Merged
Conversation
GitOrigin-RevId: fe718a08347d18423354cb344c2facf552aee85f
…r and module (#3958) ## Summary - Add Copybara workflows, GoReleaser config, GPG signing, and GitHub Actions release pipelines to publish the Terraform provider and HCL module to public repos and registries - Provision per-repo GitHub Actions secrets (`OP_RO_TOKEN`, `RELEASE_PAT`) via Terraform, following the existing `homebrew-overmind`/`actions` pattern - Public repos ([terraform-provider-overmind](https://github.com/overmindtech/terraform-provider-overmind), [terraform-overmind-aws-source](https://github.com/overmindtech/terraform-overmind-aws-source)) have been created and seeded with workflow files ## Linear Ticket - **Ticket**: [ENG-2673](https://linear.app/overmind/issue/ENG-2673/phase-5-copybara-and-publishing-for-terraform-provider-and-module) — Phase 5: Copybara and Publishing for Terraform Provider & Module - **Purpose**: Set up the full automated release pipeline from monorepo tags to Terraform/OpenTofu registries - **Plan approval**: [ENG-2674](https://linear.app/overmind/issue/ENG-2674/approve-plan-phase-5-copybara-and-publishing-for-terraform-provider) assigned to Lionel Wilson ## Changes ### Copybara (`copy.bara.sky`) Two new workflows: `terraform-provider` (syncs provider + Go libs with import rewriting) and `terraform-aws-source-module` (syncs HCL module with directory flattening). ### Monorepo sync workflows (`.github/workflows/`) - `terraform-provider-sync.yml` — triggers on `terraform-provider/v*` tags - `terraform-aws-source-module-sync.yml` — triggers on `terraform-aws-source-module/v*` tags ### Provider release files (`aws-source/module/provider/`) - `.goreleaser.yml` — cross-platform builds, zip archives, SHA256 checksums, GPG signing - `terraform-registry-manifest.json` — protocol version 6.0 - `.github/workflows/release.yml` — loads GPG key from 1Password, runs GoReleaser - `.github/workflows/finalize-copybara-sync.yml` — runs `go mod tidy`, creates PR - `.github/workflows/tag-on-merge.yml` — creates version tag on merge ### Module release files (`aws-source/module/terraform/`) - `.github/workflows/finalize-copybara-sync.yml` — creates PR (no `go mod tidy`) - `.github/workflows/tag-on-merge.yml` — creates version tag on merge ### Terraform / secrets - `deploy/1password.tf` — 4 new `github_actions_secret` resources for both public repos - `deploy/variables.tf` — new `terraform_provider_release_pat` and `terraform_module_release_pat` variables - `deploy/.env.op`, `deploy/.github/env/op.local.secret`, `.devcontainer/devcontainer.json` — wire new PAT variables through 1Password and devcontainer ### Provider code - `aws-source/module/provider/main.go` — `const version` changed to `var version = "dev"` for GoReleaser ldflags injection ## Before first release The following manual steps remain (documented in the plan): 1. Create 1Password items: `Terraform Provider Release Github Token`, `Terraform Module Release Github Token`, `Terraform Provider GPG Key` 2. Register GPG public key at registry.terraform.io/settings/gpg-keys 3. After merge, `terraform apply` provisions the repo secrets 4. Push monorepo tags to trigger first automated release 5. Enroll in Terraform Registry and OpenTofu Registry Made with [Cursor](https://cursor.com) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Mostly CI/release automation and secret provisioning changes, but misconfiguration could leak or break release/tagging flows for the public Terraform repos. > > **Overview** > Adds end-to-end **Copybara-based publishing pipelines** for the Terraform provider and AWS source Terraform module, driven by new tag-triggered GitHub Actions workflows (`terraform-provider/v*`, `terraform-aws-source-module/v*`) that sync code to public repos on `copybara/vX.Y.Z` branches. > > Introduces release automation in the provider/module repos: Copybara finalization workflows that open PRs from `copybara/v*`, `tag-on-merge` workflows that create version tags using a `RELEASE_PAT`, and (for the provider) a GoReleaser-based release with GPG-signed checksums plus a Terraform registry manifest; provider `main.go` now uses an ldflags-injected `version` variable. > > Updates `copy.bara.sky` with two new workflows (`terraform-provider`, `terraform-aws-source-module`) and wires new Terraform-managed GitHub Actions secrets/inputs (including new PAT variables) through `deploy/` and the devcontainer to support the public repo automation; ADR index is updated to include newly accepted ADRs. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d3a131760eadca87088922bf8eca86de2c1be730. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 800dbd7acd6e954106b6a2f1125fc7526c0b2634
Re-do https://github.com/overmindtech/workspace/pull/3959 as the change was merged out of order and got lost in rebasing; this depends on https://github.com/overmindtech/workspace/pull/3958 getting merged first. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Documentation and workflow tooling changes only; no runtime code paths or security-sensitive logic are modified. > > **Overview** > Updates Terraform AWS source module documentation and publishing references to use the new registry address `overmindtech/aws-source/overmind`, and adds clearer module development/testing guidance. > > Adds customer-facing docs at `docs.overmind.tech/docs/sources/aws/terraform.md`, expands the module README with import instructions, and introduces `aws-source/module/.cursor/BUGBOT.md` review rules to keep IAM policy changes read-only and Terraform provider errors using `diag.Diagnostics`. > > Enhances `.cursor/commands/open-pull-request.md` to capture an approved plan from Linear tickets and require a PR section explicitly documenting *deviations from the approved plan*. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9356970fb0d18ac929d804484030d0cafa6621f5. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 1a5dc90ab5d93ecf70bf377cf58172a34f763314
<!-- CURSOR_SUMMARY --> > [!NOTE] > **Low Risk** > Mostly administrative/test-stability changes; the only functional impact is allowing Terraform to use AWS provider v5, which could affect users depending on provider features/behavior. > > **Overview** > Adds Functional Source License (FSL 1.1 with Apache 2.0 future license) `LICENSE` files to the AWS provider and Terraform module directories. > > Relaxes the Terraform module’s AWS provider version constraint from `>= 6.0` to `>= 5.0`, and increases `TestCronJobAdapter`’s wait timeout from 60s to 120s to reduce CronJob-related test flakes. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit dcdd0b5c3c96e5b36e65c56be273f3453bf4cd3c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 9039e065ba8843a9059fc64027b21b8f278de48c
DavidS-ovm
approved these changes
Feb 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Copybara Sync - Release v0.1.0
This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.
Original author: David Schmitt (david.schmitt@overmind.tech)
What happens when this PR is merged?
tag-on-mergeworkflow will automatically create thev0.1.0tag on mainReview Checklist