fix: Backport 2208 to v15 (#2213)

Signed-off-by: matttrach <matt.trachier@suse.com>

Author: matttrach

.envrc

@@ -43,10 +43,10 @@ if ! which "$0" | grep -q nix; then
   fi
 
   echo 'Installing Nix Profile...'
-  if ! nf profile install . --profile "$profile"; then
-    echo 'Failed to install new Nix profile! Reverting to previous profile...'
+  if ! nf profile add . --profile "$profile"; then
+    echo 'Failed to add new Nix profile! Reverting to previous profile...'
     git checkout flake.lock
-    nf profile install . --profile "$profile"
+    nf profile add . --profile "$profile"
   fi
 
   nf profile list --profile "$profile"

.github/workflows/manual-rc-release.yml

@@ -13,16 +13,21 @@ on:
         description: 'The rc tag to create, e.g. v1.2.3-rc.1'
         required: true
 
-permissions:
-  contents: write
-  id-token: write
-  issues: write
-  pull-requests: write
-  actions: read
+env:
+  NIX_INSTALL_SHA: de490f61fcbaf9a5cabf2fa621ddb9ef93ad35d9a23a04e7d51b26e092b63691
+  NIX_INSTALL_VERSION: 2.34.4
+
+permissions: {}
 
 jobs:
   rc-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      issues: write
+      pull-requests: write
+      actions: read
     steps:
       - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script/commits/main
         id: check-user-in-maintainers
@@ -113,15 +118,35 @@ jobs:
           go-version-file: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.mod
           cache-dependency-path: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.sum
           cache: true
+      - name: install-nix
+        run: |
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
-        with:
-          args: release --clean --skip=validate --config ../../.goreleaser_rc.yml
-          workdir: ${{ github.workspace }}/tags/${{ inputs.tag }}
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep TAG --keep GPG_KEY_ID --keep GPG_PASSPHRASE --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+          TAG: ${{ inputs.tag }}
+        run: |-
+          cd ${{ github.workspace }}/tags/$TAG
+          goreleaser release --clean --skip=validate --config ../../.goreleaser_rc.yml
+          if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then
+            echo "Missing required file: dist/metadata.json"
+            exit 1
+          fi
+          if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then
+            echo "Missing required file: dist/artifacts.json"
+            exit 1
+          fi
+          echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
+          echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"
       - name: 'Find Issues and Create Comments'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script
         env:

.github/workflows/manual-release.yml

@@ -10,14 +10,19 @@ on:
         description: 'The commit SHA to create the tag from, defaults to HEAD of the selected branch.'
         required: false
 
-permissions:
-  contents: write
-  id-token: write
-  actions: read
+env:
+  NIX_INSTALL_SHA: de490f61fcbaf9a5cabf2fa621ddb9ef93ad35d9a23a04e7d51b26e092b63691
+  NIX_INSTALL_VERSION: 2.34.4
+
+permissions: {}
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      actions: read
     steps:
       - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script/commits/main
         id: check-user-in-maintainers
@@ -106,12 +111,32 @@ jobs:
           go-version-file: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.mod
           cache-dependency-path: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.sum
           cache: true
+      - name: install-nix
+        run: |
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
-        with:
-          args: release --clean --skip=validate --config ../../.goreleaser.yml
-          workdir: ${{ github.workspace }}/tags/${{ inputs.tag }}
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep TAG --keep GPG_KEY_ID --keep GPG_PASSPHRASE --keep GITHUB_TOKEN --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+          TAG: ${{ inputs.tag }}
+        run: |-
+          cd ${{ github.workspace }}/tags/$TAG
+          goreleaser release --clean --skip=validate --config ../../.goreleaser.yml
+          if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then
+            echo "Missing required file: dist/metadata.json"
+            exit 1
+          fi
+          if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then
+            echo "Missing required file: dist/artifacts.json"
+            exit 1
+          fi
+          echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
+          echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"

.github/workflows/release.yml

@@ -408,14 +408,33 @@ jobs:
 
           echo "Importing gpg key"
           echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; }
+      - name: install-nix
+        run: |
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
-        with:
-          args: release --clean --config .goreleaser_rc.yml
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GPG_KEY_ID --keep GPG_PASSPHRASE --keep GITHUB_TOKEN --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+        run: |-
+          goreleaser release --clean --config .goreleaser_rc.yml
+          if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then
+            echo "Missing required file: dist/metadata.json"
+            exit 1
+          fi
+          if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then
+            echo "Missing required file: dist/artifacts.json"
+            exit 1
+          fi
+          echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
+          echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"
       - name: 'Find Issues and Create Comments'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script
         env:
@@ -473,11 +492,30 @@ jobs:
 
