Add CI workflows for docs, Terraform, and PowerShell checks #465
Merged
Introduce three GitHub Actions workflows that run static-analysis checks on pull requests targeting vnext (and pushes to vnext). No Azure deployment or credentials are required.

Workflows:
- ci-docs: markdownlint-cli2 + lychee (offline/internal link check)
- ci-terraform: terraform fmt -check -recursive + tflint --recursive
- ci-powershell: PSScriptAnalyzer (fails on Error/Warning)

Configuration:
- .markdownlint.jsonc / .markdownlint-cli2.jsonc (rules, globs, ignores)
- PSScriptAnalyzerSettings.psd1 with documented rule exclusions for intentional patterns/false positives in this automation codebase

Baseline fixes so the checks pass on the current tree:
- terraform fmt normalization across 5 files; scoped tflint-ignore comments for two intentional unused-variable declarations
- Markdown fixes in PR/issue templates and the NVMe README; LICENSE newline
- PowerShell: resolve 11 real findings (unused vars -> $null=, empty catch blocks -> Write-Verbose, hardcoded host -> variable)

Document the CI in CONTRIBUTING.md with local reproduction commands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The standalone extras/configurations/rg-devops-iac config pins a different azurerm plugin version than the root, so a single 'tflint --init' did not install the plugin used when recursing into that directory. Initialize plugins for every directory containing a .tflint.hcl before running 'tflint --recursive'.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

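The per-directory initialization this commit message describes, as an added example (not the repository's workflow code): it runs `tflint --init` in every directory that holds a `.tflint.hcl` and only then lints recursively. The function names and the `TFLINT` override variable are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not the repository's CI script. Function names and the
# TFLINT override variable are assumptions made for this example.

# List every directory under $1 (default: .) that holds a .tflint.hcl,
# skipping Terraform's .terraform working directories.
tflint_config_dirs() {
  find "${1:-.}" -type f -name .tflint.hcl ! -path '*/.terraform/*' \
    -exec dirname {} \; | sort -u
}

# Install the plugins pinned by each config, then lint the whole tree.
# A single `tflint --init` at the root only reads the root .tflint.hcl, so a
# nested config that pins another plugin version would be left uninstalled.
lint_all() {
  tflint_config_dirs "${1:-.}" | while IFS= read -r dir; do
    echo "tflint --init in $dir" >&2
    # Stop at the first config whose plugins cannot be installed.
    (cd "$dir" && "${TFLINT:-tflint}" --init) || exit 1
  done || return 1
  (cd "${1:-.}" && "${TFLINT:-tflint}" --recursive)
}

# Usage from the repository root: lint_all .
```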
Use the latest supported tflint CLI in CI and the latest azurerm ruleset in every .tflint.hcl in the repo:
- ci-terraform: tflint_version v0.61.0 -> v0.63.1
- root .tflint.hcl: azurerm ruleset 0.31.1 -> 0.32.0
- extras/configurations/rg-devops-iac/.tflint.hcl: azurerm ruleset 0.28.0 -> 0.32.0 (also aligning it with the root version)

The 0.32.0 ruleset adds azurerm_resources_missing_prevent_destroy, which flags the rg-devops-iac Key Vault, Storage Account, and Storage Container. This is an ephemeral sandbox designed to be provisioned and torn down on demand, so prevent_destroy is intentionally not used; the rule is disabled in both .tflint.hcl files with an explanatory comment.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

doherty100 added a commit that referenced this pull request Jun 16, 2026
* Update Terraform required_version to ~> 1.15.6 (#463)

  Bump the pinned Terraform CLI version from ~> 1.15.5 to ~> 1.15.6 in the root configuration and all modules to match the new CLI release.

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#462)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#461)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#460)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#459)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#458)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#457)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#456)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#455)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#454)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#453)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#452)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#451)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#450)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update hashicorp/azurerm requirement from ~> 4.76.0 to ~> 4.77.0 (#449)

  Updates the requirements on [hashicorp/azurerm](https://github.com/hashicorp/terraform-provider-azurerm) to permit the latest version.

  Updates `hashicorp/azurerm` to 4.77.0
  - [Release notes](https://github.com/hashicorp/terraform-provider-azurerm/releases)
  - [Changelog](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md)
  - [Commits](hashicorp/terraform-provider-azurerm@v4.76.0...v4.77.0)

  ---
  updated-dependencies:
  - dependency-name: hashicorp/azurerm
    dependency-version: 4.77.0
    dependency-type: direct:production
    dependency-group: terraform-all
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: update copilot instructions for use of allow-all

* chore: update .gitignore to ignore tfplan files

* chore: update cleanup script to delete tfplan files

* Add CI workflows for docs, Terraform, and PowerShell checks (#465)

  * Add CI workflows for docs, Terraform, and PowerShell checks on vnext PRs

    Introduce three GitHub Actions workflows that run static-analysis checks on pull requests targeting vnext (and pushes to vnext). No Azure deployment or credentials are required.

    Workflows:
    - ci-docs: markdownlint-cli2 + lychee (offline/internal link check)
    - ci-terraform: terraform fmt -check -recursive + tflint --recursive
    - ci-powershell: PSScriptAnalyzer (fails on Error/Warning)

    Configuration:
    - .markdownlint.jsonc / .markdownlint-cli2.jsonc (rules, globs, ignores)
    - PSScriptAnalyzerSettings.psd1 with documented rule exclusions for intentional patterns/false positives in this automation codebase

    Baseline fixes so the checks pass on the current tree:
    - terraform fmt normalization across 5 files; scoped tflint-ignore comments for two intentional unused-variable declarations
    - Markdown fixes in PR/issue templates and the NVMe README; LICENSE newline
    - PowerShell: resolve 11 real findings (unused vars -> $null=, empty catch blocks -> Write-Verbose, hardcoded host -> variable)

    Document the CI in CONTRIBUTING.md with local reproduction commands.

    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

  * Initialize tflint plugins per-config for recursive linting

    The standalone extras/configurations/rg-devops-iac config pins a different azurerm plugin version than the root, so a single 'tflint --init' did not install the plugin used when recursing into that directory. Initialize plugins for every directory containing a .tflint.hcl before running 'tflint --recursive'.

    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

  * Upgrade tflint to v0.63.1 and azurerm ruleset to v0.32.0

    Use the latest supported tflint CLI in CI and the latest azurerm ruleset in every .tflint.hcl in the repo:
    - ci-terraform: tflint_version v0.61.0 -> v0.63.1
    - root .tflint.hcl: azurerm ruleset 0.31.1 -> 0.32.0
    - extras/configurations/rg-devops-iac/.tflint.hcl: azurerm ruleset 0.28.0 -> 0.32.0 (also aligning it with the root version)

    The 0.32.0 ruleset adds azurerm_resources_missing_prevent_destroy, which flags the rg-devops-iac Key Vault, Storage Account, and Storage Container. This is an ephemeral sandbox designed to be provisioned and torn down on demand, so prevent_destroy is intentionally not used; the rule is disabled in both .tflint.hcl files with an explanatory comment.

    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

  ---------

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: copilot use .tfplan for plan output.

Purpose

Adds automated CI checks that run on every pull request targeting `vnext` (and on pushes to `vnext`). The checks are static-analysis only — no Azure deployment and no credentials required.

Workflows (`.github/workflows/`)

- `ci-docs`: `markdownlint-cli2` (pinned 0.22.1) + `lychee` offline/internal link check
- `ci-terraform`: `terraform fmt -check -recursive` (Terraform 1.15.6) + `tflint --recursive` (v0.61.0, existing `.tflint.hcl`)
- `ci-powershell`: `PSScriptAnalyzer` 1.24.0, fails on Error/Warning

All run with `contents: read` only and concurrency-cancel.

New configuration

- `.markdownlint.jsonc` (rules) + `.markdownlint-cli2.jsonc` (globs/ignores — excludes `node_modules`, the frozen `retired` module, and the agent `copilot-instructions.md`)
- `PSScriptAnalyzerSettings.psd1` — default rules minus documented exclusions for intentional patterns / false positives in this automation codebase (`Write-Host`, the project's own `Write-Log` helper, required plaintext→SecureString, uniform run-command parameter contracts, BOM on cross-platform pwsh 7, singular-noun / ShouldProcess style)

Baseline fixes (so the checks pass on the current tree)

- `fmt` normalization across 5 files; scoped `# tflint-ignore` comments on two intentional unused-variable declarations
- `$null =`, empty `catch {}` → `Write-Verbose`, hardcoded host → variable); all scripts re-parsed clean

Documented in `CONTRIBUTING.md` with local reproduction commands.

Does this introduce a breaking change?

Pull Request Type

How to Test

- `ci-docs`, `ci-terraform`, and `ci-powershell` checks run and pass.
- `CONTRIBUTING.md`.

What to Check