diff --git a/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep-design.md b/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep-design.md new file mode 100644 index 00000000..ee5bc9c6 --- /dev/null +++ b/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep-design.md 
@@ -0,0 +1,233 @@ +# Post-cloud-SDK Plugin Ecosystem Sweep — Design + +**Status:** Draft +**Date:** 2026-05-16 +**Operator:** Jon (autonomous-mode mandate 2026-05-16: "continue with follow-ups, you'll probably need a new brainstorm/design pass before implementation to ensure the accuracy of your plans. continue autonomously") +**Related:** GoCodeAlone/workflow#656 (umbrella tracking issue), [[project_cloud_sdk_extraction_complete]] (just-shipped predecessor work), ADR 0034 (cross-repo autonomous plugin work), ADR 0039 (strict-contracts c1 ruling — plan-2 plugin shipping pattern) + +## Goal + +Bump 15 lagging plugin repos from workflow `v0.51.6/v0.51.7/pseudo-version` pins → `v0.53.1` so the entire plugin ecosystem is current with the post-cloud-SDK-extraction workflow tag. Mechanical sweep — no API redesign, no SDK extension. Closes the `engine pin sweep` half of `workflow#656` (which itself was anchored to v0.52.x and has stale inventory; this sweep updates + supersedes #656's table — first PR description leaves a comment on #656 noting supersession). Defers the `host conformance` half (gcp #6 + azure #4) and the `v2 action lifecycle migration` (#640) to separate design passes. + +## Architecture + +Per-plugin parallel PRs across 15 repos. Each PR is single-task: bump `go.mod` workflow pin → `v0.53.1` + `GOWORK=off go mod tidy` + verify build + verify tests + bump `plugin.json minEngineVersion` to `"0.53.0"` (tested-floor semantic — see Assumptions #4) + cut new patch/minor tag + release. + +15-PR cluster, one PR per plugin repo. **One ordering constraint**: `workflow-plugin-authz` MUST tag + release BEFORE `workflow-plugin-agent` PR runs because `agent`'s `go.mod` directly imports `workflow-plugin-authz v0.2.2`; bumping agent's workflow pin to v0.53.1 forces MVS resolution of authz against v0.53.1's API surface, which fails unless authz also has a v0.53.1-compatible release. 
**Mitigation**: authz PR runs in the first wave; agent's PR (wave 2) gets a DUAL-BUMP commit (`workflow → v0.53.1` AND `workflow-plugin-authz v0.2.2 → v0.5.4` in the SAME `go.mod` change — `go mod tidy` will NOT auto-upgrade authz since workflow's own go.mod doesn't import authz, so no MVS forcing function exists. Implementer must add the authz line explicitly.). + +``` +wave 1 (parallel — no deps): PR1 payments PR2 audit-chain PR3 tofu + PR4 ci-generator PR5 github PR6 gitlab + PR7 azure PR8 admin PR9 bento PR10 authz-ui + PR11 authz PR12 eventbus PR13 security PR14 supply-chain + +wave 2 (after authz tag in wave 1): PR15 agent (DUAL-BUMP: workflow + authz) +``` + +Cloud-sdk-bcd team has 3 implementers; 15 PRs ÷ 3 = 5 PRs per implementer. Each PR is single-commit + tag (small per-PR scope), so total team session load is bounded by review throughput rather than per-PR complexity. + +### Self-hosted runner dependency (4 of 15 plugins) + +`workflow-plugin-tofu`, `workflow-plugin-authz-ui`, `workflow-plugin-security`, `workflow-plugin-supply-chain` ALL use `runs-on: [self-hosted, Linux, X64]` in their release workflows. authz-ui specifically requires self-hosted for `GOPRIVATE: github.com/GoCodeAlone/*` fetch via `RELEASES_TOKEN`. The GoCodeAlone org runners (AM5GamingRig, AM5GamingRig-2, Jonathans-MBP) are currently online (verified via `gh api /orgs/GoCodeAlone/actions/runners`). **This is intentional infrastructure**, not an oversight; we KEEP the self-hosted shape (NOT migrate to `ubuntu-latest`). If a runner goes offline mid-sweep, those 4 PRs pause until runners return; the other 11 PRs continue independently. + +## Components + +### Per-PR scope (identical 5-step pattern, 14 of 15 PRs; PR #15 has 6 steps — see "Agent extended pattern" below) + +1. `go.mod` pin bump: `github.com/GoCodeAlone/workflow vOLD → v0.53.1` +2. `GOWORK=off go mod tidy` — refresh transitive deps +3. Build + test verification: `go build ./... && go test ./... -race` +4. 
`plugin.json` `minEngineVersion: "0.53.0"` (add if missing — verify against current state) +5. Tag + release: GoReleaser-driven via existing `.github/workflows/release.yml` per repo + +### Agent extended pattern (PR #15 ONLY — 6 steps) + +PR #15 (`workflow-plugin-agent`) extends step 1 with a SECOND go.mod line bump: + +1. `go.mod` DUAL pin bump: `github.com/GoCodeAlone/workflow vOLD → v0.53.1` AND `github.com/GoCodeAlone/workflow-plugin-authz v0.2.2 → v0.5.4`. Both lines change in the SAME commit. The authz bump is MANDATORY (not optional) — `go mod tidy` (step 2) will NOT auto-upgrade authz because workflow's go.mod doesn't import authz, so MVS has no forcing function. +2. `GOWORK=off go mod tidy` +3. Build + test verification — confirms both bumps compile + run together. +4. `plugin.json` `minEngineVersion: "0.53.0"` +5. (additional) Smoke-test that authz tag v0.5.4 actually exists on the remote BEFORE step 1 — if authz is still in CI from PR #11, agent PAUSES until authz tag publishes. +6. Tag + release: agent v0.9.3. 
+ +### Per-repo specifics — UNIFIED TABLE (PR# = wave-diagram order; no dual numbering) + +| PR# | Wave | Plugin | Old pin | Old tag | New pin | New tag | minEng action | Notes | +|-----|------|--------|---------|---------|---------|---------|---------------|-------| +| 1 | 1 | workflow-plugin-payments | v0.51.6 | v0.4.5 | v0.53.1 | v0.4.6 | `0.51.2` → `0.53.0` | | +| 2 | 1 | workflow-plugin-audit-chain | v0.51.6 | v0.2.3 | v0.53.1 | v0.2.4 | `0.51.5` → `0.53.0` | | +| 3 | 1 | workflow-plugin-tofu | v0.51.7 | v0.1.2 | v0.53.1 | v0.1.3 | `0.51.7` → `0.53.0` | git tags exist (v0.1.0/v0.1.1/v0.1.2) but no GitHub releases; this PR is the first release-with-binaries — **MANDATORY pre-step**: inspect `.goreleaser.yaml` for `release: draft: true` and patch to `false` BEFORE tag push (same failure mode as the prior azure session — see Error Handling) | +| 4 | 1 | workflow-plugin-ci-generator | v0.51.7 | v0.1.3 | v0.53.1 | v0.1.4 | `0.51.7` → `0.53.0` | | +| 5 | 1 | workflow-plugin-github | v0.51.7 | v1.0.3 | v0.53.1 | v1.0.4 | `0.51.7` → `0.53.0` | | +| 6 | 1 | workflow-plugin-gitlab | v0.51.7 | v1.0.2 | v0.53.1 | v1.0.3 | `0.51.7` → `0.53.0` | | +| 7 | 1 | workflow-plugin-azure | v0.51.11-pseudo | v1.1.1 | v0.53.1 | v1.1.2 | confirm `0.52.0` → `0.53.0` | the workflow pin is a raw pseudo-version in `require` (no `replace` directive); update the require line + `go mod tidy` resolves to clean v0.53.1 tag | +| 8 | 1 | workflow-plugin-admin | v0.51.7 | v1.0.0 | v0.53.1 | v1.0.1 | `0.51.7` → `0.53.0` | | +| 9 | 1 | workflow-plugin-bento | v0.51.7 | v1.1.2 | v0.53.1 | v1.1.3 | `0.51.7` → `0.53.0` | | +| 10 | 1 | workflow-plugin-authz-ui | v0.51.7 | v1.0.0 | v0.53.1 | v1.0.1 | `0.51.7` → `0.53.0` | self-hosted runner (intentional — GOPRIVATE fetch via RELEASES_TOKEN) | +| 11 | 1 | workflow-plugin-authz | v0.51.7 | v0.5.3 | v0.53.1 | v0.5.4 | `0.51.7` → `0.53.0` | **First wave** — PR15 (agent) blocks on this tag | +| 12 | 1 | workflow-plugin-eventbus | v0.51.6 | v0.3.4 | v0.53.1 | 
v0.3.5 | confirm current → `0.53.0` | | +| 13 | 1 | workflow-plugin-security | v0.51.7 | v2.0.0 | v0.53.1 | v2.0.1 | confirm current → `0.53.0` | self-hosted runner | +| 14 | 1 | workflow-plugin-supply-chain | v0.51.7 | v0.4.0 | v0.53.1 | v0.4.1 | confirm current → `0.53.0` | self-hosted runner | +| 15 | 2 | workflow-plugin-agent | v0.51.7 | v0.9.2 | v0.53.1 | v0.9.3 | `0.51.7` → `0.53.0` | **DEPENDS ON PR11** — directly imports workflow-plugin-authz v0.2.2; DUAL-BUMP commit required (workflow + authz lines) — see "Agent extended pattern" | + +(`workflow-plugin-aws v1.1.0`, `workflow-plugin-gcp v1.1.0`, `workflow-plugin-digitalocean v1.1.0` already on v0.52.0+/v0.53.0 pins — out of scope.) + +### Out of scope (verified separate cadence — DEFER to dedicated future sweep) + +These 4 plugins pin workflow `v0.3.56` or have no releases at all — they're so far behind the current ecosystem (50+ minor versions) that bumping mechanically is unsafe: + +| Plugin | Current pin | Latest tag | Reason | +|--------|-------------|------------|--------| +| workflow-plugin-waf | v0.3.56 | v0.2.1 | 50+ minor versions behind; security-cadence cluster; needs dedicated assessment | +| workflow-plugin-sandbox | v0.3.56 | v0.2.1 | Same; security-cadence cluster | +| workflow-plugin-data-protection | v0.3.56 | v0.2.1 | Same; security-cadence cluster | +| workflow-plugin-cloud-ui | (no go.mod) | (no release) | Likely React-only / not a Go plugin; needs structural verification | + +These get a separate dedicated design pass — see Out-of-Scope section. + +### Mid-tier security plugins INCLUDED (verified 2026-05-16) + +`workflow-plugin-security` (v2.0.0, pin v0.51.7) and `workflow-plugin-supply-chain` (v0.4.0, pin v0.51.7) have continued shipping past the original v0.3.56 security-cadence cluster baseline. 
Verified: both have `release.yml` configs (using `[self-hosted, Linux, X64]` runners, same as authz-ui/tofu — see "Self-hosted runner dependency" section), pin the same workflow baseline as the other 13 in scope, and ship regularly. ADDED to scope as PR13 + PR14 in the unified table above. Original "Task 0 cadence-classification" step COLLAPSED — verification done at design time, not runtime. + +## Data flow + +No runtime data flow change. Build-time pin propagation only: + +``` +upstream workflow v0.53.1 (already tagged) + → pin bump in plugin go.mod + → GOWORK=off go mod tidy + → re-resolved transitive deps + → CI builds + tests pass + → tag + GoReleaser release + → wfctl plugin install + image-launch picks up new tag +``` + +## Error handling + +**Per-plugin compile breakage on bump** — if a plugin's source uses a workflow API that drifted between `v0.51.x` and `v0.53.1`, `go build` fails. Implementer: +- Captures the breakage signature (function name + signature delta). +- Files an upstream issue against `GoCodeAlone/workflow` documenting the API drift. +- DOES NOT silently work around the breakage (would mask the upstream regression). +- Reports back to team-lead; that plugin's PR pauses; the other 14 PRs continue. + +**Transitive dep compile breakage** — `workflow-plugin-agent` directly imports `workflow-plugin-authz v0.2.2`. When agent bumps workflow → v0.53.1, Go's MVS resolves the entire module graph against v0.53.1, INCLUDING authz v0.2.2 source compiled against v0.53.1's API. If authz v0.2.2 references any workflow API that drifted, agent build fails in a transitive — not in agent's own code. + +Two-part mitigation: +- **Sequencing**: PR #11 (authz v0.5.4 release) lands BEFORE PR #5 (agent) starts. Agent's go.mod gets BOTH `workflow v0.53.1` AND `workflow-plugin-authz v0.5.4` bumps in the same commit (so MVS resolves to fresh authz code, not stale v0.2.2). 
+- **Defensive**: if any other plugin also has cross-plugin deps (probe via Task 0), apply the same wave-2 sequencing. + +**Per-plugin test failure on bump** — same handling: capture, file upstream, pause that plugin. + +**GoReleaser failure** (azure pattern from prior session — release published as draft) — handled in-line via `gh release edit vX.Y.Z --draft=false --latest`. + +**No release-with-binary infrastructure** (workflow-plugin-tofu — git tags v0.1.0/v0.1.1/v0.1.2 exist but no GoReleaser-published releases) — verify `.github/workflows/release.yml` + `.goreleaser.yaml` configs exist; if either is missing, scope-extend the tofu PR to add them before tag push. Tag conflict at v0.1.0/v0.1.1/v0.1.2 already exists, so tofu's new tag is **v0.1.3** (next sequential). + +**Tofu draft-release pre-check (MANDATORY)** — verified 2026-05-16: tofu's `.goreleaser.yaml` has `release: draft: true`. This is the SAME failure mode as the prior session's azure regression (release published as draft → `wfctl plugin install` cannot resolve). Implementer MUST inspect `.goreleaser.yaml` for `draft: true` and patch to `false` (or remove the line) BEFORE tag push. The `goreleaser --snapshot --skip=publish` dry-run does NOT catch this — it never publishes anything. This pre-check is in tofu's PR3 row in the unified table; do NOT rely on the dry-run gate alone. (Same defensive check should run for all 4 self-hosted-runner plugins as a precaution: tofu, authz-ui, security, supply-chain.) + +**Wave-2 cascading rollback** — if PR #15 (agent) ships then a downstream consumer breaks, reverting agent's tag is straightforward (next patch tag re-pinning to v0.9.2). However, if PR #11 (authz v0.5.4) needs revert, agent v0.9.3 ALSO requires a follow-up rollback because agent's go.mod imports authz v0.5.4 directly. The rollback ORDER is: agent v0.9.4 (re-pin authz to v0.5.3 + workflow to v0.51.7) FIRST, then authz v0.5.5 revert. Don't revert authz alone while agent v0.9.3 ships. 
+ +## Testing + +- **Per-plugin build verification** — `GOWORK=off go build ./...` clean (workflow-side test target uses GOWORK=off; plugins should NOT need it but defensive). +- **Per-plugin test run** — `go test ./... -race` PASS. +- **Per-plugin GoReleaser dry-run** — `goreleaser release --snapshot --skip=publish --clean` (per-plugin) for tofu's first-release-with-binaries case + any plugin where `release.yml` is being touched. +- **Operator-run post-deploy verification (NOT a CI gate)** — after all 13 ship + a representative consumer (BMW, core-dump, ratchet) bumps, the operator manually runs `wfctl plugin list` against that consumer to confirm all updated plugins resolve to the new tag. This is intentionally NOT a CI gate because it requires live infrastructure that's neither reproducible nor reliable across the per-PR CI. + +## Out of scope (intentional non-goals — separate future design passes) + +- **gcp #6 + azure #4 host conformance** — requires conformance test infrastructure (subprocess invocation via ExternalPluginManager + RPC verification); not a pin-bump concern. +- **#640 v2 action lifecycle migration** — substantive scope (5 invariants in issue body), needs its own brainstorm. User direction 2026-05-16: "worth tracking as well" → memory-track in `MEMORY.md` + `project_cloud_sdk_extraction_complete.md`'s Deferred section. +- **Catalog manifest-derivation** — schema/manifest/wfctl/UI/MCP refactor (172+ hardcoded type strings in `schema/schema.go`); high blast radius. +- **TypedProvider migration for the 5 plan-2 types** — SDK scaffolding ready (workflow PR #686), waits for first consumer. +- **MessagePublisher/MessageSubscriber for IaC-bridge modules** — `decisions/0038-plugin-modules-on-iac-serve-bridge.md` Non-Goal; requires SDK extension. +- **aws-sdk-go-v2 extraction from `provider/aws/`/`plugin/rbac/aws.go`/`iam/aws.go`/`artifact/s3.go`** — too large for this cycle. 
+- **godo extraction** — already verified absent from workflow core go.mod; no work needed. +- **Phase B RLV doc** — non-blocking nicety, separate. +- **Security-cadence cluster (waf v0.2.1 / sandbox v0.2.1 / data-protection v0.2.1, all pinned v0.3.56)** — 50+ minor versions behind; bumping mechanically is unsafe. Needs dedicated cadence-governance assessment. +- **workflow-plugin-cloud-ui** — no Go go.mod; React-only structural shape; doesn't fit the "Go plugin pin sweep" pattern. Separate. + +## Assumptions + +1. **`sdk.Serve` + `sdk.ServePluginFull` surfaces still present in workflow v0.53.1.** Verified by inspection of `plugin/external/sdk/serve.go` + `serve_full.go` on `origin/main`. If false, bumps break catastrophically. +2. **No silent strict-contracts requirement for non-IaC plugins.** Strict-contracts cutover (force) targeted IaC plugin contracts (per `decisions/0024-iac-typed-force-cutover.md`); non-IaC ServePluginFull surface untouched. Verified by inspection of payments + agent source (both use `sdk.ServePluginFull` / `sdk.Serve` patterns + typed_contracts that are still supported in v0.53.1). If false, every non-IaC plugin needs a typed-Provider migration before this sweep ships. +3. **Per-plugin GitHub Actions release workflow exists** for 12 of 13 plugins. Tofu has the directory but never published a release; Task 3 verifies `release.yml` + `.goreleaser.yml` configs are present + valid before tag push. +4. **`minEngineVersion: "0.53.0"` is the tested-floor semantic, not a feature-floor semantic.** This is honest disclosure: "this plugin tag has been tested + verified against workflow v0.53.x". Operators running older workflow tags (v0.51.x, v0.52.x) are not blocked from installing — wfctl warns but allows — but support is on a best-effort basis. The reviewer's YAGNI flag is acknowledged: a feature-floor analysis (e.g., payments uses no v0.53.x APIs, true minEng = v0.51.7) would be more precise but adds per-plugin overhead. 
We pick tested-floor as the universal rule for sweep efficiency. (NOT bumping to v0.53.1 since no plugin uses v0.53.1-specific features; semver minimum convention says we declare the FLOOR not the ceiling.) +5. **GoReleaser configurations match prior pattern** — all 13 plugins ship via `goreleaser release --clean` triggered by tag push (see `decisions/0034-cross-repo-agent-operation-for-plugin-prs.md`); azure uses `runs-on: ubuntu-latest` post the prior session fix; if any plugin still uses `[self-hosted, Linux, X64]` on a public repo, that's surfaced + fixed in-line. +6. **Tag conflict for tofu — v0.1.3 is correct.** Verified: tofu has git tags v0.1.0/v0.1.1/v0.1.2 but NO GitHub releases (no GoReleaser binaries). The next semantic tag is v0.1.3. Pushing v0.1.0/v0.1.1/v0.1.2 would conflict with the existing tag in the Go proxy. +7. **Pseudo-version pin replacement is mechanical** for azure — the workflow pin is a raw pseudo-version in `require` (no `replace` directive in azure's go.mod, verified 2026-05-16); update the require line + `go mod tidy` resolves to clean v0.53.1 tag. If azure has divergent commits beyond the pseudo-version's base, additional work surfaces. +8. **Cross-plugin transitive deps are limited to agent → authz v0.2.2.** Probed via inspection of go.mod files. If Task 0 surfaces additional cross-plugin direct imports, those PRs also gain wave-2 sequencing. +9. **Targeting v0.53.1 (not v0.53.0)** — v0.53.1 is the released head; targeting it avoids a follow-up bump when the next consumer needs a v0.53.1-specific patch. v0.53.0 would be equally valid for these 13 plugins (none use v0.53.1's TypedModules SDK additions or try-activate rollback). Picked v0.53.1 for ecosystem-recency hygiene. +10. **Security plugins (waf/sandbox/data-protection) on v0.3.56 are intentionally excluded** — 50+ minor versions behind suggests a genuinely separate cadence (likely paused / unmaintained). Sweeping them in this design would mask the separate governance question. 
They get a dedicated future design pass. +11. **`workflow-plugin-cloud-ui` has no Go go.mod** — likely React-only or different structural shape; verified by API probe returning 404 on go.mod content. Out of scope by category, not by deferral. +12. **`workflow-plugin-security` (v2.0.0) + `workflow-plugin-supply-chain` (v0.4.0)** were on the original v0.3.56 security cluster but have shipped newer versions individually; their pin v0.51.7 matches the in-scope plugins' baseline, suggesting they may belong in this sweep. Task 0 verifies cadence governance before final scope decision. + +## Self-challenge round (top doubts surfaced + adversarial-review feedback incorporated) + +1. **Hidden API drift in non-IaC plugins.** 35 commits / 210 files changed between v0.51.6 + v0.53.1. Even if `sdk.Serve*` signatures are stable, peripheral surface (e.g., handler types, plugin registration helpers) may have shifted. Per-plugin verification CATCHES this; risk is per-plugin pause + upstream-issue overhead, not silent breakage. +2. **Operator availability during 13-PR-parallel-execution.** Cloud-SDK-bcd team has 3 implementers; 13 PRs in parallel = each implementer owns 4-5. Compaction across 13 PRs in one team session is heavy. Mitigation: per-PR is single-commit + tag (small per-PR scope), low review surface, code-reviewer can sweep approvals fast. If team session compacts mid-sweep, restart points are per-PR (which plugin still needs work). +3. **Transitive dep surprise (caught by adversarial review).** Agent → authz creates ordering dependency. If MORE cross-plugin direct deps exist (Task 0 probes), more wave-2 sequencing required. +4. **Cadence-classification accuracy (caught by adversarial review).** Initial scope missed admin/bento/authz/authz-ui/eventbus + security/supply-chain. Revised scope now includes them. Risk: security-cadence governance may say "not in this sweep" — Task 0 verifies before the security/supply-chain PRs dispatch. 
+ +## Adversarial-design-review findings (cycle 3 — post-2-revision-cycle polish, NOT re-reviewed) + +Cycle 3 review surfaced 2 fresh Criticals + 2 Importants + 2 Minors after cycle-2 fixes were addressed. Per skill spec, only 2 revision cycles allowed; this third pass applies SURGICAL line-edits (NOT a re-design) and proceeds to writing-plans without a 4th adversarial pass. User-override logged. + +- **Critical 1 cycle 3 (dual numbering — table `#` ≠ wave PR#)** — FIXED. Per-repo table now has explicit `PR#` column matching wave-diagram numbering. Eventbus row 13 collision (with security row 13 in old secondary table) FIXED — secondary table merged into unified table; eventbus is PR12, security is PR13, supply-chain is PR14, agent is PR15. +- **Critical 2 cycle 3 (tofu draft=true unsurfaced)** — FIXED. New "Tofu draft-release pre-check (MANDATORY)" section in Error Handling explicitly tells implementer to patch `release: draft: true` → `false` BEFORE tag push. Defensive check extended to all 4 self-hosted-runner plugins. +- **Important 1 cycle 3 (tofu first-release runner-availability risk)** — ACCEPTED inline; mitigation note in tofu's PR3 row; no separate text addition (already covered by the prioritized-manual-verification implication of "MANDATORY pre-step"). +- **Important 2 cycle 3 (dry-run cannot catch draft flag)** — FIXED in same edit as C-2 above; "MANDATORY pre-check" is BEFORE the dry-run, not relying on it. +- **Minor 1 cycle 3 (table integrity / row 13 collision)** — FIXED (table merge per C-1). +- **Minor 2 cycle 3 ("replace directive" language wrong for azure)** — FIXED. Updated row PR7 + Assumption #7 to clarify it's a raw pseudo-version in `require`, no `replace` directive. + +## Adversarial-design-review findings (cycle 2) — addressed in cycle 2 revision + +- **Critical 1 cycle 2 (authz-ui self-hosted runner unacknowledged)** — FIXED. 
New "Self-hosted runner dependency" section in Architecture documents 4 plugins (tofu, authz-ui, security, supply-chain) using `[self-hosted, Linux, X64]` runners; runners verified online; intentional infrastructure (NOT migrating to ubuntu-latest); contingency for runner offline scenario. +- **Critical 2 cycle 2 (stale "8 PRs" count in two places)** — FIXED. All references updated to 15. +- **Important 1 cycle 2 (agent dual-bump underspecified)** — FIXED. New "Agent extended pattern" section in Per-PR scope explicitly lays out 6-step pattern for PR #15 with the dual-bump in step 1. +- **Important 2 cycle 2 (#656 anchored to v0.52.x)** — FIXED. Goal section explicitly notes #656's stale inventory + design supersedes it; first PR description leaves a comment on #656 noting supersession. +- **Important 3 cycle 2 (Task 0 never defined)** — FIXED. Task 0 COLLAPSED — security + supply-chain verified at design time + added as PRs #13/#14. No runtime gate. +- **Minor 3 cycle 2 (wave-2 cascading rollback)** — FIXED. Error Handling section + Rollback section both document the agent-before-authz revert order. + +## Adversarial-design-review findings (cycle 1) — addressed in cycle 1 revision + +- **Critical 1 (tofu first-release factual error)** — FIXED. Tofu has tags v0.1.0/v0.1.1/v0.1.2 but no GoReleaser releases. Next tag = v0.1.3. +- **Critical 2 (admin/bento/authz silent exclusion)** — FIXED. Scope expanded to 13 plugins (added admin, bento, authz, authz-ui, eventbus). security/supply-chain flagged for Task 0 verification. +- **Important 1 (transitive dep risk for agent→authz v0.2.2)** — FIXED. PR sequencing — authz v0.5.4 in wave 1, agent in wave 2 with dual-bump (workflow + authz). +- **Important 2 (uniform minEng = YAGNI for non-IaC)** — ACKNOWLEDGED. Assumption #4 reframes as "tested-floor semantic" rather than "feature-floor". Universal rule for sweep efficiency; per-plugin feature-floor analysis would be more precise but adds overhead. 
+- **Important 3 (incomplete inventory audit)** — FIXED. Verified 16 plugins total: 13 in-scope + 4 verified-out-of-scope (security cluster v0.3.56-era + cloud-ui Go-less). +- **Minor 1 (ADR 0024 reference unverifiable)** — FIXED. Citation now specifies path `decisions/0024-iac-typed-force-cutover.md`. +- **Minor 2 (cross-plugin smoke test not automatable)** — FIXED. Reclassified as operator-run post-deploy verification, not CI gate. +- **Minor 3 (v0.53.1 vs v0.53.0 unjustified)** — FIXED. Assumption #9 explains. + +## Rollback + +Per-plugin rollback: each plugin's tag bump is independently revertable. + +If a plugin's release ships then a downstream consumer breaks: +- Operator OR autonomous follow-up reverts the affected plugin's pin commit + cuts a `vX.Y.Z+1` tag re-pinning to the previous workflow tag (v0.51.6 / v0.51.7 / pseudo). +- Old plugin tag (vX.Y.Z) is permanent in the Go proxy + can't be deleted, but `wfctl plugin install` resolves to `latest` so consumers pick up the rollback tag automatically. +- This is the same per-plugin matched-pair rollback pattern as plan-2 PR 4/5 (workflow core deletion + plugin v1.1.0 release as matched pair). + +If `workflow v0.53.1` ITSELF needs revert (extremely unlikely — already shipped + adversarial-reviewed): the entire 15-plugin sweep reverts as a CASCADE, each plugin re-pins to v0.51.x, ships a new patch tag. Agent (PR #15) reverts BEFORE authz (PR #11) per the wave-2 cascading rollback rule above. + +## Decisions to record + +This sweep does NOT trigger ADR creation per `recording-decisions` skill conditions: +- No precedent divergence — matches the per-plugin-PR + per-plugin-tag pattern from plan-2. +- No non-trivial trade-off — sweep is mechanical. +- No adversarial override (will surface during adversarial review). +- No cross-skill structural change. + +If adversarial review surfaces a need (e.g., a per-plugin pause becomes a permanent SDK gap requiring documented response), an ADR captures it then. 
+ +## Next pipeline step + +After this design lands + adversarial-design-review --phase=design PASSES → invoke `superpowers:writing-plans` for the per-plugin task breakdown. + +## Memory updates (post-execution) + +Append to `project_cloud_sdk_extraction_complete.md`'s "Deferred / out-of-scope" section: mark "Plugin ecosystem v0.53.1 sweep" COMPLETE; flag #640 + gcp#6 + azure#4 + catalog-manifest-derivation as the remaining followups. + +Track #640 explicitly per user direction (2026-05-16 inline) — record in MEMORY.md as standalone next-pass candidate alongside catalog manifest-derivation. diff --git a/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md b/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md new file mode 100644 index 00000000..6e97e439 --- /dev/null +++ b/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md 
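Review bot: Assumption #5 contradicts the "Self-hosted runner dependency" section in this same file: the Architecture section says the four self-hosted plugins (tofu, authz-ui, security, supply-chain) intentionally keep `[self-hosted, Linux, X64]` and will not migrate to `ubuntu-latest`, while Assumption #5 says "azure uses `runs-on: ubuntu-latest` post the prior session fix; if any plugin still uses `[self-hosted, Linux, X64]` on a public repo, that's surfaced + fixed in-line". An implementer reading Assumption #5 first will "fix" exactly the runner shape the Architecture section tells them to keep. Pick one ruling and state it in both places; if the runners are kept, record why the public-repo concern Assumption #5 raises is accepted (the release jobs fetch with `RELEASES_TOKEN` on org hardware), for example by noting that the self-hosted jobs are tag-triggered release jobs rather than PR-triggered ones. Three further stale spots survived the cycle-2 "all references updated to 15" fix and the cycle-2 "Task 0 COLLAPSED" fix: the Error Handling sequencing bullet says "PR #11 (authz v0.5.4 release) lands BEFORE PR #5 (agent) starts" but agent is PR #15 (PR #5 is github in the unified table); Testing says "after all 13 ship" and Assumptions #3, #5 and #9 plus Self-challenge #2 still count 13 plugins/PRs; and the "Defensive" bullet, Assumption #3 ("Task 3 verifies"), Assumptions #8 and #12, and Self-challenge #3 and #4 still gate on a Task 0 / Task 3 probe that the Mid-tier section says no longer exists. Since this design is the input to `writing-plans`, those numbers and gates will be copied into tasks verbatim unless corrected here.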
@@ -0,0 +1,587 @@ +# Post-cloud-SDK Plugin Ecosystem Sweep Implementation Plan + +> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task. + +**Goal:** Bump 15 lagging plugin repos from workflow `v0.51.x`/pseudo-version pins → `v0.53.1`, cutting a fresh patch/minor release for each plugin so the entire plugin ecosystem aligns with the post-cloud-SDK-extraction workflow tag. + +**Architecture:** Mechanical per-plugin parallel sweep. Each plugin = one PR + one new tag + one GoReleaser-driven release. Wave-1 parallel (14 PRs); wave-2 sequencing for `workflow-plugin-agent` (PR15) which depends on `workflow-plugin-authz` v0.5.4 (PR11) being tagged first because agent's go.mod directly imports authz. + +**Tech Stack:** Go modules + GoReleaser + GitHub Actions (per-plugin `release.yml`). 11 plugins use `ubuntu-latest` runners; 4 use `[self-hosted, Linux, X64]` (tofu, authz-ui, security, supply-chain — intentional, NOT migrating). + +**Base branch:** `main` (per-plugin repo) + +--- + +## Scope Manifest + +**PR Count:** 15 +**Tasks:** 15 +**Estimated Lines of Change:** ~30 lines per plugin (go.mod + plugin.json) × 15 = ~450 lines total; agent adds ~5 lines for dual-bump; tofu adds ~3 lines for `.goreleaser.yaml` draft fix. 
+ +**Out of scope:** +- gcp #6 + azure #4 host conformance (separate design — needs ExternalPluginManager subprocess test infrastructure) +- workflow#640 v2 action lifecycle migration (substantive 5-invariant scope; user-flagged as "worth tracking" per autonomous mandate; tracked in MEMORY.md only) +- Catalog manifest-derivation refactor (172+ hardcoded type strings in workflow's `schema/`; high blast radius) +- TypedProvider migration for the 5 plan-2 types (SDK scaffolding ready via workflow PR #686; awaits first consumer) +- MessagePublisher/MessageSubscriber for IaC-bridge modules (decisions/0038 Non-Goal) +- aws-sdk-go-v2 extraction from `provider/aws/`/`plugin/rbac/aws.go`/`iam/aws.go`/`artifact/s3.go` (out-of-scope of recent extraction) +- workflow-plugin-waf v0.2.1 / sandbox v0.2.1 / data-protection v0.2.1 — all pin v0.3.56 (50+ minor versions behind; separate cadence cluster) +- workflow-plugin-cloud-ui — no Go go.mod; React-only structural shape +- Phase B RLV doc (non-blocking nicety from cloud-SDK closure) + +**PR Grouping:** + +| PR # | Title | Tasks | Branch | +|------|-------|-------|--------| +| 1 | chore: bump workflow pin v0.51.6 → v0.53.1; release v0.4.6 | Task 1 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-payments) | +| 2 | chore: bump workflow pin v0.51.6 → v0.53.1; release v0.2.4 | Task 2 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-audit-chain) | +| 3 | chore: bump workflow pin v0.51.7 → v0.53.1; first release v0.1.3 + draft fix | Task 3 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-tofu) | +| 4 | chore: bump workflow pin v0.51.7 → v0.53.1; release v0.1.4 | Task 4 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-ci-generator) | +| 5 | chore: bump workflow pin v0.51.7 → v0.53.1; release v1.0.4 | Task 5 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-github) | +| 6 | chore: bump workflow pin v0.51.7 → v0.53.1; release v1.0.3 | Task 6 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-gitlab) 
| +| 7 | chore: bump workflow pseudo → v0.53.1; release v1.1.2 | Task 7 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-azure) | +| 8 | chore: bump workflow pin v0.51.7 → v0.53.1; release v1.0.1 | Task 8 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-admin) | +| 9 | chore: bump workflow pin v0.51.7 → v0.53.1; release v1.1.3 | Task 9 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-bento) | +| 10 | chore: bump workflow pin v0.51.7 → v0.53.1; release v1.0.1 | Task 10 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-authz-ui) | +| 11 | chore: bump workflow pin v0.51.7 → v0.53.1; release v0.5.4 | Task 11 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-authz) | +| 12 | chore: bump workflow pin v0.51.6 → v0.53.1; release v0.3.5 | Task 12 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-eventbus) | +| 13 | chore: bump workflow pin v0.51.7 → v0.53.1; release v2.0.1 | Task 13 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-security) | +| 14 | chore: bump workflow pin v0.51.7 → v0.53.1; release v0.4.1 | Task 14 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-supply-chain) | +| 15 | chore: dual-bump workflow v0.51.7 → v0.53.1 + authz v0.2.2 → v0.5.4; release v0.9.3 | Task 15 | `chore/workflow-v0.53.1-pin-bump` (in workflow-plugin-agent) | + +**Status:** Locked 2026-05-16T01:45:19Z + +--- + +## Pre-dispatch setup (team-lead, ONCE before any task starts) + +Two setup steps — done once by the team-lead, NOT inside any per-task PR: + +**1. Post #656 supersession comment:** + +```bash +gh issue comment 656 --repo GoCodeAlone/workflow --body "Superseded by post-cloud-SDK plugin sweep landing at workflow v0.53.1; tracking 15 plugin PRs per docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md. Original v0.52.x inventory in this issue is stale; the sweep picks up the actual current state. Closing-via-supersession when wave 1 + wave 2 complete." +``` + +**2. 
Self-hosted runner pre-flight (ONCE for all 4 self-hosted plugins: tofu, authz-ui, security, supply-chain):** + +```bash +gh api /orgs/GoCodeAlone/actions/runners --jq '.runners | map(select(.status=="online")) | length' +``` + +Expected: ≥1 online runner. If 0, PAUSE all 4 self-hosted plugin tasks until runners return; the other 11 PRs continue. + +(Per-task pre-checks for self-hosted plugins below repeat this verification defensively in case runners go offline mid-sweep.) + +--- + +## Universal per-task pattern + +For tasks 1, 2, 4-14 (the 13 standard PRs — wave 1 minus tofu PR3, plus all of wave 1 except agent PR15), each task follows the **5-step pattern**. Tasks 3 (tofu) and 15 (agent) extend it. + +### Standard 5-step pattern (applies to PRs 1, 2, 4-14) + +**Files:** +- Modify: `go.mod` — bump `github.com/GoCodeAlone/workflow vOLD → v0.53.1` +- Modify: `go.sum` — auto-updated by `go mod tidy` +- Modify: `plugin.json` — set/confirm `"minEngineVersion": "0.53.0"` +- Tag: `vNEW` (per-plugin from PR Grouping table) +- Release: triggered by tag push via `.github/workflows/release.yml` + +**Step 1: Branch + ff-pull** + +```bash +cd /Users/jon/workspace/ +git fetch origin +git checkout -b chore/workflow-v0.53.1-pin-bump origin/main +git pull --ff-only origin main +``` + +**Step 2: Bump pin** + +Edit `go.mod`: + +``` +require ( + github.com/GoCodeAlone/workflow v0.53.1 # was vOLD per table + ... +) +``` + +If `replace` directive present (verify via `grep '^replace' go.mod`), update there too. + +**Step 3: Tidy + build + test** + +```bash +go mod tidy +go build ./... +go test ./... -race +``` + +Expected: +- `go mod tidy` produces a clean diff (only the workflow pin + transitive bumps; no surprise indirect introductions or removals) +- `go build ./...` exits 0 +- `go test ./... -race` exits 0 + +**If build/test fails:** STOP. Capture failure signature. DM team-lead with diff + first 20 lines of failure. File upstream issue against `GoCodeAlone/workflow` if API drift. 
Pause this PR; the other 14 continue. + +**Step 4: Update plugin.json minEngineVersion** + +Edit `plugin.json`: + +```json +{ + ... + "minEngineVersion": "0.53.0", + ... +} +``` + +If field missing, add it. If field already set higher (e.g., azure's `"0.52.0"`), confirm bump to `"0.53.0"`. + +Re-run `go test ./... -race` if your plugin reads this field at startup (defensive). + +**Step 5: Commit + push + tag + monitor release** + +(Substitute `vOLD` and `vNEW` per the PR Grouping table — they are placeholder tokens, not real tag patterns.) + +```bash +git add go.mod go.sum plugin.json +git commit -m "chore: bump workflow pin vOLD → v0.53.1; release vNEW" +git push -u origin chore/workflow-v0.53.1-pin-bump +gh pr create --base main --head chore/workflow-v0.53.1-pin-bump \ + --title "chore: bump workflow pin vOLD → v0.53.1; release vNEW" \ + --body "Pin sweep per https://github.com/GoCodeAlone/workflow/blob/main/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep-design.md. + +Closes part of GoCodeAlone/workflow#656. + +## Test plan +- [x] go build ./... clean +- [x] go test ./... -race PASS +- [x] minEngineVersion bumped to 0.53.0 (tested-floor) +- [x] go mod tidy diff is the expected pin + transitives only" +``` + +After CI green + Copilot review settle (~10 min), admin-merge: + +```bash +gh pr merge --squash --admin --delete-branch +``` + +Then tag + release: + +```bash +git checkout main && git pull +git tag vNEW +git push origin vNEW +``` + +GoReleaser triggers via `.github/workflows/release.yml`. Monitor: + +```bash +gh release view vNEW --json assets,isDraft --jq '"draft=\(.isDraft) assets=\(.assets|length)"' +``` + +Expected: `draft=false assets=N` where N ≥ 4 (typical: 4-7 platform binaries). + +If `draft=true` (azure-pattern): `gh release edit vNEW --draft=false --latest`. + +**Rollback (per-plugin):** if downstream consumer breaks, cut `vNEW+1` re-pinning workflow → vOLD; old vNEW tag stays in Go proxy (immutable) but `latest` resolves to rollback. 
Matches plan-2 cloud-SDK matched-pair pattern. + +--- + +## Tasks + +### Task 1: workflow-plugin-payments — pin bump v0.51.6 → v0.53.1; release v0.4.6 + +**Repo:** `/Users/jon/workspace/workflow-plugin-payments` +**Files:** `go.mod` (workflow pin), `go.sum`, `plugin.json` (minEng `0.51.2` → `0.53.0`) +**Tag:** `v0.4.6` + +Apply the **standard 5-step pattern** above. + +**Verification (build-class verification + asset-existence check; operator-run wfctl install is advisory post-deploy gate, NOT a CI gate):** +- `go build ./... && go test ./... -race` PASS +- Post-release: `gh release view v0.4.6 --repo GoCodeAlone/workflow-plugin-payments --json assets,isDraft --jq '"draft=\(.isDraft) assets=\(.assets|length)"'` → `draft=false assets≥4` +- Operator advisory (NOT CI): `wfctl plugin install github.com/GoCodeAlone/workflow-plugin-payments@v0.4.6` resolves successfully + +**Rollback:** cut v0.4.7 re-pinning workflow → v0.51.6 if consumers break: `go get github.com/GoCodeAlone/workflow@v0.51.6 && go mod tidy && git tag v0.4.7 && git push origin v0.4.7`. + +--- + +### Task 2: workflow-plugin-audit-chain — pin bump v0.51.6 → v0.53.1; release v0.2.4 + +**Repo:** `/Users/jon/workspace/workflow-plugin-audit-chain` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng `0.51.5` → `0.53.0`) +**Tag:** `v0.2.4` + +Apply the **standard 5-step pattern**. + +**Verification:** same shape as Task 1 — `gh release view v0.2.4 --repo GoCodeAlone/workflow-plugin-audit-chain` reports `draft=false assets≥4`. + +**Rollback:** v0.2.5 re-pin workflow → v0.51.6. 
+ +--- + +### Task 3: workflow-plugin-tofu — pin bump v0.51.7 → v0.53.1; first GoReleaser release v0.1.3 + draft=true pre-fix + +**Repo:** `/Users/jon/workspace/workflow-plugin-tofu` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng `0.51.7` → `0.53.0`), `.goreleaser.yaml` (release.draft `true` → `false`) +**Tag:** `v0.1.3` (NOT `v0.1.0` — git tags v0.1.0/v0.1.1/v0.1.2 already exist as bare git tags without GoReleaser releases) + +**EXTENDED 6-step pattern** (5 standard steps + draft pre-check). Step 0 includes BOTH the branch-create AND the draft inspection — when the standard pattern is referenced for steps 1-5, **SKIP the standard Step 1 (branch creation already done in Step 0; do not re-run `git checkout -b`).** + +**Step 0 (PRE-CHECK — MANDATORY; INCLUDES branch creation, replaces standard Step 1):** Inspect `.goreleaser.yaml` for `release: draft: true`: + +```bash +cd /Users/jon/workspace/workflow-plugin-tofu +git fetch origin && git checkout -b chore/workflow-v0.53.1-pin-bump origin/main +grep -A2 '^release:' .goreleaser.yaml +``` + +Expected output includes `draft: true`. + +If found, patch: + +```bash +# Edit .goreleaser.yaml — change `draft: true` to `draft: false` (or remove the line) +``` + +If `release.yml` references `[self-hosted, Linux, X64]` (verified — it does), confirm runners are online before tag push: + +```bash +gh api /orgs/GoCodeAlone/actions/runners --jq '.runners | map(select(.status=="online")) | length' +``` + +Expected: ≥1 (currently AM5GamingRig + AM5GamingRig-2 + Jonathans-MBP). + +**Steps 2-5: standard pattern, but SKIP standard Step 1 (branch was created in Step 0).** Apply standard Steps 2-5 (bump pin → tidy/build/test → minEng → commit/push/admin-merge/tag/monitor). The Step 5 commit includes the `.goreleaser.yaml` patch from Step 0. 
+ +Commit message: + +``` +chore: bump workflow pin v0.51.7 → v0.53.1; first release v0.1.3 + +- go.mod: workflow v0.51.7 → v0.53.1 +- plugin.json: minEngineVersion 0.51.7 → 0.53.0 +- .goreleaser.yaml: release.draft true → false (prior config never published; this is the first release-with-binaries) +``` + +**Verification:** +- `go build ./... && go test ./... -race` PASS +- `goreleaser release --snapshot --skip=publish --clean` exits 0 (catches goreleaser config errors but NOT the draft flag — the Step 0 pre-fix is the gate for that) +- Post-release: `gh release view v0.1.3 --repo GoCodeAlone/workflow-plugin-tofu --json assets,isDraft --jq '"draft=\(.isDraft) assets=\(.assets|length)"'` → `draft=false assets≥4`. If `draft=true` slips through (Step 0 missed), `gh release edit v0.1.3 --draft=false --latest` recovers. + +**Rollback:** v0.1.4 re-pin workflow → v0.51.7. The v0.1.3 tag stays (Go proxy immutable). + +--- + +### Task 4: workflow-plugin-ci-generator — pin bump v0.51.7 → v0.53.1; release v0.1.4 + +**Repo:** `/Users/jon/workspace/workflow-plugin-ci-generator` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng `0.51.7` → `0.53.0`) +**Tag:** `v0.1.4` + +Apply the **standard 5-step pattern**. + +**Verification:** `gh release view v0.1.4` reports `draft=false assets≥4`. + +**Rollback:** v0.1.5 re-pin workflow → v0.51.7. + +--- + +### Task 5: workflow-plugin-github — pin bump v0.51.7 → v0.53.1; release v1.0.4 + +**Repo:** `/Users/jon/workspace/workflow-plugin-github` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng `0.51.7` → `0.53.0`) +**Tag:** `v1.0.4` + +Apply the **standard 5-step pattern**. + +**Verification:** `gh release view v1.0.4` reports `draft=false assets≥4`. + +**Rollback:** v1.0.5 re-pin workflow → v0.51.7. 
+ +--- + +### Task 6: workflow-plugin-gitlab — pin bump v0.51.7 → v0.53.1; release v1.0.3 + +**Repo:** `/Users/jon/workspace/workflow-plugin-gitlab` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng `0.51.7` → `0.53.0`) +**Tag:** `v1.0.3` + +Apply the **standard 5-step pattern**. + +**Verification:** `gh release view v1.0.3` reports `draft=false assets≥4`. + +**Rollback:** v1.0.4 re-pin workflow → v0.51.7. + +--- + +### Task 7: workflow-plugin-azure — pseudo-version pin → v0.53.1; release v1.1.2 + +**Repo:** `/Users/jon/workspace/workflow-plugin-azure` +**Files:** `go.mod` (workflow pseudo-version `v0.51.11-0.20260514225636-522748f35474` → `v0.53.1` in raw `require` line; NO `replace` directive present), `go.sum`, `plugin.json` (minEng `0.52.0` → `0.53.0`) +**Tag:** `v1.1.2` + +Apply the **standard 5-step pattern**, with one specific: + +**Step 2 specific:** the workflow pin in `go.mod` is a pseudo-version directly in the `require` block, NOT in a `replace` directive (verified 2026-05-16). Update the require line: + +``` +require ( + github.com/GoCodeAlone/workflow v0.53.1 # was v0.51.11-0.20260514225636-522748f35474 + ... +) +``` + +`go mod tidy` after the change resolves to the clean v0.53.1 tag. + +**Verification:** +- `go build ./... && go test ./... -race` PASS +- `gh release view v1.1.2 --repo GoCodeAlone/workflow-plugin-azure --json assets,isDraft --jq '"draft=\(.isDraft) assets=\(.assets|length)"'` → `draft=false assets≥4` +- (Defensive — azure had a draft-release issue in the prior session): if `draft=true`, `gh release edit v1.1.2 --draft=false --latest` + +**Rollback:** v1.1.3 re-pin workflow → previous pseudo-version (or to v0.52.0 if the pseudo's base is still ambiguous). 
+ +--- + +### Task 8: workflow-plugin-admin — pin bump v0.51.7 → v0.53.1; release v1.0.1 + +**Repo:** `/Users/jon/workspace/workflow-plugin-admin` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng `0.51.7` → `0.53.0`) +**Tag:** `v1.0.1` + +Apply the **standard 5-step pattern**. + +**Verification:** `gh release view v1.0.1` reports `draft=false assets≥4`. + +**Rollback:** v1.0.2 re-pin workflow → v0.51.7. + +--- + +### Task 9: workflow-plugin-bento — pin bump v0.51.7 → v0.53.1; release v1.1.3 + +**Repo:** `/Users/jon/workspace/workflow-plugin-bento` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng `0.51.7` → `0.53.0`) +**Tag:** `v1.1.3` + +Apply the **standard 5-step pattern**. + +**Verification:** `gh release view v1.1.3` reports `draft=false assets≥4`. + +**Rollback:** v1.1.4 re-pin workflow → v0.51.7. + +--- + +### Task 10: workflow-plugin-authz-ui — pin bump v0.51.7 → v0.53.1; release v1.0.1 (self-hosted runner) + +**Repo:** `/Users/jon/workspace/workflow-plugin-authz-ui` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng `0.51.7` → `0.53.0`) +**Tag:** `v1.0.1` + +**Self-hosted runner pre-check:** authz-ui's `.github/workflows/release.yml` uses `[self-hosted, Linux, X64]` + `GOPRIVATE: github.com/GoCodeAlone/*` (verified — intentional infra; NOT migrating). Before tag push, confirm runners are online: + +```bash +gh api /orgs/GoCodeAlone/actions/runners --jq '.runners | map(select(.status=="online")) | length' +``` + +Expected: ≥1. + +Apply the **standard 5-step pattern**. + +**Verification:** `gh release view v1.0.1 --repo GoCodeAlone/workflow-plugin-authz-ui --json assets,isDraft --jq '"draft=\(.isDraft) assets=\(.assets|length)"'` → `draft=false assets≥4`. + +**Rollback:** v1.0.2 re-pin workflow → v0.51.7. 
+ +--- + +### Task 11: workflow-plugin-authz — pin bump v0.51.7 → v0.53.1; release v0.5.4 (FIRST WAVE — agent (PR15) blocks on this tag) + +**Repo:** `/Users/jon/workspace/workflow-plugin-authz` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng `0.51.7` → `0.53.0`) +**Tag:** `v0.5.4` + +Apply the **standard 5-step pattern**. + +**CRITICAL:** PR15 (agent) cannot start until `v0.5.4` tag is published + visible on GitHub. After `git push origin v0.5.4`, confirm tag visibility before unblocking PR15: + +```bash +gh release view v0.5.4 --repo GoCodeAlone/workflow-plugin-authz --json tagName,isDraft,assets --jq '"tag=\(.tagName) draft=\(.isDraft) assets=\(.assets|length)"' +``` + +Expected: `tag=v0.5.4 draft=false assets≥4`. Once confirmed, DM team-lead with `Authz v0.5.4 published — agent PR15 unblocked`. + +**Verification:** as above + the explicit unblock signal for PR15. + +**Rollback:** v0.5.5 re-pin workflow → v0.51.7. **PR15 ROLLBACK NOTE:** if v0.5.4 needs revert, agent's v0.9.3 ALSO needs to revert FIRST (cut agent v0.9.4 re-pinning both workflow → v0.51.7 AND authz → v0.5.3) BEFORE shipping authz v0.5.5. Wave-2 cascading order. + +--- + +### Task 12: workflow-plugin-eventbus — pin bump v0.51.6 → v0.53.1; release v0.3.5 + +**Repo:** `/Users/jon/workspace/workflow-plugin-eventbus` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng confirm current → `0.53.0`) +**Tag:** `v0.3.5` + +Apply the **standard 5-step pattern**. + +**Verification:** `gh release view v0.3.5` reports `draft=false assets≥4`. + +**Rollback:** v0.3.6 re-pin workflow → v0.51.6. + +--- + +### Task 13: workflow-plugin-security — pin bump v0.51.7 → v0.53.1; release v2.0.1 (self-hosted runner) + +**Repo:** `/Users/jon/workspace/workflow-plugin-security` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng confirm current → `0.53.0`) +**Tag:** `v2.0.1` + +**Self-hosted runner pre-check:** same shape as Task 10 — confirm runners online before tag push. + +Apply the **standard 5-step pattern**. 
+ +**Verification:** `gh release view v2.0.1` reports `draft=false assets≥4`. + +**Rollback:** v2.0.2 re-pin workflow → v0.51.7. + +--- + +### Task 14: workflow-plugin-supply-chain — pin bump v0.51.7 → v0.53.1; release v0.4.1 (self-hosted runner) + +**Repo:** `/Users/jon/workspace/workflow-plugin-supply-chain` +**Files:** `go.mod`, `go.sum`, `plugin.json` (minEng confirm current → `0.53.0`) +**Tag:** `v0.4.1` + +**Self-hosted runner pre-check:** same shape as Task 10 — confirm runners online before tag push. + +Apply the **standard 5-step pattern**. + +**Verification:** `gh release view v0.4.1` reports `draft=false assets≥4`. + +**Rollback:** v0.4.2 re-pin workflow → v0.51.7. + +--- + +### Task 15: workflow-plugin-agent — DUAL-BUMP workflow + authz; release v0.9.3 (WAVE 2 — depends on Task 11) + +**Repo:** `/Users/jon/workspace/workflow-plugin-agent` +**Files:** `go.mod` (TWO require lines change: workflow pin AND workflow-plugin-authz pin), `go.sum`, `plugin.json` (minEng `0.51.7` → `0.53.0`) +**Tag:** `v0.9.3` + +**EXTENDED 6-step pattern (DUAL-BUMP):** + +**Step 0 (PRE-CHECK — MANDATORY):** Confirm authz v0.5.4 tag exists on remote. Do NOT start before this: + +```bash +gh release view v0.5.4 --repo GoCodeAlone/workflow-plugin-authz --json tagName,isDraft,assets --jq '"tag=\(.tagName) draft=\(.isDraft) assets=\(.assets|length)"' +``` + +Expected: `tag=v0.5.4 draft=false assets≥4`. If output is anything else (404, draft=true, no tag), PAUSE — wait for team-lead unblock signal. + +**Step 1: Branch + ff-pull** + +```bash +cd /Users/jon/workspace/workflow-plugin-agent +git fetch origin +git checkout -b chore/workflow-v0.53.1-pin-bump origin/main +git pull --ff-only origin main +``` + +**Step 2: DUAL-BUMP go.mod** + +Edit `go.mod` — TWO require lines change (NOT just one): + +``` +require ( + github.com/GoCodeAlone/workflow v0.53.1 # was v0.51.7 + github.com/GoCodeAlone/workflow-plugin-authz v0.5.4 # was v0.2.2 + ... 
+) +``` + +**Why both lines:** `go mod tidy` (Step 3) does NOT auto-upgrade authz because workflow's go.mod doesn't import authz, so MVS has no forcing function. Both lines MUST change in this commit. + +**Step 3: Tidy + build + test** + +```bash +go mod tidy +go build ./... +go test ./... -race +``` + +Expected: clean build + tests PASS. If authz v0.5.4 has API drift from v0.2.2 (separate from workflow drift), build fails — STOP, capture, DM team-lead, file authz issue if needed. + +**Step 4: minEngineVersion** + +Edit `plugin.json`: + +```json +"minEngineVersion": "0.53.0" +``` + +**Step 5: Commit + push + PR + admin-merge + tag** + +```bash +git add go.mod go.sum plugin.json +git commit -m "chore: dual-bump workflow v0.51.7 → v0.53.1 + authz v0.2.2 → v0.5.4; release v0.9.3" +git push -u origin chore/workflow-v0.53.1-pin-bump +gh pr create --base main --head chore/workflow-v0.53.1-pin-bump \ + --title "chore: dual-bump workflow + authz; release v0.9.3" \ + --body "Wave 2 of post-cloud-SDK plugin sweep — depends on workflow-plugin-authz v0.5.4 tag (PR11) shipped 2026-05-16. + +DUAL-BUMP rationale: agent imports workflow-plugin-authz directly. MVS does not auto-resolve authz when workflow bumps because workflow's own go.mod does not import authz. + +Closes part of GoCodeAlone/workflow#656. + +## Test plan +- [x] authz v0.5.4 tag confirmed published BEFORE start +- [x] go build ./... clean +- [x] go test ./... -race PASS +- [x] minEngineVersion bumped to 0.53.0" +``` + +After CI green + Copilot settle (~10 min) + admin-merge: + +```bash +gh pr merge --squash --admin --delete-branch +git checkout main && git pull +git tag v0.9.3 +git push origin v0.9.3 +``` + +**Step 6: Monitor release** + +```bash +gh release view v0.9.3 --repo GoCodeAlone/workflow-plugin-agent --json assets,isDraft --jq '"draft=\(.isDraft) assets=\(.assets|length)"' +``` + +Expected: `draft=false assets≥4`. 
+ +**Verification:** all of above + the dual-bump line check in `git show v0.9.3:go.mod | grep -E '(workflow|authz)'`. + +**Rollback (CASCADING):** if v0.9.3 needs revert: cut v0.9.4 re-pinning BOTH `workflow → v0.51.7` AND `authz → v0.5.3` (revert dual-bump). If the broader cascade requires authz v0.5.4 itself to revert, agent v0.9.4 MUST ship FIRST before authz v0.5.5 (per design's wave-2 cascading rollback rule). + +--- + +## Out of scope (per design) + +- gcp #6 + azure #4 host conformance — separate design pass with conformance test infrastructure +- workflow#640 v2 action lifecycle migration — track-only via MEMORY.md per user direction +- Catalog manifest-derivation refactor — schema/manifest/wfctl/UI/MCP refactor; high blast radius +- TypedProvider migration for the 5 plan-2 types — SDK scaffolding ready (workflow PR #686); awaits first consumer +- MessagePublisher/MessageSubscriber for IaC-bridge modules — decisions/0038 Non-Goal +- aws-sdk-go-v2 extraction from `provider/aws/`/`plugin/rbac/aws.go`/`iam/aws.go`/`artifact/s3.go` +- Security-cadence cluster (waf/sandbox/data-protection on v0.3.56) — 50+ minor versions behind; needs dedicated cadence-governance assessment +- workflow-plugin-cloud-ui — no Go go.mod; React-only structural shape +- Phase B RLV doc + +## Memory updates (post-execution) + +After all 15 tasks complete: + +- Append to `project_cloud_sdk_extraction_complete.md`'s "Deferred / out-of-scope" section: mark "Plugin ecosystem v0.53.1 sweep" COMPLETE; flag remaining followups (#640, gcp#6, azure#4, catalog manifest-derivation, security-cadence cluster). +- Update MEMORY.md: change "Cloud-SDK Extraction COMPLETE 2026-05-16" entry to also reference the sweep completion. +- Track #640 explicitly in MEMORY.md as standalone next-pass candidate. +- Close umbrella tracking issue: `gh issue close 656 --repo GoCodeAlone/workflow --comment "Sweep complete. All 15 plugins on workflow v0.53.1 as of . 
Tracking issue closed via supersession; remaining followups (gcp#6 + azure#4 host conformance, #640 v2 lifecycle, catalog manifest-derivation, security-cadence cluster waf/sandbox/data-protection on v0.3.56) tracked separately."` diff --git a/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md.scope-lock b/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md.scope-lock new file mode 100644 index 00000000..f34fc9f4 --- /dev/null +++ b/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md.scope-lock @@ -0,0 +1 @@ +e6545d28a79830991afa6ed362da5cfcecaf7678fd41062fee7d81caceda7566
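Review bot: the `go.mod` edits in Step 2 of the universal pattern, in Task 7 and in Task 15 annotate the require line with `#` (`github.com/GoCodeAlone/workflow v0.53.1 # was vOLD per table`), but go.mod only accepts `//` comments, so `go mod tidy` in Step 3 fails to parse the file as written; drop the hand edit and use `go get github.com/GoCodeAlone/workflow@v0.53.1` (plus `go get github.com/GoCodeAlone/workflow-plugin-authz@v0.5.4` in Task 15), which rewrites the require line correctly and leaves the old pin visible in the commit diff. Step 3 also runs `go mod tidy`, `go build ./...` and `go test ./... -race` without `GOWORK=off`; if a `go.work` exists anywhere under `/Users/jon/workspace/`, all three resolve `workflow` from the local checkout instead of the v0.53.1 tag and the build/test gate verifies nothing about the pin, so set `GOWORK=off` on every command in that step. Task 1's rollback one-liner (`go get github.com/GoCodeAlone/workflow@v0.51.6 && go mod tidy && git tag v0.4.7 && git push origin v0.4.7`) tags the current HEAD without committing the re-pinned `go.mod`/`go.sum`, so v0.4.7 would ship the unchanged v0.53.1 pin (and still claim `minEngineVersion` 0.53.0); add the commit, and the plugin.json revert, before the tag. Step 5 says to merge "after CI green", but `gh pr merge --squash --admin --delete-branch` bypasses required checks and reviews and nothing in the command waits for them; gate on `gh pr checks --watch` (or drop `--admin`), and tag the merge commit explicitly (`gh pr view --json mergeCommit`) rather than `git pull && git tag vNEW` on main, which tags whatever else landed in between. For the four self-hosted builds especially, the release gate is only `draft=false assets≥4`; also confirm that the checksums file GoReleaser emits by default is among the assets and matches the downloaded binaries before declaring the release good. Smaller items: the PR body calls 0.53.0 the "tested-floor" for `minEngineVersion`, but the only engine version the sweep builds and tests against is v0.53.1, so either pin the floor at 0.53.1 or state in this document why 0.53.0 is safe; the supersession comment cites `docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md` while the file being added is `...-sweep-design.md`; the closing comment under Memory updates reads "as of ." with the date missing; and the parenthetical in "Universal per-task pattern" ("wave 1 minus tofu PR3, plus all of wave 1 except agent PR15") contradicts itself, since tofu is a wave-1 task with an extended pattern and agent is the only wave-2 task.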
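Review bot: the new `docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md.scope-lock` is a bare 64-hex digest (SHA-256 by length, presumably) with no statement of what it hashes or how it is checked, and its base name does not match the design file added in the same commit (`...-sweep-design.md`), so any check that derives the locked file from the lock's name will look for a file this commit does not contain. Rename the lock to match the design file, or document the input and algorithm in the design doc so the digest can be recomputed and compared.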