ci: add IaC host conformance gate#94

Merged: intel352 merged 1 commit into main from codex/iac-host-conformance on May 10, 2026

@intel352
Contributor

Summary

  • add an IaC host conformance workflow that runs the plugin against its declared minimum Workflow engine and the current Workflow release
  • add a gated Go smoke test that builds the plugin binary, loads it through Workflow's external plugin manager, asserts typed IaC service registration, and calls required typed RPCs
  • bump the DO plugin Workflow dependency and minEngineVersion to v0.51.2, the first engine version that can load strict-cutover IaC plugins with intentionally unimplemented GetManifest

Why

Best practice for provider compatibility is to test the real host/plugin boundary, not just compile the provider. This follows the same shape as provider acceptance/smoke tests: build the provider artifact, load it via the host harness, and run the matrix against the declared minimum plus current engine.

Red/green proof:

With the new conformance test against v0.51.0:

$ ./scripts/workflow-iac-host-conformance.sh v0.51.0 current-red
FAIL — get manifest from plugin workflow-plugin-digitalocean: rpc error: code = Unimplemented desc = method GetManifest not implemented

With Workflow v0.51.2:

$ ./scripts/workflow-iac-host-conformance.sh v0.51.2 current
PASS

Antagonistic review: Mendel requested changes for release metadata scope and token cleanup. Release URL/version churn was removed; the token rewrite now has an always() cleanup step. Follow-up review verdict: SHIP-IT.

Verification

  • GOWORK=off go test ./...
  • GOWORK=off go vet ./...
  • ./scripts/workflow-iac-host-conformance.sh v0.51.2 current
  • wfctl plugin validate --file plugin.json --strict-contracts via Workflow v0.51.2

Copilot AI review requested due to automatic review settings May 10, 2026 23:37
@intel352
Contributor Author

iac-codemod refactor-apply report

Mode: dry-run
Sites: 1
Errors: 0

Skipped (// wfctl:skip-iac-codemod)

  • internal/provider.go:255 DOProvider.Apply skipped

Full report (90-day retention) attached as workflow artifact.

Copilot AI left a comment

Pull request overview

Adds a CI “host/plugin boundary” conformance gate that validates this provider can be loaded and exercised by real Workflow engine releases—specifically the declared minEngineVersion and the current Workflow release—so compatibility regressions are caught before merge/release.

Changes:

  • Introduces a GitHub Actions workflow that runs a conformance script against the declared minimum and current Workflow engine versions.
  • Adds a gated Go smoke test that builds the plugin binary, loads it via Workflow’s external plugin manager, asserts typed IaC service registration, and exercises required typed RPCs.
  • Bumps the pinned Workflow dependency and plugin.json minEngineVersion to v0.51.2.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| scripts/workflow-iac-host-conformance.sh | Builds a temp repo copy and runs the host conformance smoke test against a selected Workflow engine version. |
| plugin.json | Updates declared minimum Workflow engine version to 0.51.2. |
| internal/host_conformance_test.go | Adds a gated smoke test that builds + loads the plugin through Workflow’s external host and calls required typed RPCs. |
| go.mod | Bumps github.com/GoCodeAlone/workflow to v0.51.2. |
| go.sum | Updates checksums to match the Workflow v0.51.2 dependency bump. |
| .github/workflows/iac-host-conformance.yml | Adds CI workflow to run conformance against minimum and current Workflow engine releases (with private-repo token handling + cleanup). |

- name: Determine Workflow engine versions
id: versions
env:
GH_TOKEN: ${{ github.token }}
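
Review bot: GH_TOKEN in this step's env block is set to github.token, which is scoped to the repository running the workflow, so a release lookup against another repository, or a private one, can fail. Prefer a dedicated read-only secret with a fallback to github.token, keep the token in step-level env as it is here rather than at job level, and fail the step when no engine version is resolved.
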
Contributor Author

Fixed in follow-up PR #95 by changing the conformance release lookup to prefer secrets.RELEASES_TOKEN and fall back to github.token. Mirrored the same fix in workflow-plugin-aws#7.

Exercise the released Workflow host against the declared minimum and current engine versions so strict IaC plugin compatibility cannot drift silently.