codeforamerica · jamesiarmes · Oct 9, 2025 · Oct 9, 2025 · Oct 9, 2025 · Oct 9, 2025
@@ -0,0 +1,53 @@
+name: Discover changed OpenTofu modules
+description: |
+  Finds all OpenTofu modules that have changed in a pull request or push to a
+  branch.
+outputs:
+  modules:
+    description: A JSON array of all changed modules.
+    value: ${{ steps.modified.outputs.modules }}
+inputs:
+  working-directory:
+    description: The working directory to search for modules in.
+    required: false
+    default: tofu
+runs:
+  using: composite
+  steps:
+    - name: Find all OpenTofu modules
+      id: find
+      uses: bendrucker/find-terraform-modules@v1
+      with:
+        working-directory: ${{ inputs.working-directory }}
+    - name: Show all matching modules
+      shell: bash
+      run: |
+        mods=(${{ join(fromJSON(steps.find.outputs.modules), ' ') }})
+        printf "%s\n" "${mods[@]}"
+    - name: Find all changed files
+      id: diff
+      uses: technote-space/get-diff-action@v6
+      with:
+        FORMAT: json
+    - name: Show changed files
+      shell: bash
+      run: |
+        echo "${{ steps.diff.outputs.diff }}"
+    - name: Get the modified modules
+      id: modified
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const modules = ${{ steps.find.outputs.modules }}
+          const diff = ${{ steps.diff.outputs.diff }}
+          const modifiedModules = modules.filter(
+            (module) => {
+              return !!diff.find(file => new RegExp(`^${module}/.+`).test(file))
+            }
+          )
+
+          core.setOutput('modules', modifiedModules)
+    - name: Show modified modules
+      shell: bash
+      run: |
+        echo "${{ steps.modified.outputs.modules }}"
@@ -0,0 +1,29 @@
+name: Check for GitHub security features
+description: |
+  Checks if the repository is public or has GitHub Advanced Security enabled.
+outputs:
+  codeql:
+    description: Whether or not CodeQL analysis is supported.
+    value: ${{ github.event.repository.security_and_analysis.advanced_security_enabled || !github.event.repository.private }}
+  ghas:
+    description: Whether or not GitHub Advanced Security is enabled.
+    value: ${{ github.event.repository.security_and_analysis.advanced_security_enabled }}
+  public:
+    description: Whether or not the repository is public.
+    value: ${{ github.event.repository.private == false }}
+  sarif:
+    description: Whether or not SARIF uploads are supported.
+    value: ${{ github.event.repository.security_and_analysis.advanced_security_enabled || !github.event.repository.private }}
+runs:
+  using: composite
+  steps:
+    - name: GHAS enabled notice
+      shell: bash
+      if: ${{ github.event.repository.security_and_analysis.advanced_security_enabled }}
+      run: |
+        echo "GitHub Advanced Security is enabled."
+    - name: Public repository notice
+      shell: bash
+      if: ${{ github.event.repository.private == false }}
+      run: |
+        echo "Repository is public."
@@ -11,43 +11,24 @@ jobs:
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
-      - name: Find all configs
-        id: find
-        uses: bendrucker/find-terraform-modules@v1
+      - name: Find changed OpenTofu modules
+        id: modified
+        uses: ./.github/actions/changed-modules
         with:
           working-directory: tofu/config
-      - name: Show all matching configs
-        shell: bash
-        run: |
-          mods=(${{ join(fromJSON(steps.find.outputs.modules), ' ') }})
-          printf "%s\n" "${mods[@]}"
-      - name: Find all changed files
-        id: diff
-        uses: technote-space/get-diff-action@v6
-        with:
-          FORMAT: json
-      - name: Show changed files
-        run: |
-          echo "${{ steps.diff.outputs.diff }}"
-      - name: Get the modified configs
-        id: modified
+      - name: Strip prefix from modified configs
+        id: configs
         uses: actions/github-script@v7
         with:
           script: |
-            const configs = ${{ steps.find.outputs.modules }}
-            const diff = ${{ steps.diff.outputs.diff }}
-            const modifiedConfigs = configs.filter(
-              (config) => {
-                return !!diff.find(file => new RegExp(`^${config}/.+`).test(file))
-              }
-            ).map(config => config.replace(/^tofu\/config\//, ''))
-
-            core.setOutput('configs', modifiedConfigs)
+            const modules = ${{ steps.modified.outputs.modules }}
+            const configs = modules.map(m => m.replace(/^tofu\/config\//, ''))
+            core.setOutput('configs', configs)
       - name: Show modified configs
         run: |
-          echo "${{ steps.modified.outputs.configs }}"
+          echo "${{ steps.configs.outputs.configs }}"
     outputs:
-      configs: ${{ steps.modified.outputs.configs }}
+      configs: ${{ steps.configs.outputs.configs }}
 
   plan:
     uses: ./.github/workflows/plan.yaml

@@ -0,0 +1,46 @@
+name: TFLint Checks
+
+on:
+  push:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Check security features
+        id: security-features
+        uses: ./.github/actions/security-features
+      - name: Cache plugin directory
+        uses: actions/cache@v4
+        with:
+          path: ~/.tflint.d/plugins
+          key: tflint-${{ hashFiles('.tflint.hcl') }}
+      - uses: terraform-linters/setup-tflint@v5
+        name: Setup TFLint
+      - name: Show version
+        run: tflint --version
+      - name: Init TFLint
+        run: tflint --init
+      - name: Run TFLint
+        run: tflint --format sarif --recursive --config "$GITHUB_WORKSPACE/.tflint.hcl" > tflint-results.sarif
+      - name: Parse SARIF file for annotations
+        if: always()
+        uses: Miragon/[email protected]
+        with:
+          severity-level: low
+          sarif-file: tflint-results.sarif
+      # When run on main, if SARIF uploads are available, we want to upload the
+      # SARIF file to GitHub.
+      - name: Upload SARIF result
+        if: always() && github.ref == 'refs/heads/main' && steps.security-features.outputs.sarif == 'true'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: tflint-results.sarif
@@ -0,0 +1,39 @@
+name: Trivy Analysis
+
+on:
+  push:
+
+permissions:
+  contents: read
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Check security features
+        id: security-features
+        uses: ./.github/actions/security-features
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: config
+          ignore-unfixed: true
+          skip-dirs: "**/*/.terraform"
+          exit-code: 1
+          format: sarif
+          output: trivy-results.sarif
+      - name: Parse SARIF file for annotations
+        if: always()
+        uses: Miragon/[email protected]
+        with:
+          severity-level: low
+          sarif-file: trivy-results.sarif
+      # When run on main, if SARIF uploads are available, we want to upload the
+      # SARIF file to GitHub.
+      - name: Upload SARIF result
+        if: always() && github.ref == 'refs/heads/main' && steps.security-features.outputs.sarif == 'true'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif