ci: consolidate PR workflows into single ci.yml + add act support (#34)

- Rewrites ci.yml with 6 jobs: validate, module-tests, docs,
  schema-drift, yaml-validate, mkdocs-build
- Deletes test.yml, schema-drift.yml, validate.yml (content merged in)
- Removes pull_request trigger from deploy_docs.yml (build-only check
  now lives in ci.yml mkdocs-build job)
- Adds scripts/gen-docs.sh to centralize terraform-docs generation
- Adds .actrc for local act runs (linux/amd64, catthehacker image,
  offline mode)
- Adds .secrets to .gitignore for local integration test credentials
- Deletes Makefile (all targets replaced by pre-commit hooks and act)

Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: trouze

.actrc

@@ -0,0 +1,5 @@
+--container-architecture linux/amd64
+-P ubuntu-latest=catthehacker/ubuntu:act-latest
+--action-offline-mode
+--pull=false
+--secret-file .secrets

.github/workflows/ci.yml

@@ -4,21 +4,34 @@ on:
   pull_request:
     paths:
       - "**.tf"
+      - "modules/**"
       - "tests/**"
       - "schemas/**"
-      - "docs/reference/**"
+      - "scripts/**"
+      - "validate/**"
+      - "docs/**"
+      - "mkdocs.yml"
       - ".terraform-docs.yml"
+      - ".terraform.lock.hcl"
       - ".github/workflows/ci.yml"
       - "!topologies/**"
   push:
     branches: [main]
     paths:
       - "**.tf"
+      - "modules/**"
       - "tests/**"
       - "schemas/**"
-      - "docs/reference/**"
+      - "scripts/**"
+      - "validate/**"
+      - "docs/**"
+      - "mkdocs.yml"
       - ".terraform-docs.yml"
+      - ".terraform.lock.hcl"
+      - ".github/workflows/ci.yml"
       - "!topologies/**"
+  schedule:
+    - cron: "0 8 * * 1"
 
 permissions:
   contents: read
@@ -61,6 +74,42 @@ jobs:
       - name: Test (mock providers)
         run: terraform test
 
+  module-tests:
+    name: Module Tests (${{ matrix.module }})
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        module:
+          - project
+          - environments
+          - jobs
+          - credentials
+          - repository
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
+        with:
+          terraform_version_file: .terraform-version
+
+      - name: Cache Terraform providers
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: .terraform
+          key: terraform-${{ hashFiles('.terraform.lock.hcl') }}
+          restore-keys: terraform-
+
+      - name: Terraform Init
+        working-directory: modules/${{ matrix.module }}
+        run: terraform init -backend=false
+
+      - name: Terraform Test
+        working-directory: modules/${{ matrix.module }}
+        run: terraform test -verbose
+
   docs:
     name: Docs up to date
     runs-on: ubuntu-latest
@@ -78,12 +127,130 @@ jobs:
           chmod +x /usr/local/bin/terraform-docs
 
       - name: Regenerate docs
-        run: make docs
+        run: bash scripts/gen-docs.sh
 
       - name: Check for drift
         run: |
           if ! git diff --exit-code docs/reference/; then
             echo ""
-            echo "Docs are out of date. Run 'make docs' locally and commit the result."
+            echo "Docs are out of date. Run 'bash scripts/gen-docs.sh' locally and commit the result."
+            exit 1
+          fi
+
+  schema-drift:
+    name: Schema Drift Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
+        with:
+          terraform_version_file: .terraform-version
+
+      - name: Cache Terraform providers
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: .terraform
+          key: terraform-${{ hashFiles('.terraform.lock.hcl') }}
+          restore-keys: terraform-
+
+      - name: Init
+        run: terraform init -backend=false
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Check schema drift
+        run: |
+          uv run --with PyYAML scripts/check_schema_drift.py \
+            --mapping scripts/resource_mapping.yml \
+            --schema schemas/v1.json \
+            --terraform-dir .
+
+      - name: Annotate PR on failure
+        if: failure() && github.event_name == 'pull_request'
+        run: |
+          echo "::error::Schema drift detected. Run 'uv run --with PyYAML scripts/check_schema_drift.py --mapping scripts/resource_mapping.yml --schema schemas/v1.json --terraform-dir .' locally and classify any UNMAPPED fields in scripts/resource_mapping.yml. Add MISSING_FROM_SCHEMA fields to schemas/v1.json."
+
+  yaml-validate:
+    name: YAML Validate Action
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Valid YAML passes
+        uses: ./validate
+        with:
+          file: validate/tests/valid.yml
+
+      - name: Invalid YAML is rejected
+        id: validate-invalid
+        uses: ./validate
+        with:
+          file: validate/tests/invalid.yml
+        continue-on-error: true
+
+      - name: Assert validation failed
+        run: |
+          if [ "${{ steps.validate-invalid.outcome }}" != "failure" ]; then
+            echo "Expected validation to fail for invalid.yml, but it did not."
             exit 1
           fi
+          echo "Validation correctly rejected invalid.yml."
+
+  mkdocs-build:
+    name: MkDocs Build
+    runs-on: ubuntu-latest
+    env:
+      TERRAFORM_DOCS_VERSION: v0.20.0
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+          cache: "pip"
+          cache-dependency-path: "docs/requirements.txt"
+
+      - name: Install MkDocs and dependencies
+        run: pip install -r docs/requirements.txt
+
+      - name: Install terraform-docs
+        run: |
+          wget -O /tmp/terraform-docs.tar.gz \
+            https://github.com/terraform-docs/terraform-docs/releases/download/${TERRAFORM_DOCS_VERSION}/terraform-docs-${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz
+          tar -xzf /tmp/terraform-docs.tar.gz -C /tmp
+          sudo mv /tmp/terraform-docs /usr/local/bin/
+          chmod +x /usr/local/bin/terraform-docs
+
+      - name: Generate Terraform documentation
+        run: bash scripts/gen-docs.sh
+
+      - name: Setup Pages
+        id: pages
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+
+      - name: Set MkDocs site_url for GitHub Pages
+        run: |
+          SITE_URL="https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/"
+          python3 -c "
+          import re, pathlib, sys
+          site_url = sys.argv[1]
+          path = pathlib.Path('mkdocs.yml')
+          text = path.read_text()
+          text, n = re.subn(r'(?m)^site_url:.*$', f'site_url: {site_url}', text, count=1)
+          if n != 1:
+              sys.exit('Expected exactly one site_url line in mkdocs.yml')
+          path.write_text(text)
+          print(f'site_url -> {site_url}')
+          " "$SITE_URL"
+
+      - name: Build with MkDocs
+        run: mkdocs build --strict --site-dir ./site

.github/workflows/deploy_docs.yml

@@ -15,16 +15,6 @@ on:
       - 'schemas/**'
       - 'topologies/**'
       - '.github/workflows/deploy_docs.yml'
-  
-  pull_request:
-    types: [opened, synchronize]
-    paths:
-      - 'docs/**'
-      - 'mkdocs.yml'
-      - '*.tf'
-      - 'modules/**'
-      - 'schemas/**'
-      - 'topologies/**'
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
@@ -77,7 +67,7 @@ jobs:
           terraform-docs --version
       
       - name: Generate Terraform documentation
-        run: make docs
+        run: bash scripts/gen-docs.sh
 
       - name: Setup Pages
         id: pages
@@ -109,7 +99,7 @@ jobs:
 
   # Deployment job
   deploy:
-    if: github.event_name == 'push' || github.event.pull_request.merged == true
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}