Add GitHub workflows for Dependabot, build and test, code quality, and PR verification

Author: frasermolyneux

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    assignees: ["frasermolyneux"]
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/build-and-test.yml

@@ -0,0 +1,34 @@
+name: Build and Test
+
+on:
+  push:
+    branches:
+      - "feature/**"
+      - "bugfix/**"
+      - "hotfix/**"
+
+permissions: {}
+
+jobs:
+  bicep-validation:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    
+    - name: Setup Azure CLI
+      uses: azure/login@v2
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+    
+    - name: Validate Bicep modules
+      shell: bash
+      run: |
+        echo "Validating Bicep modules..."
+        for bicep_file in $(find modules -name "main.bicep"); do
+          echo "Validating $bicep_file"
+          az bicep build --file "$bicep_file"
+        done

.github/workflows/codequality.yml

@@ -0,0 +1,60 @@
+name: Code Quality
+
+on:
+  schedule:
+    - cron: "0 3 * * 1" # Monday 3am UTC
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions: {}
+
+jobs:
+  sonar-scanning:
+    permissions:
+      contents: read
+      pull-requests: read
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    
+    - name: SonarCloud Scan
+      uses: SonarSource/sonarcloud-github-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      with:
+        args: >
+          -Dsonar.projectKey=frasermolyneux_bicep-modules
+          -Dsonar.organization=frasermolyneux
+          -Dsonar.host.url=https://sonarcloud.io
+
+  devops-secure-scanning:
+    permissions:
+      contents: read
+      actions: read
+      id-token: write
+      security-events: write
+    uses: frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@main
+
+  dependency-review:
+    permissions:
+      contents: read
+      pull-requests: write
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          comment-summary-in-pr: always

.github/workflows/copilot-setup-steps.yml

@@ -0,0 +1,28 @@
+name: "Copilot Setup Steps"
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+permissions: {}
+
+jobs:
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v6
+    
+    - name: Checkout additional repo
+      uses: actions/checkout@v6
+      with:
+        repository: frasermolyneux/.github-copilot
+        path: .github-copilot

.github/workflows/dependabot-automerge.yml

@@ -0,0 +1,27 @@
+name: Dependabot Auto-Merge
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  dependabot:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+    - name: Dependabot metadata
+      id: metadata
+      uses: dependabot/fetch-metadata@v2
+      with:
+        github-token: "${{ secrets.GITHUB_TOKEN }}"
+    - name: Enable auto-merge for Dependabot PRs
+      run: gh pr merge --auto --squash "$PR_URL"
+      env:
+        PR_URL: ${{github.event.pull_request.html_url}}
+        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/pr-verify.yml

@@ -0,0 +1,34 @@
+name: PR Verify
+
+on:
+  pull_request:
+    branches:
+      - main
+    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
+
+permissions: {}
+
+jobs:
+  bicep-validation:
+    permissions:
+      contents: read
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    
+    - name: Setup Azure CLI
+      uses: azure/login@v2
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+    
+    - name: Validate Bicep modules
+      shell: bash
+      run: |
+        echo "Validating Bicep modules..."
+        for bicep_file in $(find modules -name "main.bicep"); do
+          echo "Validating $bicep_file"
+          az bicep build --file "$bicep_file"
+        done