ci(infrastructure): add terraform fmt and validate reusable CI workflow

[katriendg]

Description

Adds automated terraform fmt and terraform validate enforcement to the CI pipeline, closing the last gap in Terraform quality checks. TFLint was added in #229 but formatting and validation remained manual-only. This PR adds a reusable workflow that runs both checks on every PR and main branch push.

Closes #288

Implementation

A new PowerShell script (Invoke-TerraformValidation.ps1) runs terraform fmt -check -recursive across all Terraform files and terraform init -backend=false && terraform validate in each of the four deployment directories (., vpn/, dns/, automation/). The changed-files-only workflow input scopes PR validation to directories with modified .tf or .tfvars files, skipping unaffected directories.

Both pr-validation.yml and main.yml wire in the workflow with soft-fail: true, matching the pattern used by terraform-lint.yml. The lint:tf:validate npm script exposes the same check locally.

Files changed

File	Change
.github/workflows/terraform-validation.yml	New reusable workflow
shared/ci/linting/Invoke-TerraformValidation.ps1	New validation script (249 lines)
shared/ci/tests/Invoke-TerraformValidation.Tests.ps1	Pester test suite (363 lines)
.github/workflows/pr-validation.yml	Wired in terraform-validation job
.github/workflows/main.yml	Wired in terraform-validation job
package.json	Added lint:tf:validate script
.gitignore	Excluded dependency-pinning-artifacts/
docs/contributing/ (3 files)	Updated validation commands to use npm run lint:tf:validate
.github/copilot-instructions.md	Updated validation reference table

Type of Change

• 🐛 Bug fix (non-breaking change fixing an issue)
• ✨ New feature (non-breaking change adding functionality)
• 💥 Breaking change (fix or feature causing existing functionality to change)
• 📚 Documentation update
• 🏗️ Infrastructure change (Terraform/IaC)
• ♻️ Refactoring (no functional changes)

Component(s) Affected

• infrastructure/terraform/prerequisites/ - Azure subscription setup
• infrastructure/terraform/ - Terraform infrastructure
• infrastructure/setup/ - OSMO control plane / Helm
• workflows/ - Training and evaluation workflows
• training/ - Training pipelines and scripts
• docs/ - Documentation

Testing Performed

• Terraform plan reviewed (no unexpected changes)
• Terraform apply tested in dev environment
• Training scripts tested locally with Isaac Sim
• OSMO workflow submitted successfully
• Smoke tests passed (smoke_test_azure.py)

Pester tests (npm run test:ps) passed. No Azure credentials required — terraform init -backend=false skips all remote backend calls. Terraform plan is not applicable to CI workflow and script changes.

Documentation Impact

• Documentation updated in this PR

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

Note

Also updated .gitignore to not track files in the ephemeral folder ./dependency-pinning-artifacts/

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 5.9	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/upload-artifact	bbbca2ddaa5d8feaa63e36b76fdaad77386f024f	🟢 5.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 4 4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/hashicorp/setup-terraform	b9cd54a3c349d3f38e8881555d616ced269862dd	🟢 6.2	Details Check Score Reason Code-Review 🟢 4 Found 2/5 approved changesets -- score normalized to 4 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 12 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/terraform-validation.yml

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 9.79%. Comparing base (01ea384) to head (406f0e6).

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #293   +/-   ##
=====================================
  Coverage   9.79%   9.79%           
=====================================
  Files         29      29           
  Lines       3881    3881           
  Branches     497     497           
=====================================
  Hits         380     380           
  Misses      3491    3491           
  Partials      10      10           

Flag	Coverage Δ		*Carryforward flag
pester	79.87% <ø> (ø)
pytest	6.89% <ø> (ø)		Carriedforward from a3aff2f

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.