[BUG]: cannot use ignore_vulnerability_alerts_during_read for terraform import #3111
Closed
Labels: Type: Bug (Something isn't working as documented)
Description
Expected Behavior
When importing a github_repository using a token with limited permissions, it should be possible to skip the vulnerability alerts API call if well configured.
Actual Behavior
There is an ignore_vulnerability_alerts_during_read option at the resource level, which is ignored during terraform import. This is because resource configuration values are not accessible to the provider during the import process. As a result, the provider attempts to call the vulnerability alerts API, fails due to insufficient permissions, and the import process results in a 401.
Terraform Version
OpenTofu v1.11.2
on linux_amd64
+ provider registry.opentofu.org/integrations/github v6.9.1
I guess this bug is valid in Terraform too.
Affected Resource(s)
github_repository?
Terraform Configuration Files
import {
  id = "declam"
  to = github_repository.this
}
resource "github_repository" "this" {
  allow_auto_merge = false
  allow_merge_commit = false
  allow_rebase_merge = false
  allow_squash_merge = true
  allow_update_branch = true
  archived = false
  archive_on_destroy = true
  auto_init = false
  delete_branch_on_merge = true
  description = ""
  has_discussions = false
  has_downloads = true
  has_issues = true
  has_projects = false
  has_wiki = false
  ignore_vulnerability_alerts_during_read = true
  homepage_url = ""
  name = "declam"
  squash_merge_commit_message = "BLANK"
  squash_merge_commit_title = "PR_TITLE"
  topics = []
  visibility = "public"
  web_commit_signoff_required = false
  security_and_analysis {
    secret_scanning {
      status = "enabled"
    }
    secret_scanning_push_protection {
      status = "enabled"
    }
  }
}
Steps to Reproduce
To be honest, I tried this on a GitHub Actions runner with GITHUB_TOKEN. I think this is not the supported use case. Anyway, the workflow is:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- uses: opentofu/setup-opentofu@9d84900f3238fab8cd84ce47d658d25dd008be2f # v1.0.8
- run: tofu init
- run: tofu plan -no-color
Debug Output
2026-01-22T14:37:32.140Z [DEBUG] provider.terraform-provider-github_v6.9.1: Sending HTTP Request: X-Github-Api-Version=2022-11-28 new_logger_warning="This log was generated by a subsystem logger that wasn't created before being used. Use tflog.NewSubsystem to create this logger before it is used." @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.38.1/helper/logging/logging_http_transport.go:160 tf_http_op_type=request tf_http_req_version=HTTP/1.1 tf_http_trans_id=5dfe8d23-a2de-7ce7-f37c-ce0b9ef5595a tf_http_req_body="" @module=provider.GitHub Accept-Encoding=gzip Accept="application/vnd.github.dorian-preview+json,application/vnd.github.stone-crop-preview+json" Host=api.github.com tf_http_req_method=GET tf_http_req_uri=/repos/lens0021/declam/vulnerability-alerts User-Agent=go-github/v67.0.0 timestamp=2026-01-22T14:37:32.139Z
2026-01-22T14:37:32.162Z [DEBUG] provider.terraform-provider-github_v6.9.1: Received HTTP Response: @module=provider.GitHub Server=github.com X-Ratelimit-Used=4 X-Xss-Protection=0 @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.38.1/helper/logging/logging_http_transport.go:160 tf_http_trans_id=5dfe8d23-a2de-7ce7-f37c-ce0b9ef5595a new_logger_warning="This log was generated by a subsystem logger that wasn't created before being used. Use tflog.NewSubsystem to create this logger before it is used." Content-Security-Policy="default-src 'none'" Content-Type="application/json; charset=utf-8" Vary="Accept-Encoding, Accept, X-Requested-With" X-Content-Type-Options=nosniff X-Github-Request-Id=7C30:321683:F3D2B6:443D7C3:6972362C X-Ratelimit-Resource=core tf_http_res_version=HTTP/2.0 Access-Control-Expose-Headers="ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset" X-Frame-Options=deny X-Ratelimit-Remaining=56 tf_http_op_type=response Referrer-Policy="origin-when-cross-origin, strict-origin-when-cross-origin" Strict-Transport-Security="max-age=31536000; includeSubdomains; preload" Content-Length=120 Date="Thu, 22 Jan 2026 14:37:32 GMT" X-Ratelimit-Reset=1769094261
tf_http_res_body=
| {\r
| "message": "Requires authentication",\r
| "documentation_url": "https://docs.github.com/rest",\r
| "status": "401"\r
| }
X-Github-Media-Type="github.v3; format=json" X-Ratelimit-Limit=60 tf_http_res_status_code=401 tf_http_res_status_reason="401 Unauthorized" Access-Control-Allow-Origin="*" timestamp=2026-01-22T14:37:32.162Z
Error: -22T14:37:32.162Z [ERROR] provider.terraform-provider-github_v6.9.1: Response contains error diagnostic: @caller=github.com/hashicorp/terraform-plugin-go@v0.29.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="error reading repository vulnerability alerts: GET https://api.github.com/repos/lens0021/declam/vulnerability-alerts: 401 Requires authentication []" tf_req_id=f307d037-97b8-817a-4877-39ee2633a73b tf_resource_type=github_repository tf_rpc=ReadResource @module=sdk.proto tf_proto_version=5.10 tf_provider_addr=provider timestamp=2026-01-22T14:37:32.162Z
Error: -22T14:37:32.163Z [ERROR] vertex "github_repository.this" error: error reading repository vulnerability alerts: GET https://api.github.com/repos/lens0021/declam/vulnerability-alerts: 401 Requires authentication []
Error: -22T14:37:32.163Z [ERROR] vertex "github_repository.this (expand)" error: error reading repository vulnerability alerts: GET https://api.github.com/repos/lens0021/declam/vulnerability-alerts: 401 Requires authentication []
Panic Output
Code of Conduct
- I agree to follow this project's Code of Conduct
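For triaging debug output like the above, this added example (not part of the original issue or the provider's code) pairs each denied response with its request through tf_http_trans_id, joining continuation lines such as a multi-line tf_http_res_body. The function names and the sample log are assumptions constructed for illustration. X-Ratelimit-Limit is reported alongside because GitHub documents 60 requests per hour as the limit for unauthenticated requests, which helps tell a missing token from an under-scoped one.

```python
import re

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T")          # a new log record begins with a timestamp
PAIR = re.compile(r'([@\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')   # key=value or key="quoted value"

# Constructed sample, shortened from the debug output format above; the repository is a placeholder.
SAMPLE = r'''2026-01-22T14:37:31.900Z [DEBUG] provider: Sending HTTP Request: tf_http_op_type=request tf_http_trans_id=aaaa-1111 tf_http_req_method=GET tf_http_req_uri=/repos/example-org/example-repo
2026-01-22T14:37:31.950Z [DEBUG] provider: Received HTTP Response: tf_http_op_type=response tf_http_trans_id=aaaa-1111 X-Ratelimit-Limit=60 tf_http_res_status_code=200
2026-01-22T14:37:32.140Z [DEBUG] provider: Sending HTTP Request: Accept="application/json" tf_http_op_type=request tf_http_trans_id=bbbb-2222 tf_http_req_method=GET tf_http_req_uri=/repos/example-org/example-repo/vulnerability-alerts
2026-01-22T14:37:32.162Z [DEBUG] provider: Received HTTP Response: tf_http_op_type=response tf_http_trans_id=bbbb-2222 X-Ratelimit-Limit=60
tf_http_res_body=
| {\r
|   "message": "Requires authentication",\r
|   "status": "401"\r
| }
tf_http_res_status_code=401 tf_http_res_status_reason="401 Unauthorized"
'''

def records(log):
    """Yield one string per log record, with continuation lines joined on."""
    current = []
    for line in log.splitlines():
        if RECORD_START.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line.strip())
    if current:
        yield " ".join(current)

def denied_calls(log, statuses=("401", "403")):
    """Return method, URI, status and rate limit for each request the API refused."""
    requests, denied = {}, []
    for record in records(log):
        fields = {k: v.strip('"') for k, v in PAIR.findall(record)}
        trans_id = fields.get("tf_http_trans_id")
        if trans_id is None:
            continue
        if fields.get("tf_http_op_type") == "request":
            requests[trans_id] = fields
        elif fields.get("tf_http_res_status_code") in statuses:
            req = requests.get(trans_id, {})
            denied.append({
                "method": req.get("tf_http_req_method"),
                "uri": req.get("tf_http_req_uri"),
                "status": fields["tf_http_res_status_code"],
                "rate_limit": fields.get("X-Ratelimit-Limit"),
            })
    return denied
```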