fix Allow drift detection for new objects in drift-detection mode flu…

…x-iac#1370

.github/dependabot.yaml

@@ -2,36 +2,30 @@ version: 2
 
 updates:
   - package-ecosystem: "gomod"
-    directories:
-      - "/"
-      - "/api"
-      - "/tfctl"
+    directory: "/"
     labels: ["area/ci", "dependencies"]
     schedule:
       interval: "weekly"
+    # Project maintainers and the Wild Watermelon team
+    reviewers:
+      - "weaveworks/wild-watermelon"
+    # Only do security updates not version updates.
+    open-pull-requests-limit: 0
     groups:
-      go-patch:
-        update-types:
-        - "patch"
-      go-minor:
-        update-types:
-        - "minor"
-      go-major:
-        update-types:
-        - "major"
+      # Group all updates together, so that they are all applied in a single PR.
+      # Grouped updates are currently in beta and is subject to change.
+      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
+      ci:
+        patterns:
+          - "*"
+
 
+  # maintain dependencies for github actions
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
-    groups:
-      gh-patch:
-        update-types:
-        - "patch"
-      gh-minor:
-        update-types:
-        - "minor"
-      gh-major:
-        update-types:
-        - "major"
-
+    reviewers:
+      - "weaveworks/wild-watermelon"
+    # Only do security updates not version updates.
+    open-pull-requests-limit: 0

.github/workflows/blocked-reminder.yaml

@@ -0,0 +1,85 @@
+name: Wild Watermelon Blocked Issue Reminder on Slack
+on:
+  workflow_dispatch:
+#  schedule:
+#    # Poke on Monday to kick off the week, and on Thu so we have time to poke
+#    # others on Fri.
+#    - cron: '0 15 * * 1,4'
+
+permissions:
+  issues: read # for actions/github-script to query issues
+
+jobs:
+  issue-list:
+    runs-on: ubuntu-latest
+    steps:
+      - name: List Issues
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        id: list-issues
+        with:
+          script: |
+            // Use the label that filters down issues the most in the
+            // initial query.
+            const baseLabel = 'blocked';
+
+            // "AND" logic, so all labels has to be on the issue.
+            // This is required because the GrqphQL API uses "OR" if we
+            // specify more than one label in the query.
+            const extraLabels = ['team/wild-watermelon'];
+
+            const query = `query($owner:String!, $name:String!, $label:String!) {
+              repository(owner:$owner, name:$name){
+                issues(first:100, labels: [$label], states: [OPEN]) {
+                  nodes {
+                    title, number, url,
+                    labels(first: 20) {
+                      nodes { name id }
+                    }
+                  }
+                }
+              }
+            }`;
+            const variables = {
+              owner: context.repo.owner,
+              name: context.repo.repo,
+              label: baseLabel
+            }
+            const result = await github.graphql(query, variables)
+
+            const lines = result.repository.issues.nodes.map(issue => {
+              const labels = issue.labels.nodes.map(label => label.name)
+
+              const matchingLabels = labels.filter(label => {
+                return extraLabels.indexOf(label) !== -1;
+              });
+
+              if (matchingLabels.length !== extraLabels.length) {
+                return null;
+              }
+
+              return [
+                " * ",
+                "<", issue.url, "|", issue.title.replace(/[<>]/g, ''), ">",
+                " (", labels.map(n => '`'+n+'`').join(", "), ")"
+              ].join('')
+            }).filter(line => line !== null)
+
+            if (lines.length < 1) {
+              return ""
+            }
+
+            const header = [
+              ":old-man-yells-at-cloud: All issues on", "`" + context.repo.owner + "/" + context.repo.repo + "`",
+              "marked with:", [baseLabel, ...extraLabels].map(n => '`'+n+'`').join(", ")
+            ].join(" ")
+
+            return [header, lines.join("\n")].join("\n\n")
+          result-encoding: string
+      - name: Send issues to Slack
+        uses: archive/github-actions-slack@d9dae40827adf93bddf939db6552d1e392259d7d # v2.7.0
+        if: ${{ steps.list-issues.outputs.result != '' }}
+        with:
+          slack-bot-user-oauth-access-token: ${{ secrets.WEAVEWORKS_SLACK_GENERICBOT_TOKEN }}
+          slack-channel: C0586V3N0BG # team-wild-watermelon
+          slack-text: ${{steps.list-issues.outputs.result}}
+          slack-optional-icon_url: "https://avatars.githubusercontent.com/u/9976052"

