From 290b6ba3440f832c4bab00b9b7698cf01e41305d Mon Sep 17 00:00:00 2001 From: JacobPEvans <20714140+JacobPEvans-personal@users.noreply.github.com> Date: Thu, 4 Jun 2026 07:58:15 -0400 Subject: [PATCH] feat(security): stage CodeQL default-setup config pending upstream provider MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds code_scanning.tf as a commented-out placeholder for the eventual github_repository_code_scanning_default_setup resource. README's "Next up" section now points at this file so the work isn't forgotten when upstream ships. Provider gap: integrations/terraform-provider-github does not yet expose a resource for PUT /repos/{owner}/{repo}/code-scanning/default-setup. The closest existing knob (security_and_analysis.code_security) requires paid GHAS, which dryvist intentionally keeps off (AGENTS.md "Cost policy"). Upstream: integrations/terraform-provider-github#3315 — adds the resource with the exact schema captured in the comment block. When that PR merges and ships: 1. Bump provider version in versions.tf. 2. Uncomment data + resource blocks in code_scanning.tf. 3. tofu apply. Cost impact: $0 once enabled. Code scanning is FREE on public repos and the data source's visibility:public filter is the safety belt — no private repo can land in the for_each. --- README.md | 6 +++++- code_scanning.tf | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 code_scanning.tf diff --git a/README.md b/README.md index 5fbaffe..a5a6fed 100644 --- a/README.md +++ b/README.md 
@@ -31,7 +31,11 @@ After successful apply, the `import` blocks can be removed in a follow-up PR (they're idempotent but only useful once). Next up (separate PRs): org Actions permissions, org-level settings, org -variables, per-repo labels and LICENSE files via `for_each`. +variables, per-repo labels and LICENSE files via `for_each`. CodeQL +default-setup across every public org repo is staged in +`code_scanning.tf` as a commented-out resource block pending upstream +[integrations/terraform-provider-github#3315](https://github.com/integrations/terraform-provider-github/pull/3315); +uncomment + bump the provider version when that PR ships. ## Layout diff --git a/code_scanning.tf b/code_scanning.tf new file mode 100644 index 0000000..fecacb4 --- /dev/null +++ b/code_scanning.tf 
@@ -0,0 +1,47 @@ +# CodeQL default-setup — pending upstream provider support. +# +# Code scanning default-setup is FREE on public repos (no GHAS license +# consumed). Enabling it across every public org repo with a supported +# language is the goal; this file is the placeholder that becomes the +# canonical config once integrations/terraform-provider-github exposes the +# resource. +# +# Status as of 2026-06-04: the resource does NOT exist in the provider yet. +# `integrations/github` ~> 6.0's `security_and_analysis` block covers +# advanced_security, code_security (paid GHAS), secret_scanning, push +# protection, AI detection, and non-provider patterns — but not the free +# CodeQL default-setup endpoint. +# +# Upstream: https://github.com/integrations/terraform-provider-github/pull/3315 +# (feat: Add github_repository_code_scanning_default_setup resource). +# Opened 2026-04-01 by oda251. Adds the resource with the schema below. +# +# When that PR merges and ships in a tagged release: +# +# 1. Bump `version = "~> 6.X"` in versions.tf to the release that includes it. +# 2. Uncomment the data + resource blocks below. +# 3. `tofu apply` — for_each fans out across every public, non-archived, +# non-fork org repo. The provider's underlying API will return success +# on repos with a supported language and a clear error on repos +# without one; refine the query if necessary, or filter via a follow-up +# data lookup once the provider exposes `languages` reliably. +# +# Cost impact (per AGENTS.md "Cost policy"): $0. Code scanning is FREE on +# public repos and the data source's `visibility:public` filter is the safety +# belt — no private repo can land in the for_each. 
+# +# data "github_repositories" "public_for_codeql" { +# query = "org:dryvist archived:false fork:false visibility:public" +# } +# +# resource "github_repository_code_scanning_default_setup" "codeql" { +# for_each = toset(data.github_repositories.public_for_codeql.names) +# +# repository = each.value +# state = "configured" +# query_suite = "default" +# +# # `languages` is Optional/Computed in the upstream schema — let the +# # provider auto-detect from the repo's contents. Set explicitly only +# # for repos where a subset is desired. +# }
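Review bot: in the README hunk, "uncomment + bump the provider version when that PR ships" reverses the order the new file's own comment gives (bump `version` in versions.tf to the release that includes the resource first, then uncomment), and the README sentence also drops the caveat in `code_scanning.tf` that the fan-out hits every public repo, including ones without a CodeQL-supported language. Suggest wording it as "bump the provider version, then uncomment; see the apply notes in `code_scanning.tf`" so the two descriptions of the procedure agree.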
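Review bot: in the code_scanning.tf hunk, the `for_each` over `data.github_repositories.public_for_codeql.names` applies no language filter, while the step 3 comment itself says the API returns an error on repos without a supported language; because one resource block fans out across every public repo, a single such repo makes `tofu apply` exit non-zero and leaves the run partially applied, and the fallback the comment offers (a provider-exposed `languages` attribute) is not something the `github_repositories` data source returns today (it exposes `names`, `full_names` and `repo_ids`). Before the block is uncommented, either add a `language:` qualifier to the search `query` (it matches the primary language only, so it stays approximate) or state in the comment that the first apply is expected to need explicit exclusions. Separately, the $0 cost guarantee rests on the single `visibility:public` token inside a string; a `lifecycle { precondition { ... } }` on the resource with `condition = can(regex("visibility:public", data.github_repositories.public_for_codeql.query))` would fail the plan rather than silently enrolling private repos if that token is ever edited away.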