Cross-driver IaC ownership-tagging convention (phase 2 of gocodealone-dns import)

[intel352]

Context

gocodealone-dns (private) now imports DigitalOcean DNS state via GH Action. To detect cross-repo IaC conflicts (e.g. one repo asserts ownership of a record another repo also manages), we need a uniform "who owns this resource" marker convention across IaC drivers.

DigitalOcean DNS records have no native tagging facility, so we adopted a TXT record convention:

_dns-managed-by.<domain>.   IN   TXT   "<owner>"

This issue tracks generalizing the convention across all IaC drivers in the workflow plugin ecosystem.

Proposed convention by resource class

Resource class	Mechanism	Examples
DNS records	TXT _dns-managed-by.<zone>	digitalocean, hover, cloudflare, namecheap
Natively-taggable resources	Tag managed-by:<owner>	DO Droplets/Spaces/Volumes/K8s; AWS EC2/S3/EKS; GCP/Azure equivalents
Untagged + no TXT analogue	Naming prefix mgd-<owner>-<resource>	rare edge cases

Scope

1. Add OwnershipTagger interface to plugin/external/sdk (or extend existing IaC interfaces)
2. Each IaC driver implements:
   • Read: GetOwner(resource) (owner string, source string, error)
   • Write: SetOwner(resource, owner string) error (called on first apply if not already set)
3. wfctl plugin apply reads ownership before mutating; refuses if owner mismatches caller (unless --force)
4. wfctl plugin enumerate-owners --owner <name> lists all resources tagged for owner

Drivers to update

• workflow-plugin-digitalocean (DNS via TXT; everything else via Tags)
• workflow-plugin-aws (Tags everywhere)
• workflow-plugin-azure (Tags everywhere)
• workflow-plugin-gcp (Labels everywhere)
• workflow-plugin-hover (DNS via TXT)
• workflow-plugin-cloudflare (DNS via TXT)
• workflow-plugin-namecheap (DNS via TXT)

Reference

• gocodealone-dns README.md (TXT convention) — https://github.com/GoCodeAlone/gocodealone-dns
• Filed 2026-05-25 as Phase 2 followup to the gocodealone-dns import scaffold.

[intel352]

Audit result: still relevant.

Verified against latest origin/main: there is no OwnershipTagger, GetOwner, SetOwner, enumerate-owners, or _dns-managed-by implementation in workflow core/wfctl/plugin SDK. The request still matches the repository direction because ownership checks belong at the IaC plugin/wfctl mutation boundary and require a multi-driver cascade.

[intel352]

Progress update while addressing this issue:

• Verified latest workflow main now has DNS ownership enforcement through wfctl dns-policy and the _workflow-dns-policy.<zone> TXT convention. That supersedes the older per-record _dns-managed-by.<domain> proposal for DNS.
• Opened PR docs: clarify DNS ownership policy #821 to document that current DNS ownership mechanism and narrow the issue scope.
• Remaining scope is the generic cloud-resource side: natively taggable resources should converge on a provider-appropriate managed-by:<owner>/label convention, and wfctl/provider plugins still need a concrete ownership read/write/enumeration contract for those resources.

I am leaving this issue open until that generic tag/label ownership pass is implemented across the provider plugins.

[intel352]

Progress update:

• Core ownership contract shipped in workflow PR feat(iac): add resource ownership contract #824 and released as GoCodeAlone/workflow@v0.69.1.
• DigitalOcean cascade shipped in GoCodeAlone/workflow-plugin-digitalocean PR build(deps-dev): bump minimatch from 3.1.2 to 3.1.5 in /ui in the npm_and_yarn group across 1 directory #180 and released as v2.1.8.
• The workflow release includes grpc-versions.txt, and the DigitalOcean release workflow passed contract validation, runtime capability truth-check, post-build manifest validation, and registry notification.
• Copilot review threads on PR build(deps-dev): bump minimatch from 3.1.2 to 3.1.5 in /ui in the npm_and_yarn group across 1 directory #180 were resolved before admin merge.

Leaving this issue open because the original scope is cross-driver. Remaining cascades still need evaluation/implementation for AWS, Azure, GCP, Hover, Cloudflare, and Namecheap ownership providers/conventions.

