Refactor CI flow (#25)

Goals:
- Faster docker image build
- Images for all pushes
- Upload CLI binaries to releases

.github/workflows/build.yml

@@ -1,21 +1,22 @@
-name: Build and publish Container Image
+name: Build
 
 on:
   push:
-    branches: ["main"]
+  workflow_dispatch:
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
   build-and-push-image:
+    name: Docker Image
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
     outputs:
-      imageTag: ${{ steps.meta.outputs.tags }}
+      deployImage: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -41,7 +42,12 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
-            type=sha
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,priority=850
+            type=ref,event=branch
+            type=ref,event=pr
 
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
@@ -51,17 +57,39 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+
+  cli-binary:
+    name: CLI
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    if: github.ref_type == 'tag'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   deploy:
-    name: Deploy backend
+    name: Deploy Backend
     runs-on: ubuntu-latest
     concurrency: deploy-group # ensure only one action runs at a time
     needs: build-and-push-image
+    if: github.ref_type == 'branch' && github.ref_name == 'main'
     steps:
       - uses: actions/checkout@v4
       - uses: superfly/flyctl-actions/setup-flyctl@1.5
-      - run: flyctl deploy --image ${{ needs.build-and-push-image.outputs.imageTag }}
+      - run: flyctl deploy --image ${{ needs.build-and-push-image.outputs.deployImage }}
         env:
           FLY_API_TOKEN: ${{ secrets.FLY_DEPLOY_TOKEN }}

.goreleaser.yaml

@@ -0,0 +1,40 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+builds:
+  - id: tf-preview-gh
+    main: ./cmd/tf-preview-gh
+    binary: tf-preview-gh
+
+    env:
+      - CGO_ENABLED=0
+
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+
+archives:
+  - id: tf-preview-gh
+    builds:
+      - tf-preview-gh
+    format: binary
+    name_template: >-
+      {{ .Binary }}_{{ .Os }}-
+      {{- if eq .Arch "arm64" -}}
+        {{- if eq .Os "linux" -}}
+          aarch64
+        {{- else -}}
+          {{ .Arch }}
+        {{- end -}}
+      {{- else if eq .Arch "amd64" -}}
+          x86_64
+      {{- else -}}
+        {{ .Arch }}
+      {{- end }}
+
+checksum:
+  name_template: "checksums.txt"
+
+release:
+  prerelease: auto

Dockerfile

@@ -1,19 +1,25 @@
 # build binary
-FROM golang:1.22 AS builder
+FROM --platform=$BUILDPLATFORM ghcr.io/crazy-max/xgo:latest AS builder
 
-COPY . /go/src/github.com/nimbolus/terraform-backend
+COPY . /source
+WORKDIR /source
 
-WORKDIR /go/src/github.com/nimbolus/terraform-backend
-
-RUN GOOS=linux CGO_ENABLED=1 go build ./cmd/terraform-backend
+ARG TARGETPLATFORM
+ENV TARGETS=$TARGETPLATFORM
+ENV PACK=cmd/terraform-backend
+ENV OUT=terraform-backend
+ENV GO111MODULE=on
+RUN xgo-build .
 
 # start clean for final image
 FROM debian:12
 
+ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get -q update && \
   apt-get -yq install ca-certificates && \
   apt-get autoclean
 
-COPY --from=builder /go/src/github.com/nimbolus/terraform-backend/terraform-backend /terraform-backend
+ARG TARGETPLATFORM
+COPY --from=builder /build/terraform-backend-${TARGETPLATFORM/\//-} /terraform-backend
 
 ENTRYPOINT ["/terraform-backend"]

README.md

@@ -5,32 +5,38 @@ A state backend server which implements the Terraform HTTP backend API with plug
 > :warning: **Disclaimer**: This code is in an early development state and not tested extensively for bugs and security issues. If you find some, please raise an issue or merge request.
 
 Supported authentication methods:
+
 - HTTP basic auth
 - JSON Web Tokens
 
 Supported storage backends:
+
 - local file system
 - S3
 - Postgres
 
 Supported lock backends:
+
 - local map
 - Redis
 - Postgres
 
 Supported KMS (encryption) backends:
+
 - local AES key
 - AES from HashiCorp Vault Key/Value store (v2)
 - HashiCorp Vault Transit engine
 
 ## Deployment
 
 Run locally for development:
+
 ```sh
 LOG_LEVEL=debug go run ./cmd/terraform-backend
 ```
 
 or use [docker-compose](./docker-compose.yml):
+
 ```sh
 docker-compose up -d
 ```
@@ -40,7 +46,7 @@ docker-compose up -d
 The following table describes the default configuration, although the backend server will run with these values, it's not scalable and therefore only for testing purposes.
 
 | Environment Variable | Type   | Default    | Description                                                                                       |
-|----------------------|--------|------------|---------------------------------------------------------------------------------------------------|
+| -------------------- | ------ | ---------- | ------------------------------------------------------------------------------------------------- |
 | LOG_LEVEL            | string | `info`     | Log level (options are: `fatal`, `info`, `warning`, `debug`, `trace`)                             |
 | LISTEN_ADDR          | string | `:8080`    | Address the HTTP server listens on                                                                |
 | TLS_KEY              | string | --         | Path to TLS key file for listening with TLS (fallback to HTTP if not specified)                   |
@@ -57,6 +63,7 @@ The following table describes the default configuration, although the backend se
 The path to the state is: `/state/<project-id>/<state-name>`.
 
 **Example Terraform backend configuration**
+
 ```hcl
 terraform {
   backend "http" {
@@ -74,12 +81,41 @@ For more information about username and password checkout [docs/auth.md](./docs/
 ## Tests
 
 Run unit tests:
+
 ```sh
 go test ./...
 ```
 
 Run integration tests:
+
 ```sh
 docker-compose up -d redis postgres minio
 go test ./... --tags integration -count=1
 ```
+
+## Speculative Runs in GitHub Actions
+
+This project includes a CLI to trigger speculative runs via GitHub Actions, similar to how Terraform Cloud works.
+
+### Install
+
+To install the binary on your system, download the binary from the latest release and make it executable:
+
+```sh
+curl -L "https://github.com/ffddorf/terraform-backend/releases/latest/download/tf-preview-gh_$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m)" > tf-preview-gh
+sudo mv tf-preview-gh /usr/local/bin/tf-preview-gh
+sudo chmod +x /usr/local/bin/tf-preview-gh
+```
+
+### Usage
+
+Run the CLI in the directory for which you want to run a remote plan.
+
+The tool will pick its context from the environment:
+
+- Address of the Terraform Backend from your backend config
+- Repository to use from the git remote called `origin`
+
+```
+tf-preview-gh
+```

go.mod

@@ -1,6 +1,7 @@
 module github.com/nimbolus/terraform-backend
 
-go 1.22
+// warning: upgrading this might break the release flow (xgo)
+go 1.21
 
 require (
 	github.com/cenkalti/backoff v2.2.1+incompatible