feat(repos): add proxmox iso manager

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,14 @@
+## Summary
+
+<!-- 1-3 bullets describing what this PR changes and why. -->
+
+## Risk
+
+<!-- What could break? What did you test? Reference any incident drills. -->
+
+## Test plan
+
+- [ ] `make ci` passes locally
+- [ ] PR Validation green in CI
+- [ ] Security Scan green in CI
+- [ ] Documentation reflects the change (when applicable)

.github/workflows/auto-merge.yaml

@@ -0,0 +1,24 @@
+name: Auto-Merge
+# Caller for nwarila/terraform-template reusable-auto-merge workflow.
+# Enables GitHub auto-merge on trusted-bot PRs (Renovate, template-sync,
+# release-please) once required status checks pass. Human-authored PRs are
+# never auto-merged. Renovate manages the SHA pin.
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review, labeled]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: auto-merge-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  auto-merge:
+    permissions:
+      contents: write
+      pull-requests: write
+    uses: NWarila/terraform-template/.github/workflows/reusable-auto-merge.yaml@5a9279e0514ab054d89430a4453409213f9f351f

.github/workflows/codeql.yaml

@@ -0,0 +1,25 @@
+name: CodeQL Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  merge_group:
+  schedule:
+    - cron: "30 6 * * 0"
+  workflow_dispatch:
+
+permissions: {}
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    uses: NWarila/terraform-template/.github/workflows/reusable-codeql.yaml@5a9279e0514ab054d89430a4453409213f9f351f

.github/workflows/org-adr-sync.yaml

@@ -0,0 +1,26 @@
+name: Org ADR Sync
+# Caller for nwarila/terraform-template reusable-org-adr-sync workflow.
+# Verifies that org-baseline ADRs mirrored under docs/decision-records/org/
+# match upstream <owner>/.github byte-for-byte. Runs on every PR so the
+# check is always available as a required status check in branch
+# protection. Renovate manages the SHA pin.
+
+on:
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: org-adr-sync-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify:
+    permissions:
+      contents: read
+    uses: NWarila/terraform-template/.github/workflows/reusable-org-adr-sync.yaml@5a9279e0514ab054d89430a4453409213f9f351f

.github/workflows/pr-validation.yaml

@@ -0,0 +1,37 @@
+name: PR Validation
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  merge_group:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: pr-validation-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    uses: NWarila/terraform-template/.github/workflows/reusable-terraform-validation.yaml@5a9279e0514ab054d89430a4453409213f9f351f
+    with:
+      # renovate: datasource=github-releases depName=hashicorp/terraform extractVersion=^v(?<version>.*)$ versioning=hashicorp
+      terraform_version: "1.15.1"
+      # renovate: datasource=github-releases depName=terraform-linters/tflint extractVersion=^v(?<version>.*)$
+      tflint_version: "0.59.1"
+      # renovate: datasource=github-releases depName=terraform-docs/terraform-docs extractVersion=^v(?<version>.*)$
+      terraform_docs_version: "0.20.0"
+      # renovate: datasource=github-releases depName=open-policy-agent/opa extractVersion=^v(?<version>.*)$
+      opa_version: "1.10.0"
+      template_ref: 5a9279e0514ab054d89430a4453409213f9f351f
+      mode: runner
+      framework_repo: nwarila-platform/github-terraform-framework
+      # Renovate keeps this in lockstep with terraform-deploy.yaml.
+      framework_ref: 2fe1bceb4f2aadfab703244f899e378fa738d1d2
+      overlay_paths: |
+        repos/public/=>terraform/repos/public/
+        tests/fixtures/repos/private/=>terraform/repos/private/

.github/workflows/release-evidence.yaml

@@ -0,0 +1,29 @@
+name: Release Evidence
+# Caller for nwarila/terraform-template reusable-release-evidence workflow.
+# Generates a uniform evidence bundle on every release and attaches it to
+# the GitHub release. Renovate manages the SHA pin.
+#
+# Dispatched explicitly by reusable-release-please.yaml (via `gh workflow
+# run`) on every release. The release-published trigger is included as a
+# defensive fallback for manual releases.
+
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: release-evidence-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  evidence:
+    permissions:
+      contents: write
+    uses: NWarila/terraform-template/.github/workflows/reusable-release-evidence.yaml@5a9279e0514ab054d89430a4453409213f9f351f
+    with:
+      # renovate: datasource=github-releases depName=hashicorp/terraform extractVersion=^v(?<version>.*)$ versioning=hashicorp
+      terraform_version: "1.15.1"

.github/workflows/release-please.yaml

@@ -0,0 +1,26 @@
+name: Release Please
+# Caller for nwarila/terraform-template reusable-release-please workflow.
+# Renovate manages the SHA pin. The reusable always dispatches
+# release-evidence.yaml on every release; no per-repo configuration is
+# needed.
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: release-please
+  cancel-in-progress: false
+
+jobs:
+  release:
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      actions: write
+    uses: NWarila/terraform-template/.github/workflows/reusable-release-please.yaml@5a9279e0514ab054d89430a4453409213f9f351f

.github/workflows/scorecard.yaml

@@ -0,0 +1,24 @@
+name: Scorecard
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: "17 6 * * 2"
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions: read-all
+
+concurrency:
+  group: scorecard
+  cancel-in-progress: false
+
+jobs:
+  analysis:
+    permissions:
+      security-events: write
+      id-token: write
+      actions: read
+      contents: read
+    uses: NWarila/terraform-template/.github/workflows/reusable-scorecard.yaml@5a9279e0514ab054d89430a4453409213f9f351f

.github/workflows/security.yaml

@@ -0,0 +1,25 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  merge_group:
+  schedule:
+    - cron: "0 8 * * 1"
+  workflow_dispatch:
+
+permissions: {}
+
+concurrency:
+  group: security-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    uses: NWarila/terraform-template/.github/workflows/reusable-iac-security.yaml@5a9279e0514ab054d89430a4453409213f9f351f

.github/workflows/template-sync.yaml

@@ -0,0 +1,22 @@
+name: Template Sync
+# Caller for nwarila/terraform-template reusable-template-sync workflow.
+# Renovate manages the SHA pin (both `uses:` and `template_ref:`).
+
+on:
+  schedule:
+    - cron: "17 6 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: template-sync
+  cancel-in-progress: false
+
+jobs:
+  sync:
+    uses: NWarila/terraform-template/.github/workflows/reusable-template-sync.yaml@5a9279e0514ab054d89430a4453409213f9f351f
+    with:
+      template_ref: 5a9279e0514ab054d89430a4453409213f9f351f

.github/workflows/terraform-deploy.yaml

@@ -0,0 +1,51 @@
+name: Deploy GitHub Terraform
+
+# Calls nwarila-platform/github-terraform-framework reusable deploy
+# workflow. This file is byte-identical across all three github-terraform-
+# runner repos; per-runner specifics live in repo Variables and Secrets:
+#
+#   secrets.AWS_ROLE_TO_ASSUME              full IAM role ARN for OIDC
+#   secrets.AWS_REGION                      e.g. us-east-1
+#   secrets.AWS_S3_BUCKET                   tfstate backend + private-repo source bucket
+#   secrets.FINE_GRAINED_PERSONAL_ACCESS_TOKEN  GH PAT for Terraform
+#
+#   vars.PRIVATE_REPOS_FILES   newline-separated list of private-repo
+#                              filenames to download from S3 before deploy.
+#                              Each line is a bare filename (e.g.
+#                              `Personal.yml`); the reusable derives the S3
+#                              URL via the convention
+#                              `s3://<bucket>/<owner-lc>/<repo>/repos/<file>`.
+#                              Leave empty to skip S3 fetch entirely (the
+#                              committed `repos/private/` is still overlaid).
+#
+# github_owner is derived from ${{ github.repository_owner }} so the file
+# itself stays identical across the three runners.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "repos/**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+concurrency:
+  group: tf-${{ github.event.repository.name }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    uses: nwarila-platform/github-terraform-framework/.github/workflows/reusable-terraform-deploy.yaml@40d21e78004ae11e3a2cb4b2d9319643e114743b
+    with:
+      github_owner: ${{ github.repository_owner }}
+      # renovate: datasource=github-releases depName=hashicorp/terraform extractVersion=^v(?<version>.*)$ versioning=hashicorp
+      terraform_version: "1.15.1"
+      private_repos_files: ${{ vars.PRIVATE_REPOS_FILES }}
+    secrets:
+      aws_role_arn: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+      aws_region: ${{ secrets.AWS_REGION }}
+      backend_bucket: ${{ secrets.AWS_S3_BUCKET }}
+      github_token: ${{ secrets.FINE_GRAINED_PERSONAL_ACCESS_TOKEN }}