
feat: unify provider auth #77

Closed
chris11-taylor-nttd wants to merge 40 commits into main from feat/unify-provider-auth


Conversation

@chris11-taylor-nttd (Contributor) commented Apr 7, 2026

Disclaimer: I've been building this out over the last couple weeks in our nttdtest organization, but Claude helped with the final review and PR description.

This will be tagged 0.15.0, and if nothing major arises, will become 1.0.0.

Unify Provider Authentication Across Workflows

Summary

This PR consolidates provider authentication into a composable auth_method pattern, introduces a new update-status-check action that correctly targets PR head commits, and adds several new reusable workflows for PR automation and skeleton-based repository updates. Existing AWS- and Azure-specific workflows are updated to emit the new status checks and have their credential handling hardened.

The existing cloud-specific workflows will be removed once we're fully converted to the consolidated workflows.

New: update-status-check action

A new composite action at .github/actions/update-status-check wraps the GitHub Commit Status API. The key problem it solves: github.sha on pull request events resolves to a temporary merge commit that is invisible in the PR UI, so status checks written to it never appear. This action resolves the actual PR head SHA via the API before writing any status, ensuring checks always surface correctly in the PR.

The action accepts check_name, status (error/failure/pending/success), an optional description, and an optional target_url. All workflows that write status checks now go through this action.

New: consolidated workflows with composable authentication

Three new unified workflows replace the pattern of maintaining separate AWS and Azure variants:

reusable-terraform-check.yml

Replaces reusable-terraform-check-aws.yml and reusable-terraform-check-azure.yml as the recommended entry point for Terraform module CI. Accepts an auth_method input (comma-delimited: aws, azure, github, or empty for no auth) and routes to the appropriate credential steps at runtime. Features:

  • validate-inputs job performs upfront checks that required inputs and secrets are present for each requested auth method, failing fast with a clear error before any infrastructure-touching work begins
  • lint and tests jobs run in parallel (after validation passes)
  • legacy job writes the old Check AWS Terraform Code / Check AWS Terraform Code and Check Azure Terraform Code / Check Azure Terraform Code status checks on success, allowing repositories to transition to the new check names without losing merge-gate coverage

reusable-terragrunt-deploy.yml

Replaces reusable-terragrunt-deploy-aws.yml and reusable-terragrunt-deploy-azure.yml as the recommended entry point for Terragrunt environment deployments. Same auth_method composability. Emits Terragrunt Plan (<tg_dir>) and Terragrunt Deploy (<tg_dir>) status checks on the PR head commit throughout execution, so the PR status is live-updated rather than only reflecting final outcome.

reusable-terragrunt-plan-only.yml

Replaces reusable-terragrunt-plan-only-aws.yml and reusable-terragrunt-plan-only-azure.yml. Same pattern as the deploy workflow, plan-only variant.

All three consolidated workflows pass inputs and secrets through env: blocks in bash steps rather than expanding them inline, removing the risk of shell metacharacter injection from input values.

New: PR automation workflows

reusable-pr-automated-approvals.yml

Grants automated approvals to PRs opened by dependabot[bot] or launch-skeleton-auto-updater[bot], provided every commit on the PR was authored by one of those actors. For skeleton-updater PRs, an additional check requires the PR title to begin with chore. If a previously-approved PR later gains a commit from a non-automated author, any existing automated approvals are dismissed.

Uses two configurable GitHub App identities (Alpha and Bravo) so that repositories requiring two approvals can be served without manual intervention. Includes a validate-inputs job that checks all required app IDs and keys before attempting any API calls.

reusable-update-from-skeleton.yml

Runs copier update (or copier recopy when the recopy input is set) against the skeleton template recorded in the repository's .copier-answers.yml. After the update:

  • If no changes are detected (git status --porcelain), the workflow exits cleanly with a step summary note.
  • If changes are detected, it runs pre-commit run check-merge-conflict to check for conflict markers introduced by the update.
  • Clean updates (no conflicts, not a full recopy) open a PR with auto-merge enabled and a chore: title — intended to land without human review once the configured status checks (Terraform lint/tests) pass.
  • Updates with conflicts or full recopies open a PR with a fix: title, include the pre-commit output and a list of conflicting files in the PR body, and do not enable auto-merge.

Respects a prerelease repository custom property: when set to true, copier will also consider pre-release versions of the skeleton template.

reusable-pr-dependabot-automerge.yml

Enables auto-merge (squash) on Dependabot PRs.

Updates to existing workflows

reusable-terraform-check-aws.yml / reusable-terraform-check-azure.yml

  • Added statuses: write permission.
  • Added Terraform Lint and Terraform Tests status checks (pending → success/failure/error) around the existing make lint and make test steps.
  • AWS: Fixed credential file population — was incorrectly reading from secrets.AWS_ACCESS_KEY_ID etc. (which were never populated); now correctly reads from steps.aws-login.outputs.* after the configure-aws-credentials step.
  • AWS/Azure: Inputs and secrets that need to reach make configure are now passed via env: blocks instead of inline shell expansion.

reusable-pr-conventional-commit-title.yml

  • Added statuses: write permission.
  • Writes a Conventional Commit PR Title status check and a legacy Label Pull Request / Label Pull Request status check, enabling repositories to gate merges on commit title validation.
  • Label-clearing now only fires on ready_for_review and edited (title change) events, preventing spurious label removal on unrelated PR activity.
  • Removed wip from the default task_types list — work-in-progress commits should not land on main.
  • Pinned all third-party actions (actions/github-script, peter-evans/find-comment, peter-evans/create-or-update-comment) to full commit SHAs.

reusable-terragrunt-deploy-aws.yml, reusable-terragrunt-deploy-azure.yml, reusable-terragrunt-deploy-ephemeral-aws.yml, reusable-terragrunt-destroy-ephemeral-aws.yml, reusable-terragrunt-plan-only-aws.yml, reusable-terragrunt-plan-only-azure.yml

Updated terragrunt-configure-mise action ref from @0.14.2 to @0.15.0.

reusable-python-uv-pytest.yml

Formatting-only: normalized step indentation to be consistent with the rest of the workflow files. No behavioural changes.

.github/actions/terragrunt-configure-mise/action.yml

Fixed toml set invocation — the --toml-path flag is required by the current toml-cli version; the previous positional-argument form no longer works.

Migration guide

Existing callers of reusable-terraform-check-aws.yml / reusable-terraform-check-azure.yml: These workflows remain functional and now emit the new status checks alongside the legacy ones. No caller changes are required. To migrate to the consolidated workflow:

# Before (AWS)
uses: launchbynttdata/launch-workflows/.github/workflows/reusable-terraform-check-aws.yml@0.15.0
with:
  assume_role_arn: ${{ vars.TERRAFORM_CHECK_AWS_ASSUME_ROLE_ARN }}
  region: us-east-2

# After
uses: launchbynttdata/launch-workflows/.github/workflows/reusable-terraform-check.yml@0.15.0
with:
  auth_method: "aws"
  aws_assume_role_arn: ${{ vars.TERRAFORM_CHECK_AWS_ASSUME_ROLE_ARN }}
  aws_auth_region: us-east-2

Existing callers of the Terragrunt deploy/plan-only workflows: The AWS- and Azure-specific variants remain functional. To migrate, replace the provider-specific workflow ref with the consolidated one and add auth_method.

Branch protection rules: Repositories currently gating on Check AWS Terraform Code / Check AWS Terraform Code or Check Azure Terraform Code / Check Azure Terraform Code will continue to work — the legacy job in the consolidated workflow writes those checks on success. Once all callers have migrated, the legacy job and the old check names can be retired from branch protection rules.
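The inline-expansion risk described above (the reason the consolidated workflows pass inputs through env: blocks rather than expanding them in bash steps), as an added example that is not part of this PR or the launch-workflows project: a POSIX shell lint that flags `${{ ... }}` expressions appearing inside `run:` scripts while leaving env: and with: values alone. The sample workflow, step names and function names are constructed for the demo.

```shell
# Added example (not from the launch-workflows PR): flag ${{ ... }} expanded
# directly inside `run:` scripts, the inline pattern the PR replaces with env:
# blocks. Assumes space-indented YAML; env:/with: values are not reported.
# Print "LINENO:TEXT" for every run-script line that contains `${{`.
lint_run_expansions() {
  awk '
    function indent(s) { match(s, /^[ ]*/); return RLENGTH }
    {
      # Block-scalar run step (run: | or run: >): remember its key indentation
      if ($0 ~ /^[ ]*-?[ ]*run:[ ]*[|>]/) { in_run = 1; run_indent = indent($0); next }
      # Single-line run step: the script text sits on the key line itself
      if ($0 ~ /^[ ]*-?[ ]*run:/) {
        in_run = 0
        if ($0 ~ /[$][{][{]/) print NR ":" $0
        next
      }
      # Inside the block scalar until indentation returns to the key level
      if (in_run) {
        if ($0 ~ /^[ ]*$/ || indent($0) > run_indent) {
          if ($0 ~ /[$][{][{]/) print NR ":" $0
          next
        }
        in_run = 0
      }
    }' "$1"
}

# Constructed sample workflow: one inline-expansion step (weak), one env: step
# (the hardened form described in the PR) and one single-line inline step.
write_sample_workflow() {
  cat > "$1" <<'EOF'
jobs:
  lint:
    steps:
      - name: Configure (inline expansion)
        run: |
          make configure REGION=${{ inputs.region }}
      - name: Configure (env block)
        env:
          REGION: ${{ inputs.region }}
        run: |
          make configure REGION="$REGION"
      - run: terraform fmt -check ${{ inputs.tf_dir }}
EOF
}
# Demo on the sample: reports lines 6 and 12, not the env: value on line 9.
sample=$(mktemp)
write_sample_workflow "$sample"
lint_run_expansions "$sample"; rm -f "$sample"
```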

@chris11-taylor-nttd (Contributor, Author) commented

Workflows are currently still pointed at this branch, so I've cloned this entire PR as #78. I will leave this branch in place after the other merges so that we can safely transition to 0.15.0 via the launch-terraform-skeleton repo and confirm that entire set of workflows at once.
