updates GitHub Actions

.github/workflows/snyk.yml

@@ -0,0 +1,74 @@
+---
+name: "Security Scan: Snyk IaC"
+
+on:
+  push:
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+
+    strategy:
+      # see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast
+      fail-fast: false
+      matrix:
+        # The Snyk IaC GitHub Action currently only supports single files (via the `file` attribute in `with`).
+        # To work around this, a GitHub Actions Strategy is used to provide the files that should be tested.
+        terraform_files:
+          - "./examples/basic/main.tf"
+          - "./examples/basic/providers.tf"
+          - "./examples/basic/terraform.tf"
+          - "./examples/branch_protection/main.tf"
+          - "./examples/branch_protection/providers.tf"
+          - "./examples/branch_protection/terraform.tf"
+          - "./examples/complex/main.tf"
+          - "./examples/complex/providers.tf"
+          - "./examples/complex/terraform.tf"
+          - "./examples/deploy_keys/main.tf"
+          - "./examples/deploy_keys/providers.tf"
+          - "./examples/deploy_keys/terraform.tf"
+          - "./examples/files/main.tf"
+          - "./examples/files/providers.tf"
+          - "./examples/files/terraform.tf"
+          - "./examples/issue_labels/main.tf"
+          - "./examples/issue_labels/providers.tf"
+          - "./examples/issue_labels/terraform.tf"
+          - "./examples/pages/main.tf"
+          - "./examples/pages/providers.tf"
+          - "./examples/pages/terraform.tf"
+          - "./examples/project/main.tf"
+          - "./examples/project/providers.tf"
+          - "./examples/project/terraform.tf"
+          - "./examples/project_columns/main.tf"
+          - "./examples/project_columns/providers.tf"
+          - "./examples/project_columns/terraform.tf"
+          - "./examples/template/main.tf"
+          - "./examples/template/providers.tf"
+          - "./examples/template/terraform.tf"
+          - "./examples/webhook/main.tf"
+          - "./examples/webhook/providers.tf"
+          - "./examples/webhook/terraform.tf"
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      # see https://github.com/snyk/actions/tree/master/iac
+      - name: Lint Code with Snyk
+        uses: snyk/actions/iac@master
+        env:
+          # see https://github.com/snyk/actions#getting-your-snyk-token
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          file: ${{ matrix.terraform_files }}
+          # see https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code/iac-ignores-using-the-.snyk-policy-file#policy-flags-and-policy-file-notes
+          args: --policy-path=.snyk --org=${{ secrets.SNYK_ORG }}
+          sarif: true
+
+#      # see https://github.com/github/codeql-action/tree/main/upload-sarif
+#      - name: Upload Snyk IaC results to GitHub Code Scanning
+#        uses: github/codeql-action/upload-sarif@v2
+#        with:
+#          sarif_file: snyk.sarif

.github/workflows/superlinter.yml

@@ -10,18 +10,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
 
       - name: Lint Code with Super-Linter
-        uses: github/super-linter@v4
+        uses: super-linter/super-linter/slim@v6
         env:
-          VALIDATE_ALL_CODEBASE: true
           DEFAULT_BRANCH: "main"
           DISABLE_ERRORS: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           TERRAFORM_TFLINT_CONFIG_FILE: ".tflint.hcl"
+          VALIDATE_ALL_CODEBASE: true
           VALIDATE_BASH: true
           VALIDATE_JSON: true
           VALIDATE_MD: true

.github/workflows/terraform-docs.yml

@@ -26,12 +26,12 @@ jobs:
           - "./examples/webhook"
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Render documentation for Module and push changes back to branch
-        uses: terraform-docs/gh-actions@v1.0.0
+        uses: terraform-docs/gh-actions@v1.2.0
         with:
           config-file: ".terraform-docs.yml"
           output-file: "README.md"
@@ -40,7 +40,7 @@ jobs:
           working-dir: "./"
 
       - name: Render documentation for Examples and push changes back to branch
-        uses: terraform-docs/gh-actions@v1.0.0
+        uses: terraform-docs/gh-actions@v1.2.0
         with:
           config-file: "../../.terraform-docs.yml"
           output-file: "README.md"

.github/workflows/terraform.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
 

.github/workflows/tflint.yml

@@ -27,20 +27,21 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
+      # see https://github.com/terraform-linters/setup-tflint/releases
       - name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v2.0.0
+        uses: terraform-linters/setup-tflint@v4.0.0
         with:
           tflint_version: latest
           github_token: ${{ secrets.GITHUB_TOKEN }}
         env:
           working-dir: "${{ matrix.examples }}"
 
       - name: Initialize TFLint
-        run: tflint --init "${{ matrix.examples }}"
+        run: tflint --init --chdir "./${{ matrix.examples }}"
 
       - name: Run TFLint
-        run: tflint --format=compact "${{ matrix.examples }}"
+        run: tflint --format=compact --chdir "./${{ matrix.examples }}"