integrations
diff --git a/‎.github/labeler.yml‎
Lines changed: 56 additions & 0 deletions b/‎.github/labeler.yml‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 117 additions & 2 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 117 additions & 2 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 14 additions & 5 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎.github/workflows/immediate-response.yml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/immediate-response.yml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/labeler.yml‎
Lines changed: 18 additions & 0 deletions b/‎.github/workflows/labeler.yml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎.golangci.yml‎
Lines changed: 62 additions & 22 deletions b/‎.golangci.yml‎
Lines changed: 62 additions & 22 deletions
@@ -0,0 +1,56 @@
+# Configuration for labeler - https://github.com/actions/labeler
+"Type: Breaking change":
+  - head-branch:
+    - '^breaking/'
+    - '^breaking-'
+
+"Type: Feature":
+  - head-branch:
+    - '^feat/'
+    - '^feat-'
+    - '^feature/'
+    - '^feature-'
+
+"Type: Bug":
+  - head-branch:
+    - '^fix/'
+    - '^fix-'
+    - '^bugfix/'
+    - '^bugfix-'
+    - '^bug/'
+    - '^bug-'
+
+"Deprecation":
+  - head-branch:
+    - '^deprecate/'
+    - '^deprecate-'
+    - '^deprecation/'
+    - '^deprecation-'
+
+"Type: Maintenance":
+  - head-branch:
+    - '^chore/'
+    - '^chore-'
+    - '^maintenance/'
+    - '^maintenance-'
+    - '^maint/'
+    - '^maint-'
+    - '^deps/'
+    - '^deps-'
+    - '^dependencies/'
+    - '^dependencies-'
+  # - changed-files:
+  #   - any-glob-to-any-file: 
+  #     - .github/workflows/**
+  #     - .github/labeler.yml
+  #     - .github/dependabot.yml
+  #     - .github/release.yml
+
+"Type: Documentation":
+  - head-branch:
+    - '^docs/'
+    - '^docs-'
+    - '^doc/'
+    - '^doc-'
+  # - changed-files:
+  #   - any-glob-to-any-file: 'website/**'
@@ -5,19 +5,134 @@ on:
     branches: [main]
   pull_request: {}
 
