feat: unify provider auth

.github/actions/get-custom-properties/README.md

@@ -0,0 +1,92 @@
+# Get Custom Properties Action
+
+This action retrieves custom properties from a GitHub repository using the GitHub API. Custom properties are organization-defined metadata that can be applied to repositories for classification, automation, and policy enforcement.
+
+## Behavior
+
+This action will:
+1. Call the GitHub API to retrieve all custom properties applied to the specified repository
+2. Return the properties as a JSON object that can be used in subsequent workflow steps
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `owner` | The owner (organization or user) of the repository | No | `${{ github.repository_owner }}` |
+| `repo` | The name of the repository | No | `${{ github.event.repository.name }}` |
+| `github_token` | GitHub token for API access | No | `${{ github.token }}` |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `properties` | JSON object containing all custom properties applied to the repository |
+
+## Usage
+
+### Basic Usage
+
+When used in a workflow, all inputs are optional. The action defaults to the current repository and automatic GITHUB_TOKEN (replacing `ref` with a tag or commit SHA from this repository):
+
+```yaml
+jobs:
+  your-job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get Custom Properties
+        id: props
+        uses: launchbynttdata/launch-workflows/.github/actions/get-custom-properties@ref
+
+      - name: Use Properties
+        run: |
+          echo "Properties: ${{ steps.props.outputs.properties }}"
+```
+
+### Query a Different Repository
+
+To retrieve properties from a different repository:
+
+```yaml
+- name: Get Custom Properties
+  id: props
+  uses: launchbynttdata/launch-workflows/.github/actions/get-custom-properties@ref
+  with:
+    owner: "my-org"
+    repo: "my-repo"
+```
+
+### Parse Properties in Workflow
+
+You can use `jq` to parse specific properties from the output:
+
+```yaml
+- name: Get Custom Properties
+  id: props
+  uses: launchbynttdata/launch-workflows/.github/actions/get-custom-properties@ref
+
+- name: Check Environment Property
+  run: |
+    ENVIRONMENT=$(echo '${{ steps.props.outputs.properties }}' | jq -r '.[] | select(.property_name == "environment") | .value')
+    echo "Environment: $ENVIRONMENT"
+```
+
+## Required Permissions
+
+The default `GITHUB_TOKEN` has sufficient permissions to read custom properties for the repository where the workflow runs. When querying a different repository, the token needs "Metadata" repository permission (read).
+
+## Response Format
+
+The API returns an array of property objects:
+
+```json
+[
+  {
+    "property_name": "environment",
+    "value": "production"
+  },
+  {
+    "property_name": "team",
+    "value": "platform"
+  }
+]
+```

.github/actions/get-custom-properties/action.yml

@@ -0,0 +1,61 @@
+name: "Get Custom Properties"
+description: "Retrieve custom properties from a GitHub repository"
+inputs:
+  owner:
+    description: "The owner (organization or user) of the repository. Defaults to the current repository owner."
+    required: false
+    default: ${{ github.repository_owner }}
+  repo:
+    description: "The name of the repository. Defaults to the current repository name."
+    required: false
+    default: ${{ github.event.repository.name }}
+  github_token:
+    description: "GitHub token for API access. Defaults to the automatic GITHUB_TOKEN."
+    required: false
+    default: ${{ github.token }}
+outputs:
+  properties:
+    description: "JSON object containing all custom properties applied to the repository"
+    value: ${{ steps.get-properties.outputs.properties }}
+runs:
+  using: "composite"
+  steps:
+    - name: Get Custom Properties
+      id: get-properties
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+        OWNER: ${{ inputs.owner }}
+        REPO: ${{ inputs.repo }}
+      run: |
+        if [[ -z "$OWNER" ]]; then
+          echo "Error: Repository owner not provided and not available in the event context."
+          exit 1
+        fi
+
+        if [[ -z "$REPO" ]]; then
+          echo "Error: Repository name not provided and not available in the event context."
+          exit 1
+        fi
+
+        echo "Fetching custom properties for ${OWNER}/${REPO}..."
+
+        RESPONSE=$(curl -sL \
+          -H "Accept: application/vnd.github+json" \
+          -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+          -H "X-GitHub-Api-Version: 2026-03-10" \
+          "https://api.github.com/repos/${OWNER}/${REPO}/properties/values")
+
+        # Check for API errors
+        if echo "$RESPONSE" | jq -e '.message' > /dev/null 2>&1; then
+          ERROR_MSG=$(echo "$RESPONSE" | jq -r '.message')
+          echo "Error from GitHub API: $ERROR_MSG"
+          exit 1
+        fi
+
+        # Output the properties as JSON
+        echo "properties<<EOF" >> $GITHUB_OUTPUT
+        echo "$RESPONSE" >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+
+        echo "Successfully retrieved custom properties for ${OWNER}/${REPO}"

