ci: Added GitHub Actions workflows.

.github/workflows/branch.yaml

@@ -0,0 +1,46 @@
+name: Branch Checks
+
+on:
+  push:
+    branches-ignore:
+      - main
+
+jobs:
+  lint:
+    name: Lint updated files
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        name: Cache plugin directory
+        with:
+          path: ~/.tflint.d/plugins
+          key: tflint-${{ hashFiles('.tflint.hcl') }}
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+      - name: Show version
+        run: tflint --version
+      - name: Init TFLint
+        run: tflint --init
+      - name: Run TFLint
+        run: tflint --format compact --recursive
+
+  trivy:
+    name: Run security scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Run Trivy vulnarability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: config
+          format: sarif
+          output: "trivy-results.sarif"
+      - name: Parse SARIF file
+        # Always run this step, even if a previous step failed.
+        if: always()
+        uses: Ayrx/sarif_to_github_annotations@v0.2.2
+        with:
+          sarif_file: "trivy-results.sarif"

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,47 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '45 13 * * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+        # Using "javascript" to scan JSON and YAML files.
+        language: [ 'javascript' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          queries: security-extended,security-and-quality
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/main.yaml

@@ -0,0 +1,46 @@
+name: Main Checks
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  lint:
+    name: Lint updated modules
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - uses: actions/cache@v4
+        name: Cache plugin directory
+        with:
+          path: ~/.tflint.d/plugins
+          key: tflint-${{ hashFiles('.tflint.hcl') }}
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+      - name: Show version
+        run: tflint --version
+      - name: Init TFLint
+        run: tflint --init
+      - name: Run TFLint
+        run: tflint --format compact --recursive
+
+  trivy:
+    name: Run security scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Run Trivy vulnarability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: config
+          format: sarif
+          output: "trivy-results.sarif"
+      - name: Upload SARIF result
+        # Always run this step, even if a previous step failed.
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"

.github/workflows/release.yaml

@@ -0,0 +1,95 @@
+name: Release New Version
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  # Builds a new release for the module by bumping the version number and
+  # generating a changelog entry. Commit the changes and open a pull request.
+  build-release:
+    name: Build new release
+    runs-on: ubuntu-latest
+    if: ${{ !startsWith(github.event.head_commit.message, 'bump:') }}
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Bump version and create changelog
+        id: bump
+        uses: commitizen-tools/commitizen-action@master
+        with:
+          push: false
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_redirect_stderr: true
+      - name: Get the commit message
+        id: message
+        run: |
+          MESSAGE=$(git log --format=%B -n 1)
+          echo "message=${MESSAGE}" >> $GITHUB_OUTPUT
+      - name: Open a pull request for the release
+        uses: peter-evans/create-pull-request@v7
+        with:
+          branch: release-${{ steps.bump.outputs.version }}
+          title: ${{ steps.message.outputs.message }}
+
+  # Creates a new tag and GitHub release for the module.
+  release:
+    name: Release module
+    runs-on: ubuntu-latest
+    if: startsWith(github.event.head_commit.message, 'bump:')
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Get the module name
+        id: module_name
+        run: |
+          REPO_NAME="${{ github.event.repository.name }}"
+          REPO_NAME="${REPO_NAME/tofu-modules-/}"
+          MODULE_NAME="${REPO_NAME//-/_}"
+          echo "name=${MODULE_NAME}" >> $GITHUB_OUTPUT
+      - name: Get the version from the commit message
+        id: version
+        uses: actions/github-script@v7
+        with:
+          result-encoding: string
+          # Look for the last version number, expecting it to be in the format:
+          # `#.#.#-<suffix>.#` where the suffix is optional.
+          script: |
+            const message = '${{ github.event.head_commit.message }}'
+            const regex = /^bump:.+(?<version>\d+\.\d+\.\d+[\da-z.-]*) \(#\d+\)$/m
+            const version = message.match(regex).groups.version
+            console.log(version)
+            return version
+      - name: Bundle the module
+        # We create an empty file first, so that tar doesn't complain about the
+        # contents changing while it's running.
+        run: |
+          touch '${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz'
+          tar \
+            --exclude='.git' \
+            --exclude='.gitignore' \
+            --exclude='.github' \
+            --exclude='.cz.yaml' \
+            --exclude='*.tar.gz' \
+            --exclude='release.md' \
+            --exclude='CODEOWNERS' \
+            --exclude='trivy.yaml' \
+            --exclude='*.env' \
+            -czf '${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz' \
+            .
+      - name: Get changelog entry
+        id: changelog
+        uses: artlaman/conventional-changelog-reader-action@v1.1.0
+        with:
+          version: ${{ steps.version.outputs.result }}
+      - name: Create release
+        uses: softprops/action-gh-release@v2
+        with:
+          body: |
+            ## ${{ steps.changelog.outputs.version }} (${{ steps.changelog.outputs.date }})
+
+            ${{ steps.changelog.outputs.changes }}
+          tag_name: ${{ steps.version.outputs.result }}
+          files: |
+            ${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz