ci(runner): migrate inventory to terraform/ and adopt reusable deploy

.github/workflows/terraform.yml

@@ -1,21 +1,15 @@
 name: 'Deploy GitHub Terraform'
 
 on:
-  workflow_dispatch:
-    inputs:
-      skip_refresh:
-        description: >-
-          One-time heal only. Runs plan/apply with -refresh=false to clear
-          phantom state (repos deleted out-of-band that remain in state and make
-          the normal refresh 404). Skips drift detection for this run — use
-          solely to recover a plan that fails on 404 refresh errors, then return
-          to normal runs.
-        type: boolean
-        default: false
+  pull_request:
+    branches: [main]
+    paths:
+      - "terraform/**"
   push:
     branches: [main]
     paths:
-      - "repos/**"
+      - "terraform/**"
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -26,100 +20,16 @@ concurrency:
   cancel-in-progress: false
 
 jobs:
-  terraform:
-    runs-on: ubuntu-latest
-    env:
-      TF_VAR_github_owner: "nwarila-platform"
-      TF_VAR_github_token: "${{ secrets.FINE_GRAINED_PERSONAL_ACCESS_TOKEN }}"
-
-    steps:
-      - name: 'Initialize Temporary AWS Credentials (via OIDC)'
-        uses: 'aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7'  # v6.0.0
-        with:
-          role-to-assume:      ${{ secrets.AWS_ROLE_TO_ASSUME }}
-          aws-region:          ${{ secrets.AWS_REGION }}
-          mask-aws-account-id: true
-
-      - name: 'Checkout This Repository'
-        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'  # v5.0.0
-        with:
-          repository: "${{ github.repository }}"
-          ref: '${{ github.sha }}'
-          path: '${{ github.event.repository.name }}'
-
-      - name: "Checkout The 'GitHub Terraform Framework' Repository"
-        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'  # v5.0.0
-        with:
-          repository: 'nwarila-platform/github-terraform-framework'
-          ref: 'main'
-          path: 'github-terraform-framework'
-
-      - name: 'Download Private Repo Definitions from S3'
-        run: |
-          # Sync every *.yml / *.yaml under the private-repos prefix. Keeping
-          # repo names out of this workflow is intentional — the names are
-          # private metadata and live only in the private S3 prefix. New repo
-          # YAMLs are picked up automatically without touching this file.
-          # Non-YAML objects in the prefix are filtered out.
-          DEST="${{ github.workspace }}/${{ github.event.repository.name }}/repos/private"
-          SRC="s3://${{ secrets.AWS_S3_BUCKET }}/nwarila-platform/${{ github.event.repository.name }}/repos"
-          mkdir -p "$DEST"
-          aws s3 sync "$SRC/" "$DEST/" \
-            --exclude "*" \
-            --include "*.yml" \
-            --include "*.yaml" \
-            --only-show-errors
-          echo "Downloaded $(ls -1 "$DEST" 2>/dev/null | wc -l) private repo definitions."
-
-      - name: 'Assemble Workspace'
-        run: |
-          cp -r "${{ github.workspace }}/${{ github.event.repository.name }}/repos/public/"*  "${{ github.workspace }}/github-terraform-framework/terraform/repos/public/"  2>/dev/null || true
-          cp -r "${{ github.workspace }}/${{ github.event.repository.name }}/repos/private/"* "${{ github.workspace }}/github-terraform-framework/terraform/repos/private/" 2>/dev/null || true
-
-      - name: 'Setup Terraform'
-        uses: 'hashicorp/setup-terraform@v3'
-        with:
-          terraform_version: "1.15.4"
-
-      - name: 'Terraform Init'
-        working-directory: "${{ github.workspace }}/github-terraform-framework/terraform"
-        run: |
-          terraform init                                                                              \
-            -backend-config="bucket=${{ secrets.AWS_S3_BUCKET }}"                                     \
-            -backend-config="encrypt=true"                                                            \
-            -backend-config="key=nwarila-platform/${{ github.event.repository.name }}/terraform.tfstate" \
-            -backend-config="region=${{ secrets.AWS_REGION }}"
-
-      - name: 'Terraform Validate'
-        working-directory: "${{ github.workspace }}/github-terraform-framework/terraform"
-        run: terraform validate
-
-      - name: 'Terraform Plan'
-        working-directory: "${{ github.workspace }}/github-terraform-framework/terraform"
-        run: |
-          REFRESH_FLAG=""
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ "${{ inputs.skip_refresh }}" = "true" ]; then
-            REFRESH_FLAG="-refresh=false"
-            echo "::warning::Terraform Plan running with -refresh=false (one-time phantom-state heal); drift detection is skipped this run."
-          fi
-          terraform plan ${REFRESH_FLAG} -out=tfplan
-          terraform show -no-color tfplan > plan-output.txt
-
-      - name: 'Archive Plan Output'
-        uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02'  # v4.6.2
-        if: always()
-        with:
-          name: terraform-plan-${{ github.sha }}
-          path: "${{ github.workspace }}/github-terraform-framework/terraform/plan-output.txt"
-          retention-days: 90
-
-      - name: 'Terraform Apply'
-        working-directory: "${{ github.workspace }}/github-terraform-framework/terraform"
-        run: terraform apply -auto-approve tfplan
-
-      - name: 'Cleanup Workspace'
-        if: always()
-        run: |
-          rm -f "${{ github.workspace }}/github-terraform-framework/terraform/tfplan"
-          rm -rf "${{ github.workspace }}/${{ github.event.repository.name }}"
-          rm -rf "${{ github.workspace }}/github-terraform-framework"
+  deploy:
+    uses: nwarila-platform/github-terraform-framework/.github/workflows/reusable-terraform-deploy.yaml@a8c17a921ada0e12a70001cf70c1c4fc1597a705  # F1: plan_only fix; config matches live last_push_approval=true, so no governance change
+    with:
+      github_owner: ${{ github.repository_owner }}
+      framework_ref: "a8c17a921ada0e12a70001cf70c1c4fc1597a705"
+      terraform_version: "1.15.4"
+      private_repos_files: ${{ vars.PRIVATE_REPOS_FILES }}
+      plan_only: ${{ github.event_name == 'pull_request' }}
+    secrets:
+      aws_role_arn:    ${{ secrets.AWS_ROLE_TO_ASSUME }}
+      aws_region:      ${{ secrets.AWS_REGION }}
+      backend_bucket:  ${{ secrets.AWS_S3_BUCKET }}
+      gh_token:        ${{ secrets.FINE_GRAINED_PERSONAL_ACCESS_TOKEN }}

.gitignore

@@ -7,8 +7,8 @@
 !/.github/**
 
 # Keep repo definition YAMLs (public only; private YAMLs live in S3).
-!/repos/
-!/repos/public/
-!/repos/public/**
-!/repos/private/
-!/repos/private/.gitkeep
+!/terraform/
+!/terraform/public/
+!/terraform/public/**
+!/terraform/private/
+!/terraform/private/.gitkeep