.github/actions/remove-dependabot-labels/README.md

@@ -23,7 +23,7 @@ This action will:
 
 ### Basic Usage
 
-When used in a `pull_request` event workflow, all inputs are optional:
+When used in a `pull_request` event workflow, all inputs are optional (replacing `ref` with a tag or commit SHA from this repository):
 
 ```yaml
 jobs:
@@ -36,7 +36,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Remove Dependabot Labels
-        uses: launchbynttdata/launch-workflows/.github/actions/remove-dependabot-labels@main
+        uses: launchbynttdata/launch-workflows/.github/actions/remove-dependabot-labels@ref
 ```
 
 ### Preserve Additional Labels
@@ -45,7 +45,7 @@ To preserve additional Dependabot labels beyond `dependencies`:
 
 ```yaml
 - name: Remove Dependabot Labels
-  uses: launchbynttdata/launch-workflows/.github/actions/remove-dependabot-labels@main
+  uses: launchbynttdata/launch-workflows/.github/actions/remove-dependabot-labels@ref
   with:
     preserve_labels: "dependencies,security"
 ```
@@ -56,7 +56,7 @@ If running outside a `pull_request` event context, provide the PR number explici
 
 ```yaml
 - name: Remove Dependabot Labels
-  uses: launchbynttdata/launch-workflows/.github/actions/remove-dependabot-labels@main
+  uses: launchbynttdata/launch-workflows/.github/actions/remove-dependabot-labels@ref
   with:
     pr_number: "123"
 ```

.github/actions/terragrunt-configure-mise/README.md

@@ -18,6 +18,8 @@ The configured `mise.toml` file will then be used by subsequent `gruntwork-io/te
 
