From 85f9e3cf5e318201153492dc511a5b9d03ffd865 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Sun, 21 Jun 2026 20:45:14 +0900 Subject: [PATCH 1/3] fix(repository): migrate vulnerability_alerts to dedicated resource The integrations/github provider deprecated the `vulnerability_alerts` attribute on `github_repository` in favor of the `github_repository_vulnerability_alerts` resource, which emitted a "Deprecated value used" warning from the module output. Manage vulnerability alerts through the dedicated resource instead and read the module's `vulnerability_alerts` output from it. The module's public interface (the `vulnerability_alerts` input/output) is unchanged. --- modules/repository/README.md | 2 ++ modules/repository/main.tf | 13 +++++++++++-- modules/repository/outputs.tf | 2 +- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/modules/repository/README.md b/modules/repository/README.md index e8ecb6f..5a370ea 100644 --- a/modules/repository/README.md +++ b/modules/repository/README.md @@ -3,6 +3,7 @@ This module creates following resources. - `github_repository` +- `github_repository_vulnerability_alerts` - `github_repository_collaborator` (optional) - `github_repository_collaborators` (optional) - `github_repository_custom_property` (optional) @@ -49,6 +50,7 @@ This module creates following resources. | [github_repository_deploy_key.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource | | [github_repository_file.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file) | resource | | [github_repository_topics.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_topics) | resource | +| [github_repository_vulnerability_alerts.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_vulnerability_alerts) | resource | | [github_team_repository.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_repository) | resource | ## Inputs diff --git a/modules/repository/main.tf b/modules/repository/main.tf index c21506d..5260292 100644 --- a/modules/repository/main.tf +++ b/modules/repository/main.tf @@ -19,6 +19,7 @@ locals { # INFO: Use a separate resource # - `topics` # - `default_branch` +# - `vulnerability_alerts` resource "github_repository" "this" { name = var.name description = var.description @@ -28,8 +29,6 @@ resource "github_repository" "this" { archived = var.archived archive_on_destroy = var.archive_on_destroy - vulnerability_alerts = var.vulnerability_alerts - ## Template is_template = var.is_template @@ -107,6 +106,16 @@ resource "github_repository" "this" { } +################################################### +# Vulnerability Alerts for GitHub Repository +################################################### + +resource "github_repository_vulnerability_alerts" "this" { + repository = github_repository.this.name + enabled = var.vulnerability_alerts +} + + ################################################### # Custom Properties for GitHub Repository ################################################### diff --git a/modules/repository/outputs.tf b/modules/repository/outputs.tf index dcdda43..6982f16 100644 --- a/modules/repository/outputs.tf +++ b/modules/repository/outputs.tf @@ -172,7 +172,7 @@ output "files" { output "vulnerability_alerts" { description = "Whether the security alerts are enabled for vulnerable dpendencies." - value = github_repository.this.vulnerability_alerts + value = github_repository_vulnerability_alerts.this.enabled } output "deploy_keys" { From c7f5eca5a1c21ef036e27862312e0bb1c93235a7 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Sun, 21 Jun 2026 21:07:31 +0900 Subject: [PATCH 2/3] refactor(repository): fold vulnerability alerts into features as "DEPENDABOT_ALERTS" Replace the dedicated `vulnerability_alerts` boolean variable with a `DEPENDABOT_ALERTS` entry in the `features` set, matching how other repository features (DISCUSSIONS, ISSUES, PROJECTS, WIKI) are toggled. The `github_repository_vulnerability_alerts` resource is now driven by `contains(var.features, "DEPENDABOT_ALERTS")`. --- modules/repository/README.md | 3 +-- modules/repository/main.tf | 2 +- modules/repository/variables.tf | 13 +++---------- 3 files changed, 5 insertions(+), 13 deletions(-) diff --git a/modules/repository/README.md b/modules/repository/README.md index 5a370ea..497054a 100644 --- a/modules/repository/README.md +++ b/modules/repository/README.md @@ -68,7 +68,7 @@ This module creates following resources. | [deploy\_keys](#input\_deploy\_keys) | (Optional) A list of deploy keys to grant access to the repository. A deploy key is a SSH key. Each item of `deploy_keys` block as defined below.
