docs(code-scanning): record default-setup bootstrap + import-adoption plan#18
Merged
Merged
Conversation
… plan Code scanning default setup is now enabled on all 31 public org repos (bootstrapped 2026-06-28 via the code-scanning API). An org-level Security Configuration attempt was reverted in favor of the per-repo default-setup mechanism this repo already plans to manage. The provider still can't manage it (github_repository_code_scanning_default_setup PR #3315 and github_organization_security_configuration PR #3284 are both open as of v6.12.1), so the resource stays commented. Updated the placeholder to: - record that default setup is already enabled on public repos, and - adopt the existing setups via an import block (ADOPT, not re-create) the moment the provider ships. Comment-only; no active resource change. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
JacobPEvans-personal
added a commit
to dryvist/docs
that referenced
this pull request
Jun 29, 2026
…onfiguration Align with dryvist/.github#52 / dryvist/tofu-github#18: code scanning default setup is managed per-repo as IaC in tofu-github (pending the provider resource), not via an org-level Security Configuration. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
JacobPEvans-personal
added a commit
to dryvist/docs
that referenced
this pull request
Jun 30, 2026
* docs(cicd): standardize self-references on @main + scanner posture - Dependency-versioning table: tighten the self-reference row to `@main` (drop "or a major version tag") and point to the new scanner posture. - New "Scanner posture for self-references" subsection: how each scanner is configured to allow `dryvist/*@main` — Renovate `pinDigests: false`, zizmor `dryvist/*: ref-pin`, a pre-staged CodeQL `actions/unpinned-tag` exclude, and OSV (N/A) — linking to dryvist/.github SECURITY.md. - ai-workflows Versioning section: state that consumers pin `@main` (never a SHA or version pin) and link to the scanner posture. Documents the org-wide overrides shipped in dryvist/.github#52. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB * docs(cicd): use native org code scanning, not a committed codeql config Match dryvist/.github#52: CodeQL is managed via the org Security Configuration (public repos, free) — no committed codeql-config.yml. Same-org @main false positives are dismissed natively in the code scanning UI. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB * docs(cicd): code scanning is IaC (tofu-github), not an org Security Configuration Align with dryvist/.github#52 / dryvist/tofu-github#18: code scanning default setup is managed per-repo as IaC in tofu-github (pending the provider resource), not via an org-level Security Configuration. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB * docs(cicd): scope scanner posture to dryvist/* action sources Review feedback (gemini-code-assist on #89): the self-reference table listed both dryvist/* and JacobPEvans/*, but the Renovate/zizmor overrides are dryvist/*-only. Clarify that the scanner overrides target dryvist/* action sources; JacobPEvans/* follows the same @main convention (overrides not expanded — out of scope for this dryvist-focused change). Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Updates the
code_scanning.tfplaceholder to record current reality and theIaC-adoption path. Comment-only — no active resource change (the provider
still can't manage code scanning).
Context
Org-wide code scanning was the goal of "take whatever GitHub gives us for free."
The clean IaC path (this repo) can't express it yet:
github_repository_code_scanning_default_setup(#3315) — OPENgithub_organization_security_configuration(#3284) — OPENNeither ships in
integrations/githubv6.12.1. An org-level SecurityConfiguration was briefly attached via the API, then reverted — it's the
wrong mechanism (this repo manages code scanning per-repo) and isn't
representable in Terraform.
Code scanning default setup is now enabled on all 31 public org repos
(bootstrapped 2026-06-28 via the API; free, public-only). This is the same
mechanism this file already plans to manage — so when #3315 ships it gets
imported (adopted), not re-created.
Change
importblock (withfor_each) so the existingsetups are adopted into state — no churn — the moment the provider ships.
would fail
tofu validate).Verification
terraform fmt,terraform validate,tflint,checkov,tofu test. Comment-only diff.🤖 Generated with Claude Code