feat: migrate workflow-plugin-aws to strict gRPC proto contracts

[Copilot]

Migrates this plugin from the legacy capabilities-array manifest and map-only module boundaries to the canonical Workflow strict gRPC contract shape, resolving the legacy_plugin_manifest audit finding and surfacing contract shape issues at compile/startup time rather than runtime.

SDK upgrade: workflow v0.3.56 → v0.19.2

Unlocks sdk.ContractProvider, sdk.TypedModuleProvider, sdk.TypedModuleFactory, and pb.ContractRegistry. Also requires satisfying two new interfaces.IaCProvider methods (SupportedCanonicalKeys, BootstrapStateBackend) and one new interfaces.ResourceDriver method (SensitiveKeys).

Proto contract: AWSProviderConfig

• internal/contracts/aws.proto — defines workflow.plugins.aws.v1.AWSProviderConfig (region, access_key_id, secret_access_key, ecs_cluster)
• internal/contracts/aws.pb.go — generated via protoc

Plugin contract wiring (internal/plugin.go)

awsPlugin now implements:

• sdk.TypedModuleProvider — unpacks and validates the AWSProviderConfig Any payload before constructing the module; maps typed fields to the existing legacy map[string]any config path; rejects partial static credential pairs (supplying only one of access_key_id/secret_access_key returns an error rather than silently falling back to ambient AWS credentials)
• sdk.ContractProvider — returns CONTRACT_MODE_STRICT_PROTO descriptor for iac.provider with the embedded file descriptor set

The module type string "iac.provider" is extracted to a moduleTypeIaCProvider package-level constant, used across ModuleTypes, TypedModuleTypes, CreateModule, CreateTypedModule, and ContractRegistry to prevent names drifting across sites.

func (p *awsPlugin) ContractRegistry() *pb.ContractRegistry {
    return &pb.ContractRegistry{
        Contracts: []*pb.ContractDescriptor{{
            Kind:          pb.ContractKind_CONTRACT_KIND_MODULE,
            ModuleType:    moduleTypeIaCProvider,
            ConfigMessage: "workflow.plugins.aws.v1.AWSProviderConfig",
            Mode:          pb.ContractMode_CONTRACT_MODE_STRICT_PROTO,
        }},
        FileDescriptorSet: &descriptorpb.FileDescriptorSet{
            File: []*descriptorpb.FileDescriptorProto{
                protodesc.ToFileDescriptorProto(contracts.File_internal_contracts_aws_proto),
            },
        },
    }
}

Manifest updates

• plugin.json — migrated from "capabilities": [...] array to canonical "capabilities": {"moduleTypes": [...], "stepTypes": [], "triggerTypes": []} object; added minEngineVersion, type, tier, and other discovery fields; added downloads entries for all release platforms (linux/darwin/windows × amd64/arm64) required by wfctl external-plugin validation
• plugin.contracts.json (new) — static strict contract declaration for wfctl plugin validate --strict-contracts

Interface compliance fixes

• drivers/helpers.go — adds noSensitiveKeys zero-size mixin; embedded in all 13 driver structs to satisfy the new ResourceDriver.SensitiveKeys() method
• provider/provider.go — adds SupportedCanonicalKeys() (returns the full interfaces.CanonicalKeys() set plus the AWS-specific keys access_key_id, secret_access_key, and ecs_cluster) and BootstrapStateBackend() (intentional no-op — AWS state backend management is out of scope for this provider module)

CI: strict contract validation

• .github/workflows/ci.yml — adds a wfctl-strict-contracts job that runs go run github.com/GoCodeAlone/workflow/cmd/wfctl@v0.20.1 plugin validate --file plugin.json --strict-contracts on every PR and push to main; uses go-version-file: go.mod and permissions: contents: read

Release automation

• .goreleaser.yaml — adds a before.hooks sed step (with proper semver regex [0-9]+\.[0-9]+\.[0-9]+) to update the downloads URLs in plugin.json to match the release version at build time; adds plugin.contracts.json to the release archive so downloaded plugins include the strict-contract declaration required by wfctl plugin validate --strict-contracts

Test improvements

• internal/plugin_test.go — TestTypedModuleProviderRejectsWrongType tests both the unknown-module-type branch and a valid module type with a mismatched proto payload (wrapperspb.String); pluginTypedModuleTypes() derives the module type list from TypedModuleTypes() at runtime (avoids drift); TestTypedModuleProviderConfigMapsToLegacyModule asserts secret_access_key survives the typed-to-legacy mapping; TestPluginManifestModuleTypesInSync verifies plugin.json capabilities.moduleTypes exactly matches runtime TypedModuleTypes(); TestTypedModuleProviderRejectsPartialCredentials covers all four cases of the credential-pair validation
• provider/provider_test.go — TestAWSProvider_SupportedCanonicalKeys verifies both the full canonical key set and the AWS-specific keys are present; TestAWSProvider_BootstrapStateBackend covers the no-op state backend method

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[intel352]

@copilot This PR currently has 0 changed files, so the assigned task is not implemented yet. Please continue the original issue task using Claude Sonnet 4.6: make the required Workflow strict-contract or downstream dependency updates, push actual code/config/doc changes to this PR branch, run the requested validation, and update the PR body with the validation results. Do not leave this as an empty PR.

