feat(deploy): restore reusable-terraform-deploy.yaml

[NWarila]

Summary

Restores .github/workflows/reusable-terraform-deploy.yaml to main (442 lines, verbatim from commit 12ad292 on the unmerged chore/standardize-fleet-bead9a4 branch). Allowlists the file in .gitignore per the deny-all strategy.

Why

Every *-runner repo's terraform-deploy.yaml caller pins:

uses: nwarila-platform/github-terraform-framework/.github/workflows/reusable-terraform-deploy.yaml@<framework-main-sha>

That file has never been on main. The deploys silently worked through 2026-05-21 because runner repos hadn't touched terraform/** and the workflow filter never fired; today's NWarila/github-terraform-runner#38 was the first push to terraform/** since the gap was introduced, and it failed at workflow resolution before any job ran.

The unmerged branch had ~10 iterations of bug fixes against the reusable (fix(deploy): use terraform console flag order, fix(deploy): show ruleset console errors, fix(deploy): adopt existing rulesets before plan, etc.). Bringing the tip of that work (12ad292) onto main captures all that prior debugging.

Caller signature (already in place across all runner repos)

| Inputs | github_owner, framework_ref, terraform_version, private_repos_files, private_repos_prefix |
| Secrets | aws_role_arn, aws_region, backend_bucket, gh_token |

Test plan

• Framework CI green (existing tests on terraform/, drift-gate, security)
• actionlint against the new file (local: clean)
• zizmor against the new file (local: 0 findings, 2 suppressed)
• After merge: bump SHA pin in NWarila/github-terraform-runner/.github/workflows/terraform-deploy.yaml (and any other runner repo) — follow-up PR.

Follow-up

After this lands, the runner's terraform-deploy.yaml uses: SHA + framework_ref: input must move to the new framework main HEAD. Renovate's git-refs datasource will eventually propose the bump; a manual PR can move it sooner so that NWarila/packer-runner-template gets created from the still-pending inventory entry.

[github-actions]

Terraform Framework Test Results

Check	Status
Format	✅
Init	✅
Validate	✅
Test Suite	✅

Runs: 55 total, 55 passed, 0 failed, 0 skipped

Full test output

tests/normalization.tftest.hcl... in progress
  run "pattern_blocks_with_only_pattern_field_plans_clean"... pass
  run "merge_queue_with_partial_fields_plans_clean"... pass
  run "pull_request_with_only_merge_methods_plans_clean"... pass
  run "pages_partial_fields_plans_clean"... pass
  run "repo_with_environments_plans_clean"... pass
  run "archived_repo_plans_clean"... pass
  run "empty_repo_set_plans_clean"... pass
  run "org_mode_explicit_codeowners_plans_clean"... pass
  run "personal_mode_synthesizes_codeowners"... pass
  run "push_ruleset_on_private_when_supported_plans_clean"... pass
  run "license_template_defaults_null_not_MIT"... pass
  run "good_minimal_produces_expected_resource_counts"... pass
  run "good_minimal_carries_expected_defaults"... pass
  run "archived_repo_filters_out_downstream_locals"... pass
  run "empty_repo_set_exercises_every_filter_on_zero_input"... pass
  run "good_minimal_produces_zero_environments_zero_codeowners"... pass
  run "explicit_security_and_analysis_overrides_baseline"... pass
  run "multi_branch_sources_all_from_default_not_serially"... pass
  run "fork_repo_passes_through_source_fields"... pass
tests/normalization.tftest.hcl... tearing down
tests/normalization.tftest.hcl... pass
tests/preconditions.tftest.hcl... in progress
  run "rejects_invalid_visibility_enum"... pass
  run "rejects_public_repo_without_description"... pass
  run "rejects_invalid_ruleset_enforcement"... pass
  run "rejects_org_mode_codeowners_required_but_missing"... pass
  run "rejects_env_wait_timer_out_of_range"... pass
  run "rejects_env_branch_policy_mutually_exclusive"... pass
  run "rejects_actions_allowed_actions_enum"... pass
  run "rejects_actions_selected_without_config"... pass
tests/preconditions.tftest.hcl... tearing down
tests/preconditions.tftest.hcl... pass
tests/security.tftest.hcl... in progress
  run "strict_mode_no_gap_plans_clean"... pass
  run "compatibility_mode_no_gap_plans_clean_with_empty_preview"... pass
  run "strict_mode_reports_gaps_across_multiple_visibilities"... pass
  run "no_baseline_no_yaml_collapses_security_to_null"... pass
  run "baseline_feature_enabled_when_capability_matches"... pass
tests/security.tftest.hcl... tearing down
tests/security.tftest.hcl... pass
tests/validation.tftest.hcl... in progress
  run "good_minimal_plans_clean"... pass
  run "rejects_unknown_top_level_key"... pass
  run "rejects_unknown_nested_key"... pass
  run "rejects_allow_forking"... pass
  run "rejects_duplicate_repo_keys"... pass
  run "rejects_unsupported_push_ruleset"... pass
  run "rejects_code_scanning_tool_typo"... pass
  run "rejects_multiple_nested_typos_in_one_repo"... pass
  run "rejects_secrets_written_as_map"... pass
  run "rejects_token_mode_missing_token"... pass
  run "rejects_app_mode_missing_app_auth"... pass
  run "rejects_token_mode_with_app_auth_also_set"... pass
  run "rejects_app_mode_with_token_also_set"... pass
  run "valid_app_auth_plans_clean"... pass
  run "strict_mode_fails_on_capability_gap"... pass
  run "compatibility_mode_tolerates_capability_gap"... pass
  run "push_ruleset_public_supports_true_still_fails"... pass
  run "push_ruleset_private_supports_false_fails"... pass
  run "push_ruleset_internal_supports_true_passes"... pass
  run "push_ruleset_internal_supports_false_fails"... pass
  run "rejects_invalid_github_owner_regex"... pass
  run "rejects_invalid_auth_mode_enum"... pass
  run "rejects_invalid_baseline_mode_enum"... pass
tests/validation.tftest.hcl... tearing down
tests/validation.tftest.hcl... pass

Success! 55 passed, 0 failed.

Commit: ec12fe8