[intel352]

AWS cascade update for workflow#779:

• Implemented AWS ownership tagging in feat: add AWS ownership tagging workflow-plugin-aws#37.
  • Adds IaCProviderOwnership via AWS Resource Groups Tagging API.
  • Uses workflow-owner tag key for ARN-backed resources.
  • Bumps workflow dependency to v0.69.7 and minEngineVersion to 0.69.1.
  • Adds manifest parity coverage for root vs embedded iacServices.
• PR Define and Document Application UI Build/Serve Contract for Workflow Engine #37 passed CI, host conformance, CodeQL, Copilot review, and was admin-merged.
• Released workflow-plugin-aws v2.2.0: https://github.com/GoCodeAlone/workflow-plugin-aws/releases/tag/v2.2.0
• Registry cascade chore: sync aws to v2.2.0 workflow-registry#192 updated plugins/aws/manifest.json to v2.2.0 with SHA-256 checksums restored, passed registry validation/CodeQL/Copilot, and was admin-merged.

Remaining provider cascades for this issue still include Azure, GCP, Hover, Cloudflare, and Namecheap.

[intel352]

Azure ownership cascade for this issue is complete.

Completed:

• workflow-plugin-azure PR feat: add ownership tagging workflow-plugin-azure#35 merged (42e5e5021bbaa0df4819832da0aa62983734a0e6).
• Added IaCProviderOwnership backed by Azure ARM workflow-owner tags.
• Updated blob storage driver to return ARM container IDs as ProviderID so ownership works for infra.storage too.
• Released workflow-plugin-azure v2.2.0: https://github.com/GoCodeAlone/workflow-plugin-azure/releases/tag/v2.2.0
• Registry sync PR chore: sync azure to v2.2.0 workflow-registry#193 merged (5c49a6a4bef5a7082e46065c6a1b653a0660412e) with release SHA-256 checksums preserved.

Verification:

• Azure local: focused ownership/blob tests, GOWORK=off go test ./... -count=1, GOWORK=off go vet ./..., git diff --check.
• Azure PR CI: CodeQL, Build & Test, typed-iac-engine-range, Analyze(actions), Strict Contract Validation all passed.
• Azure post-merge main workflows and release workflow all passed.
• Registry local validation and PR CI all passed.

Remaining provider cascades still include GCP, Hover, Cloudflare, and Namecheap.

[intel352]

GCP cascade completed.

• workflow-plugin-gcp PR Potential fix for code scanning alert no. 17: Database query built from user-controlled sources #31 merged: added IaCProviderOwnership support backed by workflow-owner labels, with Cloud Asset owner lookup/listing and label updates across supported drivers.
• Released workflow-plugin-gcp v2.2.0. The release workflow failed only in the final draft-publish step after GoReleaser had uploaded assets; I published the draft release manually.
• workflow-registry PR feat: add step.s3_upload pipeline step for S3-compatible object storage #194 merged: registry now points gcp at v2.2.0 with current capabilities, min engine 0.69.1, asset URLs, and checksums.
• workflow-plugin-gcp PR Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 in /example in the go_modules group across 1 directory #32 merged: release workflow now publishes drafts with gh release edit --draft=false, matching the AWS/Azure pattern and avoiding the draft lookup race.

Follow-up release sweep from the GCP failure:

• Current AWS v2.2.0 and Azure v2.2.0 release workflows are green.
• Fixed and merged additional release workflow failures in workflow-plugin-compute Fix 3 UI bugs found during exploratory testing #21, workflow-plugin-crypto [WIP] Upgrade Modular #4, and workflow-plugin-volunteer-science [WIP] Upgrade Modular #4; post-merge CI is green for all three.
• Cloudflare's failed registry notify path was already fixed on current main; no new PR needed.

[intel352]

Final remaining-provider audit for workflow#779:

• Hover, Cloudflare, and Namecheap were rechecked against latest origin/main.
• All three expose infra.dns through strict-contract ResourceDriver implementations, and current workflow core routes DNS ownership through wfctl dns-policy / _workflow-dns-policy.<zone> via dns/gate.DriverReader.
• cmd/wfctl/dns_policy.go and dns/gate/gate.go explicitly document support for DO / CF / NC / Hover through IaCProvider.ResourceDriver("infra.dns"); no per-provider IaCProviderOwnership implementation is needed for these DNS-only ownership semantics.
• Cloudflare and Namecheap have registrar/domain-transfer surfaces, but they are not natively taggable cloud resources and do not fit the workflow-owner tag/label contract shipped for DO/AWS/Azure/GCP. Adding ownership providers there would duplicate the DNS policy mechanism or invent an unsupported owner side channel.

With DO, AWS, Azure, and GCP ownership providers released and registry-synced, and DNS providers covered by the shipped DNS policy mechanism, I consider this issue complete.