Migrate to release process to CRT and Prepare for v2.3.5-alpha1 release (#412)

SBGoods · web-flow · commit df3832a77202 · 2025-04-28T12:19:11.000-04:00
* Add `issues: write` permission to close associated GitHub milestone

* Add CRT release configuration files

* Update changelog for `2.3.5-alpha1` release

* Rename artifacts file
diff --git a/.changes/2.3.5-alpha1.md b/.changes/2.3.5-alpha1.md
@@ -0,0 +1,6 @@
+## 2.3.5-alpha1 (April 28, 2025)
+
+NOTES:
+
+* all: This release is being used to test new build and release actions. ([#412](https://github.com/hashicorp/terraform-provider-external/issues/412))
+
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,186 @@
+# This workflow builds the product for all supported platforms and uploads the resulting
+# binaries as Actions artifacts. The workflow also uploads a build metadata file
+# (metadata.json) -- and a Terraform Registry manifest file (terraform-registry-manifest.json).
+#
+# Reference: https://github.com/hashicorp/terraform-provider-crt-example/blob/main/.github/workflows/README.md
+
+name: build
+
+# We default to running this workflow on every push to every branch.
+# This provides fast feedback when build issues occur, so they can be
+# fixed prior to being merged to the main branch.
+#
+# If you want to opt out of this, and only run the build on certain branches
+# please refer to the documentation on branch filtering here:
+#
+#   https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore
+#
+on: [workflow_dispatch, push]
+
+env:
+  PKG_NAME: "terraform-provider-external"
+
+jobs:
+  # Detects the Go toolchain version to use for product builds.
+  #
+  # The implementation is inspired by envconsul -- https://go.hashi.co/get-go-version-example
+  get-go-version:
+    name: "Detect Go toolchain version"
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.get-go-version.outputs.go-version }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Detect Go version
+        id: get-go-version
+        run: |
+          version="$(go list -f {{.GoVersion}} -m)"
+          echo "go-version=$version" >> "$GITHUB_OUTPUT"
+
+  # Parses the version/VERSION file. Reference: https://github.com/hashicorp/actions-set-product-version/blob/main/README.md
+  #
+  # > This action should be implemented in product repo `build.yml` files. The action is intended to grab the version
+  # > from the version file at the beginning of the build, then passes those versions (along with metadata, where
+  # > necessary) to any workflow jobs that need version information.
+  set-product-version:
+    name: "Parse version file"
+    runs-on: ubuntu-latest
+    outputs:
+      product-version: ${{ steps.set-product-version.outputs.product-version }}
+      product-base-version: ${{ steps.set-product-version.outputs.base-product-version }}
+      product-prerelease-version: ${{ steps.set-product-version.outputs.prerelease-product-version }}
+      product-minor-version: ${{ steps.set-product-version.outputs.minor-product-version }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set variables
+        id: set-product-version
+        uses: hashicorp/actions-set-product-version@v2
+
+  # Creates metadata.json file containing build metadata for consumption by CRT workflows.
+  #
+  # Reference: https://github.com/hashicorp/actions-generate-metadata/blob/main/README.md
+  generate-metadata-file:
+    needs: set-product-version
+    runs-on: ubuntu-latest
+    outputs:
+      filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
+    steps:
+      - name: "Checkout directory"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Generate metadata file
+        id: generate-metadata-file
+        uses: hashicorp/actions-generate-metadata@v1
+        with:
+          version: ${{ needs.set-product-version.outputs.product-version }}
+          product: ${{ env.PKG_NAME }}
+          repositoryOwner: "hashicorp"
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: metadata.json
+          path: ${{ steps.generate-metadata-file.outputs.filepath }}
+
+  # Uploads an Actions artifact named terraform-registry-manifest.json.zip.
+  #
+  # The artifact contains a single file with a filename that Terraform Registry expects
