ci: Updated workflows to match latest from template.

.github/workflows/branch.yaml

@@ -5,6 +5,9 @@ on:
     branches-ignore:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint updated files
@@ -32,15 +35,15 @@ jobs:
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
-      - name: Run Trivy vulnarability scanner
-        uses: aquasecurity/trivy-action@master
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.31.0
         with:
           scan-type: config
           format: sarif
-          output: "trivy-results.sarif"
+          output: trivy-results.sarif
       - name: Parse SARIF file
         # Always run this step, even if a previous step failed.
         if: always()
         uses: Ayrx/[email protected]
         with:
-          sarif_file: "trivy-results.sarif"
+          sarif_file: trivy-results.sarif

.github/workflows/codeql-analysis.yaml

@@ -12,35 +12,35 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
+      security-events: write
+      packages: read
       actions: read
       contents: read
-      security-events: write
-
     strategy:
       fail-fast: false
       matrix:
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-        # Using "javascript" to scan JSON and YAML files.
-        language: [ 'javascript' ]
-
+        include:
+          # We use javascript to analyze JSON and YAML files.
+          - language: javascript-typescript
+            build_mode: none
+          - language: actions
+            build_mode: none
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-
-      # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-
-          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          queries: security-extended,security-and-quality
+          build-mode: ${{ matrix.build-mode }}
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:

.github/workflows/main.yaml

@@ -5,10 +5,17 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   lint:
     name: Lint updated modules
     runs-on: ubuntu-latest
+    env:
+      # Required to avoid rate limiting when downloading plugins.
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
@@ -24,7 +31,12 @@ jobs:
       - name: Init TFLint
         run: tflint --init
       - name: Run TFLint
-        run: tflint --format compact --recursive
+        run: tflint --format sarif --recursive --config "$GITHUB_WORKSPACE/.tflint.hcl" > tflint-results.sarif
+      - name: Upload SARIF result
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: tflint-results.sarif
 
   trivy:
     name: Run security scan
@@ -33,14 +45,14 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@v4
       - name: Run Trivy vulnarability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.30.0
         with:
           scan-type: config
           format: sarif
-          output: "trivy-results.sarif"
+          output: trivy-results.sarif
       - name: Upload SARIF result
         # Always run this step, even if a previous step failed.
         if: always()
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: "trivy-results.sarif"
+          sarif_file: trivy-results.sarif

.github/workflows/release.yaml

@@ -1,6 +1,7 @@
 name: Release New Version
 
 on:
+  workflow_dispatch:
   push:
     branches:
       - main
@@ -12,9 +13,14 @@ jobs:
     name: Build new release
     runs-on: ubuntu-latest
     if: ${{ !startsWith(github.event.head_commit.message, 'bump:') }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - name: Bump version and create changelog
         id: bump
         uses: commitizen-tools/commitizen-action@master
@@ -38,6 +44,8 @@ jobs:
     name: Release module
     runs-on: ubuntu-latest
     if: startsWith(github.event.head_commit.message, 'bump:')
+    permissions:
+      contents: write
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4

.tflint.hcl

@@ -0,0 +1,20 @@
+# Uncomment if your module uses the aws provider.
+plugin "aws" {
+  enabled = true
+  version = "0.40.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+plugin "terraform" {
+  preset = "all"
+  enabled = true
+}
+
+# TFLint doesn't understand the provider for_each syntax introduced with
+# OpenTofu 1.9, so we need to disable these rules so it doesn't error out.
+rule "terraform_required_providers" {
+  enabled = false
+}
+rule "terraform_unused_required_providers" {
+  enabled = false
+}

outputs.tf

@@ -1,11 +1,14 @@
 output "kms_key_alias" {
-  value = aws_kms_alias.secrets.name
+  description = "Alias for of the KMS key used for encryption."
+  value       = aws_kms_alias.secrets.name
 }
 
 output "kms_key_arn" {
-  value = aws_kms_key.secrets.arn
+  description = "ARN for of the KMS key used for encryption."
+  value       = aws_kms_key.secrets.arn
 }
 
 output "secrets" {
-  value = module.secrets_manager
+  description = "A map of created secrets."
+  value       = module.secrets_manager
 }