From d0f31e442e8ea738fa54f9e865aebde4af7af3b5 Mon Sep 17 00:00:00 2001
From: Jon Langevin
Date: Sun, 17 May 2026 00:55:06 -0400
Subject: [PATCH 1/2] ci: add workflow_dispatch escape hatch to sync-plugin-version.yml

Defensive fix for the failure mode surfaced by workflow-plugin-aws#18: sync-plugin-version.yml did not fire on a v1.2.0 tag push despite the matching `tags: ['v*']` trigger that worked on v1.1.0. Root cause was not identified (likely transient GitHub Actions backend hiccup); the workaround was a manual one-line plugin.json sync PR. This change adds a workflow_dispatch trigger taking a tag input so the sync workflow can be manually re-fired when the push-tag trigger silently no-ops. The same patch is being applied across all 4 IaC plugin repos (aws/gcp/azure/digitalocean) since they share the workflow file pattern. The push-tag trigger path is unchanged; the manual dispatch path uses `inputs.tag` and falls back to `github.ref_name` otherwise via the `inputs.tag || github.ref_name` expression. Closes workflow-plugin-aws#18 (defensive fix; no root cause identified).
---
 .github/workflows/sync-plugin-version.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/sync-plugin-version.yml b/.github/workflows/sync-plugin-version.yml
index f74f8a9..b64a40a 100644
--- a/.github/workflows/sync-plugin-version.yml
+++ b/.github/workflows/sync-plugin-version.yml
@@ -2,6 +2,12 @@ name: Sync plugin.json version
 on:
 push:
 tags: ['v*']
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: 'Tag to sync plugin.json to (e.g. v1.2.0). Escape hatch when push-tag trigger did not fire — see workflow-plugin-aws#18.'
+ required: true
+ type: string
 permissions:
 contents: write
 pull-requests: write
@@ -17,7 +23,7 @@ jobs:
 - name: Compute target version from tag
 id: ver
 run: |
- TAG="${GITHUB_REF_NAME}"
+ TAG="${{ inputs.tag || github.ref_name }}"
 VERSION="${TAG#v}"
 echo "version=$VERSION" >> $GITHUB_OUTPUT
 echo "tag=$TAG" >> $GITHUB_OUTPUT
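Review bot: The new `tag` input is declared `required: true` with `type: string`, but nothing in the trigger explains that the `github.ref_name` fallback used later in the file is only meaningful on the push path — on a manual run `github.ref_name` is the ref the workflow was dispatched from (usually `main`), not a tag, so any way the input could arrive empty would make the job continue with a branch name as the "tag". Whether an empty string can get past `required: true` via the REST API is not visible here; the follow-up patch's regex check would reject such a value, but a short comment on the input keeps the intent clear: `# Only meaningful for manual runs; on push the workflow uses github.ref_name instead.` The `on:` block is shown in full, but the rest of the workflow lies outside this hunk.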
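Review bot: `TAG="${{ inputs.tag || github.ref_name }}"` substitutes the expression into the script text before bash parses it, so a tag name or dispatch input containing a double quote is no longer a string value but part of the script; `inputs.*` and `github.ref_name` are on GitHub's own list of contexts that must not be interpolated into `run:`. Pass the value through the environment instead, which makes it an ordinary variable with bash's quoting: add to the step `env:` / `TAG_INPUT: ${{ inputs.tag || github.ref_name }}` and change the line to `TAG="$TAG_INPUT"`. The Validate step added in PATCH 2/2 uses the same interpolation and needs the same change; the regex there runs only after the substitution has already happened, so it cannot close this gap on its own. The `ver` step's body and the enclosing job continue outside the hunk.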
From 318283fd03ab6a45481ca91325e71552b0dd1f52 Mon Sep 17 00:00:00 2001
From: Jon Langevin
Date: Sun, 17 May 2026 01:08:53 -0400
Subject: [PATCH 2/2] ci: add tag-format validation + restore downloads-update (DO only)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses Copilot findings on the workflow_dispatch escape-hatch PR:
- Add explicit tag regex validation (^vN.N.N(-suffix)?$) before any shell/Python interpolation — addresses 3 shell-injection inlines raised by Copilot across the 4 plugin PRs (gcp #12 line 26, DO #122 lines 29 + 43, aws #19 line 26).
- DO only: restore the downloads[*].url update block that the prior push clobbered. DO has a regression-gate test TestSyncPluginVersionWorkflowUpdatesDownloads asserting the python block updates dl['url'] per release tag.
- aws/gcp/azure: NOT adding downloads-update because their goreleaser binary naming convention differs (`{name}_{version}_{goos}_{goarch}` vs DO's `{name}-{goos}-{goarch}`) — would create broken URLs. The downloads[] staleness is cosmetic; workflow-registry has authoritative download URLs.
---
 .github/workflows/sync-plugin-version.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/sync-plugin-version.yml b/.github/workflows/sync-plugin-version.yml
index b64a40a..12400c4 100644
--- a/.github/workflows/sync-plugin-version.yml
+++ b/.github/workflows/sync-plugin-version.yml
@@ -20,6 +20,13 @@ jobs:
 ref: main
 fetch-depth: 0
 token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Validate tag format
+ run: |
+ TAG="${{ inputs.tag || github.ref_name }}"
+ if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
+ echo "::error::Invalid tag format: $TAG (expected vN.N.N or vN.N.N-suffix)"
+ exit 1
+ fi
 - name: Compute target version from tag
 id: ver
 run: |
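Review bot: The Validate step checks `TAG` and then discards it, so the `Compute target version from tag` step that follows (its `run: |` opens at the end of the hunk) re-evaluates `${{ inputs.tag || github.ref_name }}` on its own; the value the rest of the job uses is therefore not the value that was validated, and the two expressions can drift. Define it once at job level, `env:` / `TAG: ${{ inputs.tag || github.ref_name }}`, and have both steps read `"$TAG"` — that also keeps the raw input out of the script text, which the regex cannot protect against because the substitution occurs before bash ever reaches the `[[` test. Since the regex needs no repository content, this step belongs before `actions/checkout` (the `fetch-depth: 0` context lines just above show a full-history clone) so a malformed tag fails without that cost. The job and the compute step continue outside the hunk.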