[SYNC] mcaf-github-workflows

Author: Workflow Sync Bot

.github/ISSUE_TEMPLATE/bug-report.md

@@ -10,9 +10,6 @@ assignees: ''
 **💡 Problem description**
 Enter summary of the problem here.
 
-**✏️ Name and email of requester** 
-Details of the requester.
-
 **☹️ Current Behavior**
 Describe what is happening. More detail is better. When code is pasted, use correct formatting.
 
@@ -24,3 +21,8 @@ Enter detailed steps to reproduce here. More detail is better.
 
 **🚧 Workaround**
 If there is a way to work around the problem, place that information here.
+
+**💻 Environment**
+Anything that will help triage the bug will help. For example:
+ - Terraform version
+ - Module version

.github/ISSUE_TEMPLATE/general-request.md

@@ -2,7 +2,7 @@
 name: General Request
 about: A template for a general request on this repository
 title: ''
-labels: documentation, enhancement, question
+labels: documentation, enhancement, chore
 assignees: ''
 
 ---
@@ -11,7 +11,7 @@ assignees: ''
 A clear and concise description of what the request is about. Please add the fitting label to this issue:
 - Documentation
 - Enhancement
-- Question
+- Chore (not covered by something else / question)
 
 **:bookmark: Additional context**
 Add any other context or screenshots about the feature request here.

.github/labels.yaml

@@ -16,10 +16,10 @@
   description: New feature or request
 - name: fix
   color: "d93f0b"
-  description: Something isn't working
-- name: misc
-  color: "#6B93D3"
-  description: Miscellaneous task not covered by something else
+  description: Fixes a bug
+- name: chore
+  color: "6b93d3"
+  description: Task not covered by something else (e.g. refactor, CI changes, tests)
 - name: no-changelog
   color: "cccccc"
   description: No entry should be added to the release notes and changelog

.github/pull_request_template.md

@@ -1,8 +1,9 @@
-**:bulb: Summary of the pull request**
+**:hammer_and_wrench: Summary**
+<!--- A clear and concise description of what the PR entails. -->
 <!-- Ex. I have added extra variables to be able to deploy [...] -->
 
-**:hammer_and_wrench: Implementation Details**
-<!-- A clear and concise description of what the PR entails. We cannot guess what you mean by a code change. -->
+**:rocket: Motivation**
+<!-- Why is this change required? What problem does it solve? -->
 
 **:pencil: Additional Information**
-<!-- If the proposed changes entail any design decisions, please enter any background or references such as Confluence, Microsoft Docs, etc. that may help with reviewing the PR. -->
+<!-- If the proposed changes entail any design decisions, please provide any relevant background or references such as links to Confluence, Microsoft Docs, or images that may help with reviewing the PR. -->

.github/release-drafter-config.yaml

@@ -1,82 +1,89 @@
-name-template: 'v$RESOLVED_VERSION'
-tag-template: 'v$RESOLVED_VERSION'
-version-template: '$MAJOR.$MINOR.$PATCH'
+name-template: "v$RESOLVED_VERSION"
+tag-template: "v$RESOLVED_VERSION"
+version-template: "$MAJOR.$MINOR.$PATCH"
 change-title-escapes: '\<*_&'
 
 categories:
-  - title: '🚀 Features'
+  - title: "🚀 Features"
     labels:
-      - 'breaking'
-      - 'enhancement'
-      - 'feature'
-  - title: '🐛 Bug Fixes'
+      - "breaking"
+      - "enhancement"
+      - "feature"
+  - title: "🐛 Bug Fixes"
     labels:
-      - 'bug'
-      - 'fix'
-      - 'security'
-  - title: '📖 Documentation'
+      - "bug"
+      - "fix"
+      - "security"
+  - title: "📖 Documentation"
     labels:
-      - 'documentation'
-  - title: '🧺 Miscellaneous'
+      - "documentation"
+  - title: "🧺 Miscellaneous"
     labels:
-      - 'misc'
+      - "chore"
 
 version-resolver:
   major:
     labels:
-      - 'breaking'
+      - "breaking"
   minor:
     labels:
-      - 'enhancement'
-      - 'feature'
+      - "enhancement"
+      - "feature"
   patch:
     labels:
-      - 'bug'
-      - 'documentation'
-      - 'fix'
-      - 'security'
-  default: 'minor'
+      - "bug"
+      - "chore"
+      - "documentation"
+      - "fix"
+      - "security"
+  default: "minor"
 
 autolabeler:
-  - label: 'documentation'
+  - label: "documentation"
     body:
-      - '/documentation/'
+      - "/documentation/"
     branch:
       - '/docs\/.+/'
     title:
-      - '/documentation/i'
-      - '/docs/i'
-  - label: 'bug'
+      - "/documentation/i"
+      - "/docs/i"
+  - label: "bug"
     body:
-      - '/bug/'
+      - "/bug/"
     branch:
       - '/bug\/.+/'
       - '/fix\/.+/'
     title:
-      - '/bug/i'
-      - '/fix/i'
-  - label: 'feature'
+      - "/bug/i"
+      - "/fix/i"
+  - label: "feature"
     branch:
       - '/feature\/.+/'
       - '/enhancement\/.+/'
     title:
-      - '/feature/i'
-      - '/feat/i'
-      - '/enhancement/i'
-  - label: 'breaking'
+      - "/feature/i"
+      - "/feat/i"
+      - "/enhancement/i"
+  - label: "breaking"
     body:
-      - '/breaking/'
+      - "/breaking change/i"
     branch:
       - '/breaking\/.+/'
     title:
-      - '/breaking/i'
-      - '/major/i'
+      - "/!:/"
+      - "/breaking/i"
+      - "/major/i"
+  - label: "chore"
+    branch:
+      - '/chore\/.+/'
+    title:
+      - "/chore/i"
 
