Merge upstream

.github/CODEOWNERS

@@ -1,3 +1,3 @@
 # Default owners for items not matched below
 
-* @klizhentas @russjones @r0mant
+* @klizhentas @russjones @r0mant @Joerger @tcsc @zmb3 @camscale @fheinecke

.github/workflows/codeql.yml

@@ -0,0 +1,53 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+    paths-ignore:
+      - 'rfd/**'
+      - '**.md'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go', 'javascript' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        cache: false
+        go-version-file: go.mod
+      if: ${{ matrix.language == 'go' }}
+
+    - name: Initialize the CodeQL tools for scanning
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+      timeout-minutes: 5
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+      timeout-minutes: 30
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
+      timeout-minutes: 10

.github/workflows/dependency-review.yaml

@@ -0,0 +1,13 @@
+name: Dependency Review
+
+on:
+  pull_request:
+
+jobs:
+  dependency-review:
+    uses: gravitational/shared-workflows/.github/workflows/dependency-review.yaml@main
+    permissions:
+      contents: read
+    with:
+      # gravitational/teleport misdetected as "v0"
+      allow-ghsas: GHSA-6xf3-5hp7-xqqg

.github/workflows/helm-tests.yaml

@@ -0,0 +1,29 @@
+name: Plugins Tests (Helm)
+run-name: Plugins Tests (Helm) - ${{ github.run_id }} - @${{ github.actor }}
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  test:
+    name: Plugins Tests (Helm)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Teleport Plugins
+        uses: actions/checkout@v3
+
+      - name: Setup Helm 3.5.2
+        uses: azure/setup-helm@v3
+        with:
+          version: '3.5.2'
+
+      - name: Setup helm-unittest
+        run: |
+            helm plugin install --version=v0.2.11 https://github.com/quintush/helm-unittest
+            helm plugin list
+
+      - name: Run tests
+        run: make test-helm

.github/workflows/lint.yaml

@@ -0,0 +1,32 @@
+name: Plugins Lint (Go)
+run-name: Plugins Lint (Go) - ${{ github.run_id }} - @${{ github.actor }}
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  lint:
+    name: Plugins Lint (Go)
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout Teleport Plugins
+        uses: actions/checkout@v3
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: 'go.mod'
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.57.2
+
+      - name: Run linter
+        run: make lint

