diff --git a/.aliases b/.aliases
index d123c5f..819f753 100644
--- a/.aliases
+++ b/.aliases
@@ -1,17 +1,9 @@
 #!/bin/env sh
 alias gs='git status'
 alias gd='git diff'
+alias gc='git checkout'
 alias tf='terraform'
-alias tfa='if [ -f ssh_key ]; then chmod 600 ssh_key && ssh-add ssh_key; fi; terraform init; terraform apply --auto-approve'
+alias tfa='terraform apply --auto-approve'
 alias tfd='terraform destroy --auto-approve'
-alias tfp='terraform init || terraform providers && terraform validate && terraform plan'
-alias tfr='terraform destroy --auto-approve;if [ -f ssh_key ]; then chmod 600 ssh_key && ssh-add ssh_key; fi; terraform init; terraform apply --auto-approve'
-alias tfl='terraform state list'
 alias k='kubectl'
-alias tt='run_tests'
-# expects AGE_ variables to be set, see .variables and .rcs
-alias es='encrypt_secrets' # looks in the secret file list and converts the files into encrypted ones, see .functions
-alias ds='decrypt_secrets' # looks in the secret file list and converts all the encrtypted files in to unencrypted ones, see .functions
-alias ef='encrypt_file' # see .functions
-alias cl='clear_local' # clears all of the temporary files from the directory, see .functions
 alias sc='shell_check' # runs shellcheck -x on all files with a shbang
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 2d4f0dc..46efa51 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1 @@
-* @rancher/k3s
+* @rancher/terraform-maintainers
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 38e8ce7..6a04bd0 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,16 +1,30 @@ +## Backport + +Is this a cherry-picked backport from the default branch? +If so, please delete all other sections and complete the sentence below: + +Cherry-pick #1236 (main PR) to release/v1 (release branch) +Addresses #1235 (backport issue) for #1234 (main issue) + + ## Related Issue -Fixes # +If this PR will target main, +please complete the below sentence and add labels for each version this should be released to. + +Addresses #1234 (main issue) +This should be backported to release/v0, release/v1 (comma separated list of target release branches) ## Description -In plain English, describe your approach to addressing the issue linked above. For example, if you made a particular design decision, let us know why you chose this path instead of another solution. +Describe your approach to addressing the issue linked above. +For example, if you made a particular design decision, let us know why you chose this path. - -## Rollback Plan +## Testing -- [ ] If a change needs to be reverted, we will roll out an update to the code within 7 days. +Please describe how you verified this change or why testing isn't relevant. -## Changes to Security Controls +## Breaking -Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain. +Does this change alter an interface that users of the provider will need to adjust to? +Will there be any existing configurations broken by this change? diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63ad296..7db03ad 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,7 +3,8 @@ name: release on: push: branches: - - main + - release/v0 + - release/v1 permissions: write-all 
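Review bot: The new `branches` list makes this workflow run on every push to `release/v0` and `release/v1`, but the workflow-level `permissions: write-all` that follows it as context still hands the job token every scope on each of those pushes. Since the same job later pulls GPG signing material from Vault, it is worth narrowing that block to what release-please and GoReleaser actually use — likely `permissions:` with `contents: write` and `pull-requests: write`, to be confirmed against the remaining steps — rather than leaving `write-all` in place when the trigger surface widens. The `jobs:` definitions this trigger feeds lie outside this hunk.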
@@ -76,6 +77,44 @@ jobs: repo: "${{ github.event.repository.name }}", body: "Tests Failed!" }) + - name: retrieve GPG Credentials + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY; + - name: import_gpg_key + if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') + env: + GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }} + GPG_KEY_ID: ${{ env.GPG_KEY_ID }} + GPG_KEY: ${{ env.GPG_KEY }} + run: | + cleanup() { + # clear history just in case + history -c + } + trap cleanup EXIT TERM + + # sanitize variables + if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi + if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi + if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi + + echo "Importing gpg key" + echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; } + - name: Run GoReleaser + if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') + uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action + with: + args: release --snapshot --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GPG_KEY_ID: ${{ env.GPG_KEY_ID }} + GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }} + + # These run after release-please generates a release, so when the release PR is merged - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 if: steps.release-please.outputs.version 
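Review bot: The new `retrieve GPG Credentials` step carries no `if:` guard, so the GPG private key, key id and passphrase are read from Vault into the job environment on every run, while the two steps that consume them (`import_gpg_key` and `Run GoReleaser`) only execute when `steps.release-please.outputs.pr` is set and both test steps succeeded; giving the retrieve step the same condition, `if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')`, keeps the signing key out of runs that will never use it. That step also references `rancher-eio/read-vault-secrets@main`, whereas `goreleaser/goreleaser-action` and `actions/checkout` in this same hunk are pinned to a commit SHA with a version comment — the action that handles the signing key should be pinned the same way instead of following a mutable branch. The `cleanup` trap's `history -c` presumably does little in a non-interactive `run:` step (no history file is kept there), so the `# clear history just in case` comment should not be read as cleaning up the key, which remains in the step env and in gpg's keyring on the runner for the rest of the job. The enclosing job definition starts and ends outside this hunk.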
@@ -95,7 +134,6 @@ jobs: secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY; - name: import_gpg_key if: steps.release-please.outputs.version - id: import_gpg_key env: GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }} GPG_KEY_ID: ${{ env.GPG_KEY_ID }} @@ -106,10 +144,12 @@ jobs: history -c } trap cleanup EXIT TERM + # sanitize variables if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi + echo "Importing gpg key" echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; } - name: Run GoReleaser diff --git a/.goreleaser.yml b/.goreleaser.yml index e729a12..2ed6f07 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,11 +1,10 @@ # Copyright (c) HashiCorp, Inc. -# Visit https://goreleaser.com for documentation on how to customize this -# behavior. +# https://goreleaser.com for documentation + version: 2 before: hooks: - # this is just an example and not a requirement for provider building/publishing - go mod tidy builds: - env: @@ -25,12 +24,8 @@ builds: - darwin goarch: - amd64 - - '386' - arm - arm64 - ignore: - - goos: darwin - goarch: '386' binary: '{{ .ProjectName }}_v{{ .Version }}' archives: - formats: [ 'zip' ] @@ -55,6 +50,10 @@ signs: - "${signature}" - "--sign" - "${artifact}" +snapshot: + # "snapshot" is the type of release we use for release candidates + # that are generated when a release branch gets a new merge + name_template: "{{ .ProjectName }}_{{ .ShortCommit }}" release: extra_files: - glob: 'terraform-registry-manifest.json' diff --git a/flake.lock b/flake.lock index d57185e..b999921 100644 --- a/flake.lock +++ b/flake.lock 
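Review bot: The added `snapshot.name_template` key looks like the GoReleaser v1 spelling of this setting; this file declares `version: 2`, where I believe the key is `snapshot.version_template` and `name_template` is listed as deprecated — please check the current GoReleaser deprecation notes and, if so, change the line to `version_template: "{{ .ProjectName }}_{{ .ShortCommit }}"`. Separately, if this template is what `.Version` resolves to for snapshot builds (my understanding of the setting), the `binary: '{{ .ProjectName }}_v{{ .Version }}'` line visible in the earlier hunk of this file would then produce names of the form `<project>_v<project>_<shortcommit>`; a value that yields only a version string, for example `"0.0.0-{{ .ShortCommit }}"` (constructed), would keep the binary name in the `<project>_v<version>` shape, which is worth verifying against the `dist/` output of one snapshot run. The `release:` mapping this hunk touches continues outside the hunk.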
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
-"lastModified": 1755082269,
-"narHash": "sha256-Ix7ALeaxv9tW4uBKWeJnaKpYZtZiX4H4Q/MhEmj4XYA=",
+"lastModified": 1755113249,
+"narHash": "sha256-/bIVS2iP5mixEQWsaiiJ7EGLtk5Id9OehWbmTbzN6kE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "d74de548348c46cf25cb1fcc4b74f38103a4590d",
+"rev": "e9e0d35e5f735bf3d1e96815272f46fe7083232c",
 "type": "github"
 },
 "original": {