Merged
Conversation
Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add comprehensive operationalization plan document
Add docs/OPERATIONALIZATION_PLAN.md
Feb 22, 2026
intel352
approved these changes
Feb 22, 2026
3 tasks
intel352
added a commit
that referenced
this pull request
Apr 24, 2026
…egistry, typed gRPC args, migrate image, teardown Five features bundled into v0.19.0 for shared config-file shape (wfctl.yaml + .wfctl-lock.yaml) and release boundary. Each addresses architectural debt surfaced during BMW tonight's deploy blocker chain. Features: - A. Plugin manifest + lockfile split (tasks #42/#43) - B. Multi-registry + IaCProvider.EnsureRegistryAuth (task #48) - C. Typed-args refactor for IaCProvider gRPC (task #41) - D. Official workflow-migrate Docker image (task #49) - E. wfctl infra teardown with mandatory dry-run + --approve flag (new) Non-goals: constraint-based plugin resolution (v0.20.0), transitive plugin deps, OCI chart/artifact registries, cross-registry mirroring. Autonomous pipeline target: v0.19.0 after BMW post-teardown stabilizes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
intel352
added a commit
that referenced
this pull request
Apr 24, 2026
* docs: v0.19.0 architectural cleanup design — plugin manifest, multi-registry, typed gRPC args, migrate image, teardown Five features bundled into v0.19.0 for shared config-file shape (wfctl.yaml + .wfctl-lock.yaml) and release boundary. Each addresses architectural debt surfaced during BMW tonight's deploy blocker chain. Features: - A. Plugin manifest + lockfile split (tasks #42/#43) - B. Multi-registry + IaCProvider.EnsureRegistryAuth (task #48) - C. Typed-args refactor for IaCProvider gRPC (task #41) - D. Official workflow-migrate Docker image (task #49) - E. wfctl infra teardown with mandatory dry-run + --approve flag (new) Non-goals: constraint-based plugin resolution (v0.20.0), transitive plugin deps, OCI chart/artifact registries, cross-registry mirroring. Autonomous pipeline target: v0.19.0 after BMW post-teardown stabilizes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: v0.19.0 design — add Features F, G, H (outputs, verify, secret sinks) Scope expanded from 5 to 7 features per user feedback on BMW CI gap audit: - F. wfctl infra outputs with masked-by-default sensitivity + GHA ::add-mask:: - G. wfctl deploy verify with multi-target healthcheck + retry/timeout gate - H. Declarative secret sinks (outputs.<field>.sinks[]) — plaintext never leaves wfctl process; built-in github_secret + github_env handlers; aws/gcp/azure sinks via plugin fan-out in v0.19.x Motivation: BMW's Capture staging DB URL step uses doctl + awk + gh secret set shell pipeline, leaking DATABASE_URL plaintext through stdout/env/argv. Declarative sink pattern (like terraform's output-to-secret-manager) writes the value in-process directly to the GitHub secrets API with libsodium encryption. Matches user's stated principle: "if BMW CI has provider-specific shell, fix it in workflow/wfctl so the CI stays declarative." Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: v0.19.0 implementation plan — 7 features × 9 phases Matches design doc 2026-04-24-v0.19.0-architectural-cleanup-design.md: - Phase 1 alpha.1: Feature A (plugin manifest + lockfile) - Phase 2 alpha.2: Feature C client-side (typed gRPC args) - Phase 3 (DO plugin v0.8.0): Feature C server-side + integration tests - Phase 4 alpha.3: Feature B (multi-registry) - Phase 5 (DO plugin v0.8.1): Feature B server-side (EnsureRegistryAuth) - Phase 6a rc1: Feature D (workflow-migrate image) - Phase 6b rc2: Feature E (wfctl infra teardown) - Phase 6c rc3: Features F + G + H (outputs + verify + sinks) - Phase 7: v0.19.0 final + changelog + docs - Phase 8: Plugin fan-out (aws/gcp/azure/tofu) in parallel - Phase 9: BMW migration PR (after v0.19.0 stabilizes) Timing: all phases can merge independently; final v0.19.0 tag and Phase 9 hold until BMW's tonight deploy chain reaches prod /healthz green (task #26). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: address PR #474 review — reconcile feature count, flag naming, source task column --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
intel352
added a commit
that referenced
this pull request
Apr 24, 2026
