Add more cleanup

.github/workflows/codeql.yml

@@ -0,0 +1,33 @@
+name: CodeQL
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - labeled
+      - unlabeled
+  push:
+
+jobs:
+  codeql:
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'skip workflows')) || github.event_name == 'push'
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - go
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: '${{ matrix.language }}'
+      - uses: github/codeql-action/autobuild@v3
+      - uses: github/codeql-action/analyze@v3

.github/workflows/lint.yml

@@ -1,18 +1,19 @@
 name: Lint
 
 on:
-  push:
-    branches:
-      - main
   pull_request:
-    branches:
-      - main
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - labeled
+      - unlabeled
+  push:
 
 jobs:
   lint:
     name: Run golangci-lint
     runs-on: ubuntu-latest
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

.github/workflows/test.yml

@@ -0,0 +1,23 @@
+name: Tests
+
+on:
+    pull_request:
+      types:
+        - opened
+        - synchronize
+        - reopened
+        - labeled
+        - unlabeled
+    push:
+
+jobs:
+  go_test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - uses: actions/setup-go@v5
+      with:
+        go-version-file: go.mod
+    - run: make test

Makefile

@@ -1,4 +1,4 @@
-.PHONY: build test format
+.PHONY: build test format lint
 
 build:
 	go build -o build
@@ -7,4 +7,7 @@ test:
 	go test -v
 
 format:
-	gofmt -w -s .
+	gofmt -w -s .
+
+lint:
+	golangci-lint run --fix

README.md

@@ -1,12 +1,12 @@
-# aiven-terraform-governance-compliance-checker
-GitHub Action to check whether the plan generated by terraform plan complies with governance rules on aiven terraform provider resources.
+![Tests](https://github.com/github/docs/actions/workflows/test.yml/badge.svg)
+![Lint](https://github.com/github/docs/actions/workflows/lint.yml/badge.svg)
+![Codeql](https://github.com/github/docs/actions/workflows/codeql.yml/badge.svg)
 
-# How it works
-This action checks the generated plan whether the external user requesting the change is owner of the resource and whether the change has been approved by one of the resource owners and outputs a report in JSON format regadring any compliance errors that it finds. 
+## Overview
+This GitHub Action can be used to perform governing checks on terraform aiven provider resources for the terraform generated plan. 
+It outputs a compliance report in JSON format with any errors it finds.
 
-The program only considers resources with explicitly set owners. Right now, the only resource that supports having owner is the `aiven_kafka_topic` resource by using the optional `owner_user_group_id` configuration.
-
-Example output:
+Example report:
 ```json
 {
   "ok": false,
@@ -24,33 +24,8 @@ Example output:
 ```
 