+  # (example: terraform-provider-crt-example_2.3.6-alpha1_manifest.json). The file contents
+  # are identical to the terraform-registry-manifest.json file in the source repository.
+  upload-terraform-registry-manifest-artifact:
+    needs: set-product-version
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout directory"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: ${{ env.PKG_NAME }}
+      - name: "Copy manifest from checkout directory to a file with the desired name"
+        id: terraform-registry-manifest
+        run: |
+          name="${{ env.PKG_NAME }}"
+          version="${{ needs.set-product-version.outputs.product-version }}"
+
+          source="${name}/terraform-registry-manifest.json"
+          destination="${name}_${version}_manifest.json"
+
+          cp "$source" "$destination"
+          echo "filename=$destination" >> "$GITHUB_OUTPUT"
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: terraform-registry-manifest.json
+          path: ${{ steps.terraform-registry-manifest.outputs.filename }}
+          if-no-files-found: error
+
+  # Builds the product for all platforms except macOS.
+  #
+  # With `reproducible: report`, this job also reports whether the build is reproducible,
+  # but does not enforce it.
+  #
+  # Reference: https://github.com/hashicorp/actions-go-build/blob/main/README.md
+  build:
+    needs:
+      - get-go-version
+      - set-product-version
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      # Verify expected Artifacts list for a workflow run.
+      matrix:
+        goos: [freebsd, windows, linux, darwin]
+        goarch: ["386", "amd64", "arm", "arm64"]
+        exclude:
+          - goos: freebsd
+            goarch: arm64
+          - goos: windows
+            goarch: arm64
+          - goos: windows
+            goarch: arm
+          - goos: darwin
+            goarch: 386
+          - goos: darwin
+            goarch: arm
+
+    name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: hashicorp/actions-go-build@v1
+        env:
+          CGO_ENABLED: 0
+          BASE_VERSION: ${{ needs.set-product-version.outputs.product-base-version }}
+          PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.product-prerelease-version}}
+          METADATA_VERSION: ${{ env.METADATA }}
+        with:
+          bin_name: "${{ env.PKG_NAME }}_v${{ needs.set-product-version.outputs.product-version }}_x5"
+          product_name: ${{ env.PKG_NAME }}
+          product_version: ${{ needs.set-product-version.outputs.product-version }}
+          go_version: ${{ needs.get-go-version.outputs.go-version }}
+          os: ${{ matrix.goos }}
+          arch: ${{ matrix.goarch }}
+          reproducible: report
+          instructions: |
+            go build \
+              -o "$BIN_PATH" \
+              -trimpath \
+              -buildvcs=false \
+              -ldflags "-s -w"
+            cp LICENSE "$TARGET_DIR/LICENSE.txt"
+
+  whats-next:
+    needs:
+      - build
+      - generate-metadata-file
+      - upload-terraform-registry-manifest-artifact
+    runs-on: ubuntu-latest
+    name: "What's next?"
+    steps:
+      - name: "Write a helpful summary"
+        run: |
+          github_dot_com="${{ github.server_url }}"
+          owner_with_name="${{ github.repository }}"
+          ref="${{ github.ref }}"
+
+          echo "### What's next?" >> "$GITHUB_STEP_SUMMARY"
+          echo "#### For a release branch (see \`.release/ci.hcl\`)" >> $GITHUB_STEP_SUMMARY
+          echo "After this \`build\` workflow run completes succesfully, you can expect the CRT \`prepare\` workflow to begin momentarily." >> "$GITHUB_STEP_SUMMARY"
+          echo "To find the \`prepare\` workflow run, [view the checks for this commit]($github_dot_com/$owner_with_name/commits/$ref)" >> "$GITHUB_STEP_SUMMARY"
diff --git a/.release/ci.hcl b/.release/ci.hcl
@@ -0,0 +1,89 @@
+# Reference: https://github.com/hashicorp/crt-core-helloworld/blob/main/.release/ci.hcl (private repository)
+
+schema = "2"
+
+project "terraform-provider-external" {
+  // team is currently unused and has no meaning
