ci: Updated workflows to match latest patterns.

Author: jamesiarmes

.github/workflows/branch.yaml

@@ -13,11 +13,6 @@ on:
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
-    # Runner size impacts CodeQL analysis time. To learn more, please see:
-    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
-    #   - https://gh.io/supported-runners-and-hardware-resources
-    #   - https://gh.io/using-larger-runners (GitHub.com only)
-    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
       security-events: write
@@ -28,20 +23,17 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          # We use javascript to analyze JSON and YAML files.
-          - language: javascript-typescript
-            build_mode: none
           - language: actions
             build_mode: none
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/codeql-analysis.yaml .github/workflows/codeql.yaml.github/workflows/codeql-analysis.yaml renamed to .github/workflows/codeql.yaml

@@ -18,12 +18,12 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Bump version and create changelog
         id: bump
-        uses: commitizen-tools/commitizen-action@master
+        uses: commitizen-tools/commitizen-action@0.27.0
         with:
           push: false
           github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -34,7 +34,7 @@ jobs:
           MESSAGE=$(git log --format=%B -n 1)
           echo "message=${MESSAGE}" >> $GITHUB_OUTPUT
       - name: Open a pull request for the release
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@v8
         with:
           branch: release-${{ steps.bump.outputs.version }}
           title: ${{ steps.message.outputs.message }}
@@ -48,7 +48,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Get the module name
         id: module_name
         run: |
@@ -58,7 +58,7 @@ jobs:
           echo "name=${MODULE_NAME}" >> $GITHUB_OUTPUT
       - name: Get the version from the commit message
         id: version
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         env:
           COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
         with:

.github/workflows/main.yaml

@@ -0,0 +1,53 @@
+name: TFLint Checks
+
+on:
+  push:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    env:
+      # Required to avoid rate limiting when downloading plugins.
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v6
+      - name: Cache plugin directory
+        uses: actions/cache@v5
+        with:
+          path: ~/.tflint.d/plugins
+          key: tflint-${{ hashFiles('.tflint.hcl') }}
+      - uses: terraform-linters/setup-tflint@v6
+        name: Setup TFLint
+      - name: Show version
+        run: tflint --version
+      - name: Init TFLint
+        run: tflint --init
+      - name: Run TFLint
+        # Run TFLint, outputting the results to a SARIF file. We use `tee` so
+        # that we can still see the output in the logs, and capture the exit
+        # code properly with `pipefail`.
+        run: |
+          set -o pipefail
+          tflint --format sarif --recursive \
+            --config "$GITHUB_WORKSPACE/.tflint.hcl" \
+            | tee tflint-results.sarif
+          exit "${PIPESTATUS[0]}"
+      - name: Parse SARIF file for annotations
+        if: always()
+        uses: jontyms/[email protected]
+        with:
+          annotation-level: notice
+          sarif-file: tflint-results.sarif
+      - name: Upload SARIF result
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: tflint-results.sarif

.github/workflows/release.yaml

@@ -0,0 +1,36 @@
+name: Trivy Analysis
+
+on:
+  push:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v6
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          format: sarif
+          output: trivy-results.sarif
+          scan-type: config
+          trivy-config: trivy.yaml
+      - name: Parse SARIF file for annotations
+        if: always()
+        uses: jontyms/[email protected]
+        with:
+          annotation-level: notice
+          sarif-file: trivy-results.sarif
+      - name: Upload SARIF result
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: trivy-results.sarif

.github/workflows/tflint.yaml

@@ -1,7 +1,7 @@
 # Uncomment if your module uses the aws provider.
 plugin "aws" {
   enabled = true
-  version = "0.40.0"
+  version = "0.45.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 

.github/workflows/trivy.yaml

@@ -1,6 +1,6 @@
 # AWS Secrets Module
 
-[![Main Checks][badge-checks]][code-checks] [![GitHub Release][badge-release]][latest-release]
+[![GitHub Release][badge-release]][latest-release]
 
 This module manages secrets in AWS through [Secrets Manager][secrets-manager].
 It will create a KMS key for encrypting secrets, and optionally create one or
@@ -123,9 +123,7 @@ applied.
 | secrets       | A map of created secrets.                     | `map(object)` |
 
 [2.0.0]: CHANGELOG.md#200-2025-08-19
-[badge-checks]: https://github.com/codeforamerica/tofu-modules-aws-secrets/actions/workflows/main.yaml/badge.svg
 [badge-release]: https://img.shields.io/github/v/release/codeforamerica/tofu-modules-aws-secrets?logo=github&label=Latest%20Release
-[code-checks]: https://github.com/codeforamerica/tofu-modules-aws-secrets/actions/workflows/main.yaml
 [latest-release]: https://github.com/codeforamerica/tofu-modules-aws-secrets/releases/latest
 [secrets]: #secrets
 [secrets-manager]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html