContext/UpdateContext/DeleteContext with diag.Diagnostics, threading the provided context through all API calls. Create now sets its computed fields directly rather than chaining Read.
  • Logging: all stdlib log calls replaced with structured tflog per DECISIONS.md.
  • Delete: a 404 is now treated as already-deleted, so terraform destroy succeeds if the configuration was removed out-of-band.
  • Attach path: swapped the go-github v89 attach helpers (which can nil-deref on transport failures) for a nil-safe direct client.NewRequest/client.Do call; that helper issue looks worth an upstream go-github report.
  • Tests: all steps converted to ConfigStateChecks + statecheck/knownvalue/plancheck per DECISIONS.md, and added new acceptance coverage for default_for_new_repos (set → change → remove → empty plan) and attach_scope (set + idempotent re-plan).

The one comment I didn't action is the new(d.Get(...).(string)) one — Go 1.26 (declared in go.mod) allows new(expr), and the repo already uses this idiom elsewhere; details in the thread reply.

make test, go vet, gofmt, and go build are all clean after the changes. Happy to adjust anything further!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[FEAT]: Code Security Configuration

3 participants