honestbank · honestbank-bot · Jan 24, 2025
@@ -4,7 +4,7 @@
 # Use this workflow for public repos, since public repos cannot access our internal
 # workflows repo.
 ---
-name: semantic-pull-request
+name: public-semantic-pr
 permissions:
   contents: write
   pull-requests: write
@@ -18,8 +18,8 @@ on:
       - synchronize
 
 jobs:
-  semantic-pull-request:
-    name: semantic-pull-request
+  public-semantic-pr:
+    name: public-semantic-pr
     runs-on: ubuntu-latest
     steps:
       - uses: amannn/action-semantic-pull-request@v4

@@ -1,13 +1,9 @@
 name: "Terraform GitHub Action"
 on:
  pull_request:
     # This workflow is meant for public Terraform module repositories
     # which are generally component modules that follow trunk-based development.
     branches: [main]
-
-permissions:
-  contents: read # Only read access to repository contents
-
 jobs:
   terraform:
     name: "terraform"

@@ -1,17 +1,14 @@
 name: "Terratest GitHub Action"
 on:
  pull_request:
     branches: [test, dev, qa, prod, main]
   push:
     branches: [test, dev, qa, prod, main]
-
-permissions:
-  contents: read  # Only read access to repository contents
-  id-token: write # Required for Google Actions auth
-
 env:
-  TERRATEST_GOOGLE_CREDENTIALS_NETWORK: ${{secrets.TERRATEST_GOOGLE_CREDENTIALS_NETWORK}}
-  TERRATEST_GOOGLE_CREDENTIALS_COMPUTE: ${{secrets.TERRATEST_GOOGLE_CREDENTIALS_COMPUTE}}
+  AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }}
+  AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
+  AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
 jobs:
   terratest:
     name: terratest
@@ -24,21 +21,8 @@
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22
+          go-version: 1.20
         id: go
-      - name: Install Terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: "1.9.0"
-      - name: 'auth'
-        uses: 'google-github-actions/auth@v2'
-        with:
-          credentials_json: '${{ secrets.TERRATEST_GOOGLE_CREDENTIALS_COMPUTE }}'
-      - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@v2'
-        with:
-          version: '>= 363.0.0'
-          install_components: 'gke-gcloud-auth-plugin'
       - name: Run 'go test -v -timeout 60m'
         run: |
           cd test

@@ -0,0 +1,30 @@
+---
+name: Trivy Security Scan
+
+# permissions required for the action, restricting to read-only for repository contents.
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  trivy-security-scan:
+    name: Run Trivy Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          submodules: "recursive"  # Ensure any submodules are included in the scan.
+          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+
+      # Run Trivy Configuration Scan with specified options.
+      - name: Run Trivy Security Scan
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'config'
+          trivy-config: 'trivy.yaml'