Diógenes Fernandes 9a3db04d28
deps: sha-pin all github actions (#49)
Signed-off-by: Diogenes Fernandes <diofeher@gmail.com>
2026-04-02 11:38:31 -03:00

OpenTofu Scripts

This repository contains a collection of scripts and github actions which are used by OpenTofu to manage and maintain repositories and their contents. The scripts are made to be executed using GitHub Actions.

You opened this repository because you want to...

  • Blacklist a specific terraform-provider-* repository tag because its build is failing for a reason outside of our control: check the last step of sync.yml.
  • Refresh the .github/workflows content of a terraform-provider-* repository: you might need to run ./sh/reset_repos.sh (details in sh/readme.md).
  • Disable newly introduced upstream workflows that we are not interested in on a terraform-provider-* repository: run ./sh/disable_unwanted_workflows.sh (details in sh/readme.md).
  • Fork a new provider on our side:
    • run the fork.yml workflow for that specific upstream repo to fork it into the OpenTofu organisation.
    • run the env.yml workflow for the newly forked repo to set up the build environment with the GPG private key.
    • run the secret.yml workflow for the newly forked repo to configure the secrets other than the GPG-related information.
    • run the reset_repos.sh script to configure the newly forked provider with OpenTofu's specific workflows.
    • run disable_unwanted_workflows.sh to disable all the other workflows in that repo that OpenTofu does not need.

Contents

The repository contains several directories and files:

  • .github/workflows: Contains workflow files for GitHub Actions. These workflows automate various tasks and are either inherited by other repositories or executed directly from this repository. Details below.
  • go: Contains various Go scripts that are executed from different GitHub workflows.
  • sh: Contains various Shell scripts for different operations. Details can be found in sh/readme.md.

The scripts in this repository are designed to work in conjunction with GitHub Actions, an automation feature provided by GitHub. For more information on how to use GitHub Actions, you can refer to the GitHub Actions Cheat Sheet.

How to

Resign All Releases of a provider

Each provider has a GitHub action called Artifacts Resign, which can be executed to resign all releases in that repository. The script executed during the resigning process for a provider can be found here.

Note

Keep in mind GitHub rate limits when executing this action. All repositories use the same PAT, meaning that if the action is executed on all providers at the same time, the request limit of 5000 will be exceeded.

Generate a New Private GPG Key

Warning

EXECUTING THIS WILL ERASE THE CURRENT KEY

Generate a new key using the Run GPG script action. The script accepts inputs for testing, but by default, you should provide:

  • Organization: opentofu
  • Repo: scripts
  • Secret Name: GPG_PRIVATE_KEY (Provide a different value if you do not wish to erase the current key)

After generating a new key, propagate it to all providers by calling Update repository environments and using terraform-provider- as the repository prefix to match.

Check if All Tags Have Releases

Easily check which tags have releases and which do not by using the Check releases GitHub action.

Details on the workflows from this repo

secret.yml

Use this when you want to update or add a secret to a repository that you don't otherwise have access to.

fork.yml

This can fork a repository from another organisation into the OpenTofu organisation.

status.yml

Prints the statuses of the workflows of specified repositories.

check_releases.yml

Checks all the terraform-provider-* repos of the OpenTofu organisation and reports which tags have no release associated with them.

env.yml

Used to create a deployment environment in a newly forked repository that will contain the GPG key necessary for releasing new versions of that provider.

sign.yml

Regenerates the SHA256SUM.sig of all the releases of a provider. Generally this is needed whenever the GPG key of that provider repository is changed.

gpg.yml

This can generate new GPG keys for the provider repositories to use for signing new releases.

Warning

From the looks of it, the lifespan of such keys is hardcoded to 3 years in the gpg script.

As noted in this comment, several days before the 3-year mark we will have to run this to regenerate the keys for the provider repositories. Since OpenTofu allows expired keys for releases, the releases will still be created even if this is forgotten. This means that even if releases end up signed with an expired key, day-to-day activities will not be disrupted.
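An added example (not code from the OpenTofu scripts repository) of the expiry check a maintainer would want to run before the 3-year mark: it parses `gpg --list-keys --with-colons` output and reports, per public key, the whole days left before expiry. The key IDs and timestamps in the sample are constructed; the field layout (field 5 = key ID, field 7 = expiry as epoch seconds) is gpg's documented colon format, assumed here rather than taken from the page.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// KeyExpiryDays parses `gpg --list-keys --with-colons` output and returns, per
// public key ID, the whole days left before expiry at now (negative once
// expired). Keys with no expiry (empty field 7) are omitted. Fields (1-based):
// 1=record type, 5=key ID, 6=created, 7=expires, both as epoch seconds.
func KeyExpiryDays(out string, now time.Time) (map[string]int, error) {
	days := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) < 7 || f[0] != "pub" || f[6] == "" {
			continue // not a primary-key record, or the key never expires
		}
		secs, err := strconv.ParseInt(f[6], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("key %s: bad expiry %q: %w", f[4], f[6], err)
		}
		days[f[4]] = int(time.Unix(secs, 0).Sub(now).Hours() / 24)
	}
	return days, sc.Err()
}

// Constructed sample: a made-up key ID created at 1700000000 and expiring exactly
// 3 years (94608000 s) later, next to a second made-up key that never expires.
const sampleColons = `pub:u:4096:1:0123456789ABCDEF:1700000000:1794608000::u:::scESC::::::23::0:
uid:u::::1700000000::XXXX::Example signer <example@example.invalid>::::::::::0:
pub:u:4096:1:FEDCBA9876543210:1700000000:::u:::scESC::::::23::0:
`

func main() {
	d, err := KeyExpiryDays(sampleColons, time.Now())
	if err != nil {
		panic(err)
	}
	// Only the first key appears; a value of 14 or less is the signal to run gpg.yml.
	fmt.Println("days until expiry per key:", d)
}
```

In practice the input would be the real command's output, for example `gpg --list-keys --with-colons` piped into this parser instead of the embedded sample.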

workflows.yml

This can trigger a workflow in a terraform-provider-* repository. Generally, we don't have access to trigger the workflows manually in those repositories, so we can use this one to do so.

release.yml (template)

Note

This workflow is not meant to be executed directly from this repository but from the terraform-provider-* repositories. If such a repository does not have this workflow, consider running the reset_repos.sh script to add it.

A template workflow used by each provider, via its artifact-release.yml workflow, that creates a new release for the given tag of the repository it runs against.

sync.yml (template)

Note

This workflow is not meant to be executed directly from this repository but from the terraform-provider-* repositories. If such a repository does not have this workflow, consider running the reset_repos.sh script to add it.

A template workflow used by each provider, via its fork_sync.yml workflow, that checks the upstream repository for new tags; for any tag missing on OpenTofu's fork, it creates the tag and triggers the artifact-release.yml workflow for it.

trigger.yml (template)

Note

This workflow is not meant to be executed directly from this repository but from the terraform-provider-* repositories. If such a repository does not have this workflow, consider running the reset_repos.sh script to add it.

A template workflow used by each provider, via its artifact-release-trigger.yml workflow, that is simply another way to trigger the artifact-release.yml workflow for a given tag.

Note

This repository does not accept contributions. It's a collection of scripts used to manage OpenTofu repositories.

Please note that these scripts are specifically tailored for the needs of OpenTofu and may not be suitable for other use cases.