PSModule · MariusStorhaug · Oct 5, 2025 · Aug 4, 2024 · Aug 4, 2024 · Oct 5, 2025
diff --git a/.github/workflows/Linter.yml b/.github/workflows/Linter.yml
@@ -0,0 +1,28 @@
+name: Linter
+
+run-name: "Linter - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  statuses: write
+
+jobs:
+  Lint:
+    name: Lint code base
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Lint code base
+        uses: super-linter/super-linter/slim@latest
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
@@ -0,0 +1,48 @@
+name: Create Repo - Assign
+on:
+  issues:
+    types:
+      - opened
+
+permissions:
+  contents: read
+
+env:
+  number_of_assignees: 1
+
+jobs:
+  assign:
+    name: Assign new issue
+    runs-on: ubuntu-latest
+    if: contains(github.event.issue.labels.*.name, 'create-repo') && github.event.action == 'opened'
+    steps:
+      - name: Generate app token
+        uses: actions/create-github-app-token@v1
+        id: authenticate
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PEM }}
+
+      - name: Acknowledge
+        uses: actions/github-script@v7
+        env:
+          reviewer_team: ${{ vars.reviewer_team }}
+        with:
+          github-token: ${{ steps.authenticate.outputs.token }}
+          script: |
+            const body = `
+            @${context.actor} : Hey!  Let's get this issue assigned to someone from the @${context.repo.owner}/${process.env.reviewer_team} team while we validate the request.
+            `
+
+            github.rest.issues.createComment({
+              ...context.repo,
+              issue_number: context.issue.number,
+              body
+            })
+
+      - name: Auto-assign issue
+        uses: pozil/auto-assign-issue@v2.0.0
+        with:
+          repo-token: ${{ steps.authenticate.outputs.token }}
+          teams: ${{ vars.reviewer_team }}
+          numOfAssignee: ${{ env.number_of_assignees }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,81 @@
+name: CI
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      # All tf files
+      - '**/*.tf'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  statuses: write
+  id-token: write
+
+env:
+  ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+  ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+  GITHUB_TOKEN: ${{ secrets.PAT }}
+  ARM_USE_OIDC: true
+
+jobs:
+  CI:
+    name: CI
+    runs-on: ubuntu-latest
+    environment: prod
+    steps:
+      - name: Generate app token
+        uses: actions/create-github-app-token@v1
+        id: authenticate
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PEM }}
+
+      - uses: actions/checkout@v4
+
+      - run: terraform init
+
+      - name: Create a speculative plan
+        id: tfplan
+        shell: pwsh
+        run: |
+          # Create a speculative plan
+          $plan = terraform plan -lock=false -no-color
+          Set-Content -Path 'tfplan' -Value $plan -Encoding utf8
+
+          terraform plan -lock=false
+
+      - name: Write plan in pr comment
+        uses: actions/github-script@v7
+        if: github.event_name == 'pull_request'
+        env:
+          plan: ${{ steps.tfplan.outputs.plan }}
+        with:
+          github-token: ${{ steps.authenticate.outputs.token }}
+          script: |
+              const fs = require('fs')
+              const fileContent = fs.readFileSync('tfplan', 'utf8')
+
+              const body = `
+              Here is the plan for the changes in this PR:
+
+              <details>
+              <summary>Terraform Plan</summary>
+
+              \`\`\`terraform
+              ${fileContent}
+              \`\`\`
+
+              `
+
+              github.rest.issues.createComment({
+                ...context.repo,
+                issue_number: context.issue.number,
+                body
+              })
diff --git a/.github/workflows/fulfill.yml b/.github/workflows/fulfill.yml
@@ -0,0 +1,117 @@
+name: CD
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}
+
+permissions:
+  id-token: write # Needed for OIDC auth in Terraform
+
+env:
+  ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+  ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+  ARM_USE_OIDC: true
+
+jobs:
+  CD:
+    name: CD
+    runs-on: ubuntu-latest
+    environment: prod
+    steps:
+      - name: Generate app token
+        uses: actions/create-github-app-token@v1
+        id: authenticate
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PEM }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ steps.authenticate.outputs.token }}
+
+      - name: Get PR data
+        uses: actions/github-script@v7
+        if: github.event_name == 'push'
+        id: get_pr_data
+        with:
+          github-token: ${{ steps.authenticate.outputs.token }}
+          script: |
+              return (
+                await github.rest.repos.listPullRequestsAssociatedWithCommit({
+                  ...context.repo,
+                  commit_sha: context.sha,
+                })
+              ).data[0]
+
+      - name: Get issue number
+        shell: pwsh
+        id: get_issue_data
+        if: ${{ steps.get_pr_data.outputs.result != null }}
+        env:
+          PR_DATA: ${{ steps.get_pr_data.outputs.result }}
+        run: |
+          $prdata = $env:PR_DATA | ConvertFrom-Json
+          $prTitle = $prdata.title
+
+          # Get the issue number from the PR title
+          if ($prTitle -match '#(\d+)') {
+              $issueNumber = $matches[1]
+              Write-Output "Issue number: $issueNumber"
+              "issue=$true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+              "issueNumber=$issueNumber" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+          } else {
+              Write-Output "No issue number found in the title."
+              "issue=$false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+          }
+
+      - name: Acknowledge
+        uses: actions/github-script@v7
+        if: ${{ steps.get_issue_data.outputs.issue == 'true' }}
+        env:
+          issue_number: ${{ steps.get_issue_data.outputs.issueNumber }}
+        with:
+          github-token: ${{ steps.authenticate.outputs.token }}
+          script: |
+            const body = `
+            @${context.actor} : All looks good! Merged the request now so we can get the repository created for you.
+            `
+
+            github.rest.issues.createComment({
+              ...context.repo,
+              issue_number: process.env.issue_number,
+              body
+            })
+
+      - run: terraform init
+
+      - name: Terraform apply
+        env:
+          # GITHUB_TOKEN: ${{ steps.authenticate.outputs.token }} # App has issues with GH permissions team lookup and generate repo from template
+          GITHUB_TOKEN: ${{ secrets.PAT }}
+        run: terraform apply -auto-approve
+
+      - name: Close initial issue
+        if: ${{ steps.get_issue_data.outputs.issue == 'true' }}
+        shell: pwsh
+        env:
+          GITHUB_ENTERPRISE_TOKEN: ${{ steps.authenticate.outputs.token }}
+          ISSUE_NUMBER: ${{ steps.get_issue_data.outputs.issueNumber }}
+          PR_DATA: ${{ steps.get_pr_data.outputs.result }}
+        run: |
+          $prdata = $env:PR_DATA | ConvertFrom-Json
+          $prNumber = $prdata.number
+
+          '::group::Authenticate to GitHub'
+          $env:GITHUB_ENTERPRISE_TOKEN | gh auth login --hostname $env:GH_HOST --with-token
+          gh auth status
+
+          '::group::Close issue'
+          gh issue close $env:ISSUE_NUMBER --comment "With PR #$prNumber being closed, we can close this issue." --reason completed