Plugin version sourced from build-time ldflags + registry-side semver validation (architecture)

[intel352]

Context

Today every plugin repo carries a duplicated `plugin.json.version` field that must be kept in sync with the git tag. The `sync-plugin-version.yml` workflow opens a PR after each tag to bump the field, but those PRs accumulate (13 stale in `workflow-plugin-digitalocean` alone before sweep 2026-05-23). The whole class of drift is preventable by not committing the version at all.

Proposed direction

Adopt an architecture where:

1. Plugin binary version comes from build-time `-ldflags` at release time. The `version` field is removed from committed `plugin.json`. Plugin contract requires every plugin binary expose its version via a standard symbol (e.g. `pluginsdk.Version()` backed by an `-X` linker var).
2. Registry-side validation rejects publish of any plugin whose version string does not match strict semver (`vN.N.N` or `vN.N.N-prerelease`). Branch-tagged or dirty builds (e.g. `v0.1.0-feat-foo.dirty`) are allowed locally and in test installs but rejected from public registry publish.
3. wfctl grows a publish-gate validation (e.g. `wfctl plugin validate --for-publish`) that performs the same semver check before push to the registry. Local installs / test branches do not trigger the gate.
4. All plugin repos audited to adopt the new approach: drop `plugin.json.version`, ensure goreleaser `-ldflags -X` is wired, ensure plugin binary surfaces version via the contract symbol.
5. `sync-plugin-version.yml` workflow removed from every repo where it currently exists.

Affected surfaces

• workflow (this repo): wfctl validation + plugin contract symbol definition
• workflow-registry: publish-time semver gate
• workflow-plugin-{admin, agent, auth, authz, authz-ui, aws, azure, bento, ci-generator, cloud-ui, compute, cms, data-protection, digitalocean, edge-compute, edge-risk, gcp, github, payments, sandbox, security, supply-chain, tofu, waf, ...}: audit + drop committed version + verify ldflags wiring
• Any plugin repo running `sync-plugin-version.yml`: workflow removal

Why now

Surfaced 2026-05-23 by user when 13 stale sync-PRs piled up in workflow-plugin-digitalocean. Closing those was a sweep; this issue eliminates the root cause.

Acceptance criteria

• Plugin contract documents the version-symbol requirement
• wfctl `plugin validate --for-publish` rejects non-semver versions
• workflow-registry rejects non-semver publishes
• All public plugins migrated; `plugin.json.version` removed; goreleaser ldflags verified
• All private plugins migrated
• `sync-plugin-version.yml` removed from every plugin repo
• One full release cycle on one plugin proves end-to-end (tag → ldflags-baked version → install → contract surface)

Out of scope here

Refer to workflow-plugin-digitalocean#159 for unrelated true-blue/green deploy work.

[intel352]

Design + plan drafted on branch feat/758-plugin-version-ldflag (commit 6d25311).

Design (cycle 3, PASS): docs/plans/2026-05-23-plugin-version-ldflag-design.md — pivoted from cycle-1's full ldflag-replacement (3 Critical) to: keep plugin.json.version field, fix sync mechanism (direct-push or auto-merge), add tag-format semver gate in release.yml + registry, restore ldflag-contract via new sdk.ResolveBuildVersion + IaCServeOptions.BuildVersion + lint script.

Plan (cycle 1 FAIL): docs/plans/2026-05-23-plugin-version-ldflag.md — 26 PRs / 29 tasks drafted. Adversarial cycle 1 found 6 Critical + 9 Important against the plan:

• Audit table factually wrong on 8 of 23 listed plugin repos (missing release pipelines): agent, cms, compute, cloud-ui, data-protection, edge-compute, sandbox, waf
• sdk.Serve (non-IaC plugins) has no WithBuildVersion option; Task 2 only covers IaCServeOptions
• Lint script delivery via curl|bash from main is a supply-chain footgun
• Branch-nature deliverable unmet on go test path (debug.ReadBuildInfo emits no vcs.* in tests)
• Task 2 bridge wiring underspecified
• Hardcoded cmd/plugin/main.go path; actual layout is cmd/workflow-plugin-<name>/main.go for 9 repos

Pausing. Plan-rebuild is a user-intent-line decision (which repos to include in scope; how to handle the gap repos). Awaiting authorization on rework direction. See plan's final section "Plan adversarial cycle 1 — FAIL" for full enumeration.

[intel352]

Pilot complete

Layer 1 + Layer 2 + Layer 3 pilot (5 plugins) all merged 2026-05-23 21:04-21:05Z.

Layer	Repo	PR	Merge SHA
1	workflow	#759	43153f6
2	workflow-registry	#110	940ecc405c
3	workflow-plugin-digitalocean	#165	0568b5b01e
3	workflow-plugin-aws	#26	52f2af5fa7
3	workflow-plugin-gcp	#19	641555b664
3	workflow-plugin-azure	#22	7b02379e46
3	workflow-plugin-github	#19	925e7bfafc

workflow v0.61.0 tagged + released.

Layer 3b sweep (56 remaining plugin repos) tracked in #760 — awaits authorization based on pilot outcome.

Retro: PR #761 (in flight).

Closing once retro PR lands. Layer 3b remains open.

[intel352]

Pilot shipped (5 plugins) + retro merged. Layer 3b sweep tracked separately at #760.