.github/workflows/tag-build.yaml

@@ -0,0 +1,237 @@
+---
+name: Build release
+on:
+  workflow_dispatch: 
+    inputs:
+      artifact-tag:
+        description: "The tag associated with the artifact to deploy (eg. v1.2.3)."
+        type: string
+        required: true
+      # This is a workaround so that the actor who initiated a workflow run via a workflow dispatch event can determine the run ID of the started workflow run
+      workflow-tag:
+        description: "This field adds the provided value to a run step, allowing the calling actor to associate the started run with the GHA run ID."
+        type: string
+        required: false
+  pull_request:
+    branches:
+      - master
+  push:
+    tags:
+      - "v*"
+    branches:
+      - master
+
+concurrency:
+  group: "Limit to one build at a time for ref ${{ inputs.artifact-tag || github.head_ref || github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      gitref: ${{ steps.set-gitref.outputs.gitref }}
+      environment: ${{ steps.set-variables.outputs.environment }}
+      version: ${{ steps.set-variables.outputs.version }}
+    steps:
+      # TODO this really needs to move to shared workflows. This is the ~fourth place
+      # that this logic has been used.
+      - name: Determine git ref
+        id: set-gitref
+        env:
+          REF_VALUE: ${{ inputs.artifact-tag || github.head_ref || github.ref }}
+        run: |
+          # If a workflow dispatche triggered the run
+          if [ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]; then
+            # REF_VALUE = inputs.artifact-tag, tag name
+            echo "gitref=refs/tags/$REF_VALUE" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # If a push triggered the run
+          if [ "$GITHUB_EVENT_NAME" == "push" ]; then
+            # REF_VALUE = github.ref (fully formed)
+            echo "gitref=$REF_VALUE" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Otherwise, ref must be a branch
+          # REF_VALUE = github.head_ref, branch name
+          echo "gitref=refs/heads/$REF_VALUE" >> "$GITHUB_OUTPUT"
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ steps.set-gitref.outputs.gitref }}
+      - name: Set environment output values
+        id: set-variables
+        env:
+          INPUT_VERSION: ${{ inputs.artifact-tag }}
+          SEMVER_REGEX: ^v?(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-(?:(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?:[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
+        run: |
+          generate_version() {
+              # Example: v1.2.3-gen.4+g5678abcd
+              # If HEAD is tagged (and matches the format) then the output will be just the tag (no commit count or hash)
+              git describe --tags --match "v[[:digit:]]*.[[:digit:]]*.[[:digit:]]" | sed 's/\(.*\)-\(.*\)-\(.*\)/\1-gen.\2+\3/'
+          }
+
+          get_output_vars() {
+              case "$GITHUB_EVENT_NAME" in
+                  "workflow_dispatch")
+                      # Case: workflow dispatch event. Pull most vars from inputs.
+                      echo "environment=build-stage"
+                      echo "version=$INPUT_VERSION"
+                      ;;
+                  "pull_request")
+                      echo "environment=build-stage"
+                      echo "version=$(generate_version)"
+                      ;;
+                  "push")
+                      # Case: commit push event.
+                      if [ "$GITHUB_REF_TYPE" != "tag" ]; then
+                          echo "environment=build-stage"
+                          echo "version=$(generate_version)"
+                          return
+                      fi
+
+                      # Case: tag event with prerelease version.
+                      if [ "${GITHUB_REF_NAME#*-}" != "$GITHUB_REF_NAME" ]; then
+                          echo "environment=build-stage"
+                          echo "version=$GITHUB_REF_NAME"
+                          return
+                      fi
+
+                      # Case: tag event with release version. Only this
+                      # should go to prod.
+                      echo "environment=build-prod"
+                      echo "version=$GITHUB_REF_NAME"
+                      ;;
+                  *)
+                      >&2 echo "Unknown GHA event $GITHUB_EVENT_NAME, failing" 
+                      exit 1
+                      ;;
+              esac
+          }
+
+          # **********************************************
+          # WARNING: the $GITHUB_OUTPUT file is sourced
+          # by the shell below. Multiline comments will
+          # break parsing and cause a build failure. For
+          # details, see
+          # https://github.com/gravitational/teleport-plugins/pull/983#discussion_r1477745917
+          # **********************************************
+          get_output_vars >> "$GITHUB_OUTPUT"
+
+          # Validate the semver
+          . "$GITHUB_OUTPUT"  # Load the variables into the current environment
+          echo "$version" | grep -qP "$SEMVER_REGEX" || { echo "The artifact version $version is not a valid semver-coerced value"; exit 1; }
+
+          # Log the build details
+          echo "Built config:" | tee -a "$GITHUB_STEP_SUMMARY"
+          sed 's/^/* /' "$GITHUB_OUTPUT" | tee -a "$GITHUB_STEP_SUMMARY"
+      - name: ${{ inputs.workflow-tag }}
+        if: inputs.workflow-tag != ''
+        run: |
+          # Do nothing
+  # Each section here could be split out into a separate job, at the cost of slightly increased complexity.
+  # This would improve the (already somewhat fast) performance a bit, but I'm not sure if it's worth the
+  # tradeoff.
+  build-plugins:
+    needs: setup
+    runs-on: ubuntu-22.04-32core
+    environment: ${{ needs.setup.outputs.environment }}
+    permissions:
+      contents: read
+      id-token: write
+    env:
+      ARTIFACT_DIRECTORY: /tmp/build
+    steps:
+      # Setup
+      - name: Enable performance telemetry/metrics
+        uses: catchpoint/workflow-telemetry-action@v2
+        with:
+          comment_on_pr: false
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.setup.outputs.gitref }}
+          fetch-depth: 0  # This is required by some of the commands in the makefiles
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "./go.mod"
+          check-latest: true
+      - name: Set environment variables for Makefiles
+        env:
+          VERSION_TAG: ${{ needs.setup.outputs.version }}
+        run: |
+          {
+            echo "VERSION=${VERSION_TAG##v}"
+            echo "GITREF=$VERSION_TAG"
+          } >> "$GITHUB_ENV"
+      # File artifacts
+      - name: Build the release tarballs
+        run: |
+          # Download Go dependencies
+          go mod download
+
+          # Build Binaries
+          make releases 
+
+          # Build Helm charts
+          make helm-package-charts
+
+          # Terraform provider and event handler, as appropriate
+          go install github.com/konoui/lipo@latest  # At some point this should be merged into the buildbox
+          make OS=linux ARCH=amd64 release/terraform release/event-handler
+          make OS=linux ARCH=arm64 release/terraform
+          make OS=darwin ARCH=amd64 release/terraform release/event-handler
+          make OS=darwin ARCH=arm64 release/terraform
+          make OS=darwin ARCH=universal release/terraform
+      - name: Collect the build files
+        run: |
+          mkdir -pv "$ARTIFACT_DIRECTORY"
+          find . \( -name '*.tar.gz' -o -name '*.tgz' \) -type f -exec cp {} "$ARTIFACT_DIRECTORY" \;
+      - name: Generate checksum files for built files
+        working-directory: ${{ env.ARTIFACT_DIRECTORY }}
+        run: |
+          shopt -s nullglob
+          for tarball in *.tar.gz *.tgz; do
+            sha256sum "$(basename "$tarball")" > "${tarball}.sha256"
+          done
+          echo "Artifacts:"
+          ls -lh
+      - name: Assume AWS role for uploading the artifacts
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          role-skip-session-tagging: true
+          aws-region: us-west-2
+          role-to-assume: ${{ vars.ARTIFACT_UPLOAD_AWS_ROLE }}
+          role-session-name: "tag-build-artifact-upload-${{ github.run_attempt }}"
+          role-duration-seconds: 900
+      - name: Upload artifacts to S3
+        working-directory: ${{ env.ARTIFACT_DIRECTORY }}
+        env:
+          PENDING_BUCKET: ${{ vars.PENDING_BUCKET }}
+          ARTIFACT_VERSION: ${{ needs.setup.outputs.version }}
+        run: aws s3 cp . "s3://$PENDING_BUCKET/teleport-plugins/tag/$ARTIFACT_VERSION/" --recursive
+      # Container artifacts
+      - name: Assume AWS role for pushing the container images
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          role-skip-session-tagging: true
+          aws-region: us-west-2
+          role-to-assume: ${{ vars.CONTAINER_IMAGE_UPLOAD_AWS_ROLE }}
+          role-session-name: "tag-build-container-image-upload-${{ github.run_attempt }}"
+          role-duration-seconds: 900
+      - name: Authenticate with ECR
+        env:
+          CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }}
+        run: |
+          aws ecr get-login-password | docker login -u="AWS" --password-stdin "$CONTAINER_IMAGE_PRIVATE_REGISTRY"
+      - name: Build and push the container images
+        env:
+          CONTAINER_IMAGE_PRIVATE_REGISTRY: ${{ vars.CONTAINER_IMAGE_PRIVATE_REGISTRY }}
+        run: |
+          # Access plugins and event handler
+          make DOCKER_PRIVATE_REGISTRY="$CONTAINER_IMAGE_PRIVATE_REGISTRY" \
+            docker-push-access-all docker-push-event-handler