 
-# Setup
-Here is how to set it up for your repository:
-1. Map the external user to aiven internal user by adding `aiven_external_identity` data resource in your terraform configuration. In this case, we are using service `github`, which refers to the github login name. For example:
-```
-data "aiven_external_identity" "foo" {
-  organization_id = data.aiven_organization_user.organization_id,
-  internal_user_id = data.aiven_organization_user.alice.user_id,
-  external_user_id = "github-login-name",
-  external_service_name = "github"
-}
-```
-
-**Note:**
-`aiven_external_identity` is currently in Beta. To use it in your configuration, you'll need have `PROVIDER_AIVEN_ENABLE_BETA: 1` set when running terraform commands.
-
-2. The action only considers topics with explicitly set owner which you can define using `aiven_kafka_topic.owner_user_group_id`. For example:
-```
-resource "aiven_kafka_topic" "foo" {
-  topic_name = "foo"
-  owner_user_group_id = aiven_organization_user_group.foo.group_id
-  ...
-}
-```
-
-3. Finally, create customized workflow around the action in your `.github/workflows` that suits your environment.
-
-For example, this workflow gets the pull request requester and approvers from the pull request and uses this action to check the plan compliance during pull request reviews:
+## Example
+This workflow gets the requester and approvers from the current pull request and uses the action to check the plan compliance during pull request reviews:
 ```yaml
 name: 'Check plan'
 
@@ -85,7 +60,7 @@ jobs:
         id: "pull_request_approvers"
         run: |
           APPROVERS=$(
-            echo '${{ steps.pull_request_reviewers.outputs.data }}' | jq '[.[] | select(.state == "APPROVED") | .user.login] | unique | @csv'
+            echo '${{ steps.pull_request_reviewers.outputs.data }}' | jq '[.[] | select(.state == "APPROVED") | .user.login] | unique | @csv' | tr -d \"
           )
           echo "approvers=$APPROVERS" >> "$GITHUB_OUTPUT"
         shell: bash
@@ -95,34 +70,45 @@ jobs:
 
       - name: "Terraform plan"
         env:
-          AIVEN_WEB_URL: ${{ secrets.AIVEN_WEB_URL }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
           PROVIDER_AIVEN_ENABLE_BETA: 1
         run: |
           terraform init
-          terraform state pull
           terraform plan -out=./plan -var="aiven_api_token=${{ secrets.AIVEN_API_TOKEN }}"
           terraform show -json ./plan > ./plan.json
         shell: bash
 
       - name: "Run compliance check"
         id: "governance"
-        uses: aiven/aiven-terraform-governance-compliance-checker@b9a4c2a80e2a9b4dc6809f6214909a27d8a8b5a5
+        uses: aiven/aiven-terraform-governance-compliance-checker@42d0bff4571d8ff79cc8bbcece855659f50b00c8
         with:
           requester: ${{ github.event.pull_request.user.login }}
           approvers: ${{ steps.pull_request_approvers.outputs.approvers }}
           plan: "./plan.json"
-
-      - name: "Handle results"
-        run: |
-          if [ $(echo '${{ steps.governance.outputs.result }}' | jq '.ok') == "true" ]
-            then
-              echo "✅"
-            else
-              echo '${{ steps.governance.outputs.result }}' | jq
-              exit 1
-            fi
+
+      - name: Comment OK Report on PR
+        id: comment-ok
+        if: ${{ fromJson(steps.governance.outputs.result).ok == true }}
+        uses: thollander/actions-comment-pull-request@v2
+        with:
+          message: |
+            ### Compliance report: ✅
+          pr_number: ${{ github.event.pull_request.number }}
+          comment_tag: compliance
+
+      - name: Comment NOK Report on PR
+        id: comment-nok
+        if: ${{ fromJson(steps.governance.outputs.result).ok == false }}
+        uses: thollander/actions-comment-pull-request@v2
+        with:
+          message: |
+            ### Compliance report:
+            ```json
+            ${{ toJson(fromJson(steps.governance.outputs.result)) }}
+            ```
+          pr_number: ${{ github.event.pull_request.number }}
+          comment_tag: compliance
 ```
 
 

SECURITY.md

@@ -0,0 +1,25 @@
+# Security policy
+
+## Supported versions
+
+We release patches for security vulnerabilities. Which versions are eligible to receive such patches depend on the CVSS v3.0 Rating:
+
+| CVSS v3.0 | Supported Versions  |
+|-----------|---------------------|
+| 4.0-10.0  | Most recent release |
+
+## Reporting a vulnerability
+
+Please report (suspected) security vulnerabilities to our **[bug bounty program](https://bugcrowd.com/aiven-mbb-og)**. You will receive a response from us within 2 working days. If the issue is confirmed, we will release a patch as soon as possible depending on impact and complexity.
+
+## Qualifying vulnerabilities
+
+Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program.
+
+We generally **aren't** interested in the following issues:
+* Social engineering (e.g. phishing, vishing, smishing) attacks
+* Brute force, DoS, text injection
+* Missing best practices such as HTTP security headers (CSP, X-XSS, etc.), email (SPF/DKIM/DMARC records), SSL/TLS configuration.
+* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
+* Clickjacking on pages with no sensitive actions
+* Theoretical vulnerabilities where you can't demonstrate a significant security impact with a proof of concept.

action.yml

@@ -1,18 +1,18 @@
 name: 'aiven_terraform_governance_compliance_check'
-description: 'GitHub Action to check whether the plan generated by terraform plan complies with governance rules on aiven terraform provider resources.'
+description: 'GitHub Action to perform governance checks on aiven terraform resources for a generated plan'
 author: 'Aiven'
 
 inputs:
   requester:
-    description: 'The github username that created the pull request'
+    description: 'The github username that created the pull request (data.aiven_external_identity.external_user_id)'
     required: true
 
   approvers:
-    description: 'The github usernames (csv) that have approved the pull request'
+    description: 'The github usernames (csv) that have approved the pull request (data.aiven_external_identity.external_user_id)'
     required: true
 
   plan:
-    description: 'Plan generated by terraform plan -json'
+    description: 'The path to a terraform plan.json file'
     required: true
 
 outputs: