cloudposse · goruha · Oct 8, 2025 · Sep 3, 2025 · Oct 7, 2025 · Oct 7, 2025
@@ -7,7 +7,7 @@ assignees: ''
 
 ---
 
-Found a bug? Maybe our [Slack Community](https://slack.cloudposse.com) can help. 
+Found a bug? Maybe our [Slack Community](https://slack.cloudposse.com) can help.
 
 [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
 
@@ -34,4 +34,4 @@ Anything that will help us triage the bug will help. Here are some ideas:
  - Version [e.g. 10.15]
 
 ## Additional Context
-Add any other context about the problem here.
+Add any other context about the problem here.
@@ -8,7 +8,7 @@ body:
     attributes:
       value: |
         Found a bug?
-        
+
         Please checkout our [Slack Community](https://slack.cloudposse.com)
         or visit our [Slack Archive](https://archive.sweetops.com/).
 

@@ -15,4 +15,4 @@ contact_links:
   - name: DevOps Accelerator Program
     url: https://cloudposse.com/accelerate/
     about: |-
-      Own your infrastructure in record time. We build it. You drive it. 
+      Own your infrastructure in record time. We build it. You drive it.
@@ -7,13 +7,13 @@ assignees: ''
 
 ---
 
-Have a question? Please checkout our [Slack Community](https://slack.cloudposse.com) or visit our [Slack Archive](https://archive.sweetops.com/). 
+Have a question? Please checkout our [Slack Community](https://slack.cloudposse.com) or visit our [Slack Archive](https://archive.sweetops.com/).
 
 [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
 
 ## Describe the Feature
 
-A clear and concise description of what the bug is. 
+A clear and concise description of what the bug is.
 
 ## Expected Behavior
 

@@ -8,7 +8,7 @@ body:
     attributes:
       value: |
         Have a question?
-        
+
         Please checkout our [Slack Community](https://slack.cloudposse.com)
         or visit our [Slack Archive](https://archive.sweetops.com/).
 
@@ -39,7 +39,7 @@ body:
       description: |
         Is your feature request related to a problem/challenge you are trying
         to solve?
-        
+
         Please provide some additional context of why this feature or
         capability will be valuable.
     validations:

@@ -8,14 +8,14 @@
 ## why
 
 <!--
-- Provide the justifications for the changes (e.g. business case). 
+- Provide the justifications for the changes (e.g. business case).
 - Describe why these changes were made (e.g. why do these commits fix the problem?)
 - Use bullet points to be concise and to the point.
 -->
 
 ## references
 
 <!--
-- Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow). 
+- Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow).
 - Use `closes #123`, if this PR closes a GitHub issue `#123`
 -->
@@ -0,0 +1,56 @@
+---
+# The workflow name **must** be "autofix.ci" for Autofix CI to function correctly.
+# Any deviation from this name will cause Autofix CI to fail, as it relies on this
+# specific identifier for execution. This is a strict requirement of Autofix CI.
+name: autofix.ci
+on: pull_request
+permissions: {}
+jobs:
+  autofix:
+    runs-on: ubuntu-24.04
+    permissions: {}
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: aquaproj/aqua-installer@5e54e5cee8a95ee2ce7c04cb993da6dfad13e59c # v3.1.2
+        with:
+          aqua_version: v2.43.0
+
+      - name: Update aqua-checksums.json
+        run: aqua upc -prune
+
+      # go mod tidy
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version-file: go.mod
+      - run: go mod tidy
+
+      # gofumpt
+      - name: Get changed Go files
+        id: changed-files
+        uses: tj-actions/changed-files@e7b157b1c4ad44acfc8d9be14b8cd8f5058636e3 # v45.0.6
+        with:
+          use_rest_api: "true"
+          files: |
+            **/*.go
+      - if: steps.changed-files.outputs.all_changed_files_count != '0'
+        env:
+          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+        run: |
+          # shellcheck disable=SC2086
+          gofumpt -l -w $ALL_CHANGED_FILES
+
+      # Run pre-commit hooks for whitespace fixes
+      - name: Install pre-commit
+        run: |
+          pip install pre-commit
+
+      - name: Run pre-commit whitespace fixes
+        run: |
+          # Run only the whitespace-related hooks from pre-commit
+          pre-commit run trailing-whitespace --all-files || true
+          pre-commit run end-of-file-fixer --all-files || true
+
+      - uses: autofix-ci/action@2891949f3779a1cafafae1523058501de3d4e944 # v1.3.1
@@ -0,0 +1,100 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+    types: [opened, labeled, unlabeled, synchronize]
+  schedule:
+    # runs on 19:17 every Tuesday
+    - cron: "27 19 * * 2"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go", "javascript-typescript"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #     echo "Run, Build Application using script"
+      #     ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+
+  lint-golangci:
+    name: "Lint (golangci)"
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      # Required: allow read access to the content for analysis.
+      contents: read
+      # allow read access to pull request. Use with `only-new-issues` option.
+      pull-requests: read
+      # allow write access to checks to allow the action to annotate code in the PR.
+      checks: write
+      # allow write access to security events to allow the action to upload SARIF files.
+      security-events: write
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v8
+        id: golangci
+        with:
+          version: v2.4.0
+          only-new-issues: true # Shows only issues introduced in the PR
+          # Not all line numbers in diff may match the linter's line outputs
+          # See: https://github.com/golangci/golangci-lint/issues/4376#issuecomment-1938874827
+          # Always exit 0 so we upload the sarif file to CodeQL
+          args: >
+            --output.sarif.path=golangci-lint.sarif
+            --issues-exit-code=0
+
+      - name: Upload filtered SARIF results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: golangci-lint.sarif
@@ -0,0 +1,55 @@
+name: Pre-commit
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+env:
+  # Ensure pre-commit uses the right Python version
+  PYTHON_VERSION: "3.11"
+  # Skip hooks that are already running in other CI jobs to avoid redundant work
+  # go-build-mod: Already runs in test.yml build job
+  # golangci-lint: Already runs in codeql.yml lint-golangci job
+  SKIP: go-build-mod,golangci-lint
+
+jobs:
+  pre-commit:
+    name: Run pre-commit hooks
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          # Fetch full history for proper diff checking
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Install Go tools
+        run: |
+          # Install gofumpt for pre-commit
+          go install mvdan.cc/gofumpt@latest
+
+          # Install golangci-lint v2
+          go install github.com/golangci/golangci-lint/v2/cmd/[email protected]
+
+          # Add Go bin to PATH
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Run CloudPosse pre-commit action
+        uses: cloudposse/[email protected]
+        with:
+          # Run against files changed in the PR only
+          # This prevents formatting/checking unrelated files
+          extra_args: --from-ref ${{ github.event.pull_request.base.sha }} --to-ref HEAD
@@ -26,13 +26,13 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install Atmos
         uses: cloudposse/github-action-setup-atmos@v2
         with:
           token: ${{ github.token }}
-          install-wrapper: false        
+          install-wrapper: false
 
       - name: Set up Go
         uses: actions/setup-go@v5
@@ -66,7 +66,7 @@ jobs:
           - "1.6.3"
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install Atmos
         uses: cloudposse/github-action-setup-atmos@v2

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: "Checkout source code at current commit"
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       # Leave pinned at 0.7.1 until https://github.com/mszostok/codeowners-validator/issues/173 is resolved
     - uses: mszostok/[email protected]
       if: github.event.pull_request.head.repo.full_name == github.repository