(Optional) `name` - A name of deploy key.
(Required) `key` - A SSH key. Begins with 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519', 'sk-ecdsa-sha2-nistp256@openssh.com', or 'sk-ssh-ed25519@openssh.com'.
(Optional) `writable` - Whether to allow write access to the repository. The key can be used to push to the repository if enabled. Defaults to `false`. |
list(object({
name = optional(string)
key = string
writable = optional(bool, false)
}))
| `[]` | no | | [description](#input\_description) | (Optional) A description of the repository. | `string` | `"Managed by Terraform."` | no | | [environments](#input\_environments) | (Optional) A list of environments for the repository. Each item of `environments` block as defined below.
(Required) `name` - The name of the environment.
(Optional) `wait_timer` - The amount of time in minutes to wait before allowing deployments to proceed. The default value is `0`.
(Optional) `allow_admin_to_bypass` - Whether to allow admins to bypass the wait timer and deployment review. The default value is `true`.
(Optional) `allow_self_approval` - Whether to allow users to approve their own deployment. The default value is `false`.
(Optional) `reviewers` - A list of reviewers who may review jobs that reference the environment. Each item of `reviewers` block as defined below.
(Required) `type` - The type of the reviewer. Valid values are `USER` or `TEAM`.
(Required) `name` - The name of the reviewer. For a user reviewer, the value should be the user's username. For a team reviewer, the value should be the team's slug.
(Optional) `deployment_policy` - A configuration for deployment policy of the environment. `deployment_policy` block as defined below.
(Optional) `restriction` - The type of deployment restriction. Valid values are `NONE`, `PROTECTED_BRANCH`, or `CUSTOM`. Defaults to `NONE`.
(Optional) `branches` - A set of branch name patterns to restrict deployments to when the restriction type is `CUSTOM`.
(Optional) `tags` - A set of tag name patterns to restrict deployments to when the restriction type is `CUSTOM`.
(Optional) `variables` - A map of GitHub Actions variables to set for the environment. Defaults to `{}`.
(Optional) `secrets` - A map of GitHub Actions secrets to set for the environment. Defaults to `{}`. |
list(object({
name = string
wait_timer = optional(number, 0)
allow_admin_to_bypass = optional(bool, true)
allow_self_approval = optional(bool, false)

reviewers = optional(list(object({
type = string
name = string
})), [])
deployment_policy = optional(object({
restriction = optional(string, "NONE")
branches = optional(set(string), [])
tags = optional(set(string), [])
}), {})

variables = optional(map(string), {})
secrets = optional(map(string), {})
}))
| `[]` | no | -| [features](#input\_features) | (Optional) A list of enabled features on the repository. Available features: `DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`. Defaults to `["ISSUES"]` | `set(string)` |
[
"ISSUES"
]
| no | +| [features](#input\_features) | (Optional) A list of enabled features on the repository. Available features: `DEPENDABOT_ALERTS`, `DISCUSSIONS`, `ISSUES`, `PROJECTS`, `WIKI`. `DEPENDABOT_ALERTS` enables Dependabot alerts for vulnerable dependencies. Defaults to `["ISSUES"]` | `set(string)` |
[
"ISSUES"
]
| no | | [files](#input\_files) | (Optional) A list of files to create and manage within the repository. Each item of `files` block as defined below.
(Required) `file` - A `file` block as defined below.
(Required) `path` - The path of the file to manage.
(Required) `content` - The file content.
(Optional) `commit` - A `commit` block as defined below.
(Optional) `author` - Committer author name to use. NOTE: GitHub app users may omit author and email information so GitHub can verify commits as the GitHub App. This maybe useful when a branch protection rule requires signed commits.
(Optional) `email` - Committer email address to use. NOTE: GitHub app users may omit author and email information so GitHub can verify commits as the GitHub App. This may be useful when a branch protection rule requires signed commits.
(Optional) `message` - The commit message when creating, updating or deleting the managed file. Defaults to `chore: managed by Terraform.`.
(Optional) `overwrite_on_create` - Enable overwriting existing files. If set to true it will overwrite an existing file with the same name. If set to false it will fail if there is an existing file with the same name. Defaults to `true`. |
list(object({
file = object({
path = string
content = string
})
commit = optional(object({
author = optional(string)
email = optional(string)
message = optional(string, "chore: managed by Terraform.")
