[ENG-2673] Add Copybara and publishing pipeline for Terraform provider and module (#3958)

DavidS-ovm · actions-user · commit 04ac8adcb7af · 2026-02-20T19:41:59.000Z
## Summary - Add Copybara workflows, GoReleaser config, GPG signing, and GitHub Actions release pipelines to publish the Terraform provider and HCL module to public repos and registries - Provision per-repo GitHub Actions secrets (`OP_RO_TOKEN`, `RELEASE_PAT`) via Terraform, following the existing `homebrew-overmind`/`actions` pattern - Public repos ([terraform-provider-overmind](https://github.com/overmindtech/terraform-provider-overmind), [terraform-overmind-aws-source](https://github.com/overmindtech/terraform-overmind-aws-source)) have been created and seeded with workflow files ## Linear Ticket - **Ticket**: [ENG-2673](https://linear.app/overmind/issue/ENG-2673/phase-5-copybara-and-publishing-for-terraform-provider-and-module) — Phase 5: Copybara and Publishing for Terraform Provider & Module - **Purpose**: Set up the full automated release pipeline from monorepo tags to Terraform/OpenTofu registries - **Plan approval**: [ENG-2674](https://linear.app/overmind/issue/ENG-2674/approve-plan-phase-5-copybara-and-publishing-for-terraform-provider) assigned to Lionel Wilson ## Changes ### Copybara (`copy.bara.sky`) Two new workflows: `terraform-provider` (syncs provider + Go libs with import rewriting) and `terraform-aws-source-module` (syncs HCL module with directory flattening). ### Monorepo sync workflows (`.github/workflows/`) - `terraform-provider-sync.yml` — triggers on `terraform-provider/v*` tags - `terraform-aws-source-module-sync.yml` — triggers on `terraform-aws-source-module/v*` tags ### Provider release files (`aws-source/module/provider/`) - `.goreleaser.yml` — cross-platform builds, zip archives, SHA256 checksums, GPG signing - `terraform-registry-manifest.json` — protocol version 6.0 - `.github/workflows/release.yml` — loads GPG key from 1Password, runs GoReleaser - `.github/workflows/finalize-copybara-sync.yml` — runs `go mod tidy`, creates PR - `.github/workflows/tag-on-merge.yml` — creates version tag on merge ### Module release files (`aws-source/module/terraform/`) - `.github/workflows/finalize-copybara-sync.yml` — creates PR (no `go mod tidy`) - `.github/workflows/tag-on-merge.yml` — creates version tag on merge ### Terraform / secrets - `deploy/1password.tf` — 4 new `github_actions_secret` resources for both public repos - `deploy/variables.tf` — new `terraform_provider_release_pat` and `terraform_module_release_pat` variables - `deploy/.env.op`, `deploy/.github/env/op.local.secret`, `.devcontainer/devcontainer.json` — wire new PAT variables through 1Password and devcontainer ### Provider code - `aws-source/module/provider/main.go` — `const version` changed to `var version = "dev"` for GoReleaser ldflags injection ## Before first release The following manual steps remain (documented in the plan): 1. Create 1Password items: `Terraform Provider Release Github Token`, `Terraform Module Release Github Token`, `Terraform Provider GPG Key` 2. Register GPG public key at registry.terraform.io/settings/gpg-keys 3. After merge, `terraform apply` provisions the repo secrets 4. Push monorepo tags to trigger first automated release 5. Enroll in Terraform Registry and OpenTofu Registry Made with [Cursor](https://cursor.com)  --- > [!NOTE] > **Medium Risk** > Mostly CI/release automation and secret provisioning changes, but misconfiguration could leak or break release/tagging flows for the public Terraform repos. > > **Overview** > Adds end-to-end **Copybara-based publishing pipelines** for the Terraform provider and AWS source Terraform module, driven by new tag-triggered GitHub Actions workflows (`terraform-provider/v*`, `terraform-aws-source-module/v*`) that sync code to public repos on `copybara/vX.Y.Z` branches. > > Introduces release automation in the provider/module repos: Copybara finalization workflows that open PRs from `copybara/v*`, `tag-on-merge` workflows that create version tags using a `RELEASE_PAT`, and (for the provider) a GoReleaser-based release with GPG-signed checksums plus a Terraform registry manifest; provider `main.go` now uses an ldflags-injected `version` variable. > > Updates `copy.bara.sky` with two new workflows (`terraform-provider`, `terraform-aws-source-module`) and wires new Terraform-managed GitHub Actions secrets/inputs (including new PAT variables) through `deploy/` and the devcontainer to support the public repo automation; ADR index is updated to include newly accepted ADRs. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d3a131760eadca87088922bf8eca86de2c1be730. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  GitOrigin-RevId: 800dbd7acd6e954106b6a2f1125fc7526c0b2634
diff --git a/.github/workflows/finalize-copybara-sync.yml b/.github/workflows/finalize-copybara-sync.yml