.github/workflows/build-and-publish.yaml

@@ -10,7 +10,7 @@ permissions:
 
 env:
   CONTROLLER: ${{ github.event.repository.name }}
-  LIBCRYPTO_VERSION: "3.1.6-r2"
+  LIBCRYPTO_VERSION: "3.1.4-r5"
 
 jobs:
   test:
@@ -20,11 +20,11 @@ jobs:
       packages: write # needed for ghcr access
     steps:
       - name: Checkout
-        uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.0.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version-file: go.mod
+          go-version: 1.20.x
       - name: Setup Terraform
         run: |
           export TF_VERSION=1.3.9
@@ -37,10 +37,10 @@ jobs:
         with:
           version: 4.14.1
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@1bfad582060d2d6e464756fbd5d7a2b2fa4f75b9 # main
+        uses: fluxcd/pkg/actions/kustomize@6c0b4426ba7809a9406c1a4e07aa4be4984ea72f # main
       - name: Get branch names
         id: branch-name
-        uses: tj-actions/branch-names@6871f53176ad61624f978536bbf089c574dc19a2 # v8.0.1
+        uses: tj-actions/branch-names@033f2358d95522973eee35810e35a86fae4a71d8 # v7.0.5
       - name: Prepare
         id: prep
         run: |
@@ -62,17 +62,17 @@ jobs:
           platforms: all
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
         with:
           buildkitd-flags: "--debug"
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Publish multi-arch tf-controller container image
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}
@@ -91,7 +91,7 @@ jobs:
             org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
             org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
       - name: Build multi-arch tf-runner base image
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}
@@ -112,7 +112,7 @@ jobs:
             org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
             org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
       - name: Publish multi-arch tf-runner container image
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}
@@ -131,7 +131,7 @@ jobs:
             org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
             org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
       - name: Publish multi-arch branch-planner container image
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}

.github/workflows/docs.yaml

@@ -17,15 +17,15 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.0.0
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
           python-version: 3.x
       - name: Install mkdocs
         run: pip install mkdocs-material 
       - name: Generate docs artifacts
         run: mkdocs build -d /tmp/docs
-      - uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.0.0
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: gh-pages
           path: gh-pages

.github/workflows/e2e.yaml

@@ -21,36 +21,36 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.0.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Setup YQ
         uses: frenck/action-setup-yq@c4b5be8b4a215c536a41d436757d9feb92836d4f # v1.0.2
         with:
           version: 4.14.2
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version-file: go.mod
+          go-version: 1.20.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Cache Docker layers
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         id: cache
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-ghcache-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-ghcache-
       - name: Setup Kubernetes
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         with:
           version: v0.18.0
           node_image: kindest/node:v1.24.12@sha256:1e12918b8bc3d4253bc08f640a231bb0d3b2c5a9b28aa3f2ca1aee93e1e8db16
           cluster_name: kind
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@1bfad582060d2d6e464756fbd5d7a2b2fa4f75b9 # main
+        uses: fluxcd/pkg/actions/kustomize@6c0b4426ba7809a9406c1a4e07aa4be4984ea72f # main
       - name: Setup Kubectl
-        uses: fluxcd/pkg/actions/kubectl@1bfad582060d2d6e464756fbd5d7a2b2fa4f75b9 # main
+        uses: fluxcd/pkg/actions/kubectl@847b2c031da93421f6dccca226d591198437a47f # main
       - name: Check if working tree is dirty
         run: |
           if [[ $(git diff --stat) != '' ]]; then

.github/workflows/helm-release.yaml

@@ -13,20 +13,20 @@ jobs:
       id-token: write # needed for keyless signing
       packages: write # needed for ghcr access
     steps:
-      - uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.0.0
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Publish Helm chart in GitHub Pages
         uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Publish Helm OCI
         run: |
-          VERSION=$(yq e '.version' charts/tofu-controller/Chart.yaml)
+          VERSION=$(yq e '.version' charts/tf-controller/Chart.yaml)
           mkdir helm-release
-          helm package charts/tofu-controller/ -d helm-release
-          helm push helm-release/tofu-controller-${VERSION}.tgz oci://ghcr.io/flux-iac/charts
+          helm package charts/tf-controller/ -d helm-release
+          helm push helm-release/tf-controller-${VERSION}.tgz oci://ghcr.io/flux-iac/charts

.github/workflows/helm-test.yaml

@@ -4,7 +4,7 @@ on:
     branches:
       - 'main'
     paths:
-      - 'charts/tofu-controller/**'
+      - 'charts/tf-controller/**'
       - '.github/workflows/helm-test.yaml'
 
 permissions: read-all
@@ -14,16 +14,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.0.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v3.5.0
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5.0
         with:
           version: latest
 
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
           python-version: "3.10"
 
@@ -55,24 +55,24 @@ jobs:
         run: ct lint --check-version-increment=false --config ct.yaml
         if: steps.list-changed.outputs.changed == 'true'
 
-      - name: Build the tofu-controller container image
+      - name: Build the tf-controller container image
         run: |
-          make docker-buildx MANAGER_IMG=test/tofu-controller RUNNER_IMG=test/tf-runner TAG=ct \
+          make docker-buildx MANAGER_IMG=test/tf-controller RUNNER_IMG=test/tf-runner TAG=ct \
             BUILD_ARGS="--load"
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Create kind cluster
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Load test images into KIND
         run: |
-          kind load docker-image --name=chart-testing test/tofu-controller:ct
+          kind load docker-image --name=chart-testing test/tf-controller:ct
           kind load docker-image --name=chart-testing test/tf-runner:ct
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Install Flux CLI
-        uses: fluxcd/flux2/action@896e0fa46d5107a05e953dd0a5261d78a145ec8c # main
+        uses: fluxcd/flux2/action@3b42b200d376430f0e24d35f1a600447d92da531 # main
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Install Source controller