…nfra_output (#476) * docs: v0.19.0 architectural cleanup design — plugin manifest, multi-registry, typed gRPC args, migrate image, teardown Five features bundled into v0.19.0 for shared config-file shape (wfctl.yaml + .wfctl-lock.yaml) and release boundary. Each addresses architectural debt surfaced during BMW tonight's deploy blocker chain. Features: - A. Plugin manifest + lockfile split (tasks #42/#43) - B. Multi-registry + IaCProvider.EnsureRegistryAuth (task #48) - C. Typed-args refactor for IaCProvider gRPC (task #41) - D. Official workflow-migrate Docker image (task #49) - E. wfctl infra teardown with mandatory dry-run + --approve flag (new) Non-goals: constraint-based plugin resolution (v0.20.0), transitive plugin deps, OCI chart/artifact registries, cross-registry mirroring. Autonomous pipeline target: v0.19.0 after BMW post-teardown stabilizes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: v0.19.0 design — add Features F, G, H (outputs, verify, secret sinks) Scope expanded from 5 to 7 features per user feedback on BMW CI gap audit: - F. wfctl infra outputs with masked-by-default sensitivity + GHA ::add-mask:: - G. wfctl deploy verify with multi-target healthcheck + retry/timeout gate - H. Declarative secret sinks (outputs.<field>.sinks[]) — plaintext never leaves wfctl process; built-in github_secret + github_env handlers; aws/gcp/azure sinks via plugin fan-out in v0.19.x Motivation: BMW's Capture staging DB URL step uses doctl + awk + gh secret set shell pipeline, leaking DATABASE_URL plaintext through stdout/env/argv. Declarative sink pattern (like terraform's output-to-secret-manager) writes the value in-process directly to the GitHub secrets API with libsodium encryption. Matches user's stated principle: "if BMW CI has provider-specific shell, fix it in workflow/wfctl so the CI stays declarative." Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: v0.19.0 implementation plan — 7 features × 9 phases Matches design doc 2026-04-24-v0.19.0-architectural-cleanup-design.md: - Phase 1 alpha.1: Feature A (plugin manifest + lockfile) - Phase 2 alpha.2: Feature C client-side (typed gRPC args) - Phase 3 (DO plugin v0.8.0): Feature C server-side + integration tests - Phase 4 alpha.3: Feature B (multi-registry) - Phase 5 (DO plugin v0.8.1): Feature B server-side (EnsureRegistryAuth) - Phase 6a rc1: Feature D (workflow-migrate image) - Phase 6b rc2: Feature E (wfctl infra teardown) - Phase 6c rc3: Features F + G + H (outputs + verify + sinks) - Phase 7: v0.19.0 final + changelog + docs - Phase 8: Plugin fan-out (aws/gcp/azure/tofu) in parallel - Phase 9: BMW migration PR (after v0.19.0 stabilizes) Timing: all phases can merge independently; final v0.19.0 tag and Phase 9 hold until BMW's tonight deploy chain reaches prod /healthz green (task #26). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: address PR #474 review — reconcile feature count, flag naming, source task column * docs: v0.18.9 phase-continuation design — env-resolution consistency BMW deploy run 24888583717 created a duplicate DO App Platform app because wfctl infra apply used env-resolved name "bmw-staging" while wfctl ci run --phase deploy used base module name "bmw-app". Both paths call driver.Read by name; with different names they find different resources (or none) and each calls Create, producing duplicates. Root cause: cmd/wfctl/deploy_providers.go:769 reads m.Name directly after ResolveForEnv has been applied. Same class as v0.18.7's Task #32 fix but in the deploy-phase code path. Fix: refactor resolveModCfg closure to return *ResolvedModule, use resolved.Name at call sites. Audit + patch infra_output source resolution (task #56) with the same pattern. Ship as v0.18.9. Does not require state-sharing between IaC and CI phases; the bug is about names, not state. Both phases use driver.Read by name; aligning the names aligns the lookups. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: v0.18.9 phase-continuation implementation plan 9 tasks across Phase 1 (core fixes: deploy_providers.go + infra_secrets.go + regression tests) and Phase 2 (release + BMW unblock: PR, merge, tag, BMW bump, teardown, redeploy). Same-class fix as v0.18.7 Task #32: env-resolved Name used consistently wherever modules are consumed. Target: v0.18.9 hotfix; unblocks BMW staging deploy from run 24888583717 duplicate-resource failure. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(wfctl): ci run deploy uses env-resolved module name (not base) Refactored resolveModCfg closure in deploy_providers.go to return *config.ResolvedModule so callers see both resolved.Name (env-override lifted from Config["name"]) and resolved.Config. All three call sites (iac.provider lookup, findByType, fallback loop) now read resolved.Name instead of m.Name. Same class as v0.18.7 Task #32 fix for ResourceSpec.Name — env override of Config["name"] was lifted into ResolvedModule.Name but deploy_providers.go read m.Name directly, ignoring the override. Caused BMW deploy run 24888583717 to create duplicate DO apps (bmw-app vs bmw-staging). Regression tested via: - TestPluginDeployProvider_UsesEnvResolvedName (new, was failing) - TestPluginDeployProvider_FallsBackToModuleNameWhenNoEnv (new, baseline) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(wfctl): infra_output source module name flows through env resolution Introduces resolveInfraOutput(wfCfg, source, envName, stateOutputs) which translates the base module name in a "module.field" source string to its