chore: align project workflows and metadata with fleet standards

Author: frasermolyneux

.github/copilot-instructions.md

@@ -1,11 +1,33 @@
 # Copilot Instructions
 
-- **Purpose**: Catalog of reusable Azure Bicep modules published to ACR `acrty7og2i6qpv3s` under `bicep/modules/{module}`; registry is provisioned by the platform-strategic-services project.
-- **Layout**: Each module lives in `modules/<name>/` with `main.bicep` plus `metadata.json` carrying `version.major|minor|revision`. Publishing fails if either file is missing.
-- **Versioning behavior**: Non-main builds publish `V{major}.{minor}.{revision}-preview` only. Main builds also push `V{major}.x`, `V{major}.{minor}.x`, and `latest` when the full version tag is new.
-- **Publish script**: [Publish-BicepModuleToAcr.ps1](../.azure-pipelines/scripts/Publish-BicepModuleToAcr.ps1) drives tagging; it skips publishing when the `V{major}.{minor}.{revision}` tag already exists. Repository prefix defaults to `bicep/modules`.
-- **Pipelines**: [devops-secure-scanning](../.azure-pipelines/devops-secure-scanning.yml) runs weekly and on PRs to main using `jobs/devops-secure-scanning.yml` from the `ado-pipeline-templates` repo. [release-to-production](../.azure-pipelines/release-to-production.yml) builds with `bicep-lint-code` then loops modules to publish via service connection `spn-bicep-modules-production`; scheduled weekly and on main.
-- **Local workflow**: Update `metadata.json` when changing `main.bicep`; validate with `az bicep build --file modules/<name>/main.bicep`. Manual publish example:
+## Project Overview
+
+This repository is a catalogue of reusable Azure Bicep modules published to Azure Container Registry (ACR) `acrty7og2i6qpv3s` under `bicep/modules/{module}`. The registry is provisioned by the `platform-strategic-services` project.
+
+## Repository Layout
+
+- `modules/<name>/` — Each module contains `main.bicep` and `metadata.json` (with `version.major|minor|revision`). Publishing fails if either file is missing.
+- `.azure-pipelines/` — Azure DevOps pipeline definitions and the publish script.
+- `.github/workflows/` — GitHub Actions workflows for CI, code quality, and PR verification.
+- `scripts/` — Utility scripts for app registration and role assignment.
+- `docs/` — Project documentation ([overview.md](../docs/overview.md), [development-workflows.md](../docs/development-workflows.md)).
+
+## Module Catalogue
+
+`apiManagementLogger`, `apiManagementSubscription`, `appConfigurationStore`, `appInsights`, `frontDoorCNAME`, `frontDoorEndpoint`, `keyVault`, `keyVaultAccessPolicy`, `keyVaultRoleAssignment`, `keyVaultSecret`, `sqlDatabase`, `storageAccount`, `webTest`.
+
+## Build and Validation
+
+- **Local validation**: `az bicep build --file modules/<name>/main.bicep`
+- **GitHub Actions**: `build-and-test.yml` validates all modules on feature/bugfix/hotfix branches; `pr-verify.yml` validates on PRs to main; `codequality.yml` runs SonarCloud scanning, DevOps secure scanning, and dependency review.
+- **Azure DevOps**: `release-to-production.yml` lints and publishes modules to ACR via `spn-bicep-modules-production`.
+
+## Versioning and Publishing
+
+- Non-main builds publish `V{major}.{minor}.{revision}-preview` only.
+- Main builds also push `V{major}.x`, `V{major}.{minor}.x`, and `latest` when the full version tag is new.
+- The publish script (`Publish-BicepModuleToAcr.ps1`) skips publishing when a tag already exists.
+- Manual publish example:
   ```powershell
   pwsh ./.azure-pipelines/scripts/Publish-BicepModuleToAcr.ps1 `
     -moduleName keyvault `
@@ -14,6 +36,15 @@
     -previewRelease $true
   ```
   Requires `az login` and rights to the registry.
-- **Module catalogue**: modules include `apiManagementLogger`, `apiManagementSubscription`, `appConfigurationStore`, `appInsights`, `frontDoorCNAME`, `frontDoorEndpoint`, `keyVault`, `keyVaultAccessPolicy`, `keyVaultRoleAssignment`, `keyVaultSecret`, `sqlDatabase`, `storageAccount`, `webTest`.
-- **Dependencies**: Pipelines consume templates from the `ado-pipeline-templates` GitHub repo and require Azure CLI with Bicep installed.
-- **Docs**: See [docs/overview.md](../docs/overview.md) and [docs/development-workflows.md](../docs/development-workflows.md) for module layout and pipeline details.
+
+## Conventions
+
+- Always update `metadata.json` when changing a module's `main.bicep`.
+- Bicep files should pass `az bicep build` without errors before committing.
+- Pipelines consume templates from the `ado-pipeline-templates` GitHub repo and require Azure CLI with Bicep installed.
+
+## Dependencies
+
+- Azure CLI with Bicep extension
+- `ado-pipeline-templates` repository (for Azure DevOps pipeline templates)
+- `frasermolyneux/actions` repository (for reusable GitHub Actions workflows)

