feat: Refactor workflows

Signed-off-by: Steve Hipwell <steve.hipwell@gmail.com>

Author: stevehipwell

.github/workflows/add_to_octokit_project.yml renamed to .github/workflows/add-to-octokit-project.yaml

@@ -1,19 +1,24 @@
-name: Add PRs and issues to Octokit org project
+name: Add PRs & Issues to Octokit Org Project
 
 on:
   issues:
     types: [reopened, opened]
   pull_request_target:
     types: [reopened, opened]
 
+permissions: read-all
+
 jobs:
   add-to-project:
-    name: Add issue to project
+    name: Add to Project
     runs-on: ubuntu-latest
     continue-on-error: true
-    if: ${{ github.repository == 'integrations/terraform-provider-github' }}
+    defaults:
+      run:
+        shell: bash
     steps:
-      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e #v1.0.2
+      - name: Add to project
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/octokit/projects/10
           github-token: ${{ secrets.OCTOKITBOT_PROJECT_ACTION_TOKEN }}

.github/workflows/ci.yml renamed to .github/workflows/ci.yaml

@@ -2,24 +2,31 @@ name: GitHub Actions CI
 
 on:
   push:
-    branches: [main]
-  pull_request: {}
+    branches:
+      - main
+      - release-v*
+  pull_request:
+    branches:
+      - main
+      - release-v*
 
 permissions:
   contents: read # for actions/checkout
 
-env:
-  test_stacks_directory: test_tf_stacks
-
 jobs:
   ci:
     name: Continuous Integration
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
     env:
       GITHUB_TEST_ORGANIZATION: kfcampbell-terraform-provider
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+      - name: Checkout
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Set-up Go
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: go.mod
           cache: true
@@ -32,6 +39,11 @@ jobs:
   generate-matrix:
     name: Generate matrix for test stacks
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    env:
+      TEST_STACKS_DIRECTORY: test-stacks
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
       has-tests: ${{ steps.set-matrix.outputs.has-tests }}
@@ -42,7 +54,7 @@ jobs:
       - name: Generate matrix
         id: set-matrix
         run: |
-          if [ -d "${{ env.test_stacks_directory }}" ]; then
+          if [ -d "${{ env.TEST_STACKS_DIRECTORY }}" ]; then
             # find all directories and validate their names
             VALID_TESTS=()
             INVALID_TESTS=()
@@ -51,11 +63,11 @@ jobs:
               dirname=$(basename "$dir")
               # validate that directory name only contains alphanumeric, hyphens, underscores, and dots
               if [[ "$dirname" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
-                VALID_TESTS+=("$dirname")
+                VALID_TESTS+=("$dir")
               else
                 INVALID_TESTS+=("$dirname")
               fi
-            done < <(find ${{ env.test_stacks_directory }} -mindepth 1 -maxdepth 1 -type d)
+            done < <(find ${{ env.TEST_STACKS_DIRECTORY }} -mindepth 1 -maxdepth 1 -type d)
 
             # report invalid directory names if any
             if [ ${#INVALID_TESTS[@]} -gt 0 ]; then
@@ -75,7 +87,7 @@ jobs:
               echo "No valid test directories found"
             fi
           else
-            echo "Test directory ${{ env.test_stacks_directory }} does not exist"
+            echo "Test directory ${{ env.TEST_STACKS_DIRECTORY }} does not exist"
             echo "matrix=[]" >> $GITHUB_OUTPUT
             echo "has-tests=false" >> $GITHUB_OUTPUT
           fi
@@ -85,12 +97,13 @@ jobs:
     needs: [ci, generate-matrix]
     if: ${{ needs.generate-matrix.outputs.has-tests == 'true' }} # only run if there are some test stacks
     runs-on: ubuntu-latest
-
+    defaults:
+      run:
+        shell: bash
     strategy:
       fail-fast: false
       matrix:
         tests: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
-
     steps:
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -129,10 +142,10 @@ jobs:
 
       - name: Terraform init
         continue-on-error: true # continue even if init fails
-        run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ matrix.tests }} init
+        run: terraform -chdir=${{ matrix.tests }} init
 
       - name: Terraform validate
-        run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ matrix.tests }} validate
+        run: terraform -chdir=${{ matrix.tests }} validate
 
       - name: Clean up
         run: rm -f ~/.terraformrc terraform-provider-github

.github/workflows/codeql.yaml

@@ -0,0 +1,80 @@
+name: CodeQL
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+  schedule:
+    - cron: "16 7 * * 5"
+
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+            queries: security-extended # can be 'default' (use empty for 'default'), 'security-and-quality', 'security-extended'
+          - language: go
+            build-mode: manual
+            queries: "" # will be used 'default' queries
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+
+      - name: Set-up Go
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        if: matrix.language == 'go'
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: ${{ matrix.queries }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        with:
+          category: "/language:${{matrix.language}}"
+
+  check:
+    name: Check CodeQL Analysis
+    if: always() && github.event_name == 'pull_request'
+    needs:
+      - analyze
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Check
+        env:
+          INPUT_RESULTS: ${{ join(needs.*.result, ' ') }}
+        run: |
+          set -euo pipefail
+          read -a results <<< "${INPUT_RESULTS}"
+          for result in "${results[@]}"; do
+            if [[ "${result}" == "failure" ]] || [[ "${result}" == "cancelled" ]]; then
+              echo "::error::Workflow failed!"
+              exit 1
+            fi
+          done

.github/workflows/codeql.yml

@@ -1,31 +1,33 @@
-name: Issue/PR response
-permissions:
-  issues: write
-  pull-requests: write
+name: Issue/PR Response
+
 on:
   issues:
     types:
       - opened
   pull_request_target:
     types:
       - opened
+
+permissions: read-all
+
 jobs:
-  respond-to-issue:
-    if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' && 
-      github.actor != 'githubactions[bot]' && github.actor != 'octokitbot' && 
-      github.repository == 'integrations/terraform-provider-github' }}
+  respond:
+    name: Respond to Issue or PR
+    if: github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' && github.actor != 'githubactions[bot]' && github.actor != 'octokitbot' && github.repository == 'integrations/terraform-provider-github'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    defaults:
+      run:
+        shell: bash
     steps:
-      - name: Determine issue or PR number
-        id: extract
-        run: echo "NUMBER=${{ github.event.issue.number || github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
-
-      - name: Respond to issue or PR
+      - name: Comment
         uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
         with:
-          issue-number: ${{ steps.extract.outputs.NUMBER }}
+          issue-number: ${{ github.event.issue.number || github.event.pull_request.number }}
           body: >
             👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday!
-            We have a [process in place](https://github.com/octokit/.github/blob/main/community/prioritization_response.md#overview) for prioritizing and responding to your input. 
+            We have a [process in place](https://github.com/octokit/.github/blob/main/community/prioritization_response.md#overview) for prioritizing and responding to your input.
             Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with `Status: Up for grabs`.
             You & others like you are the reason all of this works! So thank you & happy coding! 🚀