philips-labs
diff --git a/Diff for: ‎.github/workflows/auto-approve-dependabot.yml
+1-3 b/Diff for: ‎.github/workflows/auto-approve-dependabot.yml
+1-3
diff --git a/Diff for: ‎.github/workflows/lambda-runner-binaries-syncer.yml
-1 b/Diff for: ‎.github/workflows/lambda-runner-binaries-syncer.yml
-1
diff --git a/Diff for: ‎.github/workflows/lambda-runners.yml
-1 b/Diff for: ‎.github/workflows/lambda-runners.yml
-1
diff --git a/Diff for: ‎.github/workflows/lambda-webhook.yml
-1 b/Diff for: ‎.github/workflows/lambda-webhook.yml
-1
diff --git a/Diff for: ‎.github/workflows/packer-build.yml
+2-7 b/Diff for: ‎.github/workflows/packer-build.yml
+2-7
diff --git a/Diff for: ‎.github/workflows/release.yml
+7-18 b/Diff for: ‎.github/workflows/release.yml
+7-18
diff --git a/Diff for: ‎.github/workflows/semantic-check.yml
+2-6 b/Diff for: ‎.github/workflows/semantic-check.yml
+2-6
diff --git a/Diff for: ‎.github/workflows/stale.yml
+5-9 b/Diff for: ‎.github/workflows/stale.yml
+5-9
diff --git a/Diff for: ‎.github/workflows/update-docs.yml
+22 b/Diff for: ‎.github/workflows/update-docs.yml
+22
@@ -1,5 +1,4 @@
 name: Auto approve dependabot
-
 # Warning: The pull_request_target event is granted a read/write repository
 # token and can access secrets, even when it is triggered from a fork. Although
 # the workflow runs in the context of the base of the pull request, you should
@@ -8,12 +7,11 @@ name: Auto approve dependabot
 # the base branch, and to help prevent cache poisoning, you should not save the
 # cache if there is a possibility that the cache contents were altered. 
 on: pull_request_target
-
 jobs:
   approve:
     if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
     runs-on: ubuntu-latest
     steps:
-      - uses: hmarr/[email protected]
+      - uses: hmarr/auto-approve-action@de8ae18c173c131e182d4adf2c874d8d2308a85b # ratchet:hmarr/auto-approve-action@v3.1.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
@@ -7,7 +7,6 @@ on:
     paths:
       - .github/workflows/lambda-runner-binaries-syncer.yml
       - "modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/**"
-
 jobs:
   build:
     uses: ./.github/workflows/lambda-template.yml
 
@@ -7,7 +7,6 @@ on:
     paths:
       - .github/workflows/lambda-runners.yml
       - "modules/runners/lambdas/runners/**"
-
 jobs:
   build:
     uses: ./.github/workflows/lambda-template.yml
 
@@ -7,7 +7,6 @@ on:
     paths:
       - .github/workflows/lambda-webhook.yml
       - "modules/webhook/lambdas/webhook/**"
-
 jobs:
   build:
     uses: ./.github/workflows/lambda-template.yml
 