+  // but is required to be non-empty by CRT orchestator
+  team = "_UNUSED_"
+
+  slack {
+    notification_channel = "C02BASDVCDT" // #feed-terraform-sdk
+  }
+
+  github {
+    organization     = "hashicorp"
+    repository       = "terraform-provider-external"
+    release_branches = ["main", "release/**"]
+  }
+}
+
+event "merge" {
+}
+
+event "build" {
+  action "build" {
+    depends = ["merge"]
+
+    organization = "hashicorp"
+    repository   = "terraform-provider-external"
+    workflow     = "build"
+  }
+}
+
+event "prepare" {
+  # `prepare` is the Common Release Tooling (CRT) artifact processing workflow.
+  # It prepares artifacts for potential promotion to staging and production.
+  # For example, it scans and signs artifacts.
+
+  depends = ["build"]
+
+  action "prepare" {
+    organization = "hashicorp"
+    repository   = "crt-workflows-common"
+    workflow     = "prepare"
+    depends      = ["build"]
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "trigger-staging" {
+}
+
+event "promote-staging" {
+  action "promote-staging" {
+    organization = "hashicorp"
+    repository   = "crt-workflows-common"
+    workflow     = "promote-staging"
+    depends      = null
+    config       = "release-metadata.hcl"
+  }
+
+  depends = ["trigger-staging"]
+
+  notification {
+    on = "always"
+  }
+}
+
+event "trigger-production" {
+}
+
+event "promote-production" {
+  action "promote-production" {
+    organization = "hashicorp"
+    repository   = "crt-workflows-common"
+    workflow     = "promote-production"
+    depends      = null
+    config       = ""
+  }
+
+  depends = ["trigger-production"]
+
+  notification {
+    on = "always"
+  }
+}
diff --git a/.release/release-metadata.hcl b/.release/release-metadata.hcl
@@ -1,2 +1,4 @@
-url_source_repository      = "https://github.com/hashicorp/terraform-provider-external"
-url_license                = "https://github.com/hashicorp/terraform-provider-external/blob/main/LICENSE"
+url_source_repository         = "https://github.com/hashicorp/terraform-provider-external"
+url_project_website           = "https://registry.terraform.io/providers/hashicorp/external"
+url_license                   = "https://github.com/hashicorp/terraform-provider-external/blob/main/LICENSE"
+url_release_notes             = "https://github.com/hashicorp/terraform-provider-external/blob/main/CHANGELOG.md"
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
@@ -0,0 +1,11 @@
+# Reference: https://github.com/hashicorp/security-scanner/blob/main/CONFIG.md#binary (private repository)
+
+binary {
+  secrets {
+    all = true
+  }
+  go_modules   = true
+  osv          = true
+  oss_index    = false
+  nvd          = false
+}
diff --git a/.release/terraform-provider-external-artifacts.hcl b/.release/terraform-provider-external-artifacts.hcl
@@ -0,0 +1,16 @@
+schema = 1
+artifacts {
+  zip = [
+    "terraform-provider-external_${version}_darwin_amd64.zip",
+    "terraform-provider-external_${version}_darwin_arm64.zip",
+    "terraform-provider-external_${version}_freebsd_386.zip",
+    "terraform-provider-external_${version}_freebsd_amd64.zip",
+    "terraform-provider-external_${version}_freebsd_arm.zip",
+    "terraform-provider-external_${version}_linux_386.zip",
+    "terraform-provider-external_${version}_linux_amd64.zip",
+    "terraform-provider-external_${version}_linux_arm.zip",
+    "terraform-provider-external_${version}_linux_arm64.zip",
+    "terraform-provider-external_${version}_windows_386.zip",
+    "terraform-provider-external_${version}_windows_amd64.zip",
+  ]
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 2.3.5-alpha1 (April 28, 2025)
+
+NOTES:
+
+* all: This release is being used to test new build and release actions. ([#412](https://github.com/hashicorp/terraform-provider-external/issues/412))
+
 ## 2.3.4 (September 10, 2024)
 
 NOTES:
diff --git a/version/VERSION b/version/VERSION
@@ -0,0 +1 @@
+2.3.5-alpha1

-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
 +## 2.3.5-alpha1 (April 28, 2025)
++
 +NOTES:
++
 +* all: This release is being used to test new build and release actions. ([#412](https://github.com/hashicorp/terraform-provider-external/issues/412))
++