           echo "Importing gpg key"
           echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; }
+      - name: install-nix
+        run: |
+          curl -L -o install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} install.sh" | sha256sum -c -
+          chmod +x install.sh
+          ./install.sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          which nix
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
-        with:
-          args: release --clean --config .goreleaser.yml
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GPG_KEY_ID --keep GPG_PASSPHRASE --keep GITHUB_TOKEN --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+        run: |-
+          goreleaser release --clean --config .goreleaser.yml
+          if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then
+            echo "Missing required file: dist/metadata.json"
+            exit 1
+          fi
+          if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then
+            echo "Missing required file: dist/artifacts.json"
+            exit 1
+          fi
+          echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
+          echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"

aspell_custom.txt

@@ -19,6 +19,7 @@ pre-release
 prerelease
 rancher
 rc
+readme
 rke
 rke2
 sha

examples/use-cases/one/README.md

@@ -7,21 +7,38 @@ This shows the most basic use case for the provider, is functions as a good star
 ## Dependencies
 
 The `flake.nix` file in the root of the module explains all of the dependencies for the development of the module, it also includes the dependencies to run it.
-You can see the list on lines 50-80, but a more specific list is below (with explanations).
+You can see the list on lines 143-174, but a more specific list is below (with explanations).
 
-- bash -> born again shell with linux core utils facilitates CLI actions
-- tfswitch -> handy for installing Terraform at specific verisons
-- git -> required by Terraform
-- curl -> required by Terraform as well as dependent modules (when downloading RKE2 for install)
-- openssh -> required by Terraform and used in dependent modules to connect to servers for initial configuration
-- openssl -> required by Terraform and used in dependent modules to verify TLS certificates
-- ssh-agent -> used for connecting to remote server for initial configuration, you need to have the key you send into the module loaded in your agent
+- actionlint -> used to lint workflows
+- aspellWithDicts -> used to validate commit messages
+- awscli2 -> used in some dependent modules in some use cases (dualstack)
+- bashInteractive -> born again shell with linux core utils facilitates CLI actions
+- cmctl -> helpful to troubleshoot Rancher install issues
+- curl -> required for Terraform
+- eslint -> lint node scripts in CI
 - gh -> the github cli tool, used to find releases when downloading RKE2 for install
-- jq -> json parsing tool, used in dependent modules to parse submodule outputs
-- kubectl -> used in local exec to patch kubernetes objects
-- awscli2 -> the aws cli tool, used in some dependent modules in some use cases (dualstack)
-- yq -> yaml parsing tool, used in dependent modules to parse kubectl outputs
-- go -> necessary to run tests
+- git -> required by Terraform
+- gitleaks -> used in CI to detect potential key leaks
+- gnupg -> helpful when generating a new gpg key for releases
+- go -> necessary for building and testing
+- golangci-lint -> lint go code
+- gotestfmt -> necessary for gotestsum
+- gotestsum -> test harness that allows for better parsing and testing of go tests
+- kubernetes-helm -> helpful when troubleshooting helm issues
+- jq -> used in dependent modules to parse submodule outputs
+- kubectl -> necessary when pulling kubeconfig
+- less -> helpful when needing to read files
+- nodejs_24 -> used by eslint to validate github scripts
+- openssh -> necessary to connect to servers
+- openssl -> helpful when generating certs
+- shellcheck -> used by ci to validate shell scripts
+- tflint -> used by ci to validate Terraform examples
+- vim -> helpful when editing files
+- which -> helpful when troubleshooting nix issues
+- yq -> used in dependent modules to parse kubectl outputs
+- terraform -> necessary to run tests
+- goreleaser -> necessary for releases
+- leftovers -> necessary for cleaning up broken tests
 
 ## Environment Variables
 

examples/use-cases/production/README.md

@@ -8,21 +8,38 @@ The TLS certificate is externally generated and publicly verifiable (assuming yo
 ## Dependencies
 