@@ -0,0 +1,84 @@
+name: Finalize Copybara Sync
+
+on:
+  push:
+    branches:
+      - 'copybara/v*'
+
+concurrency:
+  group: copybara-sync-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  finalize:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Extract version from branch name
+        id: version
+        run: |
+          VERSION=$(echo "$GITHUB_REF" | sed 's|refs/heads/copybara/||')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+
+      - name: Extract original commit author
+        id: author
+        run: |
+          AUTHOR_EMAIL=$(git log -1 --format='%ae' --author='^(?!.*actions@github.com)' --perl-regexp 2>/dev/null || git log -1 --format='%ae')
+          AUTHOR_NAME=$(git log -1 --format='%an' --author='^(?!.*actions@github.com)' --perl-regexp 2>/dev/null || git log -1 --format='%an')
+          echo "email=$AUTHOR_EMAIL" >> $GITHUB_OUTPUT
+          echo "name=$AUTHOR_NAME" >> $GITHUB_OUTPUT
+
+          if [[ "$AUTHOR_EMAIL" =~ ^([^@]+)@users\.noreply\.github\.com$ ]]; then
+            GITHUB_USER=$(echo "${BASH_REMATCH[1]}" | sed 's/^[0-9]*+//')
+            echo "github_user=$GITHUB_USER" >> $GITHUB_OUTPUT
+          else
+            echo "github_user=" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Pull Request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.version.outputs.version }}
+          AUTHOR_NAME: ${{ steps.author.outputs.name }}
+          AUTHOR_EMAIL: ${{ steps.author.outputs.email }}
+          GITHUB_USER: ${{ steps.author.outputs.github_user }}
+        run: |
+          PR_BODY="## Copybara Sync - Release ${VERSION}
+
+          This PR was automatically created by Copybara, syncing changes from the [overmindtech/workspace](https://github.com/overmindtech/workspace) monorepo.
+
+          **Original author:** ${AUTHOR_NAME} (${AUTHOR_EMAIL})
+
+          ### What happens when this PR is merged?
+
+          1. The \`tag-on-merge\` workflow will automatically create the \`${VERSION}\` tag on main
+          2. Terraform Registry will detect the tag via webhook and publish the module
+
+          ### Review Checklist
+
+          - [ ] Changes look correct and match the expected monorepo sync
+          "
+
+          PR_URL=$(gh pr create \
+            --base main \
+            --head "${{ github.ref_name }}" \
+            --title "Release ${VERSION}" \
+            --body "$PR_BODY")
+
+          echo "Created PR: $PR_URL"
+
+          if [ -n "$GITHUB_USER" ]; then
+            echo "Requesting review from original author: $GITHUB_USER"
+            gh pr edit "$PR_URL" --add-reviewer "$GITHUB_USER" || true
+          fi
+
+          echo "Requesting review from Engineering team"
+          gh pr edit "$PR_URL" --add-reviewer "overmindtech/Engineering" || true
diff --git a/.github/workflows/tag-on-merge.yml b/.github/workflows/tag-on-merge.yml
@@ -0,0 +1,52 @@
+name: Tag Release on Merge
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+
+jobs:
+  tag-release:
+    if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'copybara/v')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Extract version from branch name
+        id: version
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          VERSION=$(echo "$BRANCH" | sed 's|copybara/||')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Extracted version: $VERSION"
+
+      - uses: actions/checkout@v6
+        with:
+          ref: main
+          fetch-depth: 0
+          token: ${{ secrets.RELEASE_PAT }}
+
+      - name: Configure Git
+        run: |
+          git config user.name "GitHub Actions Bot"
+          git config user.email "actions@github.com"
+
+      - name: Create and push tag
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          echo "Creating tag: $VERSION"
+          git tag "$VERSION"
+          git push origin "$VERSION"
+          echo "Successfully pushed tag $VERSION"
+
+      - name: Delete copybara branch
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          echo "Deleting branch: $BRANCH"
+          git push origin --delete "$BRANCH" || echo "Branch may have already been deleted"