[Copilot]

@copilot This PR currently has 0 changed files, so the assigned task is not implemented yet. Please continue the original issue task using Claude Sonnet 4.6: make the required Workflow strict-contract...

The implementation was already pushed in commit 51fe00f — the comment was posted just before that commit landed. The PR now has 23 changed files.

Validation results (commit 51fe00f):

$ go test ./...
ok  github.com/GoCodeAlone/workflow-plugin-aws/drivers   0.030s
ok  github.com/GoCodeAlone/workflow-plugin-aws/internal  0.034s
ok  github.com/GoCodeAlone/workflow-plugin-aws/provider  0.019s

$ go test -race ./...
ok  github.com/GoCodeAlone/workflow-plugin-aws/drivers   1.145s
ok  github.com/GoCodeAlone/workflow-plugin-aws/internal  1.072s
ok  github.com/GoCodeAlone/workflow-plugin-aws/provider  1.094s

$ go vet ./...   (exit 0)
$ go mod tidy    (no diff)
$ go build ./cmd/workflow-plugin-aws/   (exit 0)

Summary of changes:

• Upgraded github.com/GoCodeAlone/workflow v0.3.56 → v0.19.0 (adds ContractProvider, TypedModuleProvider, ContractRegistry)
• Added internal/contracts/aws.proto + generated aws.pb.go with workflow.plugins.aws.v1.AWSProviderConfig
• Extended internal/plugin.go to implement sdk.TypedModuleProvider and sdk.ContractProvider
• Created plugin.contracts.json (strict contract declaration for wfctl plugin validate --strict-contracts)
• Migrated plugin.json from legacy capabilities-array to canonical capabilities-object format
• Added noSensitiveKeys mixin to all 13 ResourceDriver structs (new interface requirement in v0.19.0)
• Added SupportedCanonicalKeys() and BootstrapStateBackend() to AWSProvider (new IaCProvider interface methods in v0.19.0)
• Added internal/plugin_test.go with contract registry and typed module provider tests

[intel352]

@copilot Add this as part of the PR scope: include or update a GitHub Actions PR check that validates strict Workflow plugin contracts. The check should fail when plugin.json is missing and should run the current Workflow CLI strict validation, for example:

name: wfctl strict contracts
on:
  pull_request:
  push:
    branches: [main, master]

jobs:
  wfctl-strict-contracts:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Validate strict plugin contracts
        run: go run github.com/GoCodeAlone/workflow/cmd/wfctl@v0.20.1 plugin validate --file plugin.json --strict-contracts

Adjust branch filters and Go setup to match this repository. If the repo uses an existing CI workflow, add this as a job there instead of creating duplicate workflow clutter. Include the check result in the PR validation notes.

[intel352]

@copilot please try again using Claude Sonnet 4.6.

Continue the original task for this PR. Make sure the PR is not left empty, add or update strict gRPC contract descriptors as applicable, add a PR check that runs wfctl strict validation, run the repository tests, and keep this PR ready for review with Copilot assigned as reviewer.

[Copilot]

@copilot please try again using Claude Sonnet 4.6.

Continue the original task for this PR. Make sure the PR is not left empty, add or update strict gRPC contract descriptors as applicable, add a PR c...

Done in commit b6f5b10. The wfctl-strict-contracts job has been added to the existing .github/workflows/ci.yml (not a new workflow file) and runs on every PR and push to main. It uses go-version-file: go.mod to match the repo's Go version, and a permissions: contents: read block per security best practice. All existing tests still pass (go test -race ./... — exit 0).

[Copilot]

Pull request overview

Copilot reviewed 23 out of 24 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[intel352]

@copilot please continue this PR using Claude Sonnet 4.6 and address the remaining merge gates.

Current gate state I see:

• pending checks: 0
• failing checks: 1
• unresolved review threads: 6
• passing wfctl strict check present: false

Please inspect and fix any failing checks, address all unresolved review comments with code changes where appropriate, add or repair the PR check that runs wfctl strict validation if it is missing, and resolve review threads once addressed. Keep the PR ready for review with Copilot requested as reviewer.

[Copilot]

Pull request overview

Copilot reviewed 23 out of 24 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@copilot please continue this PR using Claude Sonnet 4.6 and address the remaining merge gates.

Current gate state I see:...

