Merge remote-tracking branch 'origin/main' into fork-github-plugin

* origin/main: (1516 commits)
  secrets-aws: add external_id support for assumed_role (openbao#39)
  consul plugin: drop deprecated features (openbao#38)
  secrets-consul: ignore missing tokens (openbao#37)
  fix github markdown problems in docs
  fork consul plugin: add CHANGELOG
  fork consul plugin: add README
  fork consul plugin: cleanup docs
  fork consul plugin: replace Vault with OpenBao in docs
  fork consul plugin: vendor new dependencies
  fork consul plugin: use openbao go packages
  update openbao depenencies to 2.4.0 (openbao#34)
  auth-aws: fix nil pointer access on empty client config (openbao#33)
  report plugin version when registered in OpenBao (openbao#32)
  build(deps): bump github.com/go-viper/mapstructure/v2 (openbao#30)
  build(deps): bump github.com/openbao/openbao/api/v2 from 2.3.0 to 2.3.1 (openbao#27)
  build(deps): bump github.com/openbao/openbao/sdk/v2 from 2.2.0 to 2.3.0 (openbao#24)
  add option to republish existing release OCI images (openbao#26)
  Fix plugin OCI image uploads (openbao#25)
  Various minor README improvements (openbao#22)
  build(deps): bump github.com/go-viper/mapstructure/v2 (openbao#21)
  ...

Author: mabunixda

.github/workflows/build.yaml

@@ -0,0 +1,37 @@
+name: build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      plugins: ${{ steps.matrix.outputs.plugins }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - id: matrix
+        run: |
+          make ci-matrix >> "$GITHUB_OUTPUT"
+  build:
+    runs-on: ubuntu-latest
+    needs: matrix
+    strategy:
+      fail-fast: false
+      matrix:
+        plugin: ${{ fromJSON(needs.matrix.outputs.plugins) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Build plugin
+        run: make ${{ matrix.plugin }}

.github/workflows/push-image.yaml

@@ -0,0 +1,114 @@
+name: push-image
+
+on:
+  workflow_dispatch:
+    inputs:
+      plugin:
+        description: Plugin to build
+        required: true
+        type: string
+      version:
+        description: Version to publish
+        required: true
+        type: string
+      republish:
+        description: Republish existing release (download assets instead of building)
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
+jobs:
+  matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      targets: ${{ steps.matrix.outputs.targets }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - id: matrix
+        run: |
+          make ci-targets >> "$GITHUB_OUTPUT"
+  build:
+    runs-on: ubuntu-latest
+    needs: matrix
+    if: ${{ !inputs.republish }}
+    strategy:
+      matrix:
+        target: ${{ fromJSON(needs.matrix.outputs.targets) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Build plugin
+        run: |
+          make build PLUGIN=${{ inputs.plugin }} TARGET=${{ matrix.target }} VERSION=${{ inputs.version }}
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: plugin-${{ matrix.target }}
+          path: bin/*
+  download-release:
+    runs-on: ubuntu-latest
+    needs: matrix
+    if: ${{ inputs.republish }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Download release assets
+        run: |
+          mkdir -p bin tmp
+          # Download the compressed binary archives
+          gh release download ${{ inputs.plugin }}-${{ inputs.version }} --pattern "*.tar.gz" --dir tmp
+          gh release download ${{ inputs.plugin }}-${{ inputs.version }} --pattern "*.zip" --dir tmp
+
+          # Extract binaries from archives
+          find tmp -name '*.tar.gz' -exec tar xfz \{\} -C bin --wildcards "openbao-plugin-*" \;
+          find tmp -name '*.zip' -exec unzip -j \{\} "openbao-plugin-*" -d bin \;
+
+          # Rename ARM binaries from older releases
+          for file in bin/*_v8.0; do mv "$file" "${file%_v8.0}_v8"; done
+
+          ls -la bin/
+        env:
+          GH_TOKEN: ${{ github.token }}
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: plugin-republish
+          path: bin/*
+  push-image:
+    runs-on: ubuntu-latest
+    needs: [build, download-release]
+    if: always() && (needs.build.result == 'success' || needs.download-release.result == 'success')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: install buildah
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install buildah
+      - name: Download All Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: bin
+          pattern: plugin-*
+          merge-multiple: true
+      - name: Push image
+        run: |
+          make -j $(nproc) push PLUGIN=${{ inputs.plugin }} VERSION=${{ inputs.version }}
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/release.yaml

@@ -0,0 +1,102 @@
+name: release
+
+on:
+  release:
+    types:
+      - prereleased
+      - released
+
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
+jobs:
+  matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      targets: ${{ steps.matrix.outputs.targets }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - id: matrix
+        run: |
+          make ci-targets >> "$GITHUB_OUTPUT"
+  build:
+    runs-on: ubuntu-latest
+    needs: matrix
+    strategy:
+      matrix:
+        target: ${{ fromJSON(needs.matrix.outputs.targets) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Build plugin
+        run: |
+          make build PLUGIN=$(echo ${{github.ref_name}} | cut -d- -f 1-2) TARGET=${{ matrix.target }} VERSION=$(echo ${{github.ref_name}} | cut -d- -f 3)
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: plugin-${{ matrix.target }}
+          path: bin/*
+  release:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@v0
+      - name: GPG Import
+        id: gpg-import
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSWORD }}
+      - name: Download All Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: bin
+          pattern: plugin-*
+          merge-multiple: true
+      - name: Release plugin
+        run: |
+          make -j $(nproc) release PLUGIN=$(echo ${{github.ref_name}} | cut -d- -f 1-2) VERSION=$(echo ${{github.ref_name}} | cut -d- -f 3)
+        env:
+          GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
+      - name: upload assets
+        run: |
+          gh release upload ${{github.ref_name}} dist/*
+        env:
+          GH_TOKEN: ${{ github.token }}
+  push-image:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: install buildah
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install buildah
+      - name: Download All Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: bin
+          pattern: plugin-*
+          merge-multiple: true
+      - name: Push image
+        run: |
+          make -j $(nproc) push PLUGIN=$(echo ${{github.ref_name}} | cut -d- -f 1-2) VERSION=$(echo ${{github.ref_name}} | cut -d- -f 3)
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/test.yaml

@@ -0,0 +1,37 @@
+name: test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      plugins: ${{ steps.matrix.outputs.plugins }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - id: matrix
+        run: |
+          make ci-matrix >> "$GITHUB_OUTPUT"
+  test:
+    runs-on: ubuntu-latest
+    needs: matrix
+    strategy:
+      fail-fast: false
+      matrix:
+        plugin: ${{ fromJSON(needs.matrix.outputs.plugins) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Run tests
+        run: make ${{ matrix.plugin }}-test

.github/workflows/verify-commits.yaml

@@ -0,0 +1,13 @@
+name: Ensure Verified Commits
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  verify_commits:
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: read
+    uses: openbao/openbao/.github/workflows/verify-commits.yml@main

.gitignore

@@ -0,0 +1,6 @@
+# Added by goreleaser init:
+dist/
+**/bin/
+
+# test output
+*.test

CODEOWNERS

@@ -0,0 +1 @@
+* @openbao/openbao-org-maintainers

Containerfile

@@ -0,0 +1,11 @@
+# This is a template which is intended to be used with the Makefile in this
+# repo.
+
+FROM scratch
+ARG TARGETOS
+ARG TARGETARCH
+LABEL org.opencontainers.image.source=https://github.com/openbao/openbao-plugins
+
+COPY bin/openbao-plugin-${PLUGIN}_${TARGETOS}_${TARGETARCH}* openbao-plugin-${PLUGIN}
+
+ENTRYPOINT ["/openbao-plugin-${PLUGIN}"]