+permissions:
+  contents: read # for actions/checkout
+
+env:
+  test_stacks_directory: test_tf_stacks
+
 jobs:
   ci:
+    name: Continuous Integration
     runs-on: ubuntu-latest
     env:
-      GITHUB_TEST_ORGANIZATION: 'kfcampbell-terraform-provider'
+      GITHUB_TEST_ORGANIZATION: kfcampbell-terraform-provider
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: go.mod
           cache: true
       - run: make tools
       - run: make lint
       - run: make website-lint
       - run: make build
       - run: make test
+
+  generate-matrix:
+    name: Generate matrix for test stacks
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      has-tests: ${{ steps.set-matrix.outputs.has-tests }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Generate matrix
+        id: set-matrix
+        run: |
+          if [ -d "${{ env.test_stacks_directory }}" ]; then
+            # find all directories and validate their names
+            VALID_TESTS=()
+            INVALID_TESTS=()
+
+            while IFS= read -r dir; do
+              dirname=$(basename "$dir")
+              # validate that directory name only contains alphanumeric, hyphens, underscores, and dots
+              if [[ "$dirname" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
+                VALID_TESTS+=("$dirname")
+              else
+                INVALID_TESTS+=("$dirname")
+              fi
+            done < <(find ${{ env.test_stacks_directory }} -mindepth 1 -maxdepth 1 -type d)
+
+            # report invalid directory names if any
+            if [ ${#INVALID_TESTS[@]} -gt 0 ]; then
+              echo "::warning::Invalid test directory names found (must contain only alphanumeric, hyphens, underscores, and dots):"
+              printf ' - %s (will be skipped)\n' "${INVALID_TESTS[@]}"
+            fi
+
+            # create JSON array from valid tests
+            if [ ${#VALID_TESTS[@]} -gt 0 ]; then
+              TESTS=$(printf '%s\n' "${VALID_TESTS[@]}" | jq -R -s -c 'split("\n")[:-1]')
+              echo "matrix=${TESTS}" >> $GITHUB_OUTPUT
+              echo "has-tests=true" >> $GITHUB_OUTPUT
+              echo "Found valid test directories: ${TESTS}"
+            else
+              echo "matrix=[]" >> $GITHUB_OUTPUT
+              echo "has-tests=false" >> $GITHUB_OUTPUT
+              echo "No valid test directories found"
+            fi
+          else
+            echo "Test directory ${{ env.test_stacks_directory }} does not exist"
+            echo "matrix=[]" >> $GITHUB_OUTPUT
+            echo "has-tests=false" >> $GITHUB_OUTPUT
+          fi
+
+  tests:
+    name: Run tests for Terraform test stacks
+    needs: [ci, generate-matrix]
+    if: ${{ needs.generate-matrix.outputs.has-tests == 'true' }} # only run if there are some test stacks
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        tests: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Build provider
+        run: go build -o terraform-provider-github
+
+      - name: Setup dev overrides
+        run: |
+          ROOT_DIR=$(pwd)
+          cat > ~/.terraformrc << EOF
+          provider_installation {
+            dev_overrides {
+              "integrations/github" = "${ROOT_DIR}"
+            }
+            direct {}
+          }
+          EOF
+
+      - name: Verify dev overrides setup
+        run: cat ~/.terraformrc
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        with:
+          terraform_version: 1.x
+
+      - name: Check Terraform version
+        run: terraform version
+
+      - name: Terraform init
+        continue-on-error: true # continue even if init fails
+        run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ matrix.tests }} init
+
+      - name: Terraform validate
+        run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ matrix.tests }} validate
+
+      - name: Clean up
+        run: rm -f ~/.terraformrc terraform-provider-github
@@ -11,7 +11,7 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -21,27 +21,36 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'go' ]
+        include:
+        - language: actions
+          build-mode: none
+          queries: security-extended # can be 'default' (use empty for 'default'), 'security-and-quality', 'security-extended'
+        - language: go
+          build-mode: autobuild
+          queries: '' # will be used 'default' queries
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        if: matrix.language == 'go'
         with:
           go-version-file: 'go.mod'
           cache: true
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           languages: ${{ matrix.language }}
+          build-mode: ${{ matrix['build-mode'] }}
+          queries: ${{ matrix.queries }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           category: "/language:${{matrix.language}}"
@@ -11,7 +11,9 @@ on:
       - opened
 jobs:
   respond-to-issue:
-    if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' && github.actor != 'githubactions[bot]' && github.actor != 'octokitbot' }}
+    if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' && 
+      github.actor != 'githubactions[bot]' && github.actor != 'octokitbot' && 
+      github.repository == 'integrations/terraform-provider-github' }}
     runs-on: ubuntu-latest
     steps:
       - name: Determine issue or PR number
 
@@ -0,0 +1,18 @@
+name: Pull Request Labeler
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write # Use this if all labels already exist in the repository (i.e., pre-defined in .github/labeler.yml).
+
+jobs:
+  labeler:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Labeler
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
+        with:
+          sync-labels: false # Whether or not to remove labels when matching files are reverted or no longer changed by the PR
@@ -1,36 +1,76 @@
-# Visit https://golangci-lint.run/ for usage documentation
-# and information on other useful linters
-
+version: "2"
 run:
-  deadline: 3m
   modules-download-mode: vendor
 
-issues:
-  max-per-linter: 0
-  max-same-issues: 0
-
 linters:
-  disable-all: true
+  default: none
+
   enable:
+    - copyloopvar
     - durationcheck
     - errcheck
-    - exportloopref
-    # - forcetypeassert
-    # - godot
-    - gofmt
-    - gosimple
+    - errname
+    - errorlint
+    # - forcetypeassert TODO: Re-enable when we can fix the issues
+    - godot
+    - govet
     - ineffassign
     - makezero
     - misspell
-    # - nilerr
-    # - predeclared
+    - modernize
+    - nilerr
+    - predeclared
     - staticcheck
-    - tenv
     - unconvert
-    # - unparam
+    - unparam
     - unused
-    - vet
+    - usetesting
+
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+    rules:
+      - path: _test\.go
+        linters:
+          - unparam
+        text: always receives
+
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+    - goimports
+
+  settings:
+    gofmt:
+      simplify: true
+      rewrite-rules:
+        - pattern: interface{}
+          replacement: any
+        - pattern: a[b:len(a)]
+          replacement: a[b:]
+    gofumpt:
+      module-path: github.com/integrations/terraform-provider-github
+      extra-rules: true
+    goimports:
+      local-prefixes:
+        - github.com/integrations/terraform-provider-github
 
-linters-settings:
-  errcheck:
-    ignore: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema:ForceNew|Set,fmt:.*,io:Close
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$