From 5e2e962f5074f0a4e9aa84c46a05033e7363dc9a Mon Sep 17 00:00:00 2001 From: Jahir Date: Fri, 5 Dec 2025 10:16:55 +0000 Subject: [PATCH 01/20] updated terraform version to be picked up dynamically from .terraform-version or required-version --- .github/workflows/org.terraform-ci.yml | 33 ++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 873422ae..dcc8a744 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -34,10 +34,43 @@ jobs: steps: - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + - name: Determine Terraform Version + id: tf-version + shell: bash + run: | + set -euo pipefail + + VERSION="" + + # Check for .terraform-version file + if [[ -f ".terraform-version" ]]; then + VERSION="$(cat .terraform-version | tr -d '[:space:]')" + echo "Using version from .terraform-version: $VERSION" + fi + + # Check required_version in Terraform code if not found + if [[ -z "$VERSION" ]]; then + # Find first required_version constraint + RV=$(grep -Rho 'required_version *= *"[^"]\+"' . | head -n1 | sed 's/.*"//; s/"$//') + if [[ -n "$RV" ]]; then + echo "Using version from required_version: $RV" + VERSION="$RV" + fi + fi + + # Default to latest + if [[ -z "$VERSION" ]]; then + VERSION="latest" + echo "No version found; using default: latest" + fi + + echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Setup Terraform id: setup-tf uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd + with: + terraform_version: ${{ steps.tf-version.outputs.version }} # fmt is local-only - name: FMT (repo-wide) From 078e7cb916c22ad68bc4f233d737d5de1be73e56 Mon Sep 17 00:00:00 2001 
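Review bot: In the `required_version` branch of the new `Determine Terraform Version` step, `sed 's/.*"//; s/"$//'` is greedy, so it deletes everything up to and including the closing quote and the extracted value is always empty. The step can then only resolve to `latest`, and PATCH 02/20 keeps the same expression. Capturing the quoted value instead, e.g. `sed -E 's/.*"([^"]+)"$/\1/'`, keeps the constraint. Under `set -euo pipefail` a `grep` with no match also fails the `RV=$(...)` assignment, so the step aborts before it reaches the `latest` fallback. That fallback leaves the Terraform binary unpinned, which deserves a comment such as `# NOTE: unpinned fallback; add .terraform-version to pin`.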
From: Jahir Date: Fri, 5 Dec 2025 10:29:43 +0000 Subject: [PATCH 02/20] updated logic in retriving TF version --- .github/workflows/org.terraform-ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index dcc8a744..fec9cd14 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -44,17 +44,16 @@ jobs: # Check for .terraform-version file if [[ -f ".terraform-version" ]]; then - VERSION="$(cat .terraform-version | tr -d '[:space:]')" + VERSION="$(sed 's/[[:space:]]//g' .terraform-version || true)" echo "Using version from .terraform-version: $VERSION" fi # Check required_version in Terraform code if not found if [[ -z "$VERSION" ]]; then - # Find first required_version constraint - RV=$(grep -Rho 'required_version *= *"[^"]\+"' . | head -n1 | sed 's/.*"//; s/"$//') + RV="$(grep -Rho 'required_version *= *"[^"]\+"' . || true)" if [[ -n "$RV" ]]; then - echo "Using version from required_version: $RV" - VERSION="$RV" + VERSION="$(echo "$RV" | head -n1 | sed 's/.*"//; s/"$//')" + echo "Found required_version: $VERSION" fi fi @@ -65,6 +64,7 @@ jobs: fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" + echo "Terraform version resolved to: $VERSION" - name: Setup Terraform id: setup-tf From 09766adfdab8230cc20a4c64ae66f8b6519f9b18 Mon Sep 17 00:00:00 2001 From: Jahir Date: Fri, 5 Dec 2025 10:54:23 +0000 Subject: [PATCH 03/20] updated cache stage to removePer-directory providers folder --- .github/workflows/org.terraform-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index fec9cd14..61912813 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml 
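Review bot: Replacing `tr -d '[:space:]'` with `sed 's/[[:space:]]//g'` in the first hunk of PATCH 02/20 no longer removes newlines, because sed works line by line. A multi-line `.terraform-version` therefore yields a multi-line `VERSION` that is appended verbatim to `$GITHUB_OUTPUT`. The workflow also runs on `pull_request`, so the file's content comes from the change under test, and extra `name=value` lines would be read as additional step outputs. Validating before the write closes this, e.g. `[[ "$VERSION" =~ ^[0-9A-Za-z.+-]+$ ]] || { echo "invalid Terraform version"; exit 1; }`; the `.terraform-version` branch in PATCH 04/20 has the same gap. The added `|| true` also hides a failed read of the file.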
@@ -94,6 +94,9 @@ jobs: restore-keys: | tf-plugins-${{ runner.os }}-tf${{ steps.setup-tf.outputs.terraform_version }}- tf-plugins-${{ runner.os }}- + - name: Clear per-directory .terraform providers + run: | + find . -type d -name ".terraform" -exec rm -rf {} + # ---- Discover roots (skip examples entirely) - name: Discover Terraform dirs (skip examples) From db2462563643df53f3ea9c9cacb3e78b3b9477ef Mon Sep 17 00:00:00 2001 From: Jahir Date: Fri, 5 Dec 2025 11:38:23 +0000 Subject: [PATCH 04/20] updated cache stage to removePer-directory providers folder --- .github/workflows/org.terraform-ci.yml | 35 +++++++++++++------------- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 61912813..3045b945 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml 
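Review bot: The new `find . -type d -name ".terraform" -exec rm -rf {} +` has no `-prune`, so find still walks into every `.terraform` tree before the batched `rm` runs; `find . -type d -name ".terraform" -prune -exec rm -rf {} +` skips that walk. The step carries no comment saying why the directories are removed; if the intent is to stop checked-in or restored provider directories from being used, a line such as `# drop per-directory .terraform so init resolves providers from the shared cache` would record it. Unlike the version step it sets neither `shell: bash` nor `set -euo pipefail`.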
@@ -44,33 +44,32 @@ jobs: # Check for .terraform-version file if [[ -f ".terraform-version" ]]; then - VERSION="$(sed 's/[[:space:]]//g' .terraform-version || true)" - echo "Using version from .terraform-version: $VERSION" - fi - - # Check required_version in Terraform code if not found - if [[ -z "$VERSION" ]]; then - RV="$(grep -Rho 'required_version *= *"[^"]\+"' . || true)" - if [[ -n "$RV" ]]; then - VERSION="$(echo "$RV" | head -n1 | sed 's/.*"//; s/"$//')" - echo "Found required_version: $VERSION" + VERSION=$(sed -E 's/#.*//; s/[[:space:]]+//g' .terraform-version) + if [[ -n "$VERSION" ]]; then + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + echo "Terraform version resolved from .terraform-version: $VERSION" + exit 0 fi fi - - # Default to latest - if [[ -z "$VERSION" ]]; then - VERSION="latest" - echo "No version found; using default: latest" + RV=$(grep -Rho 'required_version *= *"= *[0-9]+\.[0-9]+\.[0-9]+"' . || true) + if [[ -n "$RV" ]]; then + VERSION=$(echo "$RV" | sed -E 's/.*"= *([0-9]+\.[0-9]+\.[0-9]+)".*/\1/' | head -n1) + if [[ -n "$VERSION" ]]; then + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + echo "Terraform version resolved from required_version: $VERSION" + exit 0 + fi fi - - echo "version=$VERSION" >> "$GITHUB_OUTPUT" - echo "Terraform version resolved to: $VERSION" + VERSION="latest" + echo "version=latest" >> "$GITHUB_OUTPUT" + echo "Terraform version resolved to fallback: $VERSION" - name: Setup Terraform id: setup-tf uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd with: terraform_version: ${{ steps.tf-version.outputs.version }} + terraform_wrapper: false # fmt is local-only - name: FMT (repo-wide) From 2f7a8bab7dbe01248b651b15756fd61730d5e359 Mon Sep 17 00:00:00 2001 From: SamW94 Date: Fri, 5 Dec 2025 13:04:29 +0000 Subject: [PATCH 05/20] feat: initialise with --upgrade flag --- .github/workflows/org.terraform-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
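Review bot: The rewritten `grep -Rho 'required_version *= *"= *[0-9]+\.[0-9]+\.[0-9]+"' .` is evaluated as a basic regular expression, where `+` is a literal plus sign. It therefore cannot match an exact pin of the form `"= X.Y.Z"`, and the step always drops to `latest` when `.terraform-version` is absent. Adding `-E`, as in `RV=$(grep -RhoE 'required_version *= *"= *[0-9]+\.[0-9]+\.[0-9]+"' . || true)`, brings it in line with the `sed -E` on the following line. The search covers the whole checkout and takes the first hit, so a pin in an example or vendored directory can win; restricting the search path would make the result predictable. A silent `latest` means the job runs whatever Terraform release is current, so a `::warning::` on that branch would make the unpinned run visible.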
diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 3045b945..ce7dddb0 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -165,7 +165,7 @@ jobs: # INIT — SOFT-SKIP on auth/path/download issues log="$(mktemp)" - if ! terraform -chdir="$d" init -backend=false -input=false "${lockflag[@]}" -no-color 2>&1 | tee "$log"; then + if ! terraform -chdir="$d" init -backend=false -input=false "${lockflag[@]}" --upgrade -no-color 2>&1 | tee "$log"; then if grep -Eq 'Failed to download module|Permission denied \(publickey\)|Authentication failed|Repository not found|could not read from remote repository|The requested URL returned error: (403|404)|Unreadable module directory|Unable to evaluate directory symlink|no such file or directory' "$log"; then echo "::warning file=$d::terraform init failed (private module auth or bad local module path). Skipping validate for this dir." soft_skipped+=("$d (init auth/path)") From 10ebb3da24547f4710b0f57c9f51270493eb6639 Mon Sep 17 00:00:00 2001 From: SamW94 Date: Fri, 5 Dec 2025 13:05:28 +0000 Subject: [PATCH 06/20] feat: initialise with --upgrade flag --- .github/workflows/org.terraform-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index ce7dddb0..f87dae19 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml 
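Review bot: `--upgrade` is added alongside `"${lockflag[@]}"`, which the hunk in PATCH 07/20 shows expanding to `-lockfile=readonly` whenever `.terraform.lock.hcl` exists. Terraform treats `-upgrade` and `-lockfile=readonly` as conflicting options, so init would be expected to fail in every directory that has a lock file. That error text is not in the soft-skip `grep -Eq` list, so it would presumably surface as a hard failure rather than a skip. The enclosing loop starts and ends outside the hunk.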
@@ -165,7 +165,7 @@ jobs: # INIT — SOFT-SKIP on auth/path/download issues log="$(mktemp)" - if ! terraform -chdir="$d" init -backend=false -input=false "${lockflag[@]}" --upgrade -no-color 2>&1 | tee "$log"; then + if ! terraform -chdir="$d" init -backend=false -input=false --upgrade -no-color 2>&1 | tee "$log"; then if grep -Eq 'Failed to download module|Permission denied \(publickey\)|Authentication failed|Repository not found|could not read from remote repository|The requested URL returned error: (403|404)|Unreadable module directory|Unable to evaluate directory symlink|no such file or directory' "$log"; then echo "::warning file=$d::terraform init failed (private module auth or bad local module path). Skipping validate for this dir." soft_skipped+=("$d (init auth/path)") From b4d249f76c786bcd5729b830a16e3f602aeb0917 Mon Sep 17 00:00:00 2001 From: SamW94 Date: Fri, 5 Dec 2025 13:18:36 +0000 Subject: [PATCH 07/20] feat: initialise with --lockfile=update --- .github/workflows/org.terraform-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index f87dae19..66fa6c98 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml 
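Review bot: With `"${lockflag[@]}"` dropped and `--upgrade` kept, init ignores the selections recorded in `.terraform.lock.hcl` and picks the newest providers that satisfy the constraints. CI then validates against providers other than the committed, checksummed ones. The `lockflag` array is still built above this hunk (it appears as context in PATCH 07/20) but is no longer used. Keeping `-lockfile=readonly` here and leaving `-upgrade` to a separate, reviewed lock-update change preserves the lock file as the record of what was verified.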
@@ -161,11 +161,11 @@ jobs: echo "==> terraform init: $d" echo "==============================" lockflag=() - [[ -f "$d/.terraform.lock.hcl" ]] && lockflag=(-lockfile=readonly) + [[ -f "$d/.terraform.lock.hcl" ]] && lockflag=(-lockfile=update) # INIT — SOFT-SKIP on auth/path/download issues log="$(mktemp)" - if ! terraform -chdir="$d" init -backend=false -input=false --upgrade -no-color 2>&1 | tee "$log"; then + if ! terraform -chdir="$d" init -backend=false -input=false "${lockflag[@]}" -no-color 2>&1 | tee "$log"; then if grep -Eq 'Failed to download module|Permission denied \(publickey\)|Authentication failed|Repository not found|could not read from remote repository|The requested URL returned error: (403|404)|Unreadable module directory|Unable to evaluate directory symlink|no such file or directory' "$log"; then echo "::warning file=$d::terraform init failed (private module auth or bad local module path). Skipping validate for this dir." soft_skipped+=("$d (init auth/path)") From 03f98d4883f3f163dfd4a964f78c11023977185e Mon Sep 17 00:00:00 2001 From: SamW94 Date: Fri, 5 Dec 2025 16:06:33 +0000 Subject: [PATCH 08/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 66fa6c98..42768f99 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml 
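Review bot: `lockflag=(-lockfile=update)` replaces the `readonly` mode, but Terraform's `init` help lists only `readonly` as a lockfile mode, so it should be confirmed that `update` is accepted rather than ignored or rejected. With `readonly`, init errors when it would need to change the lock file; without it, a `.terraform.lock.hcl` that has drifted from the configuration passes CI unnoticed. If the lock is meant to stay enforced, `[[ -f "$d/.terraform.lock.hcl" ]] && lockflag=(-lockfile=readonly)` can be kept and the mismatch reported as an explicit warning instead.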
@@ -77,6 +77,31 @@ jobs: TF_PLUGIN_CACHE_DIR: "" run: terraform fmt -recursive -check + # GitHub App token for cloning private module repos + - name: Verify GitHub App secrets present + env: + APP_ID: ${{ secrets.APP_ID }} + APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + run: | + set -euo pipefail + [ -n "${APP_ID:-}" ] || { echo "Missing secret APP_ID"; exit 1; } + [ -n "${APP_PRIVATE_KEY:-}" ] || { echo "Missing secret APP_PRIVATE_KEY"; exit 1; } + + - name: Get GitHub App token for modules + id: app-token + uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + owner: uktrade + + - name: Configure git auth for private module clones + env: + TOKEN: ${{ steps.app-token.outputs.token }} + run: | + git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/" + git config --global --get-regexp '^url\..*\.insteadOf$' || true + # ---- Provider cache (used by init/validate) ---- - name: Prepare Terraform provider cache dir shell: bash From b956f93a9ef4006ad955d2f034c39e48e921b2fd Mon Sep 17 00:00:00 2001 From: SamW94 Date: Fri, 5 Dec 2025 16:06:47 +0000 Subject: [PATCH 09/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 42768f99..0771e20f 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -18,6 +18,11 @@ on: required: false type: string default: "" + secrets: + APP_ID: + required: true + APP_PRIVATE_KEY: + required: true pull_request: types: [opened, edited, reopened, synchronize] From 8c317a114a49acb7e21d291f44e9ba8387e86e02 Mon Sep 17 00:00:00 2001 
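Review bot: In `Configure git auth for private module clones` (PATCH 08/20), the follow-up `git config --global --get-regexp '^url\..*\.insteadOf$' || true` prints the rewrite key, and that key is the URL with `${TOKEN}` embedded, so only runner-side masking keeps the installation token out of the job log. Dropping that line, or printing a fixed confirmation such as `echo "git URL rewrite configured"`, removes that dependency. The rewrite is stored in the global git config and stays in place for the later init/validate steps that process the checked-out Terraform code; an `if: always()` cleanup step that unsets the key would bound the token's lifetime on the runner. The step also runs without `set -euo pipefail`.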
From: SamW94 Date: Fri, 5 Dec 2025 16:16:18 +0000 Subject: [PATCH 10/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 0771e20f..e6502ba4 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -84,7 +84,7 @@ jobs: # GitHub App token for cloning private module repos - name: Verify GitHub App secrets present - env: + secrets: APP_ID: ${{ secrets.APP_ID }} APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} run: | @@ -95,9 +95,10 @@ jobs: - name: Get GitHub App token for modules id: app-token uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 - with: + secrets: app-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} + with: owner: uktrade - name: Configure git auth for private module clones From 15f145beab7249ac695c103f86fe26e8d350fce1 Mon Sep 17 00:00:00 2001 From: SamW94 Date: Fri, 5 Dec 2025 16:16:54 +0000 Subject: [PATCH 11/20] fix: yaml formatting --- .github/workflows/org.terraform-ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index e6502ba4..5dac6969 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -19,10 +19,10 @@ on: type: string default: "" secrets: - APP_ID: - required: true - APP_PRIVATE_KEY: - required: true + APP_ID: + required: false + APP_PRIVATE_KEY: + required: false pull_request: types: [opened, edited, reopened, synchronize] From 36469463b609352e528e1ccdd644593b266a2cfb Mon Sep 17 00:00:00 2001 
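Review bot: `secrets:` is not a key that a step accepts, so the workflow would be expected to fail validation instead of passing the values. PATCH 10/20 substitutes it for `env:` on `Verify GitHub App secrets present` (first hunk) and for `with:` on `Get GitHub App token for modules` (second hunk). `secrets:` belongs under `on.workflow_call` or on a job that calls a reusable workflow. A `run` step reads its values from `env:` (`APP_ID: ${{ secrets.APP_ID }}`), and an action takes them through `with:`.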
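Review bot: PATCH 11/20 is titled as a YAML formatting fix but also flips both `workflow_call` secrets from `required: true` to `required: false`. The `Verify GitHub App secrets present` step exits 1 when either value is empty, so a caller that omits them now fails mid-run rather than at call time. If optional secrets are intended, the token and git-auth steps need an `if:` guard; otherwise `required: true` should stay. The commit message should mention the behaviour change either way.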
From: SamW94 Date: Fri, 5 Dec 2025 16:24:02 +0000 Subject: [PATCH 12/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 5dac6969..0eeda239 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -18,11 +18,6 @@ on: required: false type: string default: "" - secrets: - APP_ID: - required: false - APP_PRIVATE_KEY: - required: false pull_request: types: [opened, edited, reopened, synchronize] From 235c34ccd0bf7addfa2edd646f5401bd9af7b474 Mon Sep 17 00:00:00 2001 From: SamW94 Date: Mon, 8 Dec 2025 09:19:03 +0000 Subject: [PATCH 13/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 0eeda239..75b6c416 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -80,8 +80,8 @@ jobs: # GitHub App token for cloning private module repos - name: Verify GitHub App secrets present secrets: - APP_ID: ${{ secrets.APP_ID }} - APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + APP_ID: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} + APP_PRIVATE_KEY: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} run: | set -euo pipefail [ -n "${APP_ID:-}" ] || { echo "Missing secret APP_ID"; exit 1; } @@ -91,8 +91,8 @@ jobs: id: app-token uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 secrets: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} + app-id: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} + private-key: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} with: owner: uktrade From c91a214f21326c72d1dd42354f68f9aa4bf2ef9b Mon Sep 17 00:00:00 2001 
From: SamW94 Date: Mon, 8 Dec 2025 09:31:01 +0000 Subject: [PATCH 14/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 75b6c416..1eb0f8d7 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -79,7 +79,7 @@ jobs: # GitHub App token for cloning private module repos - name: Verify GitHub App secrets present - secrets: + with: APP_ID: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} APP_PRIVATE_KEY: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} run: | @@ -90,7 +90,7 @@ jobs: - name: Get GitHub App token for modules id: app-token uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 - secrets: + with: app-id: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} private-key: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} with: From 4b239b2adfe80309995e554b3687abed28e7d742 Mon Sep 17 00:00:00 2001 From: SamW94 Date: Mon, 8 Dec 2025 09:33:13 +0000 Subject: [PATCH 15/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 1eb0f8d7..f93f8aef 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -79,7 +79,7 @@ jobs: # GitHub App token for cloning private module repos - name: Verify GitHub App secrets present - with: + env: APP_ID: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} APP_PRIVATE_KEY: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} run: | 
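Review bot: In the first hunk of PATCH 14/20 the `run` step `Verify GitHub App secrets present` is given its values through `with:`, which only supplies inputs to a `uses:` action. Either the workflow is rejected or nothing reaches the shell and `${APP_ID:-}` is empty, so the check cannot pass; `env:` is the key a script reads from. In the second hunk `Get GitHub App token for modules` ends up with two `with:` mappings, the new one and the existing one holding `owner: uktrade`. Duplicate keys are invalid, and the two should be merged into a single `with:` block.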
@@ -91,10 +91,9 @@ jobs: id: app-token uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 with: + owner: uktrade app-id: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} private-key: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} - with: - owner: uktrade - name: Configure git auth for private module clones env: From 2474c74562e0087c0e5f760212f465553e599db6 Mon Sep 17 00:00:00 2001 From: SamW94 Date: Mon, 8 Dec 2025 09:36:05 +0000 Subject: [PATCH 16/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index f93f8aef..c1e7e539 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -94,6 +94,8 @@ jobs: owner: uktrade app-id: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} private-key: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} + repositories: | + {{ github.event.repository.name }} - name: Configure git auth for private module clones env: From 45c19fef2c6d838f5701cd1a7ba94a2fe97ef7fe Mon Sep 17 00:00:00 2001 From: SamW94 Date: Mon, 8 Dec 2025 09:36:56 +0000 Subject: [PATCH 17/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index c1e7e539..cfbec8e3 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -95,7 +95,7 @@ jobs: app-id: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} private-key: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} repositories: | - {{ github.event.repository.name }} + ${{ github.event.repository.name }} - name: Configure git auth for private module clones env: From 36c930ab471990e668b7fd69bde6cb0eff46e918 Mon Sep 17 00:00:00 2001 
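Review bot: The `repositories` input added in PATCH 16/20 names only the repository running the workflow, while the comment above these steps says the token is for cloning private module repos, which are presumably other repositories. A token scoped this way would not reach them. The expression is also written as `{{ github.event.repository.name }}` without the leading `$`, so the action receives that literal text. Listing the module repositories explicitly under `repositories:` would keep the token narrow and still usable.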
From: SamW94 Date: Mon, 8 Dec 2025 09:39:06 +0000 Subject: [PATCH 18/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index cfbec8e3..9edb96d1 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -91,11 +91,8 @@ jobs: id: app-token uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 with: - owner: uktrade app-id: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} private-key: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} - repositories: | - ${{ github.event.repository.name }} - name: Configure git auth for private module clones env: From 6dafb1fe86519193733b4697d19aa5c14d51199d Mon Sep 17 00:00:00 2001 From: SamW94 Date: Mon, 8 Dec 2025 09:44:58 +0000 Subject: [PATCH 19/20] feat: allow access to github app for reading module repos --- .github/workflows/org.terraform-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/org.terraform-ci.yml b/.github/workflows/org.terraform-ci.yml index 9edb96d1..f93f8aef 100644 --- a/.github/workflows/org.terraform-ci.yml +++ b/.github/workflows/org.terraform-ci.yml @@ -91,6 +91,7 @@ jobs: id: app-token uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 with: + owner: uktrade app-id: ${{ secrets.TERRAFORM_MODULE_ACCESS_APP_ID }} private-key: ${{ secrets.TERRAFORM_MODULE_ACCESS_PRIVATE_KEY }} From 4a26f7d5f354121e0242d6c6e40b4a362e023e58 Mon Sep 17 00:00:00 2001 From: SamW94 Date: Wed, 7 Jan 2026 09:27:36 +0000 Subject: [PATCH 20/20] fix: false positive in presidio --- personal-data-exclusions.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/personal-data-exclusions.txt b/personal-data-exclusions.txt index ba7d611d..8514a34e 100644 --- a/personal-data-exclusions.txt +++ b/personal-data-exclusions.txt 
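Review bot: Re-adding `owner: uktrade` in PATCH 19/20 without a `repositories` list requests an installation token covering every repository the app can reach in that organisation. That token is then written into the global git config for steps that run `terraform init` on the checked-out change. Naming only the module repositories under `repositories:` and, if the pinned action version supports permission inputs, requesting read-only contents access would limit what a leaked token can do. If org-wide scope is deliberate, a comment above `owner:` should say why.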
@@ -1,3 +1,4 @@ tests/test_data/* .github/workflows/test.yml -.github/workflows/org.common-ci.yml \ No newline at end of file +.github/workflows/org.common-ci.yml +.github/workflows/org.terraform-ci.yml \ No newline at end of file
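Review bot: Adding `.github/workflows/org.terraform-ci.yml` to `personal-data-exclusions.txt` switches off the personal-data scan for the whole workflow file in order to silence one false positive. Any real finding introduced in that file later would go unreported. If the scanner configuration allows it, excluding the specific matched string or entity type is tighter than a file-level entry; otherwise the commit message should name the false positive so the exclusion can be revisited. The file still ends without a trailing newline.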