fix: Correct repo vulnerability alert logic (#3144)

Signed-off-by: Steve Hipwell <[email protected]>

Author: stevehipwell

github/resource_github_organization_ruleset_test.go

@@ -22,7 +22,6 @@ resource "github_repository" "test" {
 	name = "%s"
 	visibility = "private"
 	auto_init = true
-	ignore_vulnerability_alerts_during_read = true
 }
 
 resource "github_repository_file" "workflow_file" {

github/resource_github_repository.go

@@ -402,10 +402,10 @@ func resourceGithubRepository() *schema.Resource {
 				Description: "Set to 'true' to enable security alerts for vulnerable dependencies. Enabling requires alerts to be enabled on the owner level. (Note for importing: GitHub enables the alerts on all repos by default). Note that vulnerability alerts have not been successfully tested on any GitHub Enterprise instance and may be unavailable in those settings.",
 			},
 			"ignore_vulnerability_alerts_during_read": {
-				Type:        schema.TypeBool,
-				Optional:    true,
-				Default:     false,
-				Description: "Set to true to not call the vulnerability alerts endpoint so the resource can also be used without admin permissions during read.",
+				Type:       schema.TypeBool,
+				Optional:   true,
+				Default:    false,
+				Deprecated: "This is ignored as the provider now handles lack of permissions automatically.",
 			},
 			"full_name": {
 				Type:        schema.TypeString,
@@ -831,6 +831,7 @@ func resourceGithubRepositoryRead(ctx context.Context, d *schema.ResourceData, m
 	_ = d.Set("node_id", repo.GetNodeID())
 	_ = d.Set("repo_id", repo.GetID())
 
+	// TODO: Validate this behavior as I can see these fields being returned even when archived
 	// GitHub API doesn't respond following parameters when repository is archived
 	if !d.Get("archived").(bool) {
 		_ = d.Set("allow_auto_merge", repo.GetAllowAutoMerge())
@@ -888,18 +889,18 @@ func resourceGithubRepositoryRead(ctx context.Context, d *schema.ResourceData, m
 		}
 	}
 
-	if !d.Get("ignore_vulnerability_alerts_during_read").(bool) {
+	if repo.GetSecurityAndAnalysis() != nil {
 		vulnerabilityAlerts, _, err := client.Repositories.GetVulnerabilityAlerts(ctx, owner, repoName)
 		if err != nil {
 			return diag.Errorf("error reading repository vulnerability alerts: %s", err.Error())
 		}
 		if err = d.Set("vulnerability_alerts", vulnerabilityAlerts); err != nil {
 			return diag.FromErr(err)
 		}
-	}
 
-	if err = d.Set("security_and_analysis", flattenSecurityAndAnalysis(repo.GetSecurityAndAnalysis())); err != nil {
-		return diag.FromErr(err)
+		if err = d.Set("security_and_analysis", flattenSecurityAndAnalysis(repo.SecurityAndAnalysis)); err != nil {
+			return diag.FromErr(err)
+		}
 	}
 
 	return nil
@@ -1005,11 +1006,13 @@ func resourceGithubRepositoryUpdate(ctx context.Context, d *schema.ResourceData,
 		}
 	}
 
-	if v, ok := d.GetOkExists("vulnerability_alerts"); ok { //nolint:staticcheck,SA1019 // We sometimes need to use GetOkExists for booleans
-		if val, ok := v.(bool); ok {
-			err := updateVulnerabilityAlerts(ctx, client, owner, repoName, val)
-			if err != nil {
-				return diag.FromErr(err)
+	if d.IsNewResource() || d.HasChange("vulnerability_alerts") {
+		if v, ok := d.GetOkExists("vulnerability_alerts"); ok { //nolint:staticcheck,SA1019 // We sometimes need to use GetOkExists for booleans
+			if val, ok := v.(bool); ok {
+				err := updateVulnerabilityAlerts(ctx, client, owner, repoName, val)
+				if err != nil {
+					return diag.FromErr(err)
+				}
 			}
 		}
 	}
@@ -1063,9 +1066,6 @@ func resourceGithubRepositoryImport(ctx context.Context, d *schema.ResourceData,
 	if err := d.Set("auto_init", false); err != nil {
 		return nil, err
 	}
-	if err := d.Set("ignore_vulnerability_alerts_during_read", true); err != nil {
-		return nil, err
-	}
 	return []*schema.ResourceData{d}, nil
 }
 

github/resource_github_repository_environment_deployment_policy_test.go

@@ -23,7 +23,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -90,7 +89,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -141,7 +139,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -203,7 +200,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -270,7 +266,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -321,7 +316,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -396,7 +390,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -447,7 +440,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -522,7 +514,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -573,7 +564,6 @@ func TestAccGithubRepositoryEnvironmentDeploymentPolicy(t *testing.T) {
 
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -691,7 +681,6 @@ resource "github_repository_environment_deployment_policy" "test" {
 		config := fmt.Sprintf(`
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -727,7 +716,6 @@ resource "github_repository_environment_deployment_policy" "test" {
 		config := fmt.Sprintf(`
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -765,7 +753,6 @@ resource "github_repository_environment_deployment_policy" "test" {
 		config := fmt.Sprintf(`
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {
@@ -802,7 +789,6 @@ resource "github_repository_environment_deployment_policy" "test" {
 		config := fmt.Sprintf(`
 			resource "github_repository" "test" {
 				name      = "%s"
-				ignore_vulnerability_alerts_during_read = true
 			}
 
 			resource "github_repository_environment" "test" {