@@ -8,16 +8,14 @@ on:
       - "images/**"
       - ".github/workflows/packer-build.yml"
       - "module/runners/templates/**"
-
 env:
   AWS_REGION: eu-west-1
-
 jobs:
   verify_packer:
     name: Verify packer
     runs-on: ubuntu-latest
     container:
-      image: hashicorp/packer:1.7.8
+      image: index.docker.io/hashicorp/packer@sha256:f795aace438ef92e738228c21d5ceb7d5dd73ceb7e0b1efab5b0e90cbc4d4dcd # ratchet:hashicorp/packer:1.7.8
     strategy:
       matrix:
         image: ["linux-amzn2", "windows-core-2019", "windows-core-2022", "ubuntu-focal", "ubuntu-jammy", "ubuntu-jammy-arm64"]
@@ -26,13 +24,10 @@ jobs:
         working-directory: images/${{ matrix.image }}
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v3
-
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
       - name: packer init
         run: packer init .
-
       - name: check packer formatting
         run: packer fmt -recursive -check=true .
-
       - name: packer validate
         run: packer validate .
@@ -1,12 +1,10 @@
 name: Release build
-
 on:
   push:
     branches:
       - main
       - v1
   workflow_dispatch:
-
 jobs:
   prepare:
     name: Create dist
@@ -24,49 +22,43 @@ jobs:
         env:
           LAMBDA: ${{ matrix.lambda }}
         run: echo "name=${LAMBDA##*/}" >> $GITHUB_OUTPUT
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
       - name: Add zip
         run: apt update && apt install zip
       - name: Build dist
         working-directory: ${{ matrix.lambda }}
         run: yarn install && yarn run test && yarn dist
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # ratchet:actions/upload-artifact@v3
         with:
           name: ${{ steps.lambda.outputs.name }}
           path: ${{ matrix.lambda }}/${{ steps.lambda.outputs.name }}.zip
           retention-days: 1
-
   release:
     name: release
     runs-on: ubuntu-latest
-    needs:
-      prepare
+    needs: prepare
     outputs:
       releases_created: ${{ steps.release.outputs.releases_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}
     steps:
       - name: Get installation token
-        uses: philips-software/[email protected]
+        uses: philips-software/app-token-action@a37926571e4cec6f219e06727136efdd073d8657 # ratchet:philips-software/app-token-action@v1.1.2
         id: token
         with:
           app_id: ${{ secrets.FOREST_RELEASER_APP_ID }}
           app_base64_private_key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY_BASE64 }}
           auth_type: installation
-
-
       - name: Extract branch name
         id: branch
         shell: bash
         run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
-
       - name: Release
         id: release
         uses: google-github-actions/release-please-action@e0b9d1885d92e9a93d5ce8656de60e3b806e542c # ratchet:google-github-actions/release-please-action@v3
         with:
           default-branch: ${{ steps.branch.outputs.name }}
           release-type: terraform-module
           token: ${{ steps.token.outputs.token }}
-
   assets:
     name: upload assets
     if: ${{ needs.release.outputs.releases_created }}
@@ -78,15 +70,12 @@ jobs:
     permissions:
       contents: write
       actions: read
-
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v3
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3
         with:
           name: ${{ matrix.asset }}
-
       - name: Upload Release Asset
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run:
-          gh release upload ${{ needs.release.outputs.tag_name }} ${{ matrix.asset }}.zip
+        run: gh release upload ${{ needs.release.outputs.tag_name }} ${{ matrix.asset }}.zip
@@ -1,24 +1,20 @@
 name: "Semantic Check"
-
 on:
   pull_request_target:
     types:
       - opened
       - edited
       - synchronize
-
 permissions:
   contents: read
   pull-requests: read
-
 jobs:
   main:
     name: Semantic Commit Message Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
+      - uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # ratchet:amannn/action-semantic-pull-request@v5
         name: Check PR for Semantic Commit Message
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -3,25 +3,21 @@ on:
   schedule:
     - cron: "30 1 * * *"
   workflow_dispatch:
-
 permissions:
   issues: write
   pull-requests: write
-
 jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v7
+      - uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # ratchet:actions/stale@v7
         with:
           stale-issue-message: >
-            This issue has been automatically marked as stale because it has not had
-            activity in the last 30 days. It will be closed if no further activity occurs. 
-            Thank you for your contributions.
+            This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs.  Thank you for your contributions.
+
           stale-pr-message: >
-            This pull request has been automatically marked as stale because it has not had
-            activity in the last 30 days. It will be closed if no further activity occurs. Thank you
-            for your contributions.
+            This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.
+
           days-before-stale: 30
           days-before-close: 10
           close-issue-label: "abandoned"
 
@@ -0,0 +1,22 @@
+name: Update docs
+on:
+  push:
+    branches:
+      - release-please--branches--main
+permissions: read-all
+jobs:
+  docs:
+    # update docs after merge back to develop
+    name: Auto update terraform docs
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - name: Generate TF docs
+        uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # ratchet:terraform-docs/[email protected]
+        with:
+          find-dir: .
+          git-commit-message: "docs: auto update terraform docs"
+          git-push: true