Refactor workflows to use workflow_call and add required secrets for Azure deployment

Author: austenstone

.github/workflows/ci.yml

@@ -0,0 +1,25 @@
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, synchronize, reopened, closed]
+    branches: [main]
+
+jobs:
+  terraform:
+    uses: ./.github/workflows/terraform.yml
+    secrets:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+  deploy:
+    needs: terraform
+    uses: ./.github/workflows/deploy.yml
+    secrets:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}

.github/workflows/deploy.yml

@@ -1,11 +1,16 @@
 name: Deploy to Azure Static Web App
 on:
-  push:
-    branches: [main]
-  pull_request:
-    types: [opened, synchronize, reopened, closed]
-    branches: [main]
-     
+  workflow_call:
+     secrets:
+       AZURE_CLIENT_ID:
+         required: true
+       AZURE_TENANT_ID:
+         required: true
+       AZURE_SUBSCRIPTION_ID:
+         required: true
+       AZURE_STATIC_WEB_APPS_API_TOKEN:
+         required: true
+
 jobs: 
   deploy:
     if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
@@ -19,10 +24,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
-      with:
-        submodules: true
-        lfs: false
+      uses: actions/checkout@v5
 
     - name: Azure Login
       uses: azure/login@v1
@@ -32,7 +34,7 @@ jobs:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: Deploy Static Web App
-      uses: Azure/static-web-apps-deploy@v1
+      uses: azure/static-web-apps-deploy@v1
       with:
         azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}
         repo_token: ${{ secrets.GITHUB_TOKEN }}
@@ -46,7 +48,7 @@ jobs:
     name: Close Pull Request
     steps:
     - name: Close Pull Request
-      uses: Azure/static-web-apps-deploy@v1
+      uses: azure/static-web-apps-deploy@v1
       with:
         azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}
         action: "close"

.github/workflows/terraform.yml

@@ -45,9 +45,14 @@
 name: 'Terraform'
 
 on:
-  push:
-    branches: [ "main" ]
-  pull_request:
+  workflow_call:
+    secrets:
+      AZURE_CLIENT_ID:
+        required: true
+      AZURE_TENANT_ID:
+        required: true
+      AZURE_SUBSCRIPTION_ID:
+        required: true
 
 permissions:
   contents: read
@@ -81,7 +86,7 @@ jobs:
 
     # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
     - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v1
+      uses: hashicorp/setup-terraform@v3
 
     # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
     - name: Terraform Init

README.md

@@ -0,0 +1,27 @@
+# GitHub Actions Terraform
+
+Automated Azure infrastructure deployment using Terraform and GitHub Actions with OIDC authentication.
+
+## 🚀 What This Does
+
+- **Terraform** manages Azure infrastructure (Resource Group + Static Web App)
+- **GitHub Actions** automatically deploys on push to `main`
+- **OIDC** for secure, keyless authentication to Azure
+- **Remote State** stored in Azure Storage with locking
+
+## 🔗 Live Site
+
+[https://black-sky-0510e820f.3.azurestaticapps.net](https://black-sky-0510e820f.3.azurestaticapps.net)
+
+## 🏗️ Infrastructure
+
+- Azure Static Web App (Free tier)
+- Resource Group: `rg-github-actions-terraform`
+- Terraform State: Azure Storage account `tfstate56202`
+
+## 🔐 Security
+
+- OIDC federated identity (no secrets stored)
+- Encrypted state at rest
+- State locking enabled
+- Environment protection: `production`