feat(repos): add proxmox iso manager #14
Open
NWarila wants to merge 8 commits into
Conversation
Replaces the bespoke `.github/workflows/terraform.yml` with the unified
caller workflow set used by every consumer of NWarila/terraform-template.
Universal callers (terraform-template SHA bead9a47e36144999de0bfb1b476860d9fad8196):
- pr-validation.yaml (mode: runner — checks out the framework, overlays
repos/, runs `make ci` against the assembled tree)
- template-sync.yaml
- security.yaml
- codeql.yaml
- scorecard.yaml
- release-please.yaml
- auto-merge.yaml
Runner-only caller:
- terraform-deploy.yaml — calls
nwarila-platform/github-terraform-framework's reusable-terraform-deploy
workflow (SHA 2fe1bce). private_repos_source: s3-sync — private repo
YAMLs continue to live in S3 and are pulled at deploy time.
Adds the universal contract scaffolding (LICENSE, README, CHANGELOG,
release-please configs, docs/, policies/opa/, .github/PULL_REQUEST_TEMPLATE.md,
.template-type=runner) and the tests/fixtures/ directory used by
pr-validation as a public-safe overlay during CI.
.gitignore overhauled to deny-all + explicit allowlist style (no `*`
wildcards in allows, satisfying the contract's gitignore:wildcards rule).
Every public repo definition is enumerated by exact path.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
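The deny-all + explicit-allowlist .gitignore style described in the commit has two failure modes worth checking mechanically: an allow line that uses a glob (the contract's gitignore:wildcards rule), and an allow for a nested file whose parent directory is never re-included, which git silently ignores because a file cannot be re-included while its parent directory is excluded. The linter below is an added example, not code from this PR or from the terraform-template contract; the sample .gitignore is constructed, and the gitignore:deny-all and gitignore:parent rule names are this example's own (only gitignore:wildcards is named on the page).

```python
from __future__ import annotations

# Characters that make a .gitignore pattern a glob rather than an exact path.
WILDCARD_CHARS = ("*", "?", "[")

# Constructed sample .gitignore (not the PR's file). Two defects are planted:
# a wildcard allow (docs/**/*.md) and a file allow whose parent directory
# (policies/) is never re-included.
SAMPLE_GITIGNORE = """\
# deny everything, then allowlist by exact path
*
!.gitignore
!.github/
!.github/workflows/
!.github/workflows/pr-validation.yaml
!.github/workflows/terraform-deploy.yaml
!repos/
!repos/Public.yml
!docs/**/*.md
!policies/opa/policy.rego
"""


def _norm(pattern: str) -> str:
    """Strip the '!' prefix, a leading '/' anchor and a trailing '/' so that
    '!/.github/' and '!.github' compare equal."""
    return pattern.lstrip("!").lstrip("/").rstrip("/")


def lint_gitignore(text: str) -> list[str]:
    """Return violations of a deny-all + exact-path allowlist policy.

    Checks (gitignore:wildcards is the contract rule named in the PR; the
    other two names are this example's own):
      gitignore:deny-all   first active pattern must be a bare '*'
      gitignore:wildcards  no '!' allow may contain a glob character
      gitignore:parent     every parent dir of an allowed path must itself
                           be allowed, because git cannot re-include a file
                           whose parent directory is still excluded
    """
    active = [
        (n, line.strip())
        for n, line in enumerate(text.splitlines(), start=1)
        if line.strip() and not line.strip().startswith("#")
    ]
    if not active:
        return ["gitignore:deny-all: no active patterns"]

    violations: list[str] = []
    first_no, first = active[0]
    if first != "*":
        violations.append(
            f"gitignore:deny-all: line {first_no} is {first!r}; expected a bare '*' first"
        )

    allowed = {_norm(p) for _, p in active if p.startswith("!")}
    for n, pat in active:
        if not pat.startswith("!"):
            continue  # extra deny rules after '*' are harmless
        path = _norm(pat)
        if any(c in path for c in WILDCARD_CHARS):
            violations.append(
                f"gitignore:wildcards: line {n} allow {pat!r} contains a glob character"
            )
            continue
        parts = path.split("/")
        for depth in range(1, len(parts)):
            parent = "/".join(parts[:depth])
            if parent not in allowed:
                violations.append(
                    f"gitignore:parent: line {n} allows {pat!r} but {parent + '/'!r} "
                    "is never re-included, so git still ignores it"
                )
                break
    return violations


if __name__ == "__main__":
    for v in lint_gitignore(SAMPLE_GITIGNORE):
        print(v)
```

Run it against the repo's real .gitignore in pr-validation before `make ci`; a non-empty result should fail the job, since a shadowed allow means a workflow or policy file the contract requires is not actually tracked.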
Universal callers across all 6 satellites are now byte-identical:
template-sync.yaml, security.yaml, codeql.yaml, scorecard.yaml,
auto-merge.yaml, release-please.yaml

The release-please dispatch target moves to the RELEASE_DISPATCH_WORKFLOW
repo variable; the workflow file is now identical regardless of whether the
consumer dispatches a follow-on workflow on tag.

Framework pr-validation.yaml is byte-identical across the 3 frameworks
(adopting the path-filter list from proxmox so docs-only changes do not
trigger full Terraform validation).

Runner pr-validation.yaml is byte-identical across the 3 runners and runs
Terraform 1.15.1 to match the framework requirement (the previous 1.14.3
was a latent bug — the framework requires =1.15.1).

Runner terraform-deploy.yaml is byte-identical across the 3 runners;
per-runner deploy specifics move to repo Variables and Secrets:
- vars.PRIVATE_REPOS_SOURCE / PRIVATE_REPOS_S3_URL / PRIVATE_REPOS_FILES
- secrets.AWS_ROLE_TO_ASSUME / AWS_REGION / AWS_S3_BUCKET / *_TOKEN

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps every terraform-template caller workflow to SHA
62ff3607cc7549a3e5a7d63cf201cdfe09e669b3, which introduces the new
universal reusable-release-evidence workflow.

Adds .github/workflows/release-evidence.yaml — the 8th universal caller
required by the new contract. Byte-identical fleet-wide. Generates a
uniform evidence bundle on every release (terraform fmt/init/validate/test
JSON for frameworks; repos/ inventory + framework_ref pin for runners) and
attaches it to the GitHub release.

Drops the `with: dispatch_workflow_on_release` block from
release-please.yaml — the reusable now hardcodes `gh workflow run
release-evidence.yaml` since the caller is universal.

Side effect: the RELEASE_DISPATCH_WORKFLOW repo variable is no longer
referenced anywhere; you can delete it from repo Settings (no behavioral
impact since the value is no longer read).

.gitignore allowlists the new release-evidence.yaml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps every terraform-template caller workflow to SHA
5a9279e0514ab054d89430a4453409213f9f351f, which introduces the new
universal reusable-org-adr-sync workflow.
Adds .github/workflows/org-adr-sync.yaml — the 9th universal caller
required by the contract. Byte-identical fleet-wide. Verifies on each
PR (and weekly on schedule) that docs/decision-records/org/ mirrors
match upstream <owner>/.github byte-for-byte. Drift fails the workflow.
The reusable auto-detects the upstream as
${{ github.repository_owner }}/.github with path docs/decision-records/.
Repos in orgs without an .github repository (or without an ADR baseline)
are no-ops; the contract is satisfied by the caller workflow being
present, not by the upstream existing.
.gitignore allowlists the new file.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
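The byte-for-byte mirror check that org-adr-sync performs, as an added example rather than the reusable workflow's own code: it hashes every file under the consumer's docs/decision-records/org/ and under a local checkout of the upstream .github docs/decision-records/, and reports any missing, extra or differing file. It assumes the upstream has already been fetched to a local directory (how the reusable resolves ${{ github.repository_owner }}/.github is outside this script), that the ADR files carry a .md extension, and that a file present only in the mirror counts as drift; the fixture directories and their contents are constructed.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def _digests(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_drift(mirror: Path, upstream: Path | None) -> list[str]:
    """Return drift findings; an empty list means the mirror is byte-identical.

    A missing upstream directory is a no-op (returns []), matching the
    commit's rule that repos without an org ADR baseline pass. Treating a
    file that exists only in the mirror as drift is this example's
    assumption; the page only says mirrors must match byte-for-byte.
    """
    if upstream is None or not upstream.is_dir():
        return []
    up = _digests(upstream)
    mi = _digests(mirror) if mirror.is_dir() else {}
    findings: list[str] = []
    for rel in sorted(up.keys() | mi.keys()):
        if rel not in mi:
            findings.append(f"missing in mirror: {rel}")
        elif rel not in up:
            findings.append(f"extra in mirror: {rel}")
        elif up[rel] != mi[rel]:
            findings.append(f"content differs: {rel}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed upstream/mirror pair in a temp dir and run the check.

    Returns (findings against the upstream, findings when upstream is absent).
    """
    with tempfile.TemporaryDirectory() as td:
        up, mi = Path(td, "upstream"), Path(td, "mirror")
        up.mkdir()
        mi.mkdir()
        adr1 = "0001-use-architecture-decision-records.md"
        adr2 = "0002-adopt-diataxis-documentation-framework.md"
        adr3 = "0003-use-deny-all-gitignore-strategy.md"
        (up / adr1).write_bytes(b"# ADR-0001\nStatus: Accepted\n")
        (up / adr2).write_bytes(b"# ADR-0002\nStatus: Accepted\n")
        (up / adr3).write_bytes(b"# ADR-0003\nStatus: Accepted\n")
        (mi / adr1).write_bytes(b"# ADR-0001\nStatus: Accepted\n")  # identical
        # adr2 is deliberately absent from the mirror
        (mi / adr3).write_bytes(b"# ADR-0003\r\nStatus: Accepted\r\n")  # CRLF: byte drift
        (mi / "0099-local-only.md").write_bytes(b"not in upstream\n")
        return check_drift(mi, up), check_drift(mi, Path(td, "no-such-upstream"))


if __name__ == "__main__":
    drift, no_upstream = demo()
    print("\n".join(drift) or "mirror is byte-identical")
    print("no upstream ->", no_upstream)
```

Hashing bytes rather than comparing text is deliberate: a CRLF conversion or a trailing-newline change on a mirror is exactly the kind of drift a "byte-identical" contract must catch, and a text-mode comparison would hide it.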
terraform-deploy.yaml is now simpler:
- Drops `private_repos_source` and `private_repos_s3_url` from `with:`.
- Keeps `private_repos_files` as the single per-runner config.
- Bumps to nwarila-platform/github-terraform-framework@40d21e78 which has
  the simplified reusable.

Caller stays byte-identical across all three runners.

Per-repo configuration (one-time): vars.PRIVATE_REPOS_FILES is now a
newline-separated list of FILENAMES (e.g. `Personal.yml`). The reusable
derives the S3 URL automatically from the convention
`s3://<bucket>/<owner-lc>/<repo>/repos/<file>`.

Old vars (no longer read; safe to delete):
- PRIVATE_REPOS_SOURCE
- PRIVATE_REPOS_S3_URL

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
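Once the S3 location is derived from a convention rather than configured explicitly, the only per-runner input is a list of filenames, and that list must be treated as untrusted: an entry such as `../other-runner/repos/Prod.yml` would otherwise resolve into a different runner's prefix in the shared bucket. The function below is an added example of that derivation with input validation, not the reusable-terraform-deploy workflow's code; the function and exception names, the validation rules (bare basename, .yml or .yaml, no glob characters) and the bucket and repository values in the usage are this example's assumptions. Only the owner segment is lowercased, following the `<owner-lc>/<repo>` convention quoted in the commit.

```python
from __future__ import annotations

import posixpath
import re

# A plain filename: starts alphanumeric, then a conservative character set,
# ending in .yml or .yaml. Globs, dotfiles and path separators all fail.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\.ya?ml")


class PrivateReposConfigError(ValueError):
    """Raised when PRIVATE_REPOS_FILES or the repository slug is malformed."""


def derive_s3_urls(private_repos_files: str, bucket: str, repository: str) -> list[str]:
    """Expand a newline-separated list of filenames into S3 object URLs.

    repository is the GITHUB_REPOSITORY form "Owner/repo". Only the owner is
    lowercased, following the <owner-lc>/<repo> convention in the commit
    message; the repo segment is kept as given.
    """
    owner, sep, repo = repository.partition("/")
    if not sep or not owner or not repo or "/" in repo:
        raise PrivateReposConfigError(f"repository must be 'Owner/repo', got {repository!r}")
    urls: list[str] = []
    for raw in private_repos_files.splitlines():
        name = raw.strip()
        if not name or name.startswith("#"):
            continue  # blank lines and comments in the variable are tolerated
        # Reject anything that is not a bare basename. Without this, a value
        # such as "../other-runner/repos/Prod.yml" would resolve to another
        # runner's prefix in the shared bucket.
        if name != posixpath.basename(name) or not _SAFE_NAME.fullmatch(name):
            raise PrivateReposConfigError(
                f"PRIVATE_REPOS_FILES entry {name!r} is not a plain *.yml/*.yaml filename"
            )
        urls.append(f"s3://{bucket}/{owner.lower()}/{repo}/repos/{name}")
    return urls


if __name__ == "__main__":
    # Constructed values: the bucket and repository names are hypothetical.
    for url in derive_s3_urls(
        "Personal.yml\nWork.yaml\n", "example-tf-state", "NWarila/example-runner"
    ):
        print(url)
```

Pair this with an IAM policy on the assumed role that restricts `s3:GetObject` to the runner's own `<owner-lc>/<repo>/repos/*` prefix, so that even a validation bypass in the workflow cannot read another runner's private repo definitions.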
Populates the consumer-side org ADR mirror directory required by the
universal org-adr-sync caller workflow. Files are byte-identical copies of
the org `.github` source (per ADR-0001).

Adds 5 ADR mirrors (or fewer where some were already present):
- 0001 use-architecture-decision-records
- 0002 adopt-diataxis-documentation-framework
- 0003 use-deny-all-gitignore-strategy
- 0004 use-renovate-for-dependency-updates
- 0005 pin-terraform-and-provider-versions-exactly

.gitignore allowlist extended to track them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Drops the path filter on the pull_request trigger so org-adr-sync runs
unconditionally on every PR (not only when the PR touches
docs/decision-records/org or the workflow file itself).

This makes the check suitable as a required status check in branch
protection: branch protection requires status checks to be reported on
every PR, and a path-filtered workflow does not produce a status when the
paths do not match.

After this lands, configure the repo branch protection on main to require
the "Verify org ADR mirrors" check. Drift between this repo
docs/decision-records/org and the upstream owner .github master will then
block merges, not just be visible after the fact.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Validation
auto-generated by Codex