 exclude-contributors:
-  - 'github-actions[bot]'
+  - "github-actions[bot]"
 
 exclude-labels:
-  - 'no-changelog'
+  - "no-changelog"
 
 template: |
   # What's Changed

.github/workflows/label-synchronization.yaml

@@ -1,3 +1,6 @@
+# DO NOT CHANGE THIS FILE DIRECTLY
+# Source: https://github.com/schubergphilis/mcaf-github-workflows
+
 name: label-synchronization
 on:
   workflow_dispatch:

.github/workflows/pr-validation.yaml

@@ -1,3 +1,6 @@
+# DO NOT CHANGE THIS FILE DIRECTLY
+# Source: https://github.com/schubergphilis/mcaf-github-workflows
+
 name: "pr-validation"
 
 on:
@@ -31,13 +34,13 @@ jobs:
           types: |
             breaking
             bug
+            chore
             docs
             documentation
             enhancement
             feat
             feature
             fix
-            misc
             security
           requireScope: false
           ignoreLabels: |
@@ -82,7 +85,7 @@ jobs:
       - uses: danielchabr/pr-labels-checker@v3.3
         id: lint_pr_labels
         with:
-          hasSome: breaking,bug,documentation,enhancement,feature,fix,misc,security
+          hasSome: breaking,bug,chore,documentation,enhancement,feature,fix,security
           githubToken: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: marocchino/sticky-pull-request-comment@v2
@@ -94,7 +97,16 @@ jobs:
           message: |
             Hey there and thank you for opening this pull request! 👋🏼
 
-            The PR needs to have at least one of the following labels: breaking, bug, documentation, enhancement, feature, fix, misc, security.
+            The PR needs to have at least one of the following labels:
+
+            - breaking
+            - bug
+            - chore
+            - documentation
+            - enhancement
+            - feature
+            - fix
+            - security
 
       # Delete a previous comment when the issue has been resolved
       - if: ${{ steps.lint_pr_labels.outputs.passed != false }}

.github/workflows/release-drafter.yaml

@@ -1,3 +1,6 @@
+# DO NOT CHANGE THIS FILE DIRECTLY
+# Source: https://github.com/schubergphilis/mcaf-github-workflows
+
 name: "release-drafter"
 
 on:

.github/workflows/terraform-validation.yaml

@@ -1,3 +1,6 @@
+# DO NOT CHANGE THIS FILE DIRECTLY
+# Source: https://github.com/schubergphilis/mcaf-github-workflows
+
 name: "terraform"
 
 on:
@@ -19,7 +22,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
 
       - name: Setup Terraform Linters
         uses: terraform-linters/setup-tflint@v4
@@ -60,7 +63,7 @@ jobs:
           terraform init
           terraform test
 
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@v7
         if: github.event_name == 'pull_request' || always()
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -114,7 +117,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Render terraform docs inside the README.md and push changes back to PR branch
-        uses: terraform-docs/gh-actions@v1.1.0
+        uses: terraform-docs/gh-actions@v1.3.0
         with:
           args: --sort-by required
           git-commit-message: "docs(readme): update module usage"
@@ -124,24 +127,28 @@ jobs:
           working-dir: .
         continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow
 
-  tfsec:
+  # If the recursive flag is set to true, the action will not update the main README.md file. 
+  # Therefore we need to run the action twice, once for the root module and once for the modules directory
+  docs-modules:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
-      - name: Terraform security scan
-        uses: aquasecurity/tfsec-action@v1.0.3
         with:
-          github_token: ${{ github.token }}
-          soft_fail: false
-          tfsec_args: --concise-output --force-all-dirs
+          ref: ${{ github.event.pull_request.head.ref }}
 
-      - name: Terraform pr commenter
-        uses: aquasecurity/tfsec-pr-commenter-action@v1.3.1
+      - name: Render terraform docs inside the README.md and push changes back to PR branch
+        uses: terraform-docs/gh-actions@v1.3.0
         with:
-          github_token: ${{ github.token }}
-          tfsec_args: --concise-output --force-all-dirs
+          args: --sort-by required
+          git-commit-message: "docs(readme): update module usage"
+          git-push: true
+          output-file: README.md
+          output-method: inject
+          recursive-path: modules
+          recursive: true
+          working-dir: .
+        continue-on-error: true # added this to prevent a PR from a remote fork failing the workflow
 
   checkov:
     runs-on: ubuntu-latest

.github/workflows/update-changelog.yaml

@@ -1,3 +1,6 @@
+# DO NOT CHANGE THIS FILE DIRECTLY
+# Source: https://github.com/schubergphilis/mcaf-github-workflows
+
 name: "update-changelog"
 
 on: