feat: Add an option to disable auto-upgrade [DEVOP-5736]

.github/workflows/repository-checkov.yml

@@ -0,0 +1,23 @@
+name: "repository-checkov"
+permissions: read-all
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  repository-checkov:
+    name: repository-checkov
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          submodules: "recursive"
+          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+      - name: Run Checkov
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          config_file: ".checkov.yaml"

.github/workflows/repository-terraform.yml

@@ -0,0 +1,46 @@
+---
+name: "repository-terraform"
+permissions:
+  actions: read
+  pull-requests: write
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+env:
+  tf_version: "latest"
+  tf_working_dir: "."
+  TF_VAR_google_credentials: ${{ secrets.GOOGLE_CREDENTIALS }}
+  TF_WORKSPACE: ${{ github.base_ref }}
+
+jobs:
+  repository-terraform:
+    name: repository-terraform
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: "recursive"
+          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+      - name: Terraform Init
+        id: init
+        run: terraform init
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color

.github/workflows/repository-terratest.yaml → .github/workflows/repository-terratest.yml

@@ -11,8 +11,6 @@ on:
       - main
 
 env:
-  TERRATEST_GOOGLE_CREDENTIALS_STORAGE: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS_STORAGE }}
-  TERRATEST_GOOGLE_PROJECT_STORAGE: ${{ secrets.TERRATEST_GOOGLE_PROJECT_STORAGE }}
   TERRATEST_GOOGLE_CREDENTIALS_NETWORK: ${{TERRATEST_GOOGLE_CREDENTIALS_NETWORK}}
 
 jobs:

.github/workflows/semantic-pr.yaml

@@ -1,28 +1,19 @@
-# yamllint disable rule:line-length
-# Use template from /~https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
-
-# Use this workflow for public repos, since public repos cannot access our internal
-# workflows repo.
----
-name: public-semantic-pr
-permissions:
-  contents: write
-  pull-requests: write
+name: "Semantic Pull Request"
+permissions: read-all
 
 on:
   pull_request:
     types:
       - opened
       - edited
-      - reopened
       - synchronize
 
 jobs:
-  public-semantic-pr:
-    name: public-semantic-pr
+  main:
+    name: "Semantic Pull Request"
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v4
+      - uses: amannn/action-semantic-pull-request@v5.0.2
         name: Semantic Pull Request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}