From e45ab9a33ec1064ca8a1b2ae51943d9568162171 Mon Sep 17 00:00:00 2001 From: matttrach Date: Fri, 15 Aug 2025 10:51:24 -0500 Subject: [PATCH 1/2] fix: move release please to release branches Signed-off-by: matttrach --- .aliases | 12 +- .github/CODEOWNERS | 2 +- .github/pull_request_template.md | 28 +++- .github/workflows/release-v0.yml | 150 ++++++++++++++++++ .../workflows/{release.yml => release-v1.yml} | 2 +- .goreleaser.yml | 13 +- flake.lock | 6 +- 7 files changed, 184 insertions(+), 29 deletions(-) create mode 100644 .github/workflows/release-v0.yml rename .github/workflows/{release.yml => release-v1.yml} (99%) diff --git a/.aliases b/.aliases index d123c5f..819f753 100644 --- a/.aliases +++ b/.aliases @@ -1,17 +1,9 @@ #!/bin/env sh alias gs='git status' alias gd='git diff' +alias gc='git checkout' alias tf='terraform' -alias tfa='if [ -f ssh_key ]; then chmod 600 ssh_key && ssh-add ssh_key; fi; terraform init; terraform apply --auto-approve' +alias tfa='terraform apply --auto-approve' alias tfd='terraform destroy --auto-approve' -alias tfp='terraform init || terraform providers && terraform validate && terraform plan' -alias tfr='terraform destroy --auto-approve;if [ -f ssh_key ]; then chmod 600 ssh_key && ssh-add ssh_key; fi; terraform init; terraform apply --auto-approve' -alias tfl='terraform state list' alias k='kubectl' -alias tt='run_tests' -# expects AGE_ variables to be set, see .variables and .rcs -alias es='encrypt_secrets' # looks in the secret file list and converts the files into encrypted ones, see .functions -alias ds='decrypt_secrets' # looks in the secret file list and converts all the encrtypted files in to unencrypted ones, see .functions -alias ef='encrypt_file' # see .functions -alias cl='clear_local' # clears all of the temporary files from the directory, see .functions alias sc='shell_check' # runs shellcheck -x on all files with a shbang diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 2d4f0dc..46efa51 100644 
--- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -* @rancher/k3s +* @rancher/terraform-maintainers diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 38e8ce7..6a04bd0 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,16 +1,30 @@ +## Backport + +Is this a cherry-picked backport from the default branch? +If so, please delete all other sections and complete the sentence below: + +Cherry-pick #1236 (main PR) to release/v1 (release branch) +Addresses #1235 (backport issue) for #1234 (main issue) + + ## Related Issue -Fixes # +If this PR will target main, +please complete the below sentence and add labels for each version this should be released to. + +Addresses #1234 (main issue) +This should be backported to release/v0, release/v1 (comma separated list of target release branches) ## Description -In plain English, describe your approach to addressing the issue linked above. For example, if you made a particular design decision, let us know why you chose this path instead of another solution. +Describe your approach to addressing the issue linked above. +For example, if you made a particular design decision, let us know why you chose this path. - -## Rollback Plan +## Testing -- [ ] If a change needs to be reverted, we will roll out an update to the code within 7 days. +Please describe how you verified this change or why testing isn't relevant. -## Changes to Security Controls +## Breaking -Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain. +Does this change alter an interface that users of the provider will need to adjust to? +Will there be any existing configurations broken by this change? diff --git a/.github/workflows/release-v0.yml b/.github/workflows/release-v0.yml new file mode 100644 index 0000000..e663b2c --- /dev/null +++ b/.github/workflows/release-v0.yml 
@@ -0,0 +1,150 @@ +name: release + +on: + push: + branches: + - release/v0 + +permissions: write-all + +jobs: + release: + runs-on: ubuntu-latest + outputs: + release_pr: ${{ steps.release-please.outputs.pr }} + steps: + - uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0 https://github.com/googleapis/release-please-action/commits/main/ + id: release-please + with: + release-type: go + # These run only if a release PR was opened or modified, so not when the PR is merged + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main + if: steps.release-please.outputs.pr + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.rest.issues.createComment({ + issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }}, + owner: "${{ github.repository_owner }}", + repo: "${{ github.event.repository.name }}", + body: "Please make sure e2e tests pass before merging this PR! 
\n ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + }) + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + if: steps.release-please.outputs.pr + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + if: steps.release-please.outputs.pr + with: + go-version-file: 'go.mod' + cache: true + - name: run-unit-tests + id: run-unit-tests + if: steps.release-please.outputs.pr + run: | + go install gotest.tools/gotestsum@ddd0b05a6878e2e8257a2abe6e7df66cebc53d0e # v1.12.3 + make test + - name: install-nix + if: steps.release-please.outputs.pr + run: | + curl -L https://nixos.org/nix/install | sh + source /home/runner/.nix-profile/etc/profile.d/nix.sh + nix --version + which nix + - name: run-acc-tests + id: run-acc-tests + if: steps.release-please.outputs.pr + shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} + run: make testacc + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main + if: steps.release-please.outputs.pr && always() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.rest.issues.createComment({ + issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }}, + owner: "${{ github.repository_owner }}", + repo: "${{ github.event.repository.name }}", + body: "Tests Passed!" 
+ }) + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main + if: steps.release-please.outputs.pr && always() && ((steps.run-unit-tests.conclusion == 'failure') || (steps.run-acc-tests.conclusion == 'failure')) + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.rest.issues.createComment({ + issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }}, + owner: "${{ github.repository_owner }}", + repo: "${{ github.event.repository.name }}", + body: "Tests Failed!" + }) + - name: import_gpg_key + if: steps.release-please.outputs.pr && always() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') + id: import_gpg_key + env: + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} + GPG_KEY: ${{ secrets.GPG_KEY }} + run: | + cleanup() { + # clear history just in case + history -c + } + trap cleanup EXIT TERM + + # sanitize variables + if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi + if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi + if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi + + echo "Importing gpg key" + echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; } + - name: Run GoReleaser + if: steps.release-please.outputs.pr && always() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') + uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action + with: + args: release --snapshot --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + + + # These run after release-please generates a release, so when the release PR is merged + - uses: 
actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + if: steps.release-please.outputs.version + with: + fetch-depth: 0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + if: steps.release-please.outputs.version + with: + go-version-file: 'go.mod' + cache: true + - name: import_gpg_key + if: steps.release-please.outputs.version + id: import_gpg_key + env: + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} + GPG_KEY: ${{ secrets.GPG_KEY }} + run: | + cleanup() { + # clear history just in case + history -c + } + trap cleanup EXIT TERM + + # sanitize variables + if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi + if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi + if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi + + echo "Importing gpg key" + echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; } + - name: Run GoReleaser + if: steps.release-please.outputs.version + uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 + with: + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} diff --git a/.github/workflows/release.yml b/.github/workflows/release-v1.yml similarity index 99% rename from .github/workflows/release.yml rename to .github/workflows/release-v1.yml index bf3a6a0..20718f6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release-v1.yml @@ -3,7 +3,7 @@ name: release on: push: branches: - - main + - release/v1 permissions: write-all diff --git a/.goreleaser.yml b/.goreleaser.yml index e729a12..2ed6f07 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
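Review bot: The `install-nix` step runs `curl -L https://nixos.org/nix/install | sh`, an unpinned and unverified script from the network, on the same runner that a few steps later imports the private GPG signing key and signs artifacts with GoReleaser; every `uses:` in this file is SHA-pinned, so this is the one unpinned piece of third-party code in the release path. Fetch a versioned installer from releases.nixos.org, check it against a digest committed to the repo, and only then execute it, e.g. `curl -fsSLo nix-install https://releases.nixos.org/nix/nix-<version>/install`, `echo "<sha256>  nix-install" | sha256sum -c -`, `sh nix-install` (or a SHA-pinned installer action). `permissions: write-all` at the top of the file is also wider than the job needs; from what the steps do, `contents: write`, `pull-requests: write` and `issues: write` should cover release-please, the PR comments and the GoReleaser upload. The `history -c` in the cleanup trap is a no-op in a non-interactive `run:` shell, so the "clear history just in case" comment overstates what it does.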
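Review bot: With the trigger moved from `main` to `release/v1`, the `release-please-action` step is still configured with only `release-type: go` and no `target-branch`; if I recall the action's default correctly it resolves the target branch from the repository's default branch rather than from `github.ref`, in which case release PRs for v1 would be opened against `main`. Worth confirming on the first push to the branch, and if so adding `target-branch: ${{ github.ref_name }}` under `with:` (the same applies to the new `release-v0.yml`). The rest of the workflow is outside this hunk.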
@@ -1,11 +1,10 @@ # Copyright (c) HashiCorp, Inc. -# Visit https://goreleaser.com for documentation on how to customize this -# behavior. +# https://goreleaser.com for documentation + version: 2 before: hooks: - # this is just an example and not a requirement for provider building/publishing - go mod tidy builds: - env: @@ -25,12 +24,8 @@ builds: - darwin goarch: - amd64 - - '386' - arm - arm64 - ignore: - - goos: darwin - goarch: '386' binary: '{{ .ProjectName }}_v{{ .Version }}' archives: - formats: [ 'zip' ] @@ -55,6 +50,10 @@ signs: - "${signature}" - "--sign" - "${artifact}" +snapshot: + # "snapshot" is the type of release we use for release candidates + # that are generated when a release branch gets a new merge + name_template: "{{ .ProjectName }}_{{ .ShortCommit }}" release: extra_files: - glob: 'terraform-registry-manifest.json' diff --git a/flake.lock b/flake.lock index d57185e..b999921 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1755082269, - "narHash": "sha256-Ix7ALeaxv9tW4uBKWeJnaKpYZtZiX4H4Q/MhEmj4XYA=", + "lastModified": 1755113249, + "narHash": "sha256-/bIVS2iP5mixEQWsaiiJ7EGLtk5Id9OehWbmTbzN6kE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d74de548348c46cf25cb1fcc4b74f38103a4590d", + "rev": "e9e0d35e5f735bf3d1e96815272f46fe7083232c", "type": "github" }, "original": { From 72b92629051ec88da0fb10f9adb3b986dc433e64 Mon Sep 17 00:00:00 2001 From: matttrach Date: Fri, 15 Aug 2025 11:19:56 -0500 Subject: [PATCH 2/2] fix: use one file and get vault secrets Signed-off-by: matttrach --- .github/workflows/release-v1.yml | 123 ------------------ .../workflows/{release-v0.yml => release.yml} | 41 ++++-- 2 files changed, 27 insertions(+), 137 deletions(-) delete mode 100644 .github/workflows/release-v1.yml rename .github/workflows/{release-v0.yml => release.yml} (78%) diff --git a/.github/workflows/release-v1.yml b/.github/workflows/release-v1.yml deleted file mode 100644 index 872b1e7..0000000 
--- a/.github/workflows/release-v1.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -name: release - -on: - push: - branches: - - release/v1 - -permissions: write-all - -jobs: - release: - runs-on: ubuntu-latest - outputs: - release_pr: ${{ steps.release-please.outputs.pr }} - steps: - - uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0 https://github.com/googleapis/release-please-action/commits/main/ - id: release-please - with: - release-type: go - # These run only if a release PR was opened or modified, so not when the PR is merged - - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main - if: steps.release-please.outputs.pr - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - github.rest.issues.createComment({ - issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }}, - owner: "${{ github.repository_owner }}", - repo: "${{ github.event.repository.name }}", - body: "Please make sure e2e tests pass before merging this PR! 
\n ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" - }) - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - if: steps.release-please.outputs.pr - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - if: steps.release-please.outputs.pr - with: - go-version-file: 'go.mod' - cache: true - - name: run-unit-tests - id: run-unit-tests - if: steps.release-please.outputs.pr - run: | - go install gotest.tools/gotestsum@ddd0b05a6878e2e8257a2abe6e7df66cebc53d0e # v1.12.3 - make test - - name: install-nix - if: steps.release-please.outputs.pr - run: | - curl -L https://nixos.org/nix/install | sh - source /home/runner/.nix-profile/etc/profile.d/nix.sh - nix --version - which nix - - name: run-acc-tests - id: run-acc-tests - if: steps.release-please.outputs.pr - shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} - run: make testacc - - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main - if: steps.release-please.outputs.pr && always() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - github.rest.issues.createComment({ - issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }}, - owner: "${{ github.repository_owner }}", - repo: "${{ github.event.repository.name }}", - body: "Tests Passed!" 
- }) - - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commits/main - if: steps.release-please.outputs.pr && always() && ((steps.run-unit-tests.conclusion == 'failure') || (steps.run-acc-tests.conclusion == 'failure')) - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - github.rest.issues.createComment({ - issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }}, - owner: "${{ github.repository_owner }}", - repo: "${{ github.event.repository.name }}", - body: "Tests Failed!" - }) - # These run after release-please generates a release, so when the release PR is merged - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - if: steps.release-please.outputs.version - with: - fetch-depth: 0 - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - if: steps.release-please.outputs.version - with: - go-version-file: 'go.mod' - cache: true - - name: retrieve GPG Credentials - uses: rancher-eio/read-vault-secrets@main - with: - secrets: | - secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ; - secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID; - secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY; - - name: import_gpg_key - if: steps.release-please.outputs.version - id: import_gpg_key - env: - GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }} - GPG_KEY_ID: ${{ env.GPG_KEY_ID }} - GPG_KEY: ${{ env.GPG_KEY }} - run: | - cleanup() { - # clear history just in case - history -c - } - trap cleanup EXIT TERM - # sanitize variables - if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi - if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi - if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi - echo "Importing gpg key" - echo "${GPG_KEY}" | gpg --import --batch > /dev/null 
|| { echo "Failed to import GPG key"; exit 1; } - - name: Run GoReleaser - if: steps.release-please.outputs.version - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 - with: - args: release --clean - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GPG_KEY_ID: ${{ env.GPG_KEY_ID }} - GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }} diff --git a/.github/workflows/release-v0.yml b/.github/workflows/release.yml similarity index 78% rename from .github/workflows/release-v0.yml rename to .github/workflows/release.yml index e663b2c..7db03ad 100644 --- a/.github/workflows/release-v0.yml +++ b/.github/workflows/release.yml @@ -4,6 +4,7 @@ on: push: branches: - release/v0 + - release/v1 permissions: write-all @@ -76,13 +77,19 @@ jobs: repo: "${{ github.event.repository.name }}", body: "Tests Failed!" }) + - name: retrieve GPG Credentials + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY; - name: import_gpg_key - if: steps.release-please.outputs.pr && always() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') - id: import_gpg_key + if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') env: - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} - GPG_KEY: ${{ secrets.GPG_KEY }} + GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }} + GPG_KEY_ID: ${{ env.GPG_KEY_ID }} + GPG_KEY: ${{ env.GPG_KEY }} run: | cleanup() { # clear history just in case 
@@ -98,14 +105,14 @@ jobs: echo "Importing gpg key" echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; } - name: Run GoReleaser - if: steps.release-please.outputs.pr && always() && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') + if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success') uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action with: args: release --snapshot --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_KEY_ID: ${{ env.GPG_KEY_ID }} + GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }} # These run after release-please generates a release, so when the release PR is merged @@ -118,13 +125,19 @@ jobs: with: go-version-file: 'go.mod' cache: true + - name: retrieve GPG Credentials + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg passphrase | GPG_PASSPHRASE ; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKeyId | GPG_KEY_ID; + secret/data/github/repo/rancher/${{ github.repository }}/signing/gpg privateKey | GPG_KEY; - name: import_gpg_key if: steps.release-please.outputs.version - id: import_gpg_key env: - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} - GPG_KEY: ${{ secrets.GPG_KEY }} + GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }} + GPG_KEY_ID: ${{ env.GPG_KEY_ID }} + GPG_KEY: ${{ env.GPG_KEY }} run: | cleanup() { # clear history just in case 
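Review bot: The new `retrieve GPG Credentials` step uses `rancher-eio/read-vault-secrets@main`, a mutable branch ref, while every other action in the workflow is pinned to a commit SHA — and this is the step that pulls the private signing key out of Vault, so it is the one most worth pinning (`uses: rancher-eio/read-vault-secrets@<commit-sha> # <tag>`). It also has no `if:`, so the Vault read and the export of `GPG_KEY`/`GPG_PASSPHRASE` into the job environment happen on every push to `release/v0` or `release/v1`, including pushes where release-please opened no PR and cut no release; gate it with `if: steps.release-please.outputs.pr && (steps.run-unit-tests.conclusion == 'success') && (steps.run-acc-tests.conclusion == 'success')` like the import step below it. The secret path `secret/data/github/repo/rancher/${{ github.repository }}/...` expands to `.../repo/rancher/rancher/<repo>/...` because `github.repository` already contains the owner; unless the Vault layout really has that extra segment, the lookup will fail. Once the action has exported the values, the `env:` block on `import_gpg_key` re-mapping `GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}` is redundant.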
@@ -146,5 +159,5 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_KEY_ID: ${{ env.GPG_KEY_ID }} + GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
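Review bot: The second `retrieve GPG Credentials` step in the post-release path has the same two gaps as the first: `@main` instead of a commit SHA, and no `if: steps.release-please.outputs.version` guard, so on a release-PR merge the Vault secret is fetched twice (the unguarded PR-path copy runs first) and on an ordinary push it is fetched for nothing. Add the guard and pin the ref; with the key already in `GITHUB_ENV`, the `env:` re-mapping on `import_gpg_key` can go as well. The `release --clean` step that consumes these values is in the following hunk.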