ci: add dotnet-ci workflow and Terraform config for GitHub environment

- Add .github/workflows/dotnet-ci.yml: unit-test job runs on every PR/push
  with no env vars (integration tests auto-skip); integration-test job is
  gated by vars.INTEGRATION_TESTS_ENABLED and uses the integration-tests
  GitHub environment provisioned by Terraform.
- Add terraform/ config backfilling the existing repo, team access, and
  branch ruleset; creates the integration-tests environment with
  SECRET_SERVER_* secrets and INTEGRATION_TESTS_ENABLED repo variable.
- State stored in Azure Blob (kfghtfstatesn84ro / tfstate container).

Author: spbsoluble

.github/workflows/dotnet-ci.yml

@@ -0,0 +1,53 @@
+name: Build and Test
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release-*
+
+jobs:
+  unit-test:
+    name: Build and Unit Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '10.x'
+
+      - name: Build
+        run: dotnet build delinea-secretserver-pam.sln -c Release
+
+      - name: Unit Test
+        # No SECRET_SERVER_* env vars set — IntegrationFactAttribute auto-skips integration tests
+        run: dotnet test delinea-secretserver-pam.Tests/delinea-secretserver-pam.Tests.csproj --no-build -c Release --logger "console;verbosity=normal"
+
+  integration-test:
+    name: Integration Test
+    runs-on: ubuntu-latest
+    needs: unit-test
+    # Skipped entirely when the environment hasn't been provisioned via Terraform
+    if: vars.INTEGRATION_TESTS_ENABLED == 'true'
+    environment: integration-tests
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '10.x'
+
+      - name: Build
+        run: dotnet build delinea-secretserver-pam.sln -c Release
+
+      - name: Integration Test
+        run: dotnet test delinea-secretserver-pam.Tests/delinea-secretserver-pam.Tests.csproj --no-build -c Release --logger "console;verbosity=normal"
+        env:
+          SECRET_SERVER_URL: ${{ secrets.SECRET_SERVER_URL }}
+          SECRET_SERVER_USERNAME: ${{ secrets.SECRET_SERVER_USERNAME }}
+          SECRET_SERVER_PASSWORD: ${{ secrets.SECRET_SERVER_PASSWORD }}
+          SECRET_SERVER_SECRET_ID: ${{ secrets.SECRET_SERVER_SECRET_ID }}
+          SECRET_SERVER_SKIP_TLS_VALIDATION: ${{ vars.SECRET_SERVER_SKIP_TLS_VALIDATION }}
+          KEYFACTOR_PAM_SKIP_TLS_VALIDATION: ${{ vars.SECRET_SERVER_SKIP_TLS_VALIDATION }}

terraform/.gitignore

@@ -0,0 +1,5 @@
+terraform.tfvars
+.terraform/
+.terraform.lock.hcl
+*.tfstate
+*.tfstate.backup

terraform/backend.hcl

@@ -0,0 +1,4 @@
+resource_group_name  = "rg-keyfactor-github-tfstate"
+storage_account_name = "kfghtfstatesn84ro"
+container_name       = "tfstate"
+key                  = "github/repos/delinea-secretserver-pam/terraform.tfstate"

terraform/branch_protection.tf

@@ -0,0 +1,48 @@
+# Ruleset ID 11607153 — "Protect default and release branches"
+# Covers ~DEFAULT_BRANCH and refs/heads/release-* (enforced, active).
+
+resource "github_repository_ruleset" "protect_default_and_release" {
+  name        = "Protect default and release branches"
+  repository  = github_repository.repo.name
+  target      = "branch"
+  enforcement = "active"
+
+  conditions {
+    ref_name {
+      include = ["~DEFAULT_BRANCH", "refs/heads/release-*"]
+      exclude = []
+    }
+  }
+
+  bypass_actors {
+    actor_id    = null
+    actor_type  = "OrganizationAdmin"
+    bypass_mode = "always"
+  }
+
+  bypass_actors {
+    actor_id    = null
+    actor_type  = "DeployKey"
+    bypass_mode = "always"
+  }
+
+  bypass_actors {
+    actor_id    = 5
+    actor_type  = "RepositoryRole"
+    bypass_mode = "always"
+  }
+
+  rules {
+    deletion         = true
+    non_fast_forward = true
+    update           = true
+
+    pull_request {
+      required_approving_review_count   = 0
+      dismiss_stale_reviews_on_push     = false
+      require_code_owner_review         = false
+      require_last_push_approval        = false
+      required_review_thread_resolution = false
+    }
+  }
+}

terraform/import.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+# Imports existing GitHub resources into Terraform state.
+# Run once after `terraform init -backend-config=backend.hcl`.
+# Safe to re-run — Terraform skips resources already in state.
+
+set -euo pipefail
+
+terraform import github_repository.repo                        delinea-secretserver-pam
+terraform import github_team_repository.integration_engineers  integration-engineers:delinea-secretserver-pam
+terraform import github_team_repository.release_builders       release_builders:delinea-secretserver-pam
+terraform import github_team_repository.private_access         private-access:delinea-secretserver-pam
+terraform import github_repository_ruleset.protect_default_and_release \
+  delinea-secretserver-pam:11607153