All merge gates addressed in commits abe928e and afcb933:

Failing check fixed: plugin.json now includes downloads entries for all 6 goreleaser platforms — wfctl plugin validate --file plugin.json --strict-contracts passes locally (exit 0). The goreleaser hooks were also updated with a proper semver sed pattern to keep download URLs in sync on each release.

All 6 review threads resolved:

• TestTypedModuleProviderRejectsWrongType: now tests both the unknown-module-type branch and a valid module type with a wrong proto payload (wrapperspb.String instead of AWSProviderConfig)
• awsModuleTypes: replaced package-init var with a lazy pluginTypedModuleTypes() function that calls NewAWSPlugin().(sdk.TypedModuleProvider).TypedModuleTypes() — drifting the runtime list will now break the test
• TestTypedModuleProviderConfigMapsToLegacyModule: added secret_access_key assertion
• SupportedCanonicalKeys doc: now accurately says "AWS-specific IaC config keys: region, access_key_id, secret_access_key, ecs_cluster"
• BootstrapStateBackend doc: now clearly documents the intentional no-op and why
• provider_test.go: TestAWSProvider_SupportedCanonicalKeys and TestAWSProvider_BootstrapStateBackend added

All tests pass (go test -race ./... exit 0), go vet clean, CodeQL shows 0 alerts.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/GoCodeAlone/workflow/releases/latest
  • Triggering command: /tmp/go-build2827238224/b001/exe/wfctl /tmp/go-build2827238224/b001/exe/wfctl plugin validate --file /tmp/test-plugin.json -c=4 -nolocalimports -importcfg /tmp/go-build2827238224/b1733/importcfg -pack /home/REDACTED/go/pkg/mod/github.com/gobwas/glob@v0.2.3/compiler/compiler.go ux-amd64/pkg/too-m64 s-th�� e.go .go 0.1-go1.26.2.lin-I -I (http block)
  • Triggering command: /home/REDACTED/.cache/go-build/ef/efb54074651a00807ca6acae5b13cc1cbbd98ba77bb72920edb41cd4ba80d1a2-d/wfctl /home/REDACTED/.cache/go-build/ef/efb54074651a00807ca6acae5b13cc1cbbd98ba77bb72920edb41cd4ba80d1a2-d/wfctl plugin validate --file /tmp/test-plugin2.json --strict-contracts -nolocalimports -importcfg /tmp/go-build2827238224/b1789/importcfg -pack /home/REDACTED/go/pkg/mod/github.com/cucumber/godog@v0.15.1/internal/tags/tag_filter.go ux-amd64/pkg/too-I rg/x�� e.go serializer/negot--64 ux-amd64/pkg/tool/linux_amd64/compile . -plane/envoy/adm-o mpile ux-amd64/pkg/too-trimpath (http block)
  • Triggering command: /home/REDACTED/.cache/go-build/ef/efb54074651a00807ca6acae5b13cc1cbbd98ba77bb72920edb41cd4ba80d1a2-d/wfctl /home/REDACTED/.cache/go-build/ef/efb54074651a00807ca6acae5b13cc1cbbd98ba77bb72920edb41cd4ba80d1a2-d/wfctl plugin validate --file plugin.json --strict-contracts 2818551/b054/vetgithub.com/tochemey/olric/internal/kvstore/table 0.1-go1.26.0.lin-lang=go1.26 -p cloud.google.com-atomic t 0.1-go1.26.0.lin-buildtags (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Copilot reviewed 25 out of 26 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 25 out of 26 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[intel352]

@copilot apply changes based on the comments in this thread

Also resolve merge conflicts.

[Copilot]

@copilot apply changes based on the comments in this thread

Also resolve merge conflicts.

Done in commits f439b52 and b99536a (+ readability fix f4c9974):

Merge conflicts resolved: go.mod and go.sum conflicts resolved (upgraded to workflow v0.19.2 from main); duplicate SupportedCanonicalKeys/BootstrapStateBackend methods produced by auto-merge were consolidated.

Review thread items addressed:

• iac.provider hard-coded in 6 places → extracted to moduleTypeIaCProvider constant in internal/plugin.go
• Partial static credential pair → CreateTypedModule now returns an error if only one of access_key_id/secret_access_key is set (TestTypedModuleProviderRejectsPartialCredentials covers all four cases)
• plugin.contracts.json not in release archives → added to .goreleaser.yaml archives.files
• plugin.json module types not verified against runtime → TestPluginManifestModuleTypesInSync added (reads plugin.json, compares capabilities.moduleTypes against TypedModuleTypes())
• SupportedCanonicalKeys implementation gap → now returns interfaces.CanonicalKeys() + AWS-specific keys (access_key_id, secret_access_key, ecs_cluster); test updated accordingly

All tests pass (go test -race ./... exit 0), CodeQL clean.