devopsfactory-io · kaio6fellipe · Apr 20, 2026 · Apr 20, 2026 · Apr 20, 2026 · Apr 20, 2026
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# Default code owners for all files
+* @kaio6fellipe
diff --git a/.github/workflows/ami-build.yml b/.github/workflows/ami-build.yml
@@ -35,16 +35,17 @@ on:
     paths:
       - "infra/packer/**"
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 env:
   AMI_DISTRIBUTION_REGIONS: >-
     us-east-1,us-west-1,us-west-2,eu-west-1,eu-west-2,eu-west-3,eu-central-1,eu-north-1,sa-east-1
 
 jobs:
   build:
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -72,7 +73,7 @@ jobs:
           aws-region: us-east-2
 
       - name: Setup Packer
-        uses: hashicorp/setup-packer@main
+        uses: hashicorp/setup-packer@c3d53c525d422944e50ee27b840746d6522b08de # v3.2.0
 
       - name: Packer init
         working-directory: infra/packer

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,37 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '0 6 * * 3'
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze Go
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          languages: go
+
+      - name: Build
+        run: cd lambda && go build ./...
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          category: /language:go
diff --git a/.github/workflows/label-old-prs.yml b/.github/workflows/label-old-prs.yml
@@ -20,13 +20,14 @@ on:
         default: '200'
         type: string
 
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
+permissions: {}
 
 jobs:
   labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     runs-on: [self-hosted, medium]
     steps:
       - name: Checkout

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -4,10 +4,7 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
+permissions: {}
 
 jobs:
   labeler:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,11 +5,12 @@ on:
     tags:
       - "v*"
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   release:
+    permissions:
+      contents: write
     runs-on: [self-hosted, release]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

diff --git a/.github/workflows/scorecard-pr.yml b/.github/workflows/scorecard-pr.yml
@@ -0,0 +1,123 @@
+name: Scorecard PR Check
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  scorecard-check:
+    name: Scorecard Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: read
+      checks: read
+    env:
+      SCORECARD_VERSION: "5.4.0"
+      SCORECARD_CHECKSUM: "e5183aeaa5aa548fbb7318a6deb3e1038be0ef9aca24e655422ae88dfbe67502"
+      SCORE_THRESHOLD: "7.0"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Install scorecard CLI
+        run: |
+          set -euo pipefail
+          TARBALL="scorecard_${SCORECARD_VERSION}_linux_amd64.tar.gz"
+          curl -sLO "https://github.com/ossf/scorecard/releases/download/v${SCORECARD_VERSION}/${TARBALL}"
+          echo "${SCORECARD_CHECKSUM}  ${TARBALL}" | sha256sum --check --strict
+          tar xzf "${TARBALL}" scorecard
+          chmod +x scorecard
+          sudo mv scorecard /usr/local/bin/scorecard
+          rm "${TARBALL}"
+
+      - name: Run scorecard
+        id: scorecard
+        env:
+          GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          scorecard --repo="github.com/${{ github.repository }}" \
+            --commit="${{ github.event.pull_request.head.sha }}" \
+            --format=json --show-details > scorecard.json
+          SCORE=$(jq -r '.score' scorecard.json)
+          echo "score=${SCORE}" >> "$GITHUB_OUTPUT"
+          echo "Scorecard overall score: ${SCORE}"
+
+      - name: Comment on PR
+        if: github.event.pull_request.head.repo.full_name == github.repository
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        with:
+          script: |
+            const fs = require('fs');
+            const data = JSON.parse(fs.readFileSync('scorecard.json', 'utf8'));
+            const score = data.score;
+            const threshold = parseFloat('${{ env.SCORE_THRESHOLD }}');
+            const passed = score >= threshold;
+            const icon = passed ? ':white_check_mark:' : ':x:';
+            const repo = '${{ github.repository }}';
+
+            const checks = data.checks
+              .sort((a, b) => a.name.localeCompare(b.name))
+              .map(c => {
+                const s = c.score === -1 ? 'N/A' : `${c.score}/10`;
+                const raw = (c.reason || '').replace(/\|/g, '\\|');
+                const reason = raw.length > 80
+                  ? raw.substring(0, 77) + '...'
+                  : raw;
+                return `| ${c.name} | ${s} | ${reason} |`;
+              })
+              .join('\n');
+
+            let body = `## OpenSSF Scorecard — ${score}/10 ${icon}\n\n`;
+            body += `| Check | Score | Details |\n`;
+            body += `|-------|-------|---------|`;
+            body += `\n${checks}\n\n`;
+
+            if (!passed) {
+              body += `> :rotating_light: Score ${score} is below threshold ${threshold} — this check will fail.\n\n`;
+            }
+
+            body += `> Threshold: ${threshold} | [Full report](https://securityscorecards.dev/viewer/?uri=github.com/${repo})\n`;
+
+            const marker = '<!-- ossf-scorecard-pr-check -->';
+            body = marker + '\n' + body;
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const existing = comments.find(c => c.body.includes(marker));
+
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body: body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body: body,
+              });
+            }
+
+      - name: Enforce threshold
+        run: |
+          SCORE="${{ steps.scorecard.outputs.score }}"
+          THRESHOLD="${{ env.SCORE_THRESHOLD }}"
+          if [ "$(echo "${SCORE} < ${THRESHOLD}" | bc -l)" -eq 1 ]; then
+            echo "::error::OpenSSF Scorecard score ${SCORE} is below threshold ${THRESHOLD}"
+            exit 1
+          fi
+          echo "Scorecard score ${SCORE} meets threshold ${THRESHOLD}"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,45 @@
+name: OSSF Scorecard
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: scorecard-sarif
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload SARIF to Security tab
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,58 @@
+name: Security Scanning
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  gitleaks:
+    name: Secret Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          set -euo pipefail
+          GITLEAKS_VERSION="8.30.1"
+          curl -sLO "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          tar xzf "gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" gitleaks
+          sudo mv gitleaks /usr/local/bin/gitleaks
+          rm "gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+
+      - name: Run Gitleaks
+        run: gitleaks detect --source . --verbose
+
+  govulncheck:
+    name: Vulnerability Scan (Go)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: lambda
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+        with:
+          go-version-file: lambda/go.mod
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
+
+      - name: Run govulncheck
+        run: govulncheck ./...
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,12 +6,13 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: fmt, vet, test and coverage
+    permissions:
+      contents: read
     runs-on: [self-hosted, large]
     defaults:
       run:
@@ -37,6 +38,8 @@ jobs:
 
   lint:
     name: lint
+    permissions:
+      contents: read
     runs-on: [self-hosted, large]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Default code owners for all files
		* @kaio6fellipe