terraform/main.tf

@@ -0,0 +1,104 @@
+locals {
+  repo_name = "delinea-secretserver-pam"
+}
+
+# ── Repository ────────────────────────────────────────────────────────────────
+
+resource "github_repository" "repo" {
+  name        = local.repo_name
+  description = "The Delinea Secret Server PAM Provider allows for the retrieval of stored account credentials from a Delinea Secret Server secret. A valid username, password and secret share settings are required."
+  visibility  = "public"
+
+  has_issues      = true
+  has_projects    = true
+  has_wiki        = true
+  has_discussions = false
+
+  allow_merge_commit     = true
+  allow_squash_merge     = true
+  allow_rebase_merge     = true
+  squash_merge_commit_title   = "COMMIT_OR_PR_TITLE"
+  squash_merge_commit_message = "COMMIT_MESSAGES"
+
+  delete_branch_on_merge = false
+  allow_auto_merge       = false
+
+  topics = ["keyfactor-pam"]
+}
+
+resource "github_repository_dependabot_security_updates" "repo" {
+  repository = github_repository.repo.id
+  enabled    = true
+}
+
+# ── Team access ───────────────────────────────────────────────────────────────
+
+resource "github_team_repository" "integration_engineers" {
+  team_id    = "4319508"
+  repository = github_repository.repo.name
+  permission = "push"
+}
+
+resource "github_team_repository" "release_builders" {
+  team_id    = "6287033"
+  repository = github_repository.repo.name
+  permission = "admin"
+}
+
+resource "github_team_repository" "private_access" {
+  team_id    = "5888166"
+  repository = github_repository.repo.name
+  permission = "pull"
+}
+
+# ── Integration test environment ──────────────────────────────────────────────
+
+resource "github_repository_environment" "integration_tests" {
+  repository  = github_repository.repo.name
+  environment = "integration-tests"
+}
+
+resource "github_actions_environment_secret" "secret_server_url" {
+  repository      = github_repository.repo.name
+  environment     = github_repository_environment.integration_tests.environment
+  secret_name     = "SECRET_SERVER_URL"
+  value = var.secret_server_url
+}
+
+resource "github_actions_environment_secret" "secret_server_username" {
+  repository      = github_repository.repo.name
+  environment     = github_repository_environment.integration_tests.environment
+  secret_name     = "SECRET_SERVER_USERNAME"
+  value = var.secret_server_username
+}
+
+resource "github_actions_environment_secret" "secret_server_password" {
+  repository      = github_repository.repo.name
+  environment     = github_repository_environment.integration_tests.environment
+  secret_name     = "SECRET_SERVER_PASSWORD"
+  value = var.secret_server_password
+}
+
+resource "github_actions_environment_secret" "secret_server_secret_id" {
+  repository      = github_repository.repo.name
+  environment     = github_repository_environment.integration_tests.environment
+  secret_name     = "SECRET_SERVER_SECRET_ID"
+  value = var.secret_server_secret_id
+}
+
+resource "github_actions_environment_variable" "skip_tls_validation" {
+  repository    = github_repository.repo.name
+  environment   = github_repository_environment.integration_tests.environment
+  variable_name = "SECRET_SERVER_SKIP_TLS_VALIDATION"
+  value         = "true"
+}
+
+# ── Repository variable to gate integration tests in CI ───────────────────────
+# When this variable is absent (no terraform apply yet), the integration-test
+# job in dotnet-ci.yml is skipped entirely via `if: vars.INTEGRATION_TESTS_ENABLED == 'true'`.
+
+resource "github_actions_variable" "integration_tests_enabled" {
+  repository    = github_repository.repo.name
+  variable_name = "INTEGRATION_TESTS_ENABLED"
+  value         = "true"
+}

terraform/outputs.tf

@@ -0,0 +1,14 @@
+output "repository_url" {
+  description = "HTTPS URL of the repository."
+  value       = github_repository.repo.html_url
+}
+
+output "repository_ssh_clone_url" {
+  description = "SSH clone URL."
+  value       = github_repository.repo.ssh_clone_url
+}
+
+output "integration_tests_environment" {
+  description = "Name of the GitHub environment used for integration tests."
+  value       = github_repository_environment.integration_tests.environment
+}

terraform/providers.tf

@@ -0,0 +1,28 @@
+terraform {
+  required_version = ">= 1.6"
+
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+  }
+
+  # Remote state in Azure Blob Storage (shared with other plugin repos).
+  # Run: terraform init -backend-config=backend.hcl
+  backend "azurerm" {}
+}
+
+provider "github" {
+  owner = "Keyfactor"
+  token = var.github_token
+}
+
+provider "azurerm" {
+  features {}
+  subscription_id = var.azure_subscription_id
+}

terraform/terraform.tfvars.example

@@ -0,0 +1,12 @@
+# Copy to terraform.tfvars and fill in real values.
+# terraform.tfvars is gitignored — never commit it.
+
+github_token = "ghp_YOUR_PERSONAL_ACCESS_TOKEN"
+
+# Optional — defaults to the Keyfactor Azure subscription
+# azure_subscription_id = "b3114ff1-bb92-45b6-9bd6-e4a1eed8c91e"
+
+secret_server_url       = "https://your-instance.secretservercloud.com/SecretServer"
+secret_server_username  = ""
+secret_server_password  = ""
+secret_server_secret_id = ""

terraform/variables.tf

@@ -0,0 +1,34 @@
+variable "github_token" {
+  description = "GitHub Personal Access Token with repo, admin:org, and workflow scopes."
+  type        = string
+  sensitive   = true
+}
+
+variable "azure_subscription_id" {
+  description = "Azure subscription ID for the Terraform remote state backend."
+  type        = string
+  default     = "b3114ff1-bb92-45b6-9bd6-e4a1eed8c91e"
+}
+
+variable "secret_server_url" {
+  description = "Delinea Secret Server base URL for integration tests."
+  type        = string
+  sensitive   = true
+}
+
+variable "secret_server_username" {
+  description = "Username for Secret Server integration test auth."
+  type        = string
+  sensitive   = true
+}
+
+variable "secret_server_password" {
+  description = "Password for Secret Server integration test auth."
+  type        = string
+  sensitive   = true
+}
+
+variable "secret_server_secret_id" {
+  description = "Secret ID to retrieve in integration tests."
+  type        = string
+}