Fix: default has_vulnerability_alerts to false

.github/workflows/copilot-setup-steps.yml

@@ -0,0 +1,26 @@
+name: "Copilot Setup Steps"
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.9.8

modules/internal_repository/README.md

@@ -38,6 +38,7 @@ No resources.
 | <a name="input_description"></a> [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no |
 | <a name="input_environments"></a> [environments](#input\_environments) | Environments to create for the repository. | <pre>map(object({<br/>    wait_timer          = optional(number)<br/>    can_admins_bypass   = optional(bool)<br/>    prevent_self_review = optional(bool)<br/>    action_secrets      = optional(map(string))<br/>    reviewers = optional(object({<br/>      teams = optional(list(string))<br/>      users = optional(list(string))<br/>    }))<br/>    deployment_branch_policy = optional(object({<br/>      protected_branches     = bool<br/>      custom_branch_policies = bool<br/>      branch_patterns        = list(string)<br/>    }))<br/>  }))</pre> | `{}` | no |
 | <a name="input_has_ghas_license"></a> [has\_ghas\_license](#input\_has\_ghas\_license) | If the organization owning the repository has a GitHub Advanced Security license or not. Defaults to false. | `bool` | `false` | no |
+| <a name="input_has_vulnerability_alerts"></a> [has\_vulnerability\_alerts](#input\_has\_vulnerability\_alerts) | Enables security alerts for vulnerable dependencies for the repository | `bool` | `false` | no |
 | <a name="input_homepage"></a> [homepage](#input\_homepage) | The homepage for the repository | `string` | `""` | no |
 | <a name="input_license_template"></a> [license\_template](#input\_license\_template) | The (Optional) license template to apply to the repository | `string` | `null` | no |
 | <a name="input_merge_commit_message"></a> [merge\_commit\_message](#input\_merge\_commit\_message) | (Optional) Can be `PR_BODY`, `PR_TITLE`, or `BLANK` for a default merge commit message. Applicable only if allow\_merge\_commit is `true`. | `string` | `"PR_TITLE"` | no |

modules/internal_repository/repository.tf

@@ -35,7 +35,7 @@ module "repository_base" {
 
   secret_scanning             = local.enable_secret_scanning
   secret_scanning_on_push     = local.enable_secret_scanning
-  has_vulnerability_alerts    = true
+  has_vulnerability_alerts    = var.has_vulnerability_alerts
   advance_security            = var.advance_security
   dependabot_security_updates = var.dependabot_security_updates
   archived                    = var.archived

modules/internal_repository/variables.tf

@@ -61,6 +61,12 @@ variable "requires_web_commit_signing" {
   default     = false
 }
 
+variable "has_vulnerability_alerts" {
+  description = "Enables security alerts for vulnerable dependencies for the repository"
+  type        = bool
+  default     = false
+}
+
 variable "dependabot_security_updates" {
   description = "Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository."
   type        = bool

modules/private_repository/README.md

@@ -38,6 +38,7 @@ No resources.
 | <a name="input_description"></a> [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no |
 | <a name="input_environments"></a> [environments](#input\_environments) | Environments to create for the repository. | <pre>map(object({<br/>    wait_timer          = optional(number)<br/>    can_admins_bypass   = optional(bool)<br/>    prevent_self_review = optional(bool)<br/>    action_secrets      = optional(map(string))<br/>    reviewers = optional(object({<br/>      teams = optional(list(string))<br/>      users = optional(list(string))<br/>    }))<br/>    deployment_branch_policy = optional(object({<br/>      protected_branches     = bool<br/>      custom_branch_policies = bool<br/>      branch_patterns        = list(string)<br/>    }))<br/>  }))</pre> | `{}` | no |
 | <a name="input_has_ghas_license"></a> [has\_ghas\_license](#input\_has\_ghas\_license) | If the organization owning the repository has a GitHub Advanced Security license or not. Defaults to false. | `bool` | `false` | no |
+| <a name="input_has_vulnerability_alerts"></a> [has\_vulnerability\_alerts](#input\_has\_vulnerability\_alerts) | Enables security alerts for vulnerable dependencies for the repository | `bool` | `false` | no |
 | <a name="input_homepage"></a> [homepage](#input\_homepage) | The homepage for the repository | `string` | `""` | no |
 | <a name="input_license_template"></a> [license\_template](#input\_license\_template) | The (Optional) license template to use for the repository | `string` | `null` | no |
 | <a name="input_merge_commit_message"></a> [merge\_commit\_message](#input\_merge\_commit\_message) | (Optional) Can be `PR_BODY`, `PR_TITLE`, or `BLANK` for a default merge commit message. Applicable only if allow\_merge\_commit is `true`. | `string` | `"PR_TITLE"` | no |

modules/private_repository/repository.tf

@@ -35,7 +35,7 @@ module "repository_base" {
 
   secret_scanning             = local.enable_secret_scanning
   secret_scanning_on_push     = local.enable_secret_scanning
-  has_vulnerability_alerts    = true
+  has_vulnerability_alerts    = var.has_vulnerability_alerts
   advance_security            = var.advance_security
   dependabot_security_updates = var.dependabot_security_updates
   archived                    = var.archived

modules/private_repository/variables.tf

@@ -61,6 +61,12 @@ variable "requires_web_commit_signing" {
   default     = false
 }
 
