Adventure 02: Building CloudHaven | 🔴 Expert: The Guardian Protocols

Welcome to the expert level of the Building CloudHaven challenge adventure!

:bullseye: The Challenge

After the Modular Metropolis refactoring, CloudHaven flourished. But with growth came risk. One night, a rogue change slipped through unnoticed and nearly brought down the North Market’s trading vaults. The Council was furious — how could this happen without anyone noticing?

The Guild Master summoned you urgently. “We need guardians,” she said, “automated sentinels that watch over our infrastructure day and night. They must catch dangerous changes before they reach the city, detect when reality drifts from our blueprints, and sound the alarm when threats appear.”

A previous engineer began building these Guardian Protocols using GitHub Actions, but was reassigned before completing them. The workflows exist, but they’re incomplete and broken. Your mission: bring the Guardian Protocols online and protect CloudHaven from chaos.

:brain: What You’ll Learn

:bullseye: Objective

By the end of this level, your workflows should:

  • Detect infrastructure drift

    • Run tofu plan to check for changes

    • Create a PR when drift is found

  • Validate pull requests

    • Run tofu plan and comment results on the PR

    • Run tests against the mock GCP API

    • Scan for security vulnerabilities and comment results on the PR

    • Fail on critical or high severity vulnerabilities

  • Apply infrastructure automatically

    • Apply changes when a PR is merged to main

All three workflows must have succeeded at least once.

:toolbox: Toolbox

Your Codespace comes pre-configured with the following tools to help you solve the challenge:

  • tofu: The OpenTofu CLI for infrastructure provisioning

  • gcp-api-mock: A mock GCP API running locally to simulate cloud resources without real cloud costs

  • GitHub Actions: The workflows you’ll be fixing are in .github/workflows/

:warning: Note: The mock API only supports Cloud Storage and Cloud SQL, and only the functions needed for this challenge have been properly tested.

:alarm_clock: Deadline

Wednesday, 4 February 2026 at 23:59 CET

:information_source: You can still complete the challenge after this date, but points will only be awarded for submissions before the deadline.

:chart_increasing: Level: :red_circle: Expert

:rocket: Get Started

:backhand_index_pointing_right: Start the Challenge

:speech_balloon: Discussion

Share your solutions and questions in this thread. :rocket: Good luck, and we can’t wait to see your solutions!

2 Likes

Hello guys, I think I need some help. I followed the instructions on the challenge, did all the drill, and ran the smoke test with success, as you see in the image:


But when I go to run the validate adventure pipeline, it fails with this error:


I understand that it is asking me to have a closer look at the security job, specifically at step, but I already have what it's asking:

- name: 🔒 Scan for Vulnerabilities
  uses: aquasecurity/trivy-action@0.33.1
  with:
    scan-type: 'config'
    scan-ref: ${{ env.WORKING_DIR }}
    format: 'json'
    output: 'vulnerabilities.json'
    exit-code: 0

1 Like

I just checked your action and it looks good :partying_face:

Seems like you ran into an edge case I didn’t consider with validation again. I’m really sorry! I’ll update the validation workflow tomorrow and let you know once it’s fixed :slight_smile:

Your points will of course be awarded from today instead of tomorrow then.

OK, thank you for the fast response :grin:

1 Like

I just pushed a fix. The problem was that the verification action checked if the severity field is set but it actually defaults to all vulnerability types anyways.

Thanks again for bringing this up and for playing :blush:

Confirming that the pipeline finished with success, thank you!!

2 Likes
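
Added example, not part of the thread or the challenge's own code: the Trivy step posted above writes `vulnerabilities.json` with `exit-code: 0` and no severity filter, so the scan step itself never fails and a later step has to read the report to build the PR comment and fail on critical or high findings. This Python script does that. The `Results`, `Misconfigurations` and `Vulnerabilities` field names follow Trivy's JSON report; the sample report, its IDs and the function names are constructed for illustration.

```python
import json
import sys

BLOCKING = {"CRITICAL", "HIGH"}  # severities the objective says must fail the job

# Constructed sample shaped like Trivy's JSON report for a config scan
# (IDs and titles are made up; this is not output from the challenge repo).
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "main.tf", "Class": "config", "Misconfigurations": [
        {"ID": "EXAMPLE-0001", "Title": "Bucket is publicly readable",
         "Severity": "HIGH", "Status": "FAIL"},
        {"ID": "EXAMPLE-0002", "Title": "Bucket has no labels",
         "Severity": "LOW", "Status": "FAIL"},
        {"ID": "EXAMPLE-0003", "Title": "Encryption at rest",
         "Severity": "CRITICAL", "Status": "PASS"}]},
    {"Target": "modules/db/main.tf", "Class": "config"},  # clean file: no list at all
]})

def collect_findings(report_text):
    """Return (target, id, severity, title) for each failed check or vulnerability."""
    findings = []
    for result in json.loads(report_text).get("Results") or []:  # key may be missing/null
        target = result.get("Target", "?")
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":
                continue  # passed checks can appear in the report; they are not findings
            findings.append((target, m.get("ID", "?"),
                             str(m.get("Severity", "UNKNOWN")).upper(), m.get("Title", "")))
        for v in result.get("Vulnerabilities") or []:
            findings.append((target, v.get("VulnerabilityID", "?"),
                             str(v.get("Severity", "UNKNOWN")).upper(), v.get("Title", "")))
    return findings

def gate(report_text):
    """Return (exit_code, markdown_comment); exit_code is 1 if anything is CRITICAL/HIGH."""
    findings = collect_findings(report_text)
    blocking = [f for f in findings if f[2] in BLOCKING]
    rows = [f"| {sev} | {fid} | {tgt} | {title} |" for tgt, fid, sev, title in findings]
    table = ["| Severity | ID | Target | Title |", "|---|---|---|---|"] + rows
    summary = f"{len(findings)} finding(s), {len(blocking)} critical/high"
    return (1 if blocking else 0), summary + "\n\n" + "\n".join(table)

if __name__ == "__main__":
    # Usage: python gate.py vulnerabilities.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, comment = gate(text)
    print(comment)
    sys.exit(code)
```

Run it as the step after the scan so the comment can be posted before the non-zero exit status fails the job.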