diff --git a/code_scanning.tf b/code_scanning.tf index fecacb4..dadac75 100644 --- a/code_scanning.tf +++ b/code_scanning.tf @@ -1,30 +1,32 @@ -# CodeQL default-setup — pending upstream provider support. +# CodeQL default-setup — manually bootstrapped, pending provider support for IaC adoption. # # Code scanning default-setup is FREE on public repos (no GHAS license -# consumed). Enabling it across every public org repo with a supported -# language is the goal; this file is the placeholder that becomes the -# canonical config once integrations/terraform-provider-github exposes the -# resource. +# consumed) and is the chosen mechanism for org-wide code scanning. # -# Status as of 2026-06-04: the resource does NOT exist in the provider yet. -# `integrations/github` ~> 6.0's `security_and_analysis` block covers -# advanced_security, code_security (paid GHAS), secret_scanning, push -# protection, AI detection, and non-provider patterns — but not the free -# CodeQL default-setup endpoint. +# CURRENT STATE (2026-06-28): default setup is ENABLED on every public org repo +# (31 repos), bootstrapped manually via the code-scanning default-setup API +# because the Terraform provider does not expose the resource yet. This file +# becomes the canonical config — by IMPORT, not create — once the provider ships. +# +# Why not Terraform yet: as of provider v6.12.1, neither +# - github_repository_code_scanning_default_setup (PR #3315, OPEN), nor +# - github_organization_security_configuration (PR #3284, OPEN) +# exists in a tagged release. `integrations/github` ~> 6.0's +# `security_and_analysis` block covers secret_scanning + push protection (free +# on public, used in modules/repo-settings) but NOT the free CodeQL +# default-setup endpoint. # # Upstream: https://github.com/integrations/terraform-provider-github/pull/3315 # (feat: Add github_repository_code_scanning_default_setup resource). -# Opened 2026-04-01 by oda251. Adds the resource with the schema below. # # When that PR merges and ships in a tagged release: # # 1. Bump `version = "~> 6.X"` in versions.tf to the release that includes it. -# 2. Uncomment the data + resource blocks below. -# 3. `tofu apply` — for_each fans out across every public, non-archived, -# non-fork org repo. The provider's underlying API will return success -# on repos with a supported language and a clear error on repos -# without one; refine the query if necessary, or filter via a follow-up -# data lookup once the provider exposes `languages` reliably. +# 2. Uncomment the data + resource + import blocks below. +# 3. `tofu plan` should show the import ADOPTING the already-enabled repos +# with no resource changes (the manual bootstrap used state=configured, +# query_suite=default — keep those matched here). `tofu apply` writes +# state. Adjust query_suite/languages only if a plan diff appears. # # Cost impact (per AGENTS.md "Cost policy"): $0. Code scanning is FREE on # public repos and the data source's `visibility:public` filter is the safety @@ -45,3 +47,13 @@ # # provider auto-detect from the repo's contents. Set explicitly only # # for repos where a subset is desired. # } +# +# # Adopt the manually-enabled default setups into state (ADOPT, do not +# # re-create). Requires Terraform >= 1.7 for for_each in import blocks; this +# # repo already pins >= 1.10. Confirm the import ID format against the shipped +# # provider docs (expected: the repository name). +# import { +# for_each = toset(data.github_repositories.public_for_codeql.names) +# to = github_repository_code_scanning_default_setup.codeql[each.value] +# id = each.value +# }