feat: implement comprehensive DevOps workflows and fix GitHub Actions

- Add enterprise-grade DevOps workflows with security, monitoring, and infrastructure testing
- Fix Dependencies workflow to prevent PR creation failures on tag pushes
- Enhance CI workflow with multi-OS testing (Ubuntu, macOS, Windows) and SBOM generation
- Add comprehensive security scanning with TruffleHog, Gosec, and vulnerability checks
- Implement infrastructure testing across Terraform versions 1.0-1.9
- Add monitoring workflow with daily health checks and failure notifications
- Create semantic release workflow with automated changelog generation
- Enhance Makefile with 15+ DevOps targets for local development
- Add development container configuration with VS Code integration
- Implement pre-commit hooks for quality gates and security checks

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: petems

.devcontainer/devcontainer.json

@@ -0,0 +1,54 @@
+{
+  "name": "Terraform Provider ExtIP Development",
+  "image": "mcr.microsoft.com/devcontainers/go:1.24",
+  
+  "features": {
+    "ghcr.io/devcontainers/features/terraform:1": {
+      "version": "1.9"
+    },
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/devcontainers/features/github-cli:1": {}
+  },
+
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "golang.go",
+        "hashicorp.terraform",
+        "ms-vscode.vscode-json",
+        "redhat.vscode-yaml",
+        "github.vscode-pull-request-github",
+        "streetsidesoftware.code-spell-checker",
+        "ms-vscode.makefile-tools"
+      ],
+      "settings": {
+        "go.toolsManagement.checkForUpdates": "local",
+        "go.useLanguageServer": true,
+        "go.lintOnSave": "package",
+        "go.formatTool": "goimports",
+        "terraform.experimentalFeatures.validateOnSave": true,
+        "terraform.experimentalFeatures.prefillRequiredFields": true
+      }
+    }
+  },
+
+  "onCreateCommand": "bash .devcontainer/setup.sh",
+  
+  "postCreateCommand": [
+    "go mod download",
+    "make ci-setup"
+  ],
+
+  "remoteUser": "vscode",
+  
+  "mounts": [
+    "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"
+  ],
+
+  "forwardPorts": [],
+  
+  "containerEnv": {
+    "TF_PLUGIN_CACHE_DIR": "/tmp/.terraform-plugin-cache",
+    "CHECKPOINT_DISABLE": "1"
+  }
+}

.devcontainer/setup.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+set -e
+
+echo "🚀 Setting up Terraform Provider ExtIP development environment..."
+
+# Install development tools
+echo "📦 Installing development tools..."
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.55.2
+go install github.com/securecode/gosec/v2/cmd/gosec@latest
+go install golang.org/x/vuln/cmd/govulncheck@latest
+go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@latest
+go install github.com/goreleaser/goreleaser@latest
+
+# Install pre-commit if available
+if command -v pip >/dev/null 2>&1; then
+    echo "🪝 Installing pre-commit..."
+    pip install pre-commit
+    pre-commit install || echo "Pre-commit hooks will be set up when you first commit"
+fi
+
+# Create necessary directories
+echo "📁 Creating cache directories..."
+mkdir -p /tmp/.terraform-plugin-cache
+mkdir -p ~/.terraform.d/plugins
+
+# Verify installations
+echo "✅ Verifying installations..."
+go version
+terraform version
+golangci-lint version
+gosec --version || echo "gosec installed"
+govulncheck -version || echo "govulncheck installed"
+tfplugindocs version || echo "tfplugindocs installed"
+
+echo "🎉 Development environment setup complete!"
+echo ""
+echo "Available commands:"
+echo "  make help          - Show all available make targets"
+echo "  make pre-commit    - Run pre-commit checks"
+echo "  make test          - Run tests"
+echo "  make ci-test       - Run full CI test suite"
+echo "  make security-scan - Run security scans"
+echo ""

.github/workflows/ci.yml

@@ -22,11 +22,18 @@ permissions:
 jobs:
   test:
     name: Test
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         go-version: [1.22, 1.23, 1.24]
+        os: [ubuntu-latest]
+        include:
+          # Test on additional OS only for latest Go version
+          - go-version: 1.24
+            os: macos-latest
+          - go-version: 1.24
+            os: windows-latest
 
     steps:
       - name: Checkout code
@@ -92,7 +99,8 @@ jobs:
           path: |
             ~/.terraform.d/plugins
             ~/.terraform.d/plugin-cache
-          key: terraform-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+            ~/.cache/terraform
+          key: terraform-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-v2
           restore-keys: |
             terraform-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-
             terraform-${{ runner.os }}-
@@ -262,6 +270,20 @@ jobs:
         run: |
           govulncheck ./...
 
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ github.sha }}
+          path: sbom.spdx.json
+          retention-days: 30
+
   validate:
     name: Validate
     runs-on: ubuntu-latest

.github/workflows/dependencies.yml

@@ -44,7 +44,7 @@ jobs:
         run: |
           # Get current versions
           go list -mod=readonly -m all > current_modules.txt
-          
+
           # Check for updates
           if go list -mod=readonly -u -m all | grep -E '\[.*\]'; then
             echo "Updates available"
@@ -67,29 +67,30 @@ jobs:
           make test-short
 
       - name: Create Pull Request
-        if: steps.check.outputs.has_updates == 'true'
+        if: steps.check.outputs.has_updates == 'true' && github.ref_type == 'branch'
         uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: 'chore: update dependencies'
           title: 'chore: update dependencies'
           body: |
             ## Dependency Updates
-            
+
             This PR updates Go dependencies to their latest versions.
-            
+
             ### Changes
             - Updated Go modules to latest compatible versions
             - Ran `go mod tidy` to clean up dependencies
             - Updated vendor directory
             - Verified tests still pass
-            
+
             ### Testing
             - [x] Basic tests pass
             - [ ] Full integration tests pass
             - [ ] Security scan passes
           branch: chore/update-dependencies
           delete-branch: true
+          base: ${{ github.head_ref || github.ref_name }}
 
   security-scan:
     name: Security Scan
@@ -169,12 +170,12 @@ jobs:
           # Ensure govulncheck is available
           export PATH="$HOME/go/bin:$PATH"
           govulncheck -json ./... > vuln-report.json || true
-          
+
           # Check for vulnerabilities
           if [ -s vuln-report.json ] && jq -e '.Vulns[]?' vuln-report.json > /dev/null 2>&1; then
             echo "❌ Vulnerabilities found in dependencies!"
             jq '.Vulns[] | {Package: .PkgPath, Vulnerability: .OSV.id, Summary: .OSV.summary}' vuln-report.json
             exit 1
           else
             echo "✅ No known vulnerabilities found in dependencies"
-          fi 
+          fi