 The `flake.nix` file in the root of the module explains all of the dependencies for the development of the module, it also includes the dependencies to run it.
-You can see the list on lines 50-80, but a more specific list is below (with explanations).
-
-- bash -> born again shell with linux core utils facilitates CLI actions
-- tfswitch -> handy for installing Terraform at specific verisons
-- git -> required by Terraform
-- curl -> required by Terraform as well as dependent modules (when downloading RKE2 for install)
-- openssh -> required by Terraform and used in dependent modules to connect to servers for initial configuration
-- openssl -> required by Terraform and used in dependent modules to verify TLS certificates
-- ssh-agent -> used for connecting to remote server for initial configuration, you need to have the key you send into the module loaded in your agent
+You can see the list on lines 143-174, but a more specific list is below (with explanations).
+
+- actionlint -> used to lint workflows
+- aspellWithDicts -> used to validate commit messages
+- awscli2 -> used in some dependent modules in some use cases (dualstack)
+- bashInteractive -> born again shell with linux core utils facilitates CLI actions
+- cmctl -> helpful to troubleshoot Rancher install issues
+- curl -> required for Terraform
+- eslint -> lint node scripts in CI
 - gh -> the github cli tool, used to find releases when downloading RKE2 for install
-- jq -> json parsing tool, used in dependent modules to parse submodule outputs
-- kubectl -> used in local exec to patch kubernetes objects
-- awscli2 -> the aws cli tool, used in some dependent modules in some use cases (dualstack)
-- yq -> yaml parsing tool, used in dependent modules to parse kubectl outputs
-- go -> necessary to run tests
+- git -> required by Terraform
+- gitleaks -> used in CI to detect potential key leaks
+- gnupg -> helpful when generating a new gpg key for releases
+- go -> necessary for building and testing
+- golangci-lint -> lint go code
+- gotestfmt -> necessary for gotestsum
+- gotestsum -> test harness that allows for better parsing and testing of go tests
+- kubernetes-helm -> helpful when troubleshooting helm issues
+- jq -> used in dependent modules to parse submodule outputs
+- kubectl -> necessary when pulling kubeconfig
+- less -> helpful when needing to read files
+- nodejs_24 -> used by eslint to validate github scripts
+- openssh -> necessary to connect to servers
+- openssl -> helpful when generating certs
+- shellcheck -> used by ci to validate shell scripts
+- tflint -> used by ci to validate Terraform examples
+- vim -> helpful when editing files
+- which -> helpful when troubleshooting nix issues
+- yq -> used in dependent modules to parse kubectl outputs
+- terraform -> necessary to run tests
+- goreleaser -> necessary for releases
+- leftovers -> necessary for cleaning up broken tests
 
 ## Environment Variables
 

examples/use-cases/three/README.md

@@ -13,21 +13,38 @@ This module was developed working closely with specific customer feedback.
 ## Dependencies
 
 The `flake.nix` file in the root of the module explains all of the dependencies for the development of the module, it also includes the dependencies to run it.
-You can see the list on lines 50-80, but a more specific list is below (with explanations).
-
-- bash -> born again shell with linux core utils facilitates CLI actions
-- tfswitch -> handy for installing Terraform at specific verisons
-- git -> required by Terraform
-- curl -> required by Terraform as well as dependent modules (when downloading RKE2 for install)
-- openssh -> required by Terraform and used in dependent modules to connect to servers for initial configuration
-- openssl -> required by Terraform and used in dependent modules to verify TLS certificates
-- ssh-agent -> used for connecting to remote server for initial configuration, you need to have the key you send into the module loaded in your agent
+You can see the list on lines 143-174, but a more specific list is below (with explanations).
+
+- actionlint -> used to lint workflows
+- aspellWithDicts -> used to validate commit messages
+- awscli2 -> used in some dependent modules in some use cases (dualstack)
+- bashInteractive -> born again shell with linux core utils facilitates CLI actions
+- cmctl -> helpful to troubleshoot Rancher install issues
+- curl -> required for Terraform
+- eslint -> lint node scripts in CI
 - gh -> the github cli tool, used to find releases when downloading RKE2 for install
-- jq -> json parsing tool, used in dependent modules to parse submodule outputs
-- kubectl -> used in local exec to patch kubernetes objects
-- awscli2 -> the aws cli tool, used in some dependent modules in some use cases (dualstack)
-- yq -> yaml parsing tool, used in dependent modules to parse kubectl outputs
-- go -> necessary to run tests
+- git -> required by Terraform
+- gitleaks -> used in CI to detect potential key leaks
+- gnupg -> helpful when generating a new gpg key for releases
+- go -> necessary for building and testing
+- golangci-lint -> lint go code
+- gotestfmt -> necessary for gotestsum
+- gotestsum -> test harness that allows for better parsing and testing of go tests
+- kubernetes-helm -> helpful when troubleshooting helm issues
+- jq -> used in dependent modules to parse submodule outputs
+- kubectl -> necessary when pulling kubeconfig
+- less -> helpful when needing to read files
+- nodejs_24 -> used by eslint to validate github scripts
+- openssh -> necessary to connect to servers
+- openssl -> helpful when generating certs
+- shellcheck -> used by ci to validate shell scripts
+- tflint -> used by ci to validate Terraform examples
+- vim -> helpful when editing files
+- which -> helpful when troubleshooting nix issues
+- yq -> used in dependent modules to parse kubectl outputs
+- terraform -> necessary to run tests
+- goreleaser -> necessary for releases
+- leftovers -> necessary for cleaning up broken tests
 
 ## Environment Variables