ci: synced file(s) with honestbank/.github

Author: honestbank-bot

.github/workflows/terraform.yaml

@@ -0,0 +1,33 @@
+name: "Terraform GitHub Action"
+on:
+  pull_request:
+    # This workflow is meant for public Terraform module repositories
+    # which are generally component modules that follow trunk-based development.
+    branches: [main]
+jobs:
+  terraform:
+    name: "terraform"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: "recursive"
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt
+        continue-on-error: true
+      - name: Terraform Init
+        id: init
+        run: terraform init
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color
+        continue-on-error: true

.github/workflows/terratest.yaml

@@ -0,0 +1,30 @@
+name: "Terratest GitHub Action"
+on:
+  pull_request:
+    branches: [test, dev, qa, prod, main]
+  push:
+    branches: [test, dev, qa, prod, main]
+env:
+  AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }}
+  AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
+  AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
+jobs:
+  terratest:
+    name: terratest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.20
+        id: go
+      - name: Run 'go test -v -timeout 60m'
+        run: |
+          cd test
+          go mod download
+          go test -v -timeout 30m

.github/workflows/trivy.yaml

@@ -0,0 +1,30 @@
+---
+name: Trivy Security Scan
+
+# permissions required for the action, restricting to read-only for repository contents.
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  trivy-security-scan:
+    name: Run Trivy Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          submodules: "recursive"  # Ensure any submodules are included in the scan.
+          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+
+      # Run Trivy Configuration Scan with specified options.
+      - name: Run Trivy Security Scan
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'config'
+          trivy-config: 'trivy.yaml'