chore(ci): update

.github/workflows/golangci-lint.yml

@@ -1,4 +1,5 @@
-name: golangci-lint
+name: Linter
+
 on:
   push:
     tags:
@@ -11,29 +12,31 @@ permissions:
   pull-requests: read
 
 jobs:
-
-  golangci:
-    name: lint
+  golangci-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.2.1
+      - name: Filter paths
+        uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.2.1
         id: filter
         with:
           filters: |
             go:
               - '**/*.go'
               - 'tools/go.mod'
 
-      - uses: actions/setup-go@v5
+      - name: Setup Go
+        uses: actions/setup-go@v5
         if: steps.filter.outputs.go == 'true'
         with:
           go-version-file: 'go.mod'
 
-      - name: golangci-lint
+      - name: Lint code
         if: steps.filter.outputs.go == 'true'
         run: |
           go run -modfile=tools/go.mod github.com/golangci/golangci-lint/cmd/golangci-lint run -v --timeout 5m

.github/workflows/metrics.yml

@@ -1,23 +1,28 @@
-name: metrics
+name: Publish Metrics
 
 on:
-  schedule: [{cron: "0 0 * * *"}]
+  schedule:
+    - cron: "0 0 * * *" # every day at 00:00 UTC (8pm EST)
   workflow_dispatch:
-  push: {branches: ["main"]}
+  push: 
+    branches: 
+      - "main"
 
 jobs:
   github-metrics:
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
-      - uses: lowlighter/metrics@latest
+
+      - name: Generate Metrics
+        uses: lowlighter/metrics@latest
         with:
             template: repository
             filename: metrics.svg
             user: bpg
             repo: terraform-provider-proxmox
-            token: ${{ secrets.METRICS_TOKEN }}
+            token: "${{ secrets.METRICS_TOKEN }}"
             output_action: gist
             committer_gist: 2cc44ead81225542ed1ef0303d8f9eb9
             plugin_lines: yes

.github/workflows/publish.yml

@@ -6,21 +6,33 @@
 # secret. If you would rather own your own GPG handling, please fork this action
 # or use an alternative one for key handling.
 #
-name: publish
+name: Publish Release
+
 on:
   push:
     tags:
       - 'v*'
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
+
+      - name: Generate Short Lived OAuth App Token
+        uses: actions/create-github-app-token@f04aa94d10cf56334d1c580e077ce2e3569e805d #v1.6.3
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+          owner: "${{ github.repository_owner }}"
+          repositories: "${{ github.event.repository.name }}"
+
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Unshallow
         run: git fetch --prune --unshallow
-
+       
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
@@ -31,15 +43,14 @@ jobs:
         uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 #v6.1.0
         with:
           git_user_signingkey: true
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.PASSPHRASE }}
+          gpg_private_key: "${{ secrets.GPG_PRIVATE_KEY }}"
+          passphrase: "${{ secrets.PASSPHRASE }}"
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 #v5.0.0
         with:
           version: latest
           args: release --rm-dist
         env:
-          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
-          # GitHub sets this automatically
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_FINGERPRINT: "${{ steps.import_gpg.outputs.fingerprint }}"
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"

.github/workflows/release-please.yml

@@ -1,4 +1,4 @@
-name: release-please
+name: Release Please
 
 on:
   push:
@@ -9,10 +9,23 @@ on:
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 #v3.7.13
+
+      - name: Generate Short Lived OAuth App Token
+        uses: actions/create-github-app-token@f04aa94d10cf56334d1c580e077ce2e3569e805d #v1.6.3
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+          owner: "${{ github.repository_owner }}"
+          repositories: "${{ github.event.repository.name }}"
+
+      - name: Create / Update Release PR
+        uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 #v3.7.13
         with:
-          token: ${{ secrets.BOT_TOKEN }}
+          token: "${{ steps.app-token.outputs.token }}"
           release-type: go
           bump-minor-pre-major: true
           extra-files: |

.github/workflows/semgrep.yml

@@ -1,4 +1,6 @@
-on:
+name: Semgrep
+
+on: 
   pull_request: {}
   push:
     branches:
@@ -8,15 +10,18 @@ on:
   schedule:
   # random HH:MM to avoid a load spike on GitHub Actions at 00:00
   - cron: 29 16 * * *
-name: Semgrep
+
 jobs:
   semgrep:
-    name: Scan
     runs-on: ubuntu-latest
     env:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      SEMGREP_APP_TOKEN: "${{ secrets.SEMGREP_APP_TOKEN }}"
     container:
       image: returntocorp/semgrep
     steps:
-    - uses: actions/checkout@v4
-    - run: semgrep ci
+
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Semgrep
+      run: semgrep ci

.github/workflows/stale.yaml

@@ -1,17 +1,30 @@
 name: Manage Stale Items
-'on':
+
+on:
   schedule:
     - cron: 00 00 * * *
+
 jobs:
   stale:
     runs-on: ubuntu-latest
     permissions:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@v9
+
+      - name: Generate Short Lived OAuth App Token
+        uses: actions/create-github-app-token@f04aa94d10cf56334d1c580e077ce2e3569e805d #v1.6.3
+        id: app-token
         with:
-          repo-token: '${{ secrets.GITHUB_TOKEN }}'
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+          owner: "${{ github.repository_owner }}"
+          repositories: "${{ github.event.repository.name }}"
+
+      - name: Stale Issues and Pull Requests
+        uses: actions/stale@v9
+        with:
+          repo-token: "${{ steps.app-token.outputs.token }}"
           days-before-stale: 180
           days-before-close: 30
           exempt-issue-labels: 'needs-triage, acknowledged, in-progress'

.github/workflows/test.yml

@@ -1,31 +1,31 @@
 name: Tests
+
 on:
   pull_request: {}
   push:
     branches:
       - main
       - "release/**"
 jobs:
-
   build:
-    name: Build
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
 
-      - name: Check out code into the Go module directory
+      - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.2.1
+      - name: Filter paths
+        uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.2.1
         id: filter
         with:
           filters: |
             go:
               - '**/*.go'
 
-      - name: Set up Go
+      - name: Setup Go
         if: steps.filter.outputs.go == 'true'
         uses: actions/setup-go@v5
         with:
@@ -40,23 +40,24 @@ jobs:
         run: go vet . && go build -v .
 
   test:
-    name: Unit Tests
     needs: build
     runs-on: ubuntu-latest
     steps:
 
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.2.1
+      - name: Filter paths
+        uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 #v2.2.1
         id: filter
         with:
           filters: |
             go:
               - '**/*.go'
 
-      - name: Set up Go
+      - name: Setup Go
         if: steps.filter.outputs.go == 'true'
         uses: actions/setup-go@v5
         with: