ci: add CI workflow with fmt, validate, docs, lint, and release-please jobs

Replace the standalone release-please workflow with a unified CI
workflow that runs formatting checks, terraform validate, docs
freshness, and tflint on every push. Release-please is now handled
by jimeh/release-please-manifest-action with GitHub App auth.

Also:
- Move release-please config files under .github/
- Add changelog-sections and always-update to release-please config
- Add tflint with recommended terraform plugin preset
- Add .gitignore for .terraform/ and .terraform.lock.hcl
- Add lint and lint-fix Make targets
- Clean .terraform.lock.hcl before terraform-docs runs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/release-please-config.json

@@ -0,0 +1,31 @@
+{
+  "packages": {
+    ".": {
+      "release-type": "simple",
+      "changelog-path": "CHANGELOG.md",
+      "bump-minor-pre-major": true,
+      "bump-patch-for-minor-pre-major": true,
+      "draft": false,
+      "prerelease": false,
+      "always-update": true,
+      "include-component-in-tag": false,
+      "extra-files": [
+        "README.md"
+      ],
+      "changelog-sections": [
+        { "type": "feat", "section": "Features" },
+        { "type": "fix", "section": "Bug Fixes" },
+        { "type": "perf", "section": "Performance Improvements" },
+        { "type": "revert", "section": "Reverts" },
+        { "type": "docs", "section": "Documentation" },
+        { "type": "style", "section": "Styles", "hidden": true },
+        { "type": "chore", "section": "Miscellaneous", "hidden": true },
+        { "type": "refactor", "section": "Code Refactoring", "hidden": true },
+        { "type": "test", "section": "Tests", "hidden": true },
+        { "type": "build", "section": "Build System", "hidden": true },
+        { "type": "ci", "section": "CI", "hidden": true }
+      ]
+    }
+  },
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json"
+}

.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+---
+name: CI
+on: [push]
+
+permissions:
+  contents: read
+
+jobs:
+  fmt:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
+      - run: terraform fmt -check -recursive -diff
+      - run: prettier --check README.md
+
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
+      - run: terraform init -backend=false
+      - run: terraform validate
+
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
+      - run: terraform-docs --output-check .
+      - run: prettier --check README.md
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
+      - run: tflint --init
+      - run: tflint --format compact
+
+  release-please:
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/heads/')
+    steps:
+      - uses: jimeh/release-please-manifest-action@84f33fd2828210488c36f3e0a7e3209252d2ae7d # v3.0.0
+        with:
+          target-branch-pattern: "^(main|master)$"
+          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
+          private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}

.github/workflows/release-please.yml

@@ -1,16 +0,0 @@
----
-on: push
-
-jobs:
-  release-please:
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
-    outputs:
-      release_created: ${{ steps.release-please.outputs.release_created }}
-      tag_name: ${{ steps.release-please.outputs.tag_name }} # e.g. v1.0.0
-      version: ${{ steps.release-please.outputs.version }} # e.g. 1.0.0
-    steps:
-      - uses: google-github-actions/release-please-action@v3
-        id: release-please
-        with:
-          command: manifest

.gitignore

@@ -0,0 +1,2 @@
+.terraform/
+.terraform.lock.hcl

.mise.toml

@@ -3,3 +3,4 @@
 node = "lts"
 terraform = "latest"
 terraform-docs = "latest"
+tflint = "latest"

.tflint.hcl

@@ -0,0 +1,4 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}

Makefile

@@ -1,13 +1,23 @@
-.PHONY: docs fmt check
+.PHONY: docs fmt lint lint-fix check
 
 docs:
+	rm -f .terraform.lock.hcl
 	terraform-docs .
 	prettier --write README.md
 
 fmt: docs
 	terraform fmt -recursive
 
-check:
+lint:
+	tflint --init
+	tflint --format compact
+
+lint-fix:
+	tflint --init
+	tflint --fix
+
+check: lint
+	rm -f .terraform.lock.hcl
 	terraform-docs --output-check .
 	prettier --check README.md
 	terraform fmt -check -recursive

release-please-config.json

@@ -1,16 +0,0 @@
-{
-  "packages": {
-    ".": {
-      "release-type": "simple",
-      "changelog-path": "CHANGELOG.md",
-      "bump-minor-pre-major": true,
-      "bump-patch-for-minor-pre-major": true,
-      "draft": false,
-      "prerelease": false,
-      "extra-files": [
-        "README.md"
-      ]
-    }
-  },
-  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json"
-}