 ## Usage
 
+Replace `ref` with a tag or commit SHA from this repository:
+
 ```yaml
 
 jobs:
@@ -29,7 +31,7 @@ jobs:
 
       # Ensure mise.toml contains terraform and terragrunt at our desired versions
       - name: Configure Mise
-        uses: launchbynttdata/launch-workflows/.github/actions/terragrunt-configure-mise@0.14.0 # or later
+        uses: launchbynttdata/launch-workflows/.github/actions/terragrunt-configure-mise@ref
         with:
           tf_version: '1.5.5'
           tg_version: '0.54.11'

.github/actions/terragrunt-configure-mise/action.yml

@@ -1,5 +1,6 @@
 name: "Configure Mise for Terragrunt"
-description: "Configure Mise to install specific versions of Terraform and Terragrunt for use with terragrunt-action"
+description: "Configure Mise to install specific versions of Terraform and
+  Terragrunt for use with terragrunt-action"
 inputs:
   tf_version:
     description: "Version of Terraform to install"
@@ -34,8 +35,8 @@ runs:
 
           # https://github.com/mrijken/toml-cli
           # `toml set` will add if necessary or update if the entry already exists
-          toml set mise.toml tools.terragrunt "${{ inputs.tg_version }}"
-          toml set mise.toml tools.terraform "${{ inputs.tf_version }}"
+          toml set --toml-path mise.toml tools.terragrunt "${{ inputs.tg_version }}"
+          toml set --toml-path mise.toml tools.terraform "${{ inputs.tf_version }}"
         fi
         echo "Final mise.toml configuration:"
         cat mise.toml

.github/actions/update-status-check/README.md

@@ -0,0 +1,111 @@
+# Update Status Check Action
+
+GitHub's [Commit Status API](https://docs.github.com/en/rest/commits/statuses) allows workflows to report the state of a check back to a specific commit SHA. This is useful for surfacing the outcome of external processes, gating merges, or providing richer context in pull requests beyond what a workflow run alone provides.
+
+This action wraps the Commit Status API with a simple interface: provide a check name and a status, and we handle the API call.
+
+## Behavior
+
+This action will:
+1. Validate that the provided `status` is one of the accepted values (`error`, `failure`, `pending`, `success`)
+2. Call the GitHub Commit Status API to create or update the named status check on the specified commit SHA
+3. Optionally attach a human-readable description and a target URL to the status
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `check_name` | The name (context) of the status check to create or update | Yes | — |
+| `status` | The state to set. One of: `error`, `failure`, `pending`, `success` | Yes | — |
+| `sha` | The commit SHA to attach the status check to | No | `${{ github.sha }}` |
+| `description` | A short human-readable description of the status | No | `""` |
+| `target_url` | A URL to associate with the status (e.g. a link to a build log) | No | `""` |
+| `github_token` | GitHub token for API access | No | `${{ github.token }}` |
+
+## Usage
+
+### Basic Usage
+
+Mark a status check as successful on the current commit (replacing `ref` with a tag or commit SHA from this repository):
+
+```yaml
+jobs:
+  your-job:
+    runs-on: ubuntu-latest
+    permissions:
+      statuses: write
+    steps:
+      - name: Set status check to success
+        uses: launchbynttdata/launch-workflows/.github/actions/update-status-check@ref
+        with:
+          check_name: "my-check"
+          status: "success"
+```
+
+### With Description and Target URL
+
+Provide additional context visible in the GitHub UI:
+
+```yaml
+- name: Set status check to failure
+  uses: launchbynttdata/launch-workflows/.github/actions/update-status-check@ref
+  with:
+    check_name: "security-scan"
+    status: "failure"
+    description: "Vulnerabilities were detected."
+    target_url: "https://example.com/scan-results/123"
+```
+
+### Marking a Check as Pending Before a Long-Running Step
+
+Use `pending` to signal that a check is in progress, then update it on completion:
+
+```yaml
+- name: Mark check as pending
+  uses: launchbynttdata/launch-workflows/.github/actions/update-status-check@ref
+  with:
+    check_name: "integration-tests"
+    status: "pending"
+    description: "Integration tests are running..."
+
+- name: Run integration tests
+  run: make test-integration
+
+- name: Mark check as success
+  if: success()
+  uses: launchbynttdata/launch-workflows/.github/actions/update-status-check@ref
+  with:
+    check_name: "integration-tests"
+    status: "success"
+    description: "All integration tests passed."
+
+- name: Mark check as failure
+  if: failure()
+  uses: launchbynttdata/launch-workflows/.github/actions/update-status-check@ref
+  with:
+    check_name: "integration-tests"
+    status: "failure"
+    description: "One or more integration tests failed."
+```
+
+### Targeting a Specific Commit SHA
+
+Override the default SHA to set a status on a commit other than the one that triggered the workflow:
+
+```yaml
+- name: Set status on a specific commit
+  uses: launchbynttdata/launch-workflows/.github/actions/update-status-check@ref
+  with:
+    check_name: "my-check"
+    status: "success"
+    sha: "abc1234def5678"
+```
+
+## Required Permissions
+
+This action requires the following permission on the workflow job:
+
+```yaml
+permissions:
+  statuses: write
+```