.github/workflows/copilot-setup-steps.yml

@@ -16,13 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-    
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v6
-    
-    - name: Checkout additional repo
-      uses: actions/checkout@v6
-      with:
-        repository: frasermolyneux/.github-copilot
-        path: .github-copilot
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Checkout additional repo
+        uses: actions/checkout@v6
+        with:
+          repository: frasermolyneux/.github-copilot

README.md

@@ -1,14 +1,18 @@
 # Bicep Modules
 
-[![DevOps Secure Scanning](https://dev.azure.com/frasermolyneux/Personal-Public/_apis/build/status%2fbicep-modules.DevOpsSecureScanning?branchName=main)](https://dev.azure.com/frasermolyneux/Personal-Public/_build/latest?definitionId=209&branchName=main)
-[![Pipeline Build](https://dev.azure.com/frasermolyneux/Personal-Public/_apis/build/status%2fbicep-modules.OnePipeline?repoName=frasermolyneux%2fbicep-modules&branchName=main&stageName=Build)](https://dev.azure.com/frasermolyneux/Personal-Public/_build/latest?definitionId=175&repoName=frasermolyneux%2fbicep-modules&branchName=main)
-[![Pipeline Deploy](https://dev.azure.com/frasermolyneux/Personal-Public/_apis/build/status%2fbicep-modules.OnePipeline?repoName=frasermolyneux%2fbicep-modules&branchName=main&stageName=Deploy)](https://dev.azure.com/frasermolyneux/Personal-Public/_build/latest?definitionId=175&repoName=frasermolyneux%2fbicep-modules&branchName=main)
+[![Build and Test](https://github.com/frasermolyneux/bicep-modules/actions/workflows/build-and-test.yml/badge.svg)](https://github.com/frasermolyneux/bicep-modules/actions/workflows/build-and-test.yml)
+[![Code Quality](https://github.com/frasermolyneux/bicep-modules/actions/workflows/codequality.yml/badge.svg)](https://github.com/frasermolyneux/bicep-modules/actions/workflows/codequality.yml)
+[![Copilot Setup Steps](https://github.com/frasermolyneux/bicep-modules/actions/workflows/copilot-setup-steps.yml/badge.svg)](https://github.com/frasermolyneux/bicep-modules/actions/workflows/copilot-setup-steps.yml)
+[![Dependabot Auto-Merge](https://github.com/frasermolyneux/bicep-modules/actions/workflows/dependabot-automerge.yml/badge.svg)](https://github.com/frasermolyneux/bicep-modules/actions/workflows/dependabot-automerge.yml)
+[![PR Verify](https://github.com/frasermolyneux/bicep-modules/actions/workflows/pr-verify.yml/badge.svg)](https://github.com/frasermolyneux/bicep-modules/actions/workflows/pr-verify.yml)
 
 ## Documentation
+
 - [Overview](docs/overview.md) - Module layout, catalogue, and registry dependencies
 - [Development Workflows](docs/development-workflows.md) - Pipelines, local validation, and publish guidance
 
 ## Overview
+
 Reusable Azure Bicep modules for Integration Services workloads, published to `acrty7og2i6qpv3s` under `bicep/modules/{module}`. Modules ship with per-folder metadata for versioning and are linted/published through Azure DevOps using templates from `ado-pipeline-templates`. The registry itself is deployed by the `platform-strategic-services` project.
 
 ## Contributing