The Guardian Protocols
Three broken GitHub Actions workflows stand between CloudHaven and automated infrastructure governance. Fix drift detection that creates PRs, PR validation with Trivy security scanning and service-container integration tests, and automatic apply on merge.
Mission Objective
- Drift detection: run tofu plan and create a PR when drift is found
- PR validation: run tofu plan and comment results, run integration tests against the mock GCP API, scan for security vulnerabilities with Trivy and fail on critical or high severity issues
- Automatic apply: apply infrastructure when a PR is merged to main
- All three workflows must have succeeded at least once
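A drift-detection workflow of the shape the first objective describes, added here as an illustration; it is not the repository's own adventure02-expert-detect-drift.yaml, which you still have to fix. The mechanism is tofu plan -detailed-exitcode, whose exit status 2 means the plan contains changes (reality has drifted from the blueprints), 0 means no changes and 1 means an error; only status 2 leads to a draft PR, opened with peter-evans/create-pull-request. The OpenTofu directory, the GCP_API_URL repository variable, the report file name and the cron schedule are assumptions.

```yaml
# .github/workflows/adventure02-expert-detect-drift.yaml (added example, not the
# repository's own file). Anything marked "assumed" is a placeholder.
name: adventure02-expert-detect-drift

on:
  workflow_dispatch:          # the walkthrough triggers it by hand via "Run workflow"
  schedule:
    - cron: "0 */6 * * *"     # assumed cadence; drift checks are normally scheduled

# Least privilege: the job pushes a branch and opens a PR, nothing else.
permissions:
  contents: write
  pull-requests: write

env:
  TOFU_DIR: adventures/02-building-cloudhaven/expert   # assumed location of the .tf files
  GCP_API_URL: ${{ vars.GCP_API_URL }}                 # assumed repository variable: the mock's public URL

jobs:
  detect-drift:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: opentofu/setup-opentofu@v1
        with:
          tofu_wrapper: false   # we want tofu's real exit code, not the wrapper's

      - name: Plan and classify the exit code
        id: plan
        working-directory: ${{ env.TOFU_DIR }}
        run: |
          tofu init -input=false
          # -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes pending (drift)
          set +e
          tofu plan -input=false -no-color -detailed-exitcode > "$RUNNER_TEMP/plan.txt" 2>&1
          code=$?
          set -e
          cat "$RUNNER_TEMP/plan.txt"
          case "$code" in
            0) echo "drift=false" >> "$GITHUB_OUTPUT" ;;
            2) echo "drift=true"  >> "$GITHUB_OUTPUT" ;;
            *) echo "tofu plan failed (exit $code)"; exit 1 ;;
          esac

      - name: Write the drift report into the working tree
        if: steps.plan.outputs.drift == 'true'
        run: |
          {
            echo "# Drift report ($(date -u +%FT%TZ))"
            echo
            echo '<pre>'
            cat "$RUNNER_TEMP/plan.txt"
            echo '</pre>'
          } > DRIFT_REPORT.md   # assumed file name; add-paths below keeps .terraform/ out of the commit

      - name: Open a draft PR for the drift
        if: steps.plan.outputs.drift == 'true'
        uses: peter-evans/create-pull-request@v7
        with:
          branch: guardian/drift-report
          delete-branch: true
          add-paths: DRIFT_REPORT.md
          commit-message: "Guardian Protocols: drift detected"
          title: "Drift detected between state and blueprints"
          body-path: DRIFT_REPORT.md
          draft: true
```

The wrapper is disabled so the exit code reaches the shell unchanged, and `set +e` is needed because the default `run` shell is `bash -e`. A PR opened with the default GITHUB_TOKEN does not fire `pull_request` workflows, which is why the walkthrough has you click Ready for Review yourself: that human action does trigger the validation workflow.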
Key Learnings
- GitHub Actions for drift detection and plan/apply
- Integration tests with service containers
- Security scanning with Trivy
The Story
After the Modular Metropolis refactoring, CloudHaven flourished. But with growth came risk. One night, a rogue change slipped through unnoticed and nearly brought down the North Market's trading vaults. The Council was furious: how could this happen without anyone noticing?
The Guild Master summoned you urgently. "We need guardians," she said. "Automated sentinels that watch over our infrastructure day and night. They must catch dangerous changes before they reach the city, detect when reality drifts from our blueprints, and sound the alarm when threats appear."
A previous engineer began building these Guardian Protocols using GitHub Actions, but was reassigned before completing them. The workflows exist, but they're incomplete and broken.
Your mission: bring the Guardian Protocols online and protect CloudHaven from chaos.
Ready to start?
Launch in a preconfigured devcontainer (free GitHub account required).
Walkthrough
Open in GitHub Codespaces. The devcontainer is pre-configured and starts automatically. When you push from Codespaces, GitHub forks the repository to your account automatically.
Prefer working locally? Clone the repo and open it in any editor that supports the Dev Containers specification (VS Code, JetBrains IDEs, and others). The devcontainer config will be detected automatically.
Wait ~2 minutes for the environment to initialize.
Open the Ports tab and navigate to each service:
- Port 30104: GCP API Mock. The port is set to public so GitHub Actions runners can reach it during workflow runs; a public Codespaces port is reachable without authentication by anyone who has its URL, so only the mock should be exposed this way. You may see a browser security warning; click Continue to proceed.
Fix the three workflows in .github/workflows/:
- adventure02-expert-detect-drift.yaml
- adventure02-expert-validate-changes.yaml
- adventure02-expert-apply-infrastructure.yaml
The OpenTofu configuration is correct; focus only on the workflow files.
Commit your workflow fixes and push to main. Go to the Actions tab, select the drift detection workflow, and click Run workflow. The infrastructure has intentional drift, so the workflow should create a draft PR.
Click Ready for Review on the draft PR to trigger the validation workflow. To re-trigger validation after pushing new changes, convert the PR back to draft and then to Ready for Review again. Re-running a failed workflow reuses the commit of the original run, so toggling the draft state is how a run picks up workflow changes you have since pushed to main.
When the PR is merged to main, the apply workflow runs automatically.
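The validation workflow the walkthrough has you trigger, as an added example rather than the repository's adventure02-expert-validate-changes.yaml: it runs on the ready_for_review event the draft toggle fires, skips drafts, comments the plan on the PR, runs integration tests against a mock GCP API started as a service container, and fails the job on CRITICAL or HIGH Trivy findings. It uses `pull_request` rather than `pull_request_target` so code from the PR never runs with write access to the base repository. The OpenTofu directory, the mock's container image, the GCP_API_URL variable the configuration reads, and the tests/integration.sh entry point are assumptions.

```yaml
# .github/workflows/adventure02-expert-validate-changes.yaml (added example, not the
# repository's own file). Anything marked "assumed" is a placeholder.
name: adventure02-expert-validate-changes

on:
  pull_request:
    branches: [main]
    # ready_for_review is the event the walkthrough's draft toggle fires
    types: [opened, synchronize, reopened, ready_for_review]

# pull_request (not pull_request_target): PR code runs with a read-only
# repository token; commenting needs only pull-requests: write.
permissions:
  contents: read
  pull-requests: write

env:
  TOFU_DIR: adventures/02-building-cloudhaven/expert   # assumed location of the .tf files
  MOCK_PORT: "30104"

jobs:
  validate:
    if: github.event.pull_request.draft == false      # drafts are not validated
    runs-on: ubuntu-latest
    services:
      gcp-mock:
        image: ghcr.io/example/gcp-api-mock:latest    # assumed image name for the mock
        ports:
          - 30104:30104                               # published on the runner as localhost:30104
    steps:
      - uses: actions/checkout@v4

      - name: Trivy IaC scan, fail on CRITICAL/HIGH
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config                 # misconfiguration scan of .tf files, no init needed
          scan-ref: ${{ env.TOFU_DIR }}
          severity: CRITICAL,HIGH
          exit-code: "1"                    # exit 1 only when findings of the listed severities exist
          format: table

      - uses: opentofu/setup-opentofu@v1
        with:
          tofu_wrapper: false

      - name: tofu plan
        id: plan
        continue-on-error: true             # keep going so the plan (or its error) gets commented
        working-directory: ${{ env.TOFU_DIR }}
        env:
          GCP_API_URL: http://localhost:${{ env.MOCK_PORT }}   # assumed: how the configuration finds the mock
        run: |
          tofu init -input=false
          tofu plan -input=false -no-color > "$RUNNER_TEMP/plan.txt" 2>&1

      - name: Comment the plan on the PR
        uses: actions/github-script@v7
        env:
          PLAN_FILE: ${{ runner.temp }}/plan.txt
          PLAN_OUTCOME: ${{ steps.plan.outcome }}
        with:
          script: |
            const fs = require('fs');
            // escape so "->" and friends in the plan survive inside <pre>
            const esc = s => s.replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
            const plan = esc(fs.readFileSync(process.env.PLAN_FILE, 'utf8')).slice(0, 60000);
            const body = `### tofu plan (${process.env.PLAN_OUTCOME})\n` +
              `<details><summary>Show plan</summary>\n\n<pre>${plan}</pre>\n</details>`;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body,
            });

      - name: Fail the job if the plan failed
        if: steps.plan.outcome == 'failure'
        run: exit 1

      - name: Integration tests against the mock GCP API
        run: |
          # wait for the service container to accept connections (any HTTP status counts)
          for i in $(seq 1 30); do
            if curl -s -o /dev/null "http://localhost:$MOCK_PORT/"; then ready=1; break; fi
            sleep 1
          done
          [ "${ready:-0}" = 1 ] || { echo "mock GCP API never came up"; exit 1; }
          ./tests/integration.sh "http://localhost:$MOCK_PORT"   # assumed test entry point
```

Trivy runs first because a config scan needs neither `tofu init` nor the mock, so a CRITICAL/HIGH misconfiguration fails fast before any state is touched. The plan step uses `continue-on-error` only so that its output still reaches the PR comment; the explicit failure step afterwards keeps a broken plan from passing validation.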
Run the smoke test to verify your solution:
cd adventures/02-building-cloudhaven/expert
./smoke-test.sh
Complete Your Challenge
- When you push from Codespaces, GitHub forks the repository to your account automatically. If you are working locally, fork the repository on GitHub before pushing.
- Verify your solution with ./smoke-test.sh. If it passes, it generates a Certificate of Completion you can paste into the discussion.
- Share your solutions in the challenge thread on community.offon.dev.
Toolbox
- tofu - OpenTofu CLI for infrastructure provisioning
- gcp-api-mock - mock GCP API running locally (port set to public so GitHub Actions runners can access it)
- GitHub Actions - the workflows you will fix are in .github/workflows/