env-resolved name before looking up state. State is persisted under the env-resolved name (e.g. "bmw-staging-db"), so "bmw-database.uri" with --env staging now correctly finds the state entry. syncInfraOutputSecrets now accepts wfCfg and envName so the new resolution is applied for every infra_output secret in the generate list. The call site in infra.go (runInfraApply) loads the workflow config and passes it through. Closes task #56. Regression tested via: - TestInfraOutput_EnvResolvesModuleSource (new, was failing) - TestInfraOutput_NoEnvUsesBaseName (new, baseline) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs: CHANGELOG v0.18.9 entry Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(wfctl): stateKeys actually sorts keys (comment matched implementation) Agent-Logs-Url: https://github.com/GoCodeAlone/workflow/sessions/a0429849-a053-4485-914d-ccb115be94e8 Co-authored-by: intel352 <77607+intel352@users.noreply.github.com> * fix(wfctl): address 4 Copilot round-1 findings on v0.18.9 (#476) - resolveInfraOutput: ResolveForEnv ok=false now errors (config error) instead of silently falling back to base module name — prevents the env-resolution fix from being bypassed on misconfigured envs - stateKeys: add sort.Strings so error messages list available modules in deterministic order (comment already said "sorted") - infra.go: surface config.LoadFromFile error instead of discarding it — silent failure would regress env resolution to the pre-fix nil-wfCfg path - CHANGELOG: replace "Closes task #60" (ambiguous GitHub issue ref) with "Root cause from BMW deploy run 24888583717" Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(wfctl): accurate error message + test for explicitly-disabled module in resolveInfraOutput Agent-Logs-Url: https://github.com/GoCodeAlone/workflow/sessions/3accbfdf-259b-4b98-a44e-8b538d3f5857 Co-authored-by: intel352 <77607+intel352@users.noreply.github.com> * fix(wfctl): gate LoadFromFile on envName + infra_output presence (#476) Skip config.LoadFromFile when env resolution is not needed: - envName="" → no env resolution, wfCfg=nil is correct - no infra_output generators → syncInfraOutputSecrets ignores wfCfg Avoids unnecessary file I/O on every infra apply when the caller has no infra_output secrets or is not running with --env. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds the master operationalization plan documenting how the workflow engine will be deployed across SaaS/PaaS, self-hosted, and embedded modes.
Contents
wfctlCLI expansion, plugin registry, SaaS control plane, license server)workflow,ratchet,workflow-registry,workflow-cloudOriginal prompt
Create a comprehensive operationalization plan document at
docs/OPERATIONALIZATION_PLAN.mdthat serves as the master plan for how the workflow engine will be operationalized across multiple modes (SaaS, self-hosted, embedded).The document should contain the full plan below verbatim (in Markdown). Do NOT summarize or abbreviate — include every section, table, code block, and detail exactly as written.
Operationalization Plan: Layered Approach for Workflow Engine
Overview
This document is the master plan for operationalizing the GoCodeAlone/workflow engine across three modes of operation: SaaS/PaaS, Self-Hosted, and Embedded (like GoCodeAlone/ratchet). The approach is organized into five layers, each building on the one below.
Architecture Layers
Layer 1: Core Engine (
GoCodeAlone/workflow— public)The open-source workflow engine library and server binary. Everything in the
workflowrepo today, stabilized and released with semver.Current State
v0.0.0withreplace ../workflowgo:embedci.yml,release.yml,helm-lint.yml,osv-scanner.yml,dependency-update.yml)Actions
v0.1.0as baseline. Enhancerelease.yml: run tests + lint, build binaries (linux/darwin amd64/arm64), build admin UI, create GitHub Release with checksums. Every merge tomaincreates a pre-release; tag push creates stable release.replacedirective from Ratchetgo.modchanges fromreplace github.com/GoCodeAlone/workflow => ../workflowtorequire github.com/GoCodeAlone/workflow v0.x.y.go:embed.FALLBACK_PAGES,PLUGIN_VIEW_COMPONENTS.config,plugin,module,schema,capability,store) vs internal. Breaking changes require major version bump.Deliverables
github.com/GoCodeAlone/workflowas a versioned Go module (e.g.,v0.1.0)workflow-serverbinary downloadable from GitHub Releasesworkflow-admin-uitarball as a separate release artifactghcr.io/gocodalone/workflow:<version>Layer 2: Developer Tooling
Everything a software engineer needs to build, test, and deploy a workflow application.
2a.
wfctlCLI (already atcmd/wfctl/)Current capabilities:
validate,run,serve. Needs expansion:wfctl initwfctl validatewfctl runwfctl build-uiwfctl plugin initwfctl plugin testwfctl publishwfctl deploy...This pull request was created from Copilot chat.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.