+variable "has_vulnerability_alerts" {
+  description = "Enables security alerts for vulnerable dependencies for the repository"
+  type        = bool
+  default     = false
+}
+
 variable "dependabot_security_updates" {
   description = "Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository."
   type        = bool

modules/public_repository/README.md

@@ -37,6 +37,7 @@ No resources.
 | <a name="input_dependabot_security_updates"></a> [dependabot\_security\_updates](#input\_dependabot\_security\_updates) | Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository. | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description to give to the repository. Defaults to `""` | `string` | `""` | no |
 | <a name="input_environments"></a> [environments](#input\_environments) | Environments to create for the repository. | <pre>map(object({<br/>    wait_timer          = optional(number)<br/>    can_admins_bypass   = optional(bool)<br/>    prevent_self_review = optional(bool)<br/>    action_secrets      = optional(map(string))<br/>    reviewers = optional(object({<br/>      teams = optional(list(string))<br/>      users = optional(list(string))<br/>    }))<br/>    deployment_branch_policy = optional(object({<br/>      protected_branches     = bool<br/>      custom_branch_policies = bool<br/>      branch_patterns        = list(string)<br/>    }))<br/>  }))</pre> | `{}` | no |
+| <a name="input_has_vulnerability_alerts"></a> [has\_vulnerability\_alerts](#input\_has\_vulnerability\_alerts) | Enables security alerts for vulnerable dependencies for the repository | `bool` | `false` | no |
 | <a name="input_homepage"></a> [homepage](#input\_homepage) | The homepage for the repository | `string` | `""` | no |
 | <a name="input_license_template"></a> [license\_template](#input\_license\_template) | The (Optional) license template to apply to the repository | `string` | `null` | no |
 | <a name="input_merge_commit_message"></a> [merge\_commit\_message](#input\_merge\_commit\_message) | (Optional) Can be `PR_BODY`, `PR_TITLE`, or `BLANK` for a default merge commit message. Applicable only if allow\_merge\_commit is `true`. | `string` | `"PR_TITLE"` | no |

modules/public_repository/repository.tf

@@ -31,7 +31,7 @@ module "repository_base" {
 
   secret_scanning             = true
   secret_scanning_on_push     = true
-  has_vulnerability_alerts    = true
+  has_vulnerability_alerts    = var.has_vulnerability_alerts
   advance_security            = var.advance_security
   dependabot_security_updates = var.dependabot_security_updates
   archived                    = var.archived

modules/public_repository/variables.tf

@@ -61,6 +61,12 @@ variable "requires_web_commit_signing" {
   default     = false
 }
 
+variable "has_vulnerability_alerts" {
+  description = "Enables security alerts for vulnerable dependencies for the repository"
+  type        = bool
+  default     = false
+}
+
 variable "dependabot_security_updates" {
   description = "Enables dependabot security updates. Only works when `has_vulnerability_alerts` is set because that is required to enable dependabot for the repository."
   type        = bool

modules/repository_base/README.md

@@ -58,7 +58,7 @@
 | <a name="input_has_downloads"></a> [has\_downloads](#input\_has\_downloads) | Enables downloads for the repository | `bool` | `false` | no |
 | <a name="input_has_issues"></a> [has\_issues](#input\_has\_issues) | Enables Github Issues for the repository | `bool` | `true` | no |
 | <a name="input_has_projects"></a> [has\_projects](#input\_has\_projects) | Enables Github Projects for the repository | `bool` | `true` | no |
-| <a name="input_has_vulnerability_alerts"></a> [has\_vulnerability\_alerts](#input\_has\_vulnerability\_alerts) | Enables security alerts for vulnerable dependencies for the repository | `bool` | `true` | no |
+| <a name="input_has_vulnerability_alerts"></a> [has\_vulnerability\_alerts](#input\_has\_vulnerability\_alerts) | Enables security alerts for vulnerable dependencies for the repository | `bool` | `false` | no |
 | <a name="input_has_wiki"></a> [has\_wiki](#input\_has\_wiki) | Enables Github Wiki for the repository | `bool` | `true` | no |
 | <a name="input_homepage"></a> [homepage](#input\_homepage) | The homepage for the repository | `string` | `""` | no |
 | <a name="input_license_template"></a> [license\_template](#input\_license\_template) | The (Optional) license template to use for the repository | `string` | `null` | no |

modules/repository_base/variables.tf

@@ -64,7 +64,7 @@ variable "has_wiki" {
 variable "has_vulnerability_alerts" {
   description = "Enables security alerts for vulnerable dependencies for the repository"
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "archived" {