terraform-provider-jamfpro icon indicating copy to clipboard operation
terraform-provider-jamfpro copied to clipboard

Published 20 hours ago verified publisher icon deploymenttheory

[DNM (before settings changes)] auto version bumping & suggested repo settings changes

Open w0de opened this issue 6 months ago • 1 comments

This PR should not be merged before several changes are made to the repo's settings.

Changes

  • Adds an auto-version bump job to release.yml. Uses mathieudutour/github-tag-action.
  • Adds two triggers to same workflow: on pushes to main and release branches.
  • Adds an environment: value to the Terraform Provider Release job. This makes the job a Github Deployment.
  • Adds releases documentation to README.
  • Adds yamllint step to lint job; adds permissive yamllint config; fixes some yamllint'd issues in various yamls.

Required settings changes

  • Create a new environment (Settings -> Environments) named 'terraform registry'. Set 'Deployment branches and tags' to 'Protected branches only': Screenshot 2024-08-14 at 6 45 45 PM

  • This will restrict the Terraform Provider job from ever running - that is, deploying to 'hashicorp registry' - on an unprotected branch.

  • Set the main branch as protected (Settings -> Branches) (believe it already is).

  • Create a release branch and protect it similarly - but also restrict admins' ability to evade protection w/ a force push.

How this will change release & dev flows

In this design, every time you merge a PR with main, a new prerelease will be automatically built and deployed to the Terraform Registry (provided tests.yml passes). When you're ready to make a full release, open a PR main->release. Admins can still push their changes directly to main, but doing so should be done more judiciously.

Tag pushes can still be used to manually create a release from any branch (but deployment will fail if the branch is not protected). The auto version bump is skipped in these cases.

Some possible variations on this design

  • You may optionally enable 'Required reviewers' for the 'terraform registry' environment. This will prevent the release job from proceeding until approved.
  • We can create a prerelease branch instead of deploying main. This would allow folks to continue to commit to main - and permit manual releases from main w/ version tag - while still at least notionally locking down releases.
  • Or just use the release branch, and never deploy prereleases or releases from main or any other branch (save when a protected branch is tagged).

If any of these - or any other delta - seems better to y'all, let me know and I'll amend this patch accordingly.

w0de avatar Aug 15 '24 01:08 w0de