- Bump required_version to >= 1.6.0 (Terraform and OpenTofu compatible)
- Bump digitalocean provider constraint to >= 2.76.0
- Add _examples/terragrunt/terragrunt.hcl with DO Spaces remote state
- Update complete example with description, label_order, and full outputs
- Update README.yaml with OpenTofu badge and deploy instructions
- Pin tflint.yml shared workflow SHA instead of floating master ref
- Fix pr_checks.yml: pass types as comma-separated so webiny action parses correctly
- Fix pr_checks.yml: disable label check to avoid false-positive failures
4662b94 to
274e278
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| "Bash(curl:*)" | ||
| ] | ||
| } | ||
| } |
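Review bot: the "Bash(curl:*)" entry on the first visible line is a wildcard that matches every curl command line. If it sits in a permission allow list, it lets the agent send requests to any host without a prompt. Narrow it to the specific command prefixes actually needed, or drop the entry.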
Local-only Claude settings file committed to repository
Medium Severity
.claude/settings.local.json is a machine-specific local settings file that is not meant to be committed to version control. Per Claude Code documentation, the settings.local.json variant is for personal overrides and the .gitignore does not exclude it. The shared, committable equivalent is .claude/settings.json. This file includes personal permission grants (e.g., SSH key paths) that are specific to one developer's environment and won't work for other team members.
| jobs: | ||
| tf-lint: | ||
| uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@c615ea7ef3e5beba98a335bf9acce8e67e03c755 # pinned to latest | ||
| uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@master |
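Review bot: the trailing comment "# pinned to latest" on the SHA-pinned uses: line records no upstream tag or date, so nobody can later tell which release c615ea7ef3e5beba98a335bf9acce8e67e03c755 corresponds to or how stale it has become. Replace it with the upstream tag or commit date. The rendered hunk has lost its +/- markers; whichever of the two uses: lines is the added one, the job should end up on the full-SHA form, not @master.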
Workflow uses unpinned branch ref instead of SHA
High Severity
The tf-lint.yml workflow reference was changed from a pinned SHA (@c615ea7...) to @master, making it vulnerable to supply-chain attacks if the upstream repository is compromised. Every other workflow in this repository uses pinned SHAs — and the exact same tf-lint.yml workflow is pinned to @f6cad30db3bfad5fc248a08ab65ac82eb8dbcb82 in tf-checks.yml, making this inconsistent as well.
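The check described in the comment above can be automated. The following is an added example, not code from this PR, the repository or Bugbot: it flags `uses:` references that are not pinned to a full 40-character commit SHA, and also reports a reusable workflow pinned to different SHAs in different files. The file name `tflint-pinned.yml` and the sample contents are constructed from the refs quoted on this page.

```python
import re
from collections import defaultdict

# "uses: owner/repo[/path]@ref", optionally as a list item; a trailing comment is ignored.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_uses(workflows):
    """workflows: {filename: yaml text}. Returns (floating, inconsistent).

    floating     -- [(file, line_no, target, ref)] where ref is a branch, tag or short SHA
    inconsistent -- {target: [sha, ...]} for targets pinned to more than one SHA
    """
    floating = []
    pins = defaultdict(set)
    for name, text in sorted(workflows.items()):
        for line_no, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)  # commented-out lines start with '#', so never match
            if not m or m.group(1).startswith("docker://"):
                continue  # local (./path) refs carry no @ref; image refs are out of scope
            target, ref = m.groups()
            if FULL_SHA_RE.fullmatch(ref):
                pins[target].add(ref)
            else:
                floating.append((name, line_no, target, ref))
    inconsistent = {t: sorted(s) for t, s in pins.items() if len(s) > 1}
    return floating, inconsistent


TARGET = "clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml"


def _workflow(ref, comment=""):
    # Constructed sample workflow body; only the ref values come from the page.
    return f"jobs:\n  tf-lint:\n    uses: {TARGET}@{ref}{comment}\n"


SAMPLE = {
    "tflint.yml": _workflow("master"),
    "tf-checks.yml": _workflow("f6cad30db3bfad5fc248a08ab65ac82eb8dbcb82"),
    "tflint-pinned.yml": _workflow("c615ea7ef3e5beba98a335bf9acce8e67e03c755", " # pinned to latest"),
}

if __name__ == "__main__":
    floating, inconsistent = audit_uses(SAMPLE)
    for f in floating:
        print("floating ref: %s:%d %s@%s" % f)
    for target, shas in inconsistent.items():
        print("inconsistent pins for %s: %s" % (target, ", ".join(shas)))
```

In CI, the same function can be fed the contents of `.github/workflows/*.yml` and the job failed when either result is non-empty.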


what
why
references
closes #123, if this PR closes a Jira issue #123

Note
Medium Risk
Moderate risk because CI behavior changes (updated shared workflow refs and tflint.yml now tracks @master), which could alter checks/merging behavior unexpectedly. No Terraform module runtime code changes are included.

Overview
This PR updates repository hygiene and CI configuration rather than Terraform module logic.
It adds GitHub issue templates/config, a SECURITY.md vulnerability reporting policy, and new documentation in docs/ (architecture plus inputs/outputs reference).
CI is refreshed by updating shared-workflow references and YAML formatting across several GitHub Actions, adding provider: digitalocean to tf-checks, and updating .pre-commit-config.yaml hook versions/URLs (notably tflint.yml now uses the shared workflow at @master).

Written by Cursor Bugbot for commit 274e278. This will update automatically on new commits.