ci: synced file(s) with honestbank/.github

.github/CODEOWNERS

@@ -8,4 +8,4 @@
 # the repo. Unless a later match takes precedence,
 # @global-owner1 and @global-owner2 will be requested for
 # review when someone opens a pull request.
-* @honestbank/devops-engineers @honestbank/backend-engineers
+* @honestbank/devops-engineers

.github/pull_request_template.md

@@ -6,13 +6,14 @@
 
 -->
 
-## Pull Request Submission Checklist
+### Pull Request Submission Checklist
 
 Please confirm that you have done the following before requesting reviews:
 
 - [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c).
 - [ ] I have typed an adequate description that explains **why** I am making this change.
 - [ ] I have installed and run standard pre-commit hooks that lints and validates my code.
+- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4)
 
 ### Description
 

.github/workflows/checkov.yaml

@@ -1,5 +1,6 @@
 name: "Checkov GitHub Action"
 permissions: read-all
+
 on:
  pull_request:
  branches: [test, dev, qa, prod, main]
@@ -10,13 +11,24 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
  with:
  submodules: "recursive"
- token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Create empty baseline (if needed)
+ run: |
+ if [ -f .checkov.baseline ]; then
+ echo "⏩⏩⏩ Baseline file exists - do nothing."
+ else
+ echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file."
+ echo "{}" >> .checkov.baseline
+ fi
+ - name: Output baseline contents to console
+ run: |
+ echo "Checkov baseline file (.checkov.baseline) contents:"
+ cat .checkov.baseline
  - name: Run Checkov
  id: checkov
  uses: bridgecrewio/checkov-action@master
  with:
- download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
- quiet: true # optional: display only failed checks
+ config_file: ".checkov.yaml"

.github/workflows/semantic-pr.yaml

@@ -1,17 +1,28 @@
-name: "Semantic Pull Request"
-permissions: read-all
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+
+# Use this workflow for public repos, since public repos cannot access our internal
+# workflows repo.
+---
+name: public-semantic-pr
+permissions:
+ contents: write
+ pull-requests: write
+
 on:
  pull_request:
  types:
  - opened
  - edited
+ - reopened
  - synchronize
 
 jobs:
- main:
- name: Semantic Pull Request
+ public-semantic-pr:
+ name: public-semantic-pr
  runs-on: ubuntu-latest
  steps:
  - uses: amannn/action-semantic-pull-request@v4
+ name: Semantic Pull Request
  env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/terraform.yaml

@@ -1,32 +1,26 @@
 name: "Terraform GitHub Action"
-permissions: read-all
 on:
  pull_request:
- branches: [test, dev, qa, prod, main]
-env:
- tf_version: "latest"
- tf_working_dir: "."
- TF_WORKSPACE: ${{ github.base_ref }}
+ # This workflow is meant for public Terraform module repositories
+ # which are generally component modules that follow trunk-based development.
+ branches: [main]
 jobs:
  terraform:
  name: "terraform"
  runs-on: ubuntu-latest
  steps:
  - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
  with:
  submodules: "recursive"
- token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
  - name: Set up Terraform
- uses: hashicorp/setup-terraform@v1
+ uses: hashicorp/setup-terraform@v3
  with:
  cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
  - name: Terraform Format
  id: fmt
  run: terraform fmt
  continue-on-error: true
- env:
- GITHUB_TOKEN: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
  - name: Terraform Init
  id: init
  run: terraform init
@@ -37,29 +31,3 @@ jobs:
  id: plan
  run: terraform plan -no-color
  continue-on-error: true
- - uses: actions/github-script@v4
- if: github.event_name == 'pull_request'
- env:
- PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
- with:
- github-token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
- script: |
- const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
- #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
- #### Terraform Validation 🤖${{ steps.validate.outputs.stdout }}
- #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
-
- <details><summary>Show Plan</summary>
-
- \`\`\`${process.env.PLAN}\`\`\`
-
- </details>
-
- *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
-
- github.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- })

.github/workflows/terratest.yaml

@@ -1,8 +1,4 @@
 name: "Terratest GitHub Action"
-permissions:
- pull-requests: write
- contents: write
-
 on:
  pull_request:
  branches: [test, dev, qa, prod, main]
@@ -19,15 +15,15 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
  with:
  submodules: true
- - name: Set up Go (1.16)
- uses: actions/setup-go@v2
+ - name: Set up Go
+ uses: actions/setup-go@v5
  with:
- go-version: 1.16
+ go-version: 1.20
  id: go
- - name: Run 'go test -v -timeout 30m'
+ - name: Run 'go test -v -timeout 60m'
  run: |
  cd test
  go mod download