Skip to content

docs(code-scanning): record default-setup bootstrap + import-adoption plan#18

Merged
JacobPEvans-personal merged 1 commit into
mainfrom
chore/codeql-bootstrap-import-plan
Jun 29, 2026
Merged

docs(code-scanning): record default-setup bootstrap + import-adoption plan#18
JacobPEvans-personal merged 1 commit into
mainfrom
chore/codeql-bootstrap-import-plan

Conversation

@JacobPEvans-personal

Copy link
Copy Markdown
Member

What

Updates the code_scanning.tf placeholder to record current reality and the
IaC-adoption path. Comment-only — no active resource change (the provider
still can't manage code scanning).

Context

Org-wide code scanning was the goal of "take whatever GitHub gives us for free."
The clean IaC path (this repo) can't express it yet:

  • github_repository_code_scanning_default_setup (#3315) — OPEN
  • github_organization_security_configuration (#3284) — OPEN

Neither ships in integrations/github v6.12.1. An org-level Security
Configuration was briefly attached via the API, then reverted — it's the
wrong mechanism (this repo manages code scanning per-repo) and isn't
representable in Terraform.

Code scanning default setup is now enabled on all 31 public org repos
(bootstrapped 2026-06-28 via the API; free, public-only). This is the same
mechanism this file already plans to manage — so when #3315 ships it gets
imported (adopted), not re-created.

Change

  • Records that default setup is already enabled on public repos.
  • Adds a ready-to-uncomment import block (with for_each) so the existing
    setups are adopted into state — no churn — the moment the provider ships.
  • Keeps everything commented (the resource is unreleased; uncommenting now
    would fail tofu validate).

Verification

  • pre-commit hooks pass in the devshell: terraform fmt, terraform validate,
    tflint, checkov, tofu test. Comment-only diff.

🤖 Generated with Claude Code

… plan

Code scanning default setup is now enabled on all 31 public org repos
(bootstrapped 2026-06-28 via the code-scanning API). An org-level Security
Configuration attempt was reverted in favor of the per-repo default-setup
mechanism this repo already plans to manage.

The provider still can't manage it (github_repository_code_scanning_default_setup
PR #3315 and github_organization_security_configuration PR #3284 are both open
as of v6.12.1), so the resource stays commented. Updated the placeholder to:
- record that default setup is already enabled on public repos, and
- adopt the existing setups via an import block (ADOPT, not re-create) the
  moment the provider ships.

Comment-only; no active resource change.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
JacobPEvans-personal added a commit to dryvist/docs that referenced this pull request Jun 29, 2026
…onfiguration

Align with dryvist/.github#52 / dryvist/tofu-github#18: code scanning default
setup is managed per-repo as IaC in tofu-github (pending the provider resource),
not via an org-level Security Configuration.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
@JacobPEvans-personal JacobPEvans-personal merged commit b935beb into main Jun 29, 2026
5 checks passed
JacobPEvans-personal added a commit to dryvist/docs that referenced this pull request Jun 30, 2026
* docs(cicd): standardize self-references on @main + scanner posture

- Dependency-versioning table: tighten the self-reference row to `@main`
  (drop "or a major version tag") and point to the new scanner posture.
- New "Scanner posture for self-references" subsection: how each scanner is
  configured to allow `dryvist/*@main` — Renovate `pinDigests: false`,
  zizmor `dryvist/*: ref-pin`, a pre-staged CodeQL `actions/unpinned-tag`
  exclude, and OSV (N/A) — linking to dryvist/.github SECURITY.md.
- ai-workflows Versioning section: state that consumers pin `@main` (never a
  SHA or version pin) and link to the scanner posture.

Documents the org-wide overrides shipped in dryvist/.github#52.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB

* docs(cicd): use native org code scanning, not a committed codeql config

Match dryvist/.github#52: CodeQL is managed via the org Security
Configuration (public repos, free) — no committed codeql-config.yml. Same-org
@main false positives are dismissed natively in the code scanning UI.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB

* docs(cicd): code scanning is IaC (tofu-github), not an org Security Configuration

Align with dryvist/.github#52 / dryvist/tofu-github#18: code scanning default
setup is managed per-repo as IaC in tofu-github (pending the provider resource),
not via an org-level Security Configuration.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB

* docs(cicd): scope scanner posture to dryvist/* action sources

Review feedback (gemini-code-assist on #89): the self-reference table listed
both dryvist/* and JacobPEvans/*, but the Renovate/zizmor overrides are
dryvist/*-only. Clarify that the scanner overrides target dryvist/* action
sources; JacobPEvans/* follows the same @main convention (overrides not
expanded — out of scope for this dryvist-focused change).

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant