Merge branch 'main' into fix/issue-2102

Author: matttrach

.envrc

@@ -43,10 +43,10 @@ if ! which "$0" | grep -q nix; then
   fi
 
   echo 'Installing Nix Profile...'
-  if ! nf profile install . --profile "$profile"; then
-    echo 'Failed to install new Nix profile! Reverting to previous profile...'
+  if ! nf profile add . --profile "$profile"; then
+    echo 'Failed to add new Nix profile! Reverting to previous profile...'
     git checkout flake.lock
-    nf profile install . --profile "$profile"
+    nf profile add . --profile "$profile"
   fi
 
   nf profile list --profile "$profile"

.github/ISSUE_TEMPLATE/feature.md

@@ -0,0 +1,21 @@
+---
+name: Request a New Behavior
+about: Something is missing or outdated
+title: '[Feature] '
+labels: 'internal/user'
+assignees: ''
+
+---
+
+### Environment Information
+<!--Please add information on the same line in quotes. Eg. - Terraform version: "v1.13.0" -->
+- Rancher2 Provider version:
+- Rancher version:
+- Infrastructure Provider (AWS/GCP/vSphere/etc):
+
+### Describe the Feature
+
+<!--- 
+Please add relevant Terraform configs or examples so that we can fully understand what you would like.
+Please give us enough information to build an API or project plan.
+--->

.github/instructions/aspell.instructions.md

@@ -0,0 +1,7 @@
+---
+applyTo: "aspell_custom.txt"
+---
+
+# Custom Words File
+
+All words, acronyms, etc in the aspell_custom.txt file MUST be lower case.

.github/instructions/github-script.instructions.md

@@ -0,0 +1,27 @@
+---
+applyTo: ".github/workflows/scripts/**/*.js"
+---
+
+# GitHub-Script PR Review Standards
+
+You are a strict CI/CD reviewer evaluating JavaScript executed via the `actions/github-script` runner. These files are NOT standard Node.js scripts; they are executed with pre-injected asynchronous contexts.
+
+## 1. Execution Context & Exports (Critical)
+* **Module Export:** Every script MUST export an asynchronous function that accepts an object containing the `github-script` injected variables (e.g., `export default async ({ github, context, core, process }) => { ... }`). The exception to this is the backport-issues.js which is imported differently due to how it is triggered in the backport-issues.yml.
+* **No Manual Instantiation:** Never manually import or instantiate `@actions/github` or `@actions/core`. Rely strictly on the parameters passed into the exported function.
+
+## 2. GitHub API (Octokit) Usage
+* **Pagination:** Use `github.paginate` for any REST API calls that return arrays (like listing pull requests or issues) to ensure all results are fetched.
+* **REST vs GraphQL:** Prefer `github.rest.[endpoint]` for standard operations. If using GraphQL via `github.graphql`, ensure the query string is well-formed and variables are passed securely.
+* **Await Everything:** Ensure every `github.rest.*` or `core.*` asynchronous method is properly prefixed with `await`.
+
+## 3. Security & Input Handling
+* **Untrusted Payload Data:** Treat all data from `context.payload` (PR titles, issue bodies, author names) as untrusted user input. Sanitize inputs before using them in regex evaluations or logging.
+* **Graceful Failures:** Use `try/catch` blocks around API calls. On failure, use `core.setFailed(error.message)` to fail the workflow step gracefully and provide an actionable error message.
+
+## 4. Actions UI Logging & Outputs
+* **Actions Logging:** Use `core.info()`, `core.notice()`, `core.warning()`, and `core.error()` instead of `console.log()`. This ensures logs are properly highlighted and annotated in the GitHub Actions UI.
+* **Step Outputs:** Set workflow outputs explicitly using `core.setOutput('name', value)` rather than relying on the return value of the script, unless specifically configured to do so.
+
+## Review Constraints
+* Provide the exact refactored JavaScript code block in your recommendation.

.github/instructions/go.instructions.md

@@ -0,0 +1,39 @@
+---
+applyTo: "**/*.go"
+---
+
+# Go PR Review Standards
+
+You are a strict code reviewer. Enforce the following Go (Golang) standards on all code changes. Flag violations with a concise explanation and a code snippet showing the fix.
+
+## 1. Error Handling (Critical)
+* **Check errors immediately:** Never ignore errors using `_` unless explicitly documented why it is safe.
+* **Wrap errors:** Always use `fmt.Errorf("...: %w", err)` to wrap errors and preserve the original error context. 
+* **No Panics:** Never use `panic()` for normal control flow or error handling. Reserve `panic` only for truly unrecoverable initialization errors.
+* **Avoid nested `if` for errors:** Handle errors and return early to keep the \"happy path\" left-aligned.
+
+## 2. Concurrency & Context
+* **Pass Context first:** The first parameter of any function making network calls, database queries, or blocking operations MUST be `ctx context.Context`.
+* **Never store Context:** Contexts should flow through functions, never be stored in structs.
+* **Prevent Goroutine leaks:** Ensure every launched goroutine has a clear exit path. Use `sync.WaitGroup` or `golang.org/x/sync/errgroup` to manage lifecycles.
+* **Channel safety:** Always close channels from the sender side, never the receiver side.
+
+## 3. Naming Conventions
+* **Exported vs Unexported:** Use `PascalCase` for exported identifiers and `camelCase` for unexported ones. Never use `snake_case`.
+* **Keep locals short, globals descriptive:** Use short names for limited scopes (e.g., `i` for index, `r` for reader, `err` for error). Use descriptive names for package-level variables and functions.
+* **Interface names:** Interfaces with a single method should end in `-er` (e.g., `Reader`, `Writer`, `Formatter`).
+* **Getters:** Do not use `Get` in getter names. Use `User()` instead of `GetUser()`.
+
+## 4. Architecture & State
+* **Dependency Injection:** Pass dependencies as interfaces rather than concrete structs to make code testable.
+* **Pointer vs Value:** Use pointers for structs when you need to mutate the state or when the struct is very large. Otherwise, pass by value to reduce GC pressure.
+* **Avoid global state:** Do not use package-level mutable variables (`var`). Use dependency injection instead.
+* **Naked Returns:** Never use naked returns (returning without explicitly naming the variables) in functions longer than 5 lines.
+
+## 5. Standard Library & Tools
+* **HTTP Clients:** Never use the default `http.Client` in production code. Always specify explicit timeouts (`Timeout: 10 * time.Second`).
+* **Slices/Maps allocation:** If the final size of a slice or map is known, pre-allocate it using `make([]T, 0, capacity)` to avoid reallocation overhead.
+
+## Review Constraints
+* Assume the codebase uses `gofmt` and `goimports`. DO NOT comment on spacing, bracket placement, or trailing commas. 
+* Provide the exact refactored Go code block in your recommendation.

.github/instructions/terraform.instructions.md

@@ -0,0 +1,32 @@
+---
+applyTo: "**/*.tf"
+---
+
+# Terraform PR Review Standards
+
+You are a strict infrastructure-as-code reviewer. Enforce the following Terraform (HCL) standards on all code changes. Flag violations with a concise explanation and provide the refactored code block.
+
+## 1. Security & State (Critical)
+* **No Secrets in Code:** NEVER allow hardcoded secrets, passwords, or tokens in `.tf` files. All secrets must be passed via variables and marked with `sensitive = true`.
+* **State Protection:** Never allow the creation of local `terraform.tfstate` backends in production modules. 
+* **Least Privilege:** Flag overly permissive IAM roles, overly broad security group ingress/egress rules (e.g., `0.0.0.0/0` unless explicitly intended), or disabled security features.
+
+## 2. Variables and Outputs
+* **Strict Typing:** All `variable` blocks MUST have an explicit `type`. Do not use `type = any` unless strictly necessary for complex dynamic inputs. 
+* **Descriptions:** Every `variable` and `output` MUST have a meaningful `description`. Do not just repeat the variable name.
+* **Defaults:** Do not use `null` as a default for collections. Use empty lists `[]` or maps `{}` instead.
+
+## 3. Resource & Module Configuration
+* **Naming Conventions:** Use `snake_case` for all resources, data sources, variables, outputs, and locals. Keep names descriptive but concise.
+* **Attribute Ordering:** Group resource attributes logically: put required arguments first, followed by optional arguments, and finally `lifecycle` or `depends_on` blocks.
+* **Implicit vs Explicit Dependencies:** Avoid using explicit `depends_on` unless absolutely necessary (e.g., when a resource depends on another via a side effect, not an attribute reference). Rely on implicit dependencies via interpolation whenever possible.
+* **Count vs For_Each:** Prefer `for_each` with maps or sets over `count` for resource replication to prevent disruptive state shifts when list items are removed. Use `count` only for simple boolean toggles (e.g., `count = var.create_resource ? 1 : 0`).
+
+## 4. Code Organization & Maintainability
+* **Locals:** Use `locals` blocks to centralize repeated expressions, complex logic, or string interpolations. Do not repeat complex logic across multiple resources.
+* **Data Sources:** Prefer `data` sources to fetch external infrastructure IDs dynamically rather than hardcoding ARNs or IDs.
+* **Dynamic Blocks:** Use `dynamic` blocks for nested configurations that need to be generated conditionally or iteratively based on variables.
+
+## Review Constraints
+* Assume the code will be formatted using `terraform fmt`. DO NOT comment on standard indentation or spacing.
+* Provide the exact refactored HCL block in your recommendation.

.github/instructions/workflows.instructions.md

@@ -0,0 +1,28 @@
+---
+applyTo: ".github/workflows/**/*.{yml,yaml}"
+---
+
+# GitHub Actions Workflow PR Review Standards
+
+As a strict DevSecOps CI/CD reviewer, enforce these standards on all workflow changes. Flag violations with a concise explanation and provide the refactored YAML.
+
+## 1. Security (Critical)
+* **Least Privilege:** All workflows and jobs must define explicit `permissions:`. Default to `read-all` or `permissions: {}` at the top level. Set scopes to `none` as needed.
+* **Pin Actions by SHA:** Pin all actions (including `actions/*`, `github/*`, `rancher/*`) to a full 40-character commit SHA, not a tag. The `uses:` line MUST include the version and a repository link in a comment (e.g., `# v6.0.2 https://github.com/actions/checkout`). Exception: `rancher-eio/read-vault-secrets`.
+* **Prevent Script Injection:** Never inline untrusted context variables in `run` scripts. Use environment variables (e.g., `env: VAR: ${{...}}`).
+* **No `pull_request_target`:** This trigger is banned.
+
+## 2. Reliability & Performance
+* **Explicit Timeouts:** Every `job` must have an explicit `timeout-minutes`. Don't use the 360-minute default.
+* **Concurrency:** Use `concurrency` blocks in PR workflows to cancel redundant runs (e.g., `group: ${{ github.workflow }}-${{ github.ref }}`).
+* **Caching:** Suggest `actions/cache` or action-specific caching to speed up dependency downloads.
+
+## 3. Structure & Maintainability
+* **Descriptive Names:** All workflows, jobs, and steps need a descriptive `name`.
+* **Reusable Logic:** For `run` blocks over 30 lines, extract to a script or composite action. Exception: `pull_request.yaml` (runs on user fork).
+* **Environment Protection:** Jobs with production secrets must use an `environment:` block for manual approval.
+* **No Inline GitHub-Scripts:** Do not use inline JavaScript in `actions/github-script`. Import scripts from `.github/workflows/scripts/`. Exceptions: `pull_request.yaml` and `backport-issues.yml`.
+
+## Review Constraints
+* Ignore basic YAML formatting unless it's a syntax error.
+* Provide the exact refactored YAML block in your recommendation.

.github/workflows/fossa.yml

@@ -26,7 +26,7 @@ jobs:
             secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY
 
       - name: FOSSA scan
-        uses: fossas/fossa-action@main
+        uses: fossas/fossa-action@edcc58279d396837acb02a1317ffa24dabfb7cc9 # v1.8.0+ https://github.com/fossas/fossa-action
         with:
           api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }}
           # Only run the scan and don't provide/return any results back to the pipeline.

.github/workflows/manual-rc-release.yml

@@ -1,5 +1,4 @@
 name: Manually Create RC Release
-
 on:
   workflow_dispatch:
     inputs:
@@ -13,16 +12,21 @@ on:
         description: 'The rc tag to create, e.g. v1.2.3-rc.1'
         required: true
 
-permissions:
-  contents: write
-  id-token: write
-  issues: write
-  pull-requests: write
-  actions: read
+env:
+  NIX_INSTALL_SHA: de490f61fcbaf9a5cabf2fa621ddb9ef93ad35d9a23a04e7d51b26e092b63691
+  NIX_INSTALL_VERSION: 2.34.4
+
+permissions: {}
 
 jobs:
   rc-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      issues: write
+      pull-requests: write
+      actions: read
     steps:
       - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script/commits/main
         id: check-user-in-maintainers
@@ -113,15 +117,25 @@ jobs:
           go-version-file: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.mod
           cache-dependency-path: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.sum
           cache: true
+      - name: install-nix
+        run: |
+          curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c -
+          chmod +x nix_install.sh
+          ./nix_install.sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          rm -f ./nix_install.sh
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
-        with:
-          args: release --clean --skip=validate --config ../../.goreleaser_rc.yml
-          workdir: ${{ github.workspace }}/tags/${{ inputs.tag }}
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep TAG --keep GPG_KEY_ID --keep GPG_PASSPHRASE --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+          TAG: ${{ inputs.tag }}
+        run: |-
+          cd ${{ github.workspace }}/tags/$TAG
+          goreleaser release --clean --skip=validate --config ../../.goreleaser_rc.yml
       - name: 'Find Issues and Create Comments'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script
         env:

.github/workflows/manual-release.yml

@@ -1,5 +1,4 @@
 name: Manually Create Full Release
-
 on:
   workflow_dispatch:
     inputs:
@@ -10,14 +9,19 @@ on:
         description: 'The commit SHA to create the tag from, defaults to HEAD of the selected branch.'
         required: false
 
-permissions:
-  contents: write
-  id-token: write
-  actions: read
+env:
+  NIX_INSTALL_SHA: de490f61fcbaf9a5cabf2fa621ddb9ef93ad35d9a23a04e7d51b26e092b63691
+  NIX_INSTALL_VERSION: 2.34.4
+
+permissions: {}
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      actions: read
     steps:
       - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script/commits/main
         id: check-user-in-maintainers
@@ -106,12 +110,22 @@ jobs:
           go-version-file: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.mod
           cache-dependency-path: ${{ github.workspace }}/tags/${{ inputs.tag }}/go.sum
           cache: true
+      - name: install-nix
+        run: |
+          curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install"
+          echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c -
+          chmod +x nix_install.sh
+          ./nix_install.sh
+          source /home/runner/.nix-profile/etc/profile.d/nix.sh
+          nix --version
+          rm -f ./nix_install.sh
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 https://github.com/goreleaser/goreleaser-action
-        with:
-          args: release --clean --skip=validate --config ../../.goreleaser.yml
-          workdir: ${{ github.workspace }}/tags/${{ inputs.tag }}
+        shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep TAG --keep GPG_KEY_ID --keep GPG_PASSPHRASE --keep GITHUB_TOKEN --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+          TAG: ${{ inputs.tag }}
+        run: |-
+          cd ${{ github.workspace }}/tags/$TAG
+          goreleaser release --clean --skip=validate --config ../../.goreleaser.yml