chore: add CI, pre-commit, dependabot, and bump provider versions #11
Merged
tvansteenburgh
approved these changes
Apr 6, 2026
what
.github/workflows/ci.yml: GitHub Actions CI workflow running pre-commit checks (terraform fmt/validate/tflint, actionlint, zizmor, codespell) on push and PR to main. All permissions scoped to minimum required; action SHAs are pinned.
.github/dependabot.yaml: monthly grouped Dependabot updates for GitHub Actions with a 7-day cooldown and chore commit prefix.
.pre-commit-config.yaml: hooks for terraform fmt/validate/tflint, actionlint, zizmor, and codespell. All revs are pinned to exact SHAs with frozen version comments.
.tool-versions: pins just 1.40.0, terraform 1.13.5, tflint v0.61.0, uv 0.8.14 for use by CI and local dev.
justfile: format (terraform fmt -recursive) and lint (uvx prek run --all-files) recipes.
terraform/provider.tf: add explicit terraform block with required_version >= 1.13.5 and version constraints for aws (> 6.0), azurerm (> 4.0), and random (~> 3.0).
terraform/.terraform.lock.hcl: bump aws 4.44.0 → 6.39.0, azurerm 3.64.0 → 4.67.0, random 3.5.1 → 3.8.1.
why
The repo lacked automated linting, dependency updates, and pinned tool
versions. Adding CI enforces consistent formatting and security checks
on every PR. Dependabot keeps Actions dependencies current without
manual effort. Provider version constraints and lock file updates bring
the Terraform configuration in line with current major versions.
testing
CI workflow runs on this PR and exercises the full pre-commit hook suite
against the changed files.
docs
No docs needed.
🤖 Generated with Claude Code
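The description's claims about pinned action SHAs, pinned pre-commit revs with version comments, and an explicit permissions block can be checked mechanically. The following is an added example, not code from this PR or its repository; the function names are hypothetical, and the sample workflow and pre-commit text (action names, URLs, SHAs) are constructed placeholders.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref  # comment" and "rev: ref  # comment".
REF_RE = re.compile(r"^\s*(?:-\s+)?(uses|rev):\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")

def unpinned_refs(text):
    """Return (line_no, key, problem) for each reference that is not SHA-pinned."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REF_RE.match(line)
        if not m:
            continue
        key, value, comment = m.groups()
        if key == "uses" and value.startswith("./"):
            continue  # local action in the same repository, nothing to pin
        ref = value.rpartition("@")[2] if key == "uses" else value
        if not SHA_RE.match(ref):
            findings.append((no, key, "not a full commit SHA"))
        elif not comment or not re.search(r"v?\d+\.\d+", comment):
            findings.append((no, key, "SHA has no version comment"))
    return findings

def missing_permissions(workflow_text):
    """True if the workflow has no top-level permissions: key."""
    return not re.search(r"^permissions:", workflow_text, re.MULTILINE)

# Constructed sample inputs (placeholder names and SHAs, not from the repository).
SAMPLE_WORKFLOW = """\
on: [push]
permissions:
  contents: read
jobs:
  lint:
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/setup-tool@v2
      - uses: example-org/other@89abcdef0123456789abcdef0123456789abcdef
"""
SAMPLE_PRECOMMIT = """\
repos:
  - repo: https://example.invalid/hooks
    rev: fedcba9876543210fedcba9876543210fedcba98  # frozen: v0.9.1
  - repo: https://example.invalid/other-hooks
    rev: v1.4.0
"""
```

The check is line-based and does not parse YAML, so it only covers the single-line `uses:` and `rev:` forms shown in the samples.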