feat: improves our pipelines for roots #66

Open

seagyn wants to merge 1 commit into main from feat/improve-root-pipelines

Conversation

@seagyn (Contributor) commented May 22, 2026

Summary

Overhaul of the AWS Terraform root workflows to support automatic change detection, plan-as-artifact, PR comments, optional AI summaries, and approval-gated applies.

Changes

Removed

  • terraform-root-continuous-integration.yaml — replaced by the new CI workflow
  • terraform-root-detect-changes.yaml — logic baked directly into CI

New

  • terraform-root-ci.yaml — full PR pipeline:
    • Accepts a JSON array of all root directories to monitor
    • Auto-detects which roots have file changes (git diff against PR base)
    • Runs lint (fmt -check, validate, tflint) only on changed roots
    • Runs terraform plan only on changed roots
    • Uploads plan as a workflow artifact (viewable in Actions UI)
    • Posts a formatted, collapsible PR comment per root
    • Optionally generates an AI summary via actions/ai-inference@v1 (GitHub Models, openai/gpt-4o-mini) — opt-in with ai-summary: true

Updated

  • terraform-root-plan.yaml — single-root plan workflow:
    • Input renamed from workflow to root
    • Saves plan to file (-out=tfplan)
    • Uploads plan + readable output as artifact
    • Posts PR comment with optional AI summary
    • Can be used standalone or composed into other workflows
  • terraform-root-apply.yaml — two-job plan → approve → apply:
    1. Plan job — runs on main, generates a saved plan, renders it in the workflow step summary, uploads as artifact
    2. Apply job — references a GitHub environment (approval gate via required reviewers), downloads the saved plan, applies with terraform apply tfplan
  • terraform-root-destroy.yaml — now includes:
    • root input for specifying the target directory
    • environment input for GitHub environment approval gate
    • Reviewers must approve before destroy executes

Not changed

  • All Azure workflows (*-azure.yaml) — untouched

How approval works

Approval uses GitHub's native environment protection rules. To enable:

  1. Go to Settings → Environments in the consuming repo
  2. Create an environment (e.g. production)
  3. Enable Required reviewers and add approvers
  4. Pass that environment name as the environment input when calling the apply/destroy workflows

The workflow will pause at the apply/destroy job and show an Approve/Reject button in the Actions UI.

How AI summaries work

Uses GitHub's actions/ai-inference@v1 action which calls GitHub Models (free tier). The plan output is sent to openai/gpt-4o-mini with a prompt asking for a risk assessment and change summary. Opt-in via ai-summary: true — no API keys required, just the models: read permission on the workflow.
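The two-job plan → approve → apply shape and the environment-based approval gate described above, written out as an added example. This is not the PR's own terraform-root-apply.yaml nor any code from the project: the input names `root` and `environment` are taken from the description, while the `aws-role-arn` input, the action versions, the artifact name, the region and the retention setting are assumptions made for the example.

```yaml
# Added example (not the PR's workflow file): reusable plan -> approve -> apply.
# Inputs `root` and `environment` follow the PR description; everything else
# (OIDC role input, action versions, artifact name, region) is assumed.
name: terraform-root-apply (example)

on:
  workflow_call:
    inputs:
      root:
        description: Root directory to plan and apply (e.g. roots/network)
        required: true
        type: string
      environment:
        description: GitHub environment whose required reviewers gate the apply
        required: true
        type: string
      aws-role-arn:
        description: IAM role assumed via OIDC (assumed input, not from the PR)
        required: true
        type: string

# Least privilege: read the repo, mint an OIDC token for AWS, nothing else.
permissions:
  contents: read
  id-token: write

jobs:
  plan:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ inputs.root }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ inputs.aws-role-arn }}
          aws-region: us-east-1   # placeholder region
      - run: terraform init -input=false
      - name: Save the plan to a file so the apply job runs exactly this plan
        run: |
          terraform plan -input=false -out=tfplan
          terraform show -no-color tfplan > tfplan.txt
      - name: Render the plan in the step summary for the approver to read
        env:
          ROOT: ${{ inputs.root }}   # passed via env, not interpolated into the script
        run: |
          {
            echo "## Terraform plan for $ROOT"
            echo '~~~'
            cat tfplan.txt
            echo '~~~'
          } >> "$GITHUB_STEP_SUMMARY"
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan-${{ github.run_id }}
          path: |
            ${{ inputs.root }}/tfplan
            ${{ inputs.root }}/tfplan.txt
          retention-days: 1   # a saved plan can embed sensitive values; keep it short-lived

  apply:
    needs: plan
    runs-on: ubuntu-latest
    # The environment's "Required reviewers" rule pauses this job until an
    # approver clicks Approve in the Actions UI; Reject ends the run here.
    environment: ${{ inputs.environment }}
    defaults:
      run:
        working-directory: ${{ inputs.root }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ inputs.aws-role-arn }}
          aws-region: us-east-1
      - uses: actions/download-artifact@v4
        with:
          name: tfplan-${{ github.run_id }}
          path: ${{ inputs.root }}
      - run: terraform init -input=false
      - name: Apply only the reviewed plan, never a fresh one
        run: terraform apply -input=false tfplan
```

A caller workflow triggered by `on: push: branches: [main]` invokes this with `uses:` and passes `root`, `environment` and the role ARN. The property worth checking when reviewing a workflow of this shape is that the apply step consumes the same `tfplan` file the approver saw in the step summary, rather than re-planning after approval: if the infrastructure drifted between plan and apply, `terraform apply tfplan` fails instead of silently applying something the reviewer never reviewed. Because the binary plan file carries resolved values (including any sensitive attributes), the artifact is scoped to one run and given a one-day retention.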