}), {})
overwrite_on_create = optional(bool, true)
}))
| `[]` | no | | [homepage](#input\_homepage) | (Optional) A URL of website describing the repository. | `string` | `""` | no | | [is\_template](#input\_is\_template) | (Optional) Whether this is a template repository. Defaults to `false`. | `bool` | `false` | no | @@ -78,7 +78,6 @@ This module creates following resources. | [template](#input\_template) | (Optional) Use a template repository, license or gitignore to create the repository.this resource. `template` block as defined below.
(Optional) `gitignore` - Choose which files not to track from a list of templates. Use the name of the template without the extension. For example, `Haskell`.
(Optional) `init_readme` - Whether to produce an initial commit with README.md in the repository. Defaults to `false`.
(Optional) `license` - A license tells others what they can and can't do with your code. Use the name of the license template without the extension. For example, `mit` or `mpl-2.0`.
(Optional) `repository` - Start this repository with a template repository's contents. The full name of the repository is required. A string of the form `owner/repository`. |
object({
gitignore = optional(string)
init_readme = optional(bool, false)
license = optional(string)
repository = optional(string)
})
| `{}` | no | | [topics](#input\_topics) | (Optional) A list of topics for the repository. | `set(string)` | `[]` | no | | [visibility](#input\_visibility) | (Optional) Can be `public`, `private` or `internal`. `internal` visibility is only available if your organization is associated with an enterprise account using GitHub Enterprise Cloud or GitHub Enterprise Server 2.20+. | `string` | `"private"` | no | -| [vulnerability\_alerts](#input\_vulnerability\_alerts) | (Optional) Set to true to enable security alerts for vulnerable dependencies. Enabling requires alerts to be enabled on the owner level. GitHub enables the alerts on public repos but disables them on private repos by default. | `bool` | `false` | no | ## Outputs diff --git a/modules/repository/main.tf b/modules/repository/main.tf index 5260292..88341c1 100644 --- a/modules/repository/main.tf +++ b/modules/repository/main.tf @@ -112,7 +112,7 @@ resource "github_repository" "this" { resource "github_repository_vulnerability_alerts" "this" { repository = github_repository.this.name - enabled = var.vulnerability_alerts + enabled = contains(var.features, "DEPENDABOT_ALERTS") } diff --git a/modules/repository/variables.tf b/modules/repository/variables.tf index e6ec056..b1812d8 100644 --- a/modules/repository/variables.tf +++ b/modules/repository/variables.tf @@ -68,7 +68,7 @@ variable "template" { variable "features" { description = < Date: Sun, 21 Jun 2026 21:11:03 +0900 Subject: [PATCH 3/3] refactor(repository): drop vulnerability_alerts output With the toggle folded into the features set, the standalone vulnerability_alerts output is no longer needed. --- modules/repository/README.md | 1 - modules/repository/outputs.tf | 5 ----- 2 files changed, 6 deletions(-) diff --git a/modules/repository/README.md b/modules/repository/README.md index 497054a..4c1ce48 100644 --- a/modules/repository/README.md +++ b/modules/repository/README.md @@ -110,5 +110,4 @@ This module creates following resources. | [topics](#output\_topics) | A list of topics for the repository. | | [url](#output\_url) | The URL of the repository. | | [visibility](#output\_visibility) | The visibility of the repository. Can be `public`, `private` or `internal`. | -| [vulnerability\_alerts](#output\_vulnerability\_alerts) | Whether the security alerts are enabled for vulnerable dpendencies. | diff --git a/modules/repository/outputs.tf b/modules/repository/outputs.tf index 6982f16..4e63e8d 100644 --- a/modules/repository/outputs.tf +++ b/modules/repository/outputs.tf @@ -170,11 +170,6 @@ output "files" { } } -output "vulnerability_alerts" { - description = "Whether the security alerts are enabled for vulnerable dpendencies." - value = github_repository_vulnerability_alerts.this.enabled -} - output "deploy_keys" { description = "A map of deploy keys granted access to the repository." value = {