diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 08ea211..533728b 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -8,4 +8,4 @@
 # the repo. Unless a later match takes precedence,
 # @global-owner1 and @global-owner2 will be requested for
 # review when someone opens a pull request.
-* @honestbank/devops-engineers @honestbank/backend-engineers
+* @honestbank/devops-engineers
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index a178f2c..7e799e2 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -6,13 +6,14 @@
 -->
-## Pull Request Submission Checklist
+### Pull Request Submission Checklist
 Please confirm that you have done the following before requesting reviews:
 - [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c).
 - [ ] I have typed an adequate description that explains **why** I am making this change.
 - [ ] I have installed and run standard pre-commit hooks that lints and validates my code.
+- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4)
 ### Description
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
index 9f4d000..ccec113 100644
--- a/.github/workflows/checkov.yaml
+++ b/.github/workflows/checkov.yaml
@@ -1,5 +1,6 @@
 name: "Checkov GitHub Action"
 permissions: read-all
+
 on:
   pull_request:
     branches: [test, dev, qa, prod, main]
@@ -10,13 +11,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           submodules: "recursive"
-          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create empty baseline (if needed)
+        run: |
+          if [ -f .checkov.baseline ]; then
+            echo "⏩⏩⏩ Baseline file exists - do nothing."
+          else
+            echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file."
+            echo "{}" >> .checkov.baseline
+          fi
+      - name: Output baseline contents to console
+        run: |
+          echo "Checkov baseline file (.checkov.baseline) contents:"
+          cat .checkov.baseline
       - name: Run Checkov
         id: checkov
         uses: bridgecrewio/checkov-action@master
         with:
-          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
-          quiet: true # optional: display only failed checks
+          config_file: ".checkov.yaml"
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
index 7cb927b..3627556 100644
--- a/.github/workflows/semantic-pr.yaml
+++ b/.github/workflows/semantic-pr.yaml
@@ -1,17 +1,28 @@
-name: "Semantic Pull Request"
-permissions: read-all
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+
+# Use this workflow for public repos, since public repos cannot access our internal
+# workflows repo.
+---
+name: public-semantic-pr
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
   pull_request:
     types:
       - opened
       - edited
+      - reopened
       - synchronize
 jobs:
-  main:
-    name: Semantic Pull Request
+  public-semantic-pr:
+    name: public-semantic-pr
     runs-on: ubuntu-latest
     steps:
       - uses: amannn/action-semantic-pull-request@v4
+        name: Semantic Pull Request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index fbf16e5..cbdc29f 100644
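Review bot: `uses: bridgecrewio/checkov-action@master` in the Run Checkov step tracks a mutable branch, so every PR run executes whatever upstream last pushed, the same floating-reference pattern the rest of this commit moves away from by bumping checkout and setup-go to versioned tags. Pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: bridgecrewio/checkov-action@<release-tag-or-40-char-sha>`. Separately, the checkout now pairs `secrets.GITHUB_TOKEN` with `submodules: "recursive"`; that token is scoped to this repository, so if any submodule lives in a private repo the clone will fail where the old PAT succeeded, which is worth confirming before merge. Minor: `echo "{}" >> .checkov.baseline` only runs when the file is absent, so `>` states the intent more clearly than append.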
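Review bot: The new `permissions:` block grants `contents: write` and `pull-requests: write` to a job whose only step is the third-party title linter `amannn/action-semantic-pull-request@v4`, which is broader than a PR-title check needs; `contents: write` in particular would let a compromised or hijacked action push to the repository. Drop `contents: write` and keep `pull-requests:` at the narrowest level the action's README requires for your configuration (read suffices for validation alone; write is only needed if it is set up to comment on the PR), e.g. `pull-requests: read`. Note the `permissions: read-all` line this hunk removes was already more restrictive than its replacement. The `@v4` major tag is mutable as well; a commit-SHA pin is the supply-chain-safe form.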
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -1,32 +1,26 @@
 name: "Terraform GitHub Action"
-permissions: read-all
 on:
   pull_request:
-    branches: [test, dev, qa, prod, main]
-env:
-  tf_version: "latest"
-  tf_working_dir: "."
-  TF_WORKSPACE: ${{ github.base_ref }}
+    # This workflow is meant for public Terraform module repositories
+    # which are generally component modules that follow trunk-based development.
+    branches: [main]
 jobs:
   terraform:
     name: "terraform"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           submodules: "recursive"
-          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@v3
         with:
           cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
       - name: Terraform Format
         id: fmt
         run: terraform fmt
         continue-on-error: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
       - name: Terraform Init
         id: init
         run: terraform init
@@ -37,29 +31,3 @@ jobs:
         id: plan
         run: terraform plan -no-color
         continue-on-error: true
-      - uses: actions/github-script@v4
-        if: github.event_name == 'pull_request'
-        env:
-          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
-        with:
-          github-token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
-          script: |
-            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
-            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
-            #### Terraform Validation 🤖${{ steps.validate.outputs.stdout }}
-            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
-
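Review bot: Deleting `permissions: read-all` at the top of the workflow does not tighten anything; with no `permissions:` key the job falls back to the repository's default GITHUB_TOKEN grant, which on older repositories is write-all, so this hunk can silently widen what the checkout, `terraform init` and `terraform plan` run with. Since the PAT-backed comment step is gone and nothing left in the file writes back to GitHub, declare the minimum explicitly at workflow level: `permissions:` followed by `  contents: read`. Also worth confirming: `pull_request` runs from forks receive no repository secrets, so `cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}` will be empty and init will fail on fork PRs if the backend or modules need Terraform Cloud, which matters because the new comment says this file targets public module repositories.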
Show Plan - - \`\`\`${process.env.PLAN}\`\`\` - -
- - *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`; - - github.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) diff --git a/.github/workflows/terratest.yaml b/.github/workflows/terratest.yaml index 5fb2888..05041b1 100644 --- a/.github/workflows/terratest.yaml +++ b/.github/workflows/terratest.yaml @@ -1,8 +1,4 @@ name: "Terratest GitHub Action" -permissions: - pull-requests: write - contents: write - on: pull_request: branches: [test, dev, qa, prod, main] @@ -19,15 +15,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: submodules: true - - name: Set up Go (1.16) - uses: actions/setup-go@v2 + - name: Set up Go + uses: actions/setup-go@v5 with: - go-version: 1.16 + go-version: 1.20 id: go - - name: Run 'go test -v -timeout 30m' + - name: Run 'go test -v -timeout 60m' run: | cd test go mod download
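Review bot: Removing the whole `permissions:` block (which granted `pull-requests: write` and `contents: write`) leaves the workflow with no permissions key at all, so the GITHUB_TOKEN inherits the repository default rather than a read-only grant, and that default can still be write-all depending on repo settings. If least privilege is the intent, state it: `permissions:` followed by `  contents: read` at the top of the file; the checkout with `submodules: true` needs nothing more. Any cloud credentials the Terratest run uses come from outside this hunk and should get the same review.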
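Review bot: `go-version: 1.20` is an unquoted scalar that YAML 1.1 parsers read as the float `1.2`, and setup-go's own README warns that this resolves to a Go 1.2.x toolchain (or nothing) instead of 1.20; dropping "(1.16)" from the step name also removes the only place the mismatch would have been visible in logs. Quote it: `go-version: "1.20"`, and keep quoting any future `1.x0` bump. The checkout here still passes `submodules: true` while the other workflows in this commit use `"recursive"`; if nested submodules matter for the tests, align them.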