
Update workflow permissions and enhance environment variable #91

Merged

frasermolyneux merged 2 commits into main from feature/gh-workflow-enhancements on Feb 10, 2026

Conversation

@frasermolyneux (Owner)

This pull request makes several improvements to the GitHub Actions workflows, primarily focusing on permissions, environment variable handling, and workflow conditions. The changes enhance security and flexibility for Terraform plan jobs, and improve dependency review feedback.

Workflow condition and environment variable improvements:

  • Updated the conditions for running Terraform plan jobs in pr-verify.yml to remove explicit exclusion of Dependabot PRs, relying instead on label-based control. This simplifies workflow logic and ensures more predictable execution. [1] [2]
  • Changed the way Azure credentials are set for Terraform jobs by introducing environment variables (env:) and conditional assignment for AZURE_CLIENT_ID to support Dependabot PRs using a separate client ID. This improves security and flexibility for CI/CD jobs. [1] [2]

Permissions and dependency review enhancements:

  • Increased the pull-requests permission from read to write in codequality.yml, allowing the dependency review action to post summary comments directly in PRs.
  • Enabled always posting dependency review summaries in PRs by setting comment-summary-in-pr: always for the dependency review action, improving visibility of dependency changes.

Workflow documentation update:

  • Updated comments in pr-verify.yml to clarify workflow control, removing outdated references to Dependabot exclusion.
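The two workflow fragments below are an added illustration of the configuration shape the description above implies; they are not the diff from this pull request. Job names, the label name `terraform-plan`, the secret names, the `azure/login` step and the `id-token: write` permission are assumptions made here for the example.

```yaml
# --- .github/workflows/pr-verify.yml (added example, not the PR's own file) ---
name: PR Verify

on:
  pull_request:

permissions:
  contents: read          # workflow-level default; each job adds only what it needs

jobs:
  terraform-plan:
    # Label-driven control: the job runs when the PR carries the label, whoever
    # opened it, so no separate Dependabot exclusion is needed (label name assumed).
    if: contains(github.event.pull_request.labels.*.name, 'terraform-plan')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # assumed: required for OIDC federation to Azure
    env:
      # Credentials are centralised at job level. Dependabot PRs select a separate
      # client ID so that identity can be granted narrower Azure permissions.
      # (Secret names are assumptions for this example.)
      AZURE_CLIENT_ID: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_AZURE_CLIENT_ID || secrets.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ env.AZURE_CLIENT_ID }}
          tenant-id: ${{ env.AZURE_TENANT_ID }}
          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
      - run: |
          terraform init -input=false
          terraform plan -input=false

---
# --- .github/workflows/codequality.yml (added example, not the PR's own file) ---
name: Code Quality

on:
  pull_request:

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # raised from read, scoped to this job only, so the
                            # action can post its summary as a PR comment
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          comment-summary-in-pr: always   # post the summary on every run, not only on failure
```

Two points worth checking when applying this pattern: the `pull-requests: write` grant sits on the single job that needs it rather than at workflow level, so the other jobs keep the read-only default; and on a `pull_request` event raised from a fork the `GITHUB_TOKEN` is read-only regardless of the `permissions` block, so the comment step will not be able to post there.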

Copilot AI review requested due to automatic review settings February 9, 2026 22:36
@github-actions (Contributor) commented Feb 9, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment


Pull request overview

Updates GitHub Actions workflows to refine Terraform plan execution logic and improve dependency review feedback on pull requests, aligning CI/CD behavior with label-driven controls and enabling PR comment output for dependency changes.

Changes:

  • Adjust Terraform plan job conditions in pr-verify.yml to rely on labels (and add conditional Azure client ID selection via job env).
  • Increase pull-requests permission and enable always-on PR summary comments for dependency review in codequality.yml.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File: .github/workflows/pr-verify.yml
Description: Updates Terraform plan job if: conditions and centralizes Azure credential values via job-level env, including a Dependabot-specific client ID option.

File: .github/workflows/codequality.yml
Description: Grants PR write permission to the dependency review job and configures dependency review to always comment a summary in PRs.

Comment thread .github/workflows/pr-verify.yml

@frasermolyneux frasermolyneux merged commit 289b49d into main Feb 10, 2026
18 checks passed
@frasermolyneux frasermolyneux deleted the feature/gh-workflow-enhancements branch February 10, 2026 04:22