From 262b5939bab52848350aac2171f8c5c3ac1ba1e5 Mon Sep 17 00:00:00 2001
From: Kurtis Mash <24705116+kurtismash@users.noreply.github.com>
Date: Sat, 19 Jul 2025 15:30:07 +0100
Subject: [PATCH 1/2] Standardise workflow naming and formatting
---
 .../workflows/lint-and-validate-terraform.yml | 4 +--
 .../{plan.yml => plan-examples-tags.yml} | 33 +++++++------------
 .../{website.yaml => publish-docs.yml} | 23 +++++-------
 .github/workflows/{tflint.yaml => tflint.yml} | 18 ++++------
 4 files changed, 28 insertions(+), 50 deletions(-)
 rename .github/workflows/{plan.yml => plan-examples-tags.yml} (85%)
 rename .github/workflows/{website.yaml => publish-docs.yml} (84%)
 rename .github/workflows/{tflint.yaml => tflint.yml} (69%)
diff --git a/.github/workflows/lint-and-validate-terraform.yml b/.github/workflows/lint-and-validate-terraform.yml
index 5eeecbd..384cd99 100644
--- a/.github/workflows/lint-and-validate-terraform.yml
+++ b/.github/workflows/lint-and-validate-terraform.yml
@@ -1,4 +1,4 @@
-name: Lint and Validate Terraform
+name: Lint and validate Terraform
 on:
 push:
@@ -39,4 +39,4 @@ jobs:
 call_tflint_workflow:
 name: Run TFLint
 needs: terraform_validation
- uses: ./.github/workflows/tflint.yaml
+ uses: ./.github/workflows/tflint.yml
diff --git a/.github/workflows/plan.yml b/.github/workflows/plan-examples-tags.yml
similarity index 85%
rename from .github/workflows/plan.yml
rename to .github/workflows/plan-examples-tags.yml
index 3d5d9d2..84802cb 100644
--- a/.github/workflows/plan.yml
+++ b/.github/workflows/plan-examples-tags.yml
@@ -1,10 +1,11 @@
-name: Terraform Plan
+name: Plan examples/tags
+
 on:
 workflow_dispatch:
 push:
 paths:
 - "**/*.tf"
- - ".github/workflows/plan.yml"
+ - ".github/workflows/plan-examples-tags.yml"
 branches:
 - "**"
@@ -18,7 +19,6 @@ jobs:
 terraform_validate:
 name: Terraform validate
 runs-on: ubuntu-latest
-
 permissions:
 id-token: write
 contents: read
@@ -28,23 +28,18 @@ jobs:
 uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
 with:
 egress-policy: audit
-
 - name: Terraform setup
 uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 with:
 terraform_version: 1.12.1
-
- - name: Checkout
+ - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
- - name: Terraform format
+ - name: terraform fmt -check -recursive
 run: terraform fmt -check -recursive
-
- - name: Terraform init
+ - name: terraform init -backend=false
 working-directory: ./examples/tags
- run: terraform init -get -backend=false
-
- - name: Terraform validate
+ run: terraform init -backend=false
+ - name: terraform validate
 working-directory: ./examples/tags
 run: terraform validate
@@ -55,7 +50,6 @@ jobs:
 defaults:
 run:
 working-directory: ./examples/tags
-
 permissions:
 id-token: write
 contents: read
@@ -66,27 +60,22 @@ jobs:
 uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
 with:
 egress-policy: audit
-
 - name: Terraform setup
 uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 with:
 terraform_version: 1.12.1
-
- - name: checkout
+ - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
- - name: Configure AWS Credentials
+ - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
 with:
 role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN}}
 aws-region: ${{ secrets.AWS_REGION }}
-
- - name: Terraform initialise
+ - name: terraform init
 run: >
 terraform init -backend-config=bucket=${{ secrets.TERRAFORM_STATE_BUCKET}} -backend-config=key=${{ secrets.TERRAFORM_STATE_KEY}} -backend-config=region=${{ secrets.TERRAFORM_STATE_REGION}}
-
 - name: terraform plan
 run: terraform plan -out tfplan
diff --git a/.github/workflows/website.yaml b/.github/workflows/publish-docs.yml
similarity index 84%
rename from .github/workflows/website.yaml
rename to .github/workflows/publish-docs.yml
index d5ca6d3..ccf7c66 100644
--- a/.github/workflows/website.yaml
+++ b/.github/workflows/publish-docs.yml
@@ -1,4 +1,5 @@
-name: Publish website
+name: Publish docs
+
 on:
 push:
 branches:
@@ -15,27 +16,25 @@ permissions:
 jobs:
 deploy:
- name: Publish docs website
+ name: Publish docs
 runs-on: ubuntu-latest
 steps:
 - name: Harden the runner (Audit all outbound calls)
 uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
 with:
 egress-policy: audit
-
- - name: Checkout code
+ - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
- - name: Configure Git Credentials
+ - name: Configure Git credentials
 run: |
 git config user.name github-actions[bot]
 git config user.email 41898282+github-actions[bot]@users.noreply.github.com
-
- - name: Setup Python
+ - name: Install Python
 uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: 3.13
-
+ - name: Install Python dependencies
+ run: pip install -r requirements-docs.txt
 - name: Set up build cache
 uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
@@ -43,14 +42,8 @@ jobs:
 path: .cache
 restore-keys: |
 mkdocs-material-
-
- - name: Install dependencies
- run: |
- pip install -r requirements-docs.txt
-
 - name: Deploy GitHub Pages
 run: mkdocs gh-deploy --force
-
 - name: Save build cache
 uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yml
similarity index 69%
rename from .github/workflows/tflint.yaml
rename to .github/workflows/tflint.yml
index fb8ce7d..ebbea99 100644
--- a/.github/workflows/tflint.yaml
+++ b/.github/workflows/tflint.yml
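Review bot: The added `Install Python dependencies` step (`run: pip install -r requirements-docs.txt`) installs the docs toolchain with no integrity check, while every action in this series is pinned to a commit SHA and TFLint is verified by checksum; if `requirements-docs.txt` carries hashes (not visible here), `run: python -m pip install --require-hashes -r requirements-docs.txt` extends the same guarantee to pip. Invoking `python -m pip` rather than bare `pip` also ensures the install targets the interpreter configured by the preceding `Install Python` step. Moving the install ahead of `Set up build cache` has no functional effect since the restored cache only covers the mkdocs `.cache` directory. The `deploy` job's trailing steps continue in the next hunk.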
@@ -1,4 +1,4 @@
-name: Run TFLint
+name: TFLint
 on:
 workflow_call:
@@ -10,23 +10,19 @@ jobs:
 tflint:
 runs-on: ubuntu-latest
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner (audit all outbound calls)
 uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
 with:
 egress-policy: audit
-
- - name: Checkout Repository
+ - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
- - name: Setup TFLint with checksum verification
+ - name: Install TFLint
 uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1
 with:
 tflint_version: v0.58.0
 checksums: |
- 1e8ccdf3e4b57ba154545b4343621bf46f25ca8f5cc97e36432469752f7ef0c0
-
- - name: Initialise & Install TFLint AWS Ruleset Plugin
+ 1e8ccdf3e4b57ba154545b4343621bf46f25ca8f5cc97e36432469752f7ef0c0
+ - name: tflint --init
 run: tflint --init
-
- - name: Run TFLint
+ - name: tflint
 run: tflint
From 32e7a0b8c1f2e87d2b61e9f4826ff9508d248963 Mon Sep 17 00:00:00 2001
From: Kurtis Mash <24705116+kurtismash@users.noreply.github.com>
Date: Sat, 19 Jul 2025 15:37:13 +0100
Subject: [PATCH 2/2] Add Dependency Review action
---
 .github/workflows/dependency-review.yml | 28 +++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..dd0c1bf
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,28 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+ name: Dependency Review
+ on: [pull_request]
+ permissions:
+ contents: read
+ jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+ with:
+ egress-policy: audit
+ - name: "Checkout Repository"
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: "Dependency Review"
+ uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
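Review bot: The step names `"Checkout Repository"`, `"Dependency Review"` and `Harden Runner` are quoted and capitalised differently from the convention the previous commit just standardised (`Checkout repository`, `Harden the runner (audit all outbound calls)`); dropping the quotes and matching case keeps the new workflow consistent with the others. The action is also invoked with no `with:` block, so the severity at which it fails the check is whatever the action defaults to; stating it explicitly, e.g. `with:` / `fail-on-severity: moderate` (or the level the project wants), makes the merge-blocking policy visible and reviewable in the workflow itself. The eight-line header comment is the action's template text; its sentence about marking the run as required describes a branch-protection setting this commit does not make, so it is worth rewording as a follow-up step or trimming.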