fix(repository): migrate vulnerability_alerts to dedicated resource #34

Merged: posquit0 merged 3 commits into main from fix/repository-vulnerability-alerts-resource on Jun 21, 2026
posquit0 (Member) commented Jun 21, 2026

Summary

The integrations/github provider deprecated the vulnerability_alerts attribute on the github_repository resource in favor of the dedicated github_repository_vulnerability_alerts resource. Reading it in the module output produced:

Warning: Deprecated value used
  on .../repository/outputs.tf line 175, in output "vulnerability_alerts":
 175:   value = github_repository.this.vulnerability_alerts
Deprecated resource attribute "vulnerability_alerts" used.

This PR migrates to the dedicated resource and, while at it, reworks the module input.

Changes

  • Removed vulnerability_alerts from the github_repository resource.
  • Added a github_repository_vulnerability_alerts.this resource (manages Dependabot alerts for vulnerable dependencies).
  • Removed the vulnerability_alerts input variable; the toggle is now a DEPENDABOT_ALERTS entry in the existing features set, consistent with the other feature toggles (DISCUSSIONS, ISSUES, PROJECTS, WIKI). The resource is driven by contains(var.features, "DEPENDABOT_ALERTS").
  • Kept the vulnerability_alerts output (now sourced from the new resource's enabled).
  • Updated the README resource list, resources table, and inputs.

⚠️ Breaking change

The vulnerability_alerts input is removed. Consumers migrate as:

# before
vulnerability_alerts = true

# after
features = ["ISSUES", "DEPENDABOT_ALERTS"]

State migration note

Because alerts now live in a separate resource, the next terraform apply drops the attribute from github_repository.this and creates github_repository_vulnerability_alerts.this — same underlying GitHub setting, no functional change. Optionally terraform import github_repository_vulnerability_alerts.this <repo-name> to avoid the recreate.

terraform validate passes; the targeted deprecation warning is gone.
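
The check below catches the migration case where a caller drops the old input but `DEPENDABOT_ALERTS` does not end up in `features`. It is an added example, not part of this PR or the module: it reads `terraform show -json` plan output and lists repositories whose alerts were on before and are not on after. It assumes the new resource exposes `repository` and `enabled` as the PR description states; module and repository names in the sample are constructed.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Module and repository names are made up; attribute names on the new
# resource (`repository`, `enabled`) are assumed from the PR description.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    # "api": caller added DEPENDABOT_ALERTS, alerts stay on
    {"address": "module.api.github_repository.this",
     "type": "github_repository",
     "change": {"actions": ["update"],
                "before": {"name": "api", "vulnerability_alerts": True},
                "after": {"name": "api"}}},
    {"address": "module.api.github_repository_vulnerability_alerts.this",
     "type": "github_repository_vulnerability_alerts",
     "change": {"actions": ["create"], "before": None,
                "after": {"repository": "api", "enabled": True}}},
    # "web": caller only removed the old input, alerts would be turned off
    {"address": "module.web.github_repository.this",
     "type": "github_repository",
     "change": {"actions": ["update"],
                "before": {"name": "web", "vulnerability_alerts": True},
                "after": {"name": "web"}}},
    {"address": "module.web.github_repository_vulnerability_alerts.this",
     "type": "github_repository_vulnerability_alerts",
     "change": {"actions": ["create"], "before": None,
                "after": {"repository": "web", "enabled": False}}},
    # "docs": alerts were already off, nothing to flag
    {"address": "module.docs.github_repository.this",
     "type": "github_repository",
     "change": {"actions": ["no-op"],
                "before": {"name": "docs", "vulnerability_alerts": False},
                "after": {"name": "docs"}}},
]})

def alerts_regressions(plan_json):
    """Repos whose alerts were on in prior state but are not on after the plan."""
    was_on, now_on = set(), set()
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        before = change.get("before") or {}
        after = change.get("after") or {}  # None for a pure delete
        if rc.get("type") == "github_repository":
            if before.get("vulnerability_alerts") is True:
                was_on.add(before.get("name"))
        elif rc.get("type") == "github_repository_vulnerability_alerts":
            if after.get("enabled") is True:
                now_on.add(after.get("repository"))
    return sorted(was_on - now_on)
```

Run it against the plan produced after upgrading the module and fail the pipeline when the returned list is non-empty.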

The integrations/github provider deprecated the `vulnerability_alerts`
attribute on `github_repository` in favor of the
`github_repository_vulnerability_alerts` resource, which emitted a
"Deprecated value used" warning from the module output.

Manage vulnerability alerts through the dedicated resource instead and
read the module's `vulnerability_alerts` output from it. The module's
public interface (the `vulnerability_alerts` input/output) is unchanged.

github-actions (bot) added the "💾 repository" and "size/S" labels on Jun 21, 2026

gemini-code-assist (bot) left a comment

Code Review

This pull request refactors the GitHub repository module to manage vulnerability alerts using a separate github_repository_vulnerability_alerts resource instead of the inline argument on github_repository. However, the new resource does not support an enabled argument or attribute. The feedback suggests conditionally creating the resource using the count meta-argument and updating the output accordingly to prevent Terraform evaluation errors.

Comment on lines +113 to +116
resource "github_repository_vulnerability_alerts" "this" {
repository = github_repository.this.name
enabled = var.vulnerability_alerts
}
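
Review bot: on the `enabled = var.vulnerability_alerts` line, the alerts setting now follows the input on every apply, and the variable's default and description are not visible in this hunk. Confirm the default keeps alerts on for callers who had them on through the inline attribute, and state the default in the variable description so an upgrade does not turn Dependabot alerts off without the caller noticing.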

high

The github_repository_vulnerability_alerts resource in the GitHub provider does not support an enabled argument. To conditionally enable or disable vulnerability alerts, you should use the count meta-argument to conditionally create the resource based on var.vulnerability_alerts.

resource "github_repository_vulnerability_alerts" "this" {
  count      = var.vulnerability_alerts ? 1 : 0
  repository = github_repository.this.name
}

Comment thread modules/repository/outputs.tf Outdated
output "vulnerability_alerts" {
description = "Whether the security alerts are enabled for vulnerable dpendencies."
value = github_repository.this.vulnerability_alerts
value = github_repository_vulnerability_alerts.this.enabled
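
Review bot: the `description` line of this output reads "vulnerable dpendencies"; since the `value` line directly below it is being changed, correct the spelling to "dependencies" in the same change. The description could also name Dependabot alerts explicitly so it matches the wording used for the new resource.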

high

Since the github_repository_vulnerability_alerts resource does not have an enabled attribute, and should be conditionally created using count, referencing github_repository_vulnerability_alerts.this.enabled directly will result in a Terraform evaluation error. Instead, you can check if the resource is created by checking the length of the resource list.

  value       = length(github_repository_vulnerability_alerts.this) > 0

posquit0 added 2 commits June 21, 2026 21:07
…ENDABOT_ALERTS"

Replace the dedicated `vulnerability_alerts` boolean variable with a
`DEPENDABOT_ALERTS` entry in the `features` set, matching how other
repository features (DISCUSSIONS, ISSUES, PROJECTS, WIKI) are toggled.
The `github_repository_vulnerability_alerts` resource is now driven by
`contains(var.features, "DEPENDABOT_ALERTS")`.

With the toggle folded into the features set, the standalone
vulnerability_alerts output is no longer needed.

posquit0 merged commit 2f4fd00 into main Jun 21, 2026 (7 checks passed)
posquit0 deleted the fix/repository-vulnerability-alerts-resource branch June 21, 2026 12:11