ci: Refactor GitHub Actions

- simplify GitHub Actions
- remove old build/lint/release workflows
- add a reusable setup-go composite action
- add new ci workflow to run build, MegaLinter, tests, Sonar, and CodeQL
- add new release workflow with semantic‑release dry run and manual release

Author: refucktor

.github/actions/setup-go/action.yml

@@ -0,0 +1,25 @@
+name: Setup Go
+description: |
+  This action sets up the Go environment for your project, downloading the necessary modules
+  and preparing the environment for building or testing Go applications.
+inputs:
+  go-version-file:
+    description: Path to go.mod file
+    default: 'go.mod'
+  go-version:
+    description: Explicit Go version
+    required: false
+    default: '1.24'
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Go environment
+      uses: actions/setup-go@v5.5.0
+      with:
+        go-version-file: ${{ inputs.go-version-file }}
+        go-version: ${{ inputs.go-version }}
+        cache: true
+    - name: Download Go modules
+      run: go mod download
+      shell: bash

.github/workflows/build.yml

@@ -0,0 +1,137 @@
+name: Continuous Integration
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main, dev]
+  schedule:
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  build:
+    name: Go Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git Checkout
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+      - name: Go Build
+        run: go build -v ./...
+
+  lint:
+    name: Linters
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Git Checkout
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+      - name: GolangCI Lint
+        uses: golangci/golangci-lint-action@v8
+        with:
+          version: v2.1
+          args: --config=.linters/.golangci.yml
+      - name: MegaLinter
+        uses: oxsecurity/megalinter/flavors/go@v8
+        id: ml
+        env:
+          VALIDATE_ALL_CODEBASE: true
+          DEFAULT_WORKSPACE: ${{ github.workspace }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Archive reports
+        uses: actions/upload-artifact@v4
+        if: ${{ success() || failure() }}
+        with:
+          name: MegaLinter reports
+          path: |
+            .ml-reports/
+            mega-linter.log
+
+  tests:
+    name: Go All Tests
+    runs-on: ubuntu-latest
+    needs: build
+    strategy:
+      matrix:
+        tf-version: ['1.11.*', '1.12.*']
+    steps:
+      - name: Git Checkout
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ matrix.tf-version }}
+          terraform_wrapper: false
+      - name: Run Tests
+        run: go test ./internal/provider -v -coverprofile=tests-report.lcov -json > tests-report.log
+        env:
+          TF_ACC: '1'
+      - name: Codecov Upload Coverage
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          verbose: true
+          files: tests-report.lcov
+      - name: Codecov Upload Test Results
+        if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload Test Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: tests-report-${{ github.sha }}
+          path: |
+            tests-report.lcov
+            tests-report.log
+          retention-days: 7
+          overwrite: true
+
+  sonar:
+    name: SonarCloud Scan
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    needs: [tests]
+    steps:
+      - name: Git Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Download Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: tests-report-${{ github.sha }}
+      - name: Sonarqube Scan
+        uses: SonarSource/sonarqube-scan-action@v5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  codeql:
+    name: CodeQL Scan
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+    needs: build
+    steps:
+      - name: Git Checkout
+        uses: actions/checkout@v4
+      - name: CodeQL Analysis
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+      - name: CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:go'