Bump actions/checkout from 3.6.0 to 4.0.0

[dependabot]

Bumps actions/checkout from 3.6.0 to 4.0.0.

Release notes

Sourced from actions/checkout's releases.

v4.0.0

What's Changed

• Update default runtime to node20 by @​takost in actions/checkout#1436
• Support fetching without the --progress option by @​simonbaird in actions/checkout#1067
• Release 4.0.0 by @​takost in actions/checkout#1447

New Contributors

• @​takost made their first contribution in actions/checkout#1436
• @​simonbaird made their first contribution in actions/checkout#1067

Full Changelog: actions/checkout@v3...v4.0.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

v4.0.0

• Support fetching without the --progress option
• Update to node20

v3.6.0

• Fix: Mark test scripts with Bash'isms to be run via Bash
• Add option to fetch tags even if fetch-depth > 0

v3.5.3

• Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in
• Fix typos found by codespell
• Add support for sparse checkouts

v3.5.2

• Fix api endpoint for GHES

v3.5.1

• Fix slow checkout on Windows

v3.5.0

• Add new public key for known_hosts

v3.4.0

• Upgrade codeql actions to v2
• Upgrade dependencies
• Upgrade @​actions/io

v3.3.0

• Implement branch list using callbacks from exec function
• Add in explicit reference to private checkout options
• [Fix comment typos (that got added in #770)](actions/checkout#1057)

v3.2.0

• Add GitHub Action to perform release
• Fix status badge
• Replace datadog/squid with ubuntu/squid Docker image
• Wrap pipeline commands for submoduleForeach in quotes
• Update @​actions/io to 1.1.2
• Upgrading version to 3.2.0

v3.1.0

• Use @​actions/core saveState and getState
• Add github-server-url input

v3.0.2

• Add input set-safe-directory

v3.0.1

... (truncated)

Commits

• 3df4ab1 Release 4.0.0 (#1447)
• 8b5e8b7 Support fetching without the --progress option (#1067)
• 97a652b Update default runtime to node20 (#1436)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             226.509µs
  parsing              2.082865845s
  adaptation           710.721µs
  checks               18.07605ms
  total                2.101879125s

  counts
  ──────────────────────────────────────────
  modules downloaded   1
  modules processed    2
  blocks processed     55
  files read           9

  results
  ──────────────────────────────────────────
  passed               8
  ignored              28
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-09-05 11:17:47,175 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 28, Failed checks: 4, Skipped checks: 0

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.vm-import.aws_iam_policy.vmimport-policy
	File: /main.tf:83-116
	Calling File: /test/unit-test/main.tf:1-10

		83  | resource "aws_iam_policy" "vmimport-policy" {
		84  |   name   = "vmimport-policy-${var.application_name}"
		85  |   policy = <<EOF
		86  | {
		87  |   "Version":"2012-10-17",
		88  |    "Statement":[
		89  |       {
		90  |          "Effect": "Allow",
		91  |          "Action": [
		92  |             "s3:GetBucketLocation",
		93  |             "s3:GetObject",
		94  |             "s3:ListBucket",
		95  |             "s3:PutObject",
		96  |             "s3:GetBucketAcl"
		97  |          ],
		98  |          "Resource": [
		99  |             "${module.s3-bucket.bucket.arn}",
		100 |             "${module.s3-bucket.bucket.arn}/*"
		101 |          ]
		102 |       },
		103 |       {
		104 |          "Effect": "Allow",
		105 |          "Action": [
		106 |             "ec2:ModifySnapshotAttribute",
		107 |             "ec2:CopySnapshot",
		108 |             "ec2:RegisterImage",
		109 |             "ec2:Describe*"
		110 |          ],
		111 |          "Resource": "*"
		112 |       }
		113 |    ]
		114 | }
		115 | EOF
		116 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.vm-import.aws_iam_policy.vmimport-policy
	File: /main.tf:83-116
	Calling File: /test/unit-test/main.tf:1-10

		83  | resource "aws_iam_policy" "vmimport-policy" {
		84  |   name   = "vmimport-policy-${var.application_name}"
		85  |   policy = <<EOF
		86  | {
		87  |   "Version":"2012-10-17",
		88  |    "Statement":[
		89  |       {
		90  |          "Effect": "Allow",
		91  |          "Action": [
		92  |             "s3:GetBucketLocation",
		93  |             "s3:GetObject",
		94  |             "s3:ListBucket",
		95  |             "s3:PutObject",
		96  |             "s3:GetBucketAcl"
		97  |          ],
		98  |          "Resource": [
		99  |             "${module.s3-bucket.bucket.arn}",
		100 |             "${module.s3-bucket.bucket.arn}/*"
		101 |          ]
		102 |       },
		103 |       {
		104 |          "Effect": "Allow",
		105 |          "Action": [
		106 |             "ec2:ModifySnapshotAttribute",
		107 |             "ec2:CopySnapshot",
		108 |             "ec2:RegisterImage",
		109 |             "ec2:Describe*"
		110 |          ],
		111 |          "Resource": "*"
		112 |       }
		113 |    ]
		114 | }
		115 | EOF
		116 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.vm-import.aws_iam_policy.vmimport-policy
	File: /main.tf:83-116
	Calling File: /test/unit-test/main.tf:1-10

		83  | resource "aws_iam_policy" "vmimport-policy" {
		84  |   name   = "vmimport-policy-${var.application_name}"
		85  |   policy = <<EOF
		86  | {
		87  |   "Version":"2012-10-17",
		88  |    "Statement":[
		89  |       {
		90  |          "Effect": "Allow",
		91  |          "Action": [
		92  |             "s3:GetBucketLocation",
		93  |             "s3:GetObject",
		94  |             "s3:ListBucket",
		95  |             "s3:PutObject",
		96  |             "s3:GetBucketAcl"
		97  |          ],
		98  |          "Resource": [
		99  |             "${module.s3-bucket.bucket.arn}",
		100 |             "${module.s3-bucket.bucket.arn}/*"
		101 |          ]
		102 |       },
		103 |       {
		104 |          "Effect": "Allow",
		105 |          "Action": [
		106 |             "ec2:ModifySnapshotAttribute",
		107 |             "ec2:CopySnapshot",
		108 |             "ec2:RegisterImage",
		109 |             "ec2:Describe*"
		110 |          ],
		111 |          "Resource": "*"
		112 |       }
		113 |    ]
		114 | }
		115 | EOF
		116 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.vm-import.s3-bucket
	File: /main.tf:1-52
	Calling File: /test/unit-test/main.tf:1-10

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:

Passed checks: 175, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0