chore: synced file(s) with honestbank/.github

.checkov.yaml

@@ -0,0 +1,14 @@
+compact: true
+directory:
+- .
+download-external-modules: true
+evaluate-variables: true
+external-modules-download-path: .external_modules
+framework:
+- all
+quiet: true
+skip-path:
+  - .external_modules
+  - modules
+  - catalog-info.yml
+baseline: .checkov.baseline

.github/CODEOWNERS

@@ -1,8 +1,11 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
 # This is a comment.
 # Each line is a file pattern followed by one or more owners.
 
 # These owners will be the default owners for everything in
 # the repo. Unless a later match takes precedence,
 # @global-owner1 and @global-owner2 will be requested for
 # review when someone opens a pull request.
-*       @honestbank/devops-engineers @honestbank/honestbank-engineers
+*       @honestbank/devops-engineers

.github/pull_request_template.md

@@ -3,8 +3,23 @@
 
 * All PRs should reference an issue in our issue tracker. If one doesn't exist, please create one!
 * PR titles should follow https://www.conventionalcommits.org.
+
 -->
 
+### Pull Request Submission Checklist
+
+Please confirm that you have done the following before requesting reviews:
+
+- [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c).
+- [ ] I have typed an adequate description that explains **why** I am making this change.
+- [ ] I have installed and run standard pre-commit hooks that lints and validates my code.
+
 ### Description
 
 * <!-- WRITE A SHORT DESCRIPTION OF CHANGES -->
+
+### Experiment Link
+
+<!-- All code changes require an experiment - you can get started at https://www.notion.so/honestbank/How-to-create-a-feature-flag-ON-OFF-on-GrowthBook-0a11a156397d4eca89fb76dad0eb921c?pvs=4 -->
+
+GrowthBook Experiment Link: https://app.growthbook.io/features/

.github/workflows/checkov.yaml

@@ -0,0 +1,27 @@
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-checkov"
+permissions: read-all
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+
+jobs:
+  repository-checkov:
+    name: repository-checkov
+    uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main
+    secrets: inherit

.github/workflows/semantic-pr.yaml

@@ -0,0 +1,21 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-semantic-pr"
+permissions: read-all
+
+on: # yamllint disable-line rule:truthy
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  repository-semantic-pr:
+    name: repository-semantic-pr
+    uses: honestbank/workflows/.github/workflows/shared-semantic-pr.yaml@main
+    secrets: inherit

.pre-commit-config.yaml

@@ -1,18 +1,42 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
+
 repos:
-  -   repo: https://github.com/pre-commit/pre-commit-hooks
-      rev: v3.2.0
-      hooks:
-        -   id: trailing-whitespace
-        -   id: end-of-file-fixer
-        -   id: check-yaml
-        -   id: check-added-large-files
-  - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.48.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: detect-aws-credentials
+        args: ['--allow-missing-credentials']
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.83.5 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
-      - id: terraform_docs
-      - id: terraform_validate # Disabled due to flakiness
-#      - id: terraform_tfsec # Temporarily disabled due to PSP warnings on GKE
-#      - id: checkov # Disabled due to crashing
+      - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+          - --tf-init-args=-upgrade
+      - id: terraform_tfsec
+        exclude: "test/"
+      - id: terraform_checkov
+        exclude: "test/"
+  -   repo: https://github.com/gitguardian/ggshield
+      rev: v1.20.0
+      hooks:
+        - id: ggshield
+          language: python
+          stages: [commit]
+          args: [ 'secret', 'scan', 'pre-commit' ]
+  - repo: local
+    hooks:
+      - id: docs
+        name: docs
+        entry: make
+        args: [ 'docs' ]
+        language: system

Makefile

@@ -0,0 +1,15 @@
+lint:
+	terraform fmt --recursive
+
+validate: lint
+	terraform init --upgrade
+	terraform validate
+
+docs:
+	mv .terraform{,.bak}
+	mv .terraform.lock.hcl{,.bak}
+	terraform-docs -c .terraform-docs.yml .
+	mv .terraform{.bak,}
+	mv .terraform.lock.hcl{.bak,}
+
+commit: docs validate