From 7b14647386c2e717e69d812cb033b63660a0422d Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Wed, 1 Mar 2023 21:54:53 +0000
Subject: [PATCH 01/10] remove .gitignore

The terraform .gitignore template is not required in this repository.
---
 .gitignore | 38 --------------------------------------
 1 file changed, 38 deletions(-)
 delete mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index b7c587c..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,38 +0,0 @@
-# Local .terraform directories
-**/.terraform/*
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-crash.*.log
-
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-#
-# *.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
-.terraformrc
-terraform.rc
-
-# Exclude pem files used for authentication
-*.pem

From 43c2bc3a622b40e9ab10409600382f47b403490e Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Wed, 1 Mar 2023 21:56:11 +0000
Subject: [PATCH 02/10] fix spelling mistake

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a21f91c..f2d6aa4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file.
 
 ### Bug Fixes
 
-* pin workflow dependancies to hash ([#45](https://github.com/3ware/workflows/issues/45)) ([e62a20b](https://github.com/3ware/workflows/commit/e62a20bd57926694764d3af20a81d6c5ebf4b424))
+* pin workflow dependencies to hash ([#45](https://github.com/3ware/workflows/issues/45)) ([e62a20b](https://github.com/3ware/workflows/commit/e62a20bd57926694764d3af20a81d6c5ebf4b424))
 
 ## [1.9.2](https://github.com/3ware/workflows/compare/v1.9.1...v1.9.2) (2023-02-24)
 

From 9d27842a462aa7aa9171b8320fbd3be7bf8a0d5f Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Wed, 1 Mar 2023 21:56:36 +0000
Subject: [PATCH 03/10] add words to cspell config file

---
 .cspell.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.cspell.json b/.cspell.json
index e4b086d..ffd1059 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -6,9 +6,12 @@
   "language": "en-GB",
   // words - list of words to be always considered correct
   "words": [
+    "amannn",
+    "analyzer",
     "aquasecurity",
     "codeql",
     "conventionalcommits",
+    "cycjimmy",
     "linters",
     "markdownlint",
     "noreply",

From b76aee46acfadacce25cf78ffc2a0a0a68cbf2fd Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Wed, 1 Mar 2023 21:57:39 +0000
Subject: [PATCH 04/10] attempt to run `required_status_checks` on main

When semantic-release pushes to main, the previous commit messages
included `[skip ci]` so `required_status_checks` stayed in a pending
state. This has been removed from the commit message so workflows are
triggered.

A generic workflow has been added for the `Validate PR title` workflow
to ensure this check also runs successfully on pushes to main.
---
 .github/workflows/lint.yaml          |  7 +++++--
 .github/workflows/pr-title-main.yaml | 25 ++++++++++++++++++++++
 .releaserc.json                      | 31 ++++++++++++++++++++++------
 3 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/pr-title-main.yaml

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index c5c5247..e215524 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,5 +1,8 @@
 name: "Lint"
 on:
+  push:
+    branches:
+      - main
   pull_request:
     types:
       - opened
@@ -44,12 +47,12 @@ jobs:
           terraform_version: ${{ inputs.terraform-version }}
           cli_config_credentials_token: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
 
-      #Initialise terraform in the directory where terraform file have changed.
+      # Initialise terraform in the directory where terraform file have changed.
       - name: "Initialise Terraform"
         if: ${{ needs.find-terraform.outputs.terraform-dir != ''}}
         working-directory: ${{ needs.find-terraform.outputs.terraform-dir }}
         run: terraform init
 
       - name: "Lint with trunk"
-        if: ${{ always() }} #Run anyway, even if no terraform
+        if: ${{ always() }} # Run anyway, even if no terraform
         uses: trunk-io/trunk-action@9cf65e08e822e9842fd9ef7ed2a2bd9092de0986 # v1.0.6
diff --git a/.github/workflows/pr-title-main.yaml b/.github/workflows/pr-title-main.yaml
new file mode 100644
index 0000000..4581d43
--- /dev/null
+++ b/.github/workflows/pr-title-main.yaml
@@ -0,0 +1,25 @@
+# Generic workflow, that runs on main, so required_status_checks pass
+# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+
+name: "Validate PR title"
+
+on:
+  push:
+    branches:
+      - main
+  workflow_call:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  conventional-pr-title:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Validate pull request title is conventional"
+        run: 'echo "No pull request title to check"'
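Review bot: The stub keeps `workflow_call` in its `on:` block, so a repository that calls this file gets a "Validate PR title" job that always succeeds without checking anything. A stub that exists only to satisfy `required_status_checks` on pushes to main should trigger on `push` alone. I would drop the `workflow_call:` line and extend the header comment, e.g. `# Stub only: always passes. The real check is pr-title.yaml; do not call this file from other workflows.` Because the workflow name matches the real check, a reader of the branch-protection settings may not be able to tell which run satisfied the requirement, which is worth stating in that comment too. The same applies to `lint-main.yaml`, added in PATCH 10/10.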
diff --git a/.releaserc.json b/.releaserc.json
index 47bda2a..bc5e1e3 100644
--- a/.releaserc.json
+++ b/.releaserc.json
@@ -6,8 +6,15 @@
       {
         "preset": "conventionalcommits",
         "releaseRules": [
-          { "type": "refactor", "release": "minor" },
-          { "type": "chore", "scope": "deps", "release": "patch" }
+          {
+            "type": "refactor",
+            "release": "minor"
+          },
+          {
+            "type": "chore",
+            "scope": "deps",
+            "release": "patch"
+          }
         ]
       }
     ],
@@ -17,9 +24,21 @@
         "preset": "conventionalcommits",
         "presetConfig": {
           "types": [
-            { "type": "refactor", "section": "Enhancement", "hidden": false },
-            { "type": "feat", "section": "Features", "hidden": false },
-            { "type": "fix", "section": "Bug Fixes", "hidden": false },
+            {
+              "type": "refactor",
+              "section": "Enhancement",
+              "hidden": false
+            },
+            {
+              "type": "feat",
+              "section": "Features",
+              "hidden": false
+            },
+            {
+              "type": "fix",
+              "section": "Bug Fixes",
+              "hidden": false
+            },
             {
               "type": "chore",
               "scope": "deps",
@@ -49,7 +68,7 @@
       "@semantic-release/git",
       {
         "assets": ["CHANGELOG.md"],
-        "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+        "message": "chore(release): version ${nextRelease.version}\n\n${nextRelease.notes}"
       }
     ]
   ]
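Review bot: Dropping `[skip ci]` from `message` means the release commit that semantic-release pushes to main now starts every push-on-main workflow, and going by the triggers shown elsewhere in this series that includes Semantic Release itself. That second run should find nothing to release, since `chore(release)` matches none of the `releaseRules` shown above. However, the release job appears to use a `${{ github.workflow }}-${{ github.ref }}` concurrency group with `cancel-in-progress: true`, so the new run could cancel the first one while it is still publishing. Consider `cancel-in-progress: false` on that job, or a job-level guard such as `if: ${{ !startsWith(github.event.head_commit.message, 'chore(release)') }}`.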

From 7460c103ba7e055b6d2c284cffe711cccfe0aba2 Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Thu, 2 Mar 2023 16:34:31 +0000
Subject: [PATCH 05/10] move linter configuration files to .trunk/configs
 directory

---
 .trunk/configs/.markdownlint.yaml | 10 ++++++++++
 .trunk/configs/.yamllint.yaml     | 10 ++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 .trunk/configs/.markdownlint.yaml
 create mode 100644 .trunk/configs/.yamllint.yaml

diff --git a/.trunk/configs/.markdownlint.yaml b/.trunk/configs/.markdownlint.yaml
new file mode 100644
index 0000000..fb94039
--- /dev/null
+++ b/.trunk/configs/.markdownlint.yaml
@@ -0,0 +1,10 @@
+# Autoformatter friendly markdownlint config (all formatting rules disabled)
+default: true
+blank_lines: false
+bullet: false
+html: false
+indentation: false
+line_length: false
+spaces: false
+url: false
+whitespace: false
diff --git a/.trunk/configs/.yamllint.yaml b/.trunk/configs/.yamllint.yaml
new file mode 100644
index 0000000..4d44466
--- /dev/null
+++ b/.trunk/configs/.yamllint.yaml
@@ -0,0 +1,10 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  empty-values:
+    forbid-in-block-mappings: true
+    forbid-in-flow-mappings: true
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true
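Review bot: This config has no `extends:` line, so as far as I understand yamllint's config model only the four rules listed here are active. Indentation, `truthy`, trailing whitespace and the rest of the default rule set are not checked. If that is deliberate, a header comment would stop the next maintainer from assuming full coverage, e.g. `# Minimal rule set on purpose; no 'extends: default'.` If it is not, add `extends: default` above `rules:`.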

From 952c0d45785f18afdd80e2580bd860a3fc36682d Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Thu, 2 Mar 2023 16:35:10 +0000
Subject: [PATCH 06/10] enable yamllint in trunk configuration

---
 .trunk/trunk.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index df954e6..9844b0e 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -8,6 +8,7 @@ plugins:
       uri: https://github.com/trunk-io/plugins
 lint:
   enabled:
+    - yamllint@1.29.0
     - cspell@6.22.0
     - gitleaks@8.15.3
     - actionlint@1.6.23

From f5d5c124a82c7d9157080996f8a833a7ca3d54d0 Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Thu, 2 Mar 2023 16:36:43 +0000
Subject: [PATCH 07/10] fix yamllint issues

---
 .github/dependabot.yml                    |  6 +++---
 .github/workflows/dependency-review.yml   |  6 +++---
 .github/workflows/get-terraform-dir.yaml  | 14 +++++++-------
 .github/workflows/get-workflow-token.yaml |  8 ++++----
 .github/workflows/pr-title-main.yaml      | 11 +++++------
 .github/workflows/pr-title.yaml           | 11 ++++-------
 .github/workflows/scorecard.yml           | 16 ++++++++--------
 .github/workflows/semantic-release.yaml   | 19 +++++++++----------
 .github/workflows/terraform-docs.yaml     | 21 ++++++++++-----------
 .github/workflows/tfsec-pr.yaml           | 10 +++++-----
 .markdownlint.yaml                        | 10 ----------
 11 files changed, 58 insertions(+), 74 deletions(-)
 delete mode 100644 .markdownlint.yaml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4eb1d53..a6819e3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,7 +5,7 @@
 
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "monthly"
+      interval: monthly
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 880591a..29b3ea2 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -4,7 +4,7 @@
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
-name: "Dependency Review"
+name: Dependency Review
 on: [pull_request]
 
 permissions:
@@ -14,7 +14,7 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: "Checkout Repository"
+      - name: Checkout Repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-      - name: "Dependency Review"
+      - name: Dependency Review
         uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/get-terraform-dir.yaml b/.github/workflows/get-terraform-dir.yaml
index 975f69a..f82f29d 100644
--- a/.github/workflows/get-terraform-dir.yaml
+++ b/.github/workflows/get-terraform-dir.yaml
@@ -1,9 +1,9 @@
-name: "Terraform directory"
+name: Terraform directory
 on:
   workflow_call:
     outputs:
       terraform-dir:
-        description: "The terraform directory to initialise"
+        description: The terraform directory to initialise
         value: ${{ jobs.terraform-directory.outputs.dir }}
 
 # Declare default permissions as read only.
@@ -19,23 +19,23 @@ jobs:
     outputs:
       dir: ${{ steps.changed-dir.outputs.all_changed_files }}
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Get changed files"
+      - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6
 
-      - name: "List all changed files"
+      - name: List all changed files
         run: |
           for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
             echo "$file was changed"
           done
 
       # Find the directory where files have been changed.
-      - name: "Get terraform directory"
+      - name: Get terraform directory
         id: changed-dir
         uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6
         # Step fails if nothing found.
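Review bot: The `run:` block of "List all changed files", kept as context in this hunk, expands `${{ steps.changed-files.outputs.all_changed_files }}` straight into the shell script, so file names are parsed as shell source before the loop runs. If a caller runs this reusable workflow on pull requests, those names are contributor-controlled. Pass the value through the environment instead: add `env:` with `ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}` to the step and loop with `for file in $ALL_CHANGED_FILES; do`. The same pattern appears in "List terraform directory" in the next hunk of this file and in "Set file path env" in terraform-docs.yaml, where the directory name is also written to `$GITHUB_ENV`. The "Get terraform directory" step continues past the end of this hunk.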
@@ -47,7 +47,7 @@ jobs:
           dir_names: true
           dir_names_exclude_root: true
 
-      - name: "List terraform directory"
+      - name: List terraform directory
         if: ${{ steps.changed-dir.conclusion == 'success'}}
         run: |
           echo "${{ steps.changed-dir.outputs.all_changed_files }}"
diff --git a/.github/workflows/get-workflow-token.yaml b/.github/workflows/get-workflow-token.yaml
index 5ccceaa..ee3a2f8 100644
--- a/.github/workflows/get-workflow-token.yaml
+++ b/.github/workflows/get-workflow-token.yaml
@@ -1,10 +1,10 @@
 # This workflow generates an installation access token for GitHub authentication
-name: "Generate workflow token"
+name: Generate workflow token
 on:
   workflow_call:
     outputs:
       temp-token:
-        description: "The temporary installation access token"
+        description: The temporary installation access token
         value: ${{ jobs.get-temp-token.outputs.token }}
 
 # Declare default permissions as read only.
@@ -17,7 +17,7 @@ jobs:
     outputs:
       token: ${{ steps.encrypt-token.outputs.encrypted-token }}
     steps:
-      - name: "Get GitHub authentication token"
+      - name: Get GitHub authentication token
         id: get-workflow-token
         uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0
         with:
@@ -25,7 +25,7 @@ jobs:
           application_private_key: ${{ secrets.THREEWARE_RELEASE_APPLICATION_PRIVATE_KEY }}
           organization: 3ware
 
-      - name: "Encrypt the token for reuse between jobs / workflows"
+      - name: Encrypt the token for reuse between jobs / workflows
         id: encrypt-token
         run: |
           ENCRYPTED_TOKEN=$(gpg --symmetric --batch --passphrase "$KEY" \
diff --git a/.github/workflows/pr-title-main.yaml b/.github/workflows/pr-title-main.yaml
index 4581d43..78ad5c9 100644
--- a/.github/workflows/pr-title-main.yaml
+++ b/.github/workflows/pr-title-main.yaml
@@ -1,13 +1,12 @@
 # Generic workflow, that runs on main, so required_status_checks pass
 # https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
 
-name: "Validate PR title"
+name: Validate PR title
 
 on:
   push:
-    branches:
-      - main
-  workflow_call:
+    branches: [main]
+  workflow_call: {}
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -21,5 +20,5 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - name: "Validate pull request title is conventional"
-        run: 'echo "No pull request title to check"'
+      - name: Validate pull request title is conventional
+        run: echo "No pull request title to check"
diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
index 06b2fec..c98c486 100644
--- a/.github/workflows/pr-title.yaml
+++ b/.github/workflows/pr-title.yaml
@@ -1,12 +1,9 @@
-name: "Validate PR title"
+name: Validate PR title
 
 on:
   pull_request_target:
-    types:
-      - opened
-      - edited
-      - synchronize
-  workflow_call:
+    types: [opened, edited]
+  workflow_call: {}
 
 # Declare default permissions as read only.
 permissions: read-all
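Review bot: Collapsing `types:` to flow style also drops `synchronize`, which is a behaviour change rather than a yamllint fix: the title check no longer re-runs when new commits are pushed to the pull request. If "Validate PR title" is a required status check, the newest head commit may then have no result for it and the pull request can sit at "expected". I have not verified how `pull_request_target` runs are attributed here, so treat that as something to test. If the removal is intended, it deserves its own commit or a line in the commit message; otherwise keep `types: [opened, edited, synchronize]`.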
@@ -22,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - name: "Validate pull request title is conventional"
+      - name: Validate pull request title is conventional
         uses: amannn/action-semantic-pull-request@b6bca70dcd3e56e896605356ce09b76f7e1e0d39 # v5.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 26c83a1..165bc91 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -2,7 +2,7 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
-name: "Scorecard supply-chain security"
+name: Scorecard supply-chain security
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@@ -10,16 +10,16 @@ on:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: "27 7 * * 6"
+    - cron: 27 7 * * 6
   push:
-    branches: ["main"]
+    branches: [main]
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
-    name: "Scorecard analysis"
+    name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -31,12 +31,12 @@ jobs:
       # actions: read
 
     steps:
-      - name: "Checkout code"
+      - name: Checkout code
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
           persist-credentials: false
 
-      - name: "Run analysis"
+      - name: Run analysis
         uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
         with:
           results_file: results.sarif
@@ -58,7 +58,7 @@ jobs:
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
-      - name: "Upload artifact"
+      - name: Upload artifact
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
         with:
           name: SARIF file
@@ -66,7 +66,7 @@ jobs:
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
+      - name: Upload to code-scanning
         uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/semantic-release.yaml b/.github/workflows/semantic-release.yaml
index f794fe1..a135deb 100644
--- a/.github/workflows/semantic-release.yaml
+++ b/.github/workflows/semantic-release.yaml
@@ -1,11 +1,10 @@
-name: "Semantic Release"
+name: Semantic Release
 
 on:
-  workflow_dispatch:
-  workflow_call:
+  workflow_dispatch: {}
+  workflow_call: {}
   push:
-    branches:
-      - main
+    branches: [main]
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -21,14 +20,14 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
-    needs: ["get-temp-token"]
+    needs: [get-temp-token]
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Decrypt the installation access token"
+      - name: Decrypt the installation access token
         id: decrypt-token
         run: |
           DECRYPTED_TOKEN=$(gpg --decrypt --quiet --batch --passphrase "$KEY" \
@@ -39,7 +38,7 @@ jobs:
         env:
           KEY: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }}
 
-      - name: "Create GitHub release and update CHANGELOG"
+      - name: Create GitHub release and update CHANGELOG
         if: ${{ ! env.ACT }}
         uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0
         with:
@@ -51,7 +50,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ steps.decrypt-token.outputs.temp-token }}
 
-      - name: "Local test release"
+      - name: Local test release
         if: ${{ env.ACT }}
         uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0
         with:
diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml
index a91387f..acfe0c4 100644
--- a/.github/workflows/terraform-docs.yaml
+++ b/.github/workflows/terraform-docs.yaml
@@ -1,6 +1,5 @@
-name: "Generate terraform docs"
-on:
-  workflow_call:
+name: Generate terraform docs
+on: workflow_call
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -28,15 +27,15 @@ jobs:
     env:
       WORKING_DIR: ${{ needs.find-terraform.outputs.terraform-dir }}
       TF_DOCS_FILE: README.md
-    needs: ["get-temp-token", "find-terraform"]
+    needs: [get-temp-token, find-terraform]
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           persist-credentials: false
 
-      - name: "Decrypt the installation access token"
+      - name: Decrypt the installation access token
         id: decrypt-token
         run: |
           DECRYPTED_TOKEN=$(gpg --decrypt --quiet --batch --passphrase "$KEY" \
@@ -47,7 +46,7 @@ jobs:
         env:
           KEY: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }}
 
-      - name: "Render terraform docs"
+      - name: Render terraform docs
         id: terraform-docs
         uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # v1.0.0
         with:
@@ -55,12 +54,12 @@ jobs:
           output-file: ${{ env.TF_DOCS_FILE }}
           output-method: inject
 
-      - name: "Set file path env"
+      - name: Set file path env
         run: echo "FILE_PATH=${{ env.WORKING_DIR }}/${{ env.TF_DOCS_FILE }}" >> $GITHUB_ENV
 
       # Use the REST API to commit changes, so we get automatic commit signing
       # Only run this job if the file has changed to prevent empty commits
-      - name: "Push changes back to PR with signature"
+      - name: Push changes back to PR with signature
         id: push-with-sig
         if: ${{ steps.terraform-docs.outputs.num_changed != 0 }}
         env:
@@ -78,14 +77,14 @@ jobs:
             --field branch="$DESTINATION_BRANCH" \
             --field sha="$SHA"
 
-      - name: "Summary if skipped"
+      - name: Summary if skipped
         if: ${{ steps.push-with-sig.conclusion == 'skipped' }}
         run: |
           echo "### Push Skipped" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Changes were not made to ${{ env.FILE_PATH }} on this run" >> $GITHUB_STEP_SUMMARY
 
-      - name: "Summary if successful"
+      - name: Summary if successful
         if: ${{ steps.push-with-sig.conclusion == 'success' }}
         env:
           BRANCH: ${{ github.head_ref  }}
diff --git a/.github/workflows/tfsec-pr.yaml b/.github/workflows/tfsec-pr.yaml
index 8a0180d..776cf71 100644
--- a/.github/workflows/tfsec-pr.yaml
+++ b/.github/workflows/tfsec-pr.yaml
@@ -1,10 +1,10 @@
-name: "tfsec Code Analysis"
+name: tfsec Code Analysis
 
 on:
   workflow_call:
     inputs:
       tfsec_args:
-        description: "Command line arguments to pass to tfsec."
+        description: Command line arguments to pass to tfsec.
         default: ""
         required: false
         type: string
@@ -27,15 +27,15 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
-    needs: ["find-terraform"]
+    needs: [find-terraform]
 
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Add tfsec comments to pull request"
+      - name: Add tfsec comments to pull request
         uses: aquasecurity/tfsec-pr-commenter-action@7a44c5dcde5dfab737363e391800629e27b6376b # v1.3.1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
deleted file mode 100644
index fb94039..0000000
--- a/.markdownlint.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-# Autoformatter friendly markdownlint config (all formatting rules disabled)
-default: true
-blank_lines: false
-bullet: false
-html: false
-indentation: false
-line_length: false
-spaces: false
-url: false
-whitespace: false

From 867c974758f2132432ea77e4d8fed47cf6de09a2 Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Thu, 2 Mar 2023 16:52:42 +0000
Subject: [PATCH 08/10] amend ci badge logo

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 3e01554..6b60074 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # 3ware reusable workflows
 
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/3ware/workflows/badge)](https://api.securityscorecards.dev/projects/github.com/3ware/workflows) [![semantic-release: conventionalcommits](https://img.shields.io/badge/semantic--release-conventionalcommits-blue?logo=semantic-release)](https://github.com/semantic-release/semantic-release) [![GitHub release](https://img.shields.io/github/release/3ware/workflows?include_prereleases=&sort=semver&color=yellow)](https://github.com/3ware/workflows/releases/) [![issues - workflows](https://img.shields.io/github/issues/3ware/workflows)](https://github.com/3ware/workflows/issues) [![CI](https://github.com/3ware/workflows/actions/workflows/lint.yaml/badge.svg)](https://github.com/3ware/workflows/actions/workflows/lint.yaml)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/3ware/workflows/badge)](https://api.securityscorecards.dev/projects/github.com/3ware/workflows) [![semantic-release: conventionalcommits](https://img.shields.io/badge/semantic--release-conventionalcommits-blue?logo=semantic-release)](https://github.com/semantic-release/semantic-release) [![GitHub release](https://img.shields.io/github/release/3ware/workflows?include_prereleases=&sort=semver&color=yellow)](https://github.com/3ware/workflows/releases/) [![issues - workflows](https://img.shields.io/github/issues/3ware/workflows)](https://github.com/3ware/workflows/issues) [![CI](https://img.shields.io/github/actions/workflow/status/3ware/workflows/lint.yaml?label=CI&logo=githubactions&logoColor=white)](https://github.com/3ware/workflows/actions/workflows/lint.yaml)
 
 The repository contains [GitHub Action](https://docs.github.com/en/actions) [reusable workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows) that can be consumed by other repositories.
 

From e600dd849c4f012ef024454524a43d088a0b3f31 Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Fri, 3 Mar 2023 12:19:45 +0000
Subject: [PATCH 09/10] fix yamllint issues

---
 .github/workflows/lint.yaml | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index e215524..6790cca 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,15 +1,10 @@
-name: "Lint"
+name: Lint
 on:
   push:
-    branches:
-      - main
+    branches: [main]
   pull_request:
-    types:
-      - opened
-      - edited
-      - synchronize
-    branches:
-      - main
+    types: [opened, synchronize]
+    branches: [main]
   workflow_call:
     inputs:
       terraform-version:
@@ -33,14 +28,14 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
-    needs: ["find-terraform"]
+    needs: [find-terraform]
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Setup Terraform"
+      - name: Setup Terraform
         if: ${{ needs.find-terraform.outputs.terraform-dir != '' }}
         uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
         with:
@@ -48,11 +43,11 @@ jobs:
           cli_config_credentials_token: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
 
       # Initialise terraform in the directory where terraform file have changed.
-      - name: "Initialise Terraform"
+      - name: Initialise Terraform
         if: ${{ needs.find-terraform.outputs.terraform-dir != ''}}
         working-directory: ${{ needs.find-terraform.outputs.terraform-dir }}
         run: terraform init
 
-      - name: "Lint with trunk"
+      - name: Lint with trunk
         if: ${{ always() }} # Run anyway, even if no terraform
         uses: trunk-io/trunk-action@9cf65e08e822e9842fd9ef7ed2a2bd9092de0986 # v1.0.6

From bed066e8760f793dba1db79249f03a34b3fbe323 Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Fri, 3 Mar 2023 12:23:07 +0000
Subject: [PATCH 10/10] add generic lint workflow for required_status_checks

---
 .github/workflows/lint-main.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/workflows/lint-main.yaml

diff --git a/.github/workflows/lint-main.yaml b/.github/workflows/lint-main.yaml
new file mode 100644
index 0000000..2b0e78b
--- /dev/null
+++ b/.github/workflows/lint-main.yaml
@@ -0,0 +1,24 @@
+# Generic workflow, that runs on main, so required_status_checks pass
+# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+
+name: Lint
+
+on:
+  push:
+    branches: [main]
+  workflow_call: {}
+
+# Declare default permissions as read only.
+permissions: read-all
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Lint with trunk
+        run: echo "No linting required"
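Review bot: `lint.yaml` already triggers on `push` to `main` since PATCH 04/10, so after this commit two workflows named `Lint` run on every push to main, and this one always succeeds. Both also resolve `${{ github.workflow }}-${{ github.ref }}` to the same concurrency group with `cancel-in-progress: true` (the real job's group is visible in the lint.yaml hunks), so the stub and the real lint job can cancel each other. If the job names match, the stub's green result may also be the one that satisfies the required check. Either remove the `push` trigger from `lint.yaml` or drop this file; if both stay, give the stub its own group, e.g. `group: ${{ github.workflow }}-stub-${{ github.ref }}`.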