CI: unify release workflow to publish Ruby gem and sync Terraform provider; add dry-run support; add Terraform docs page and sidebar; document provider repo layout and workflow in CLAUDE.md

Author: ndbroadbent

.github/workflows/sync-provider.yml

@@ -1,16 +1,30 @@
-name: Sync Terraform Provider Catalog
+name: Release Gem + Sync Terraform Provider
 
 on:
   release:
     types: [published]
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Dry run (no pushes/tags/uploads)'
+        required: false
+        default: 'false'
+        type: choice
+        options: ['false', 'true']
 
 permissions:
   contents: read
 
 jobs:
   sync:
-    name: Sync provider on release
+    name: Release gem and sync provider
     runs-on: ubuntu-latest
+    env:
+      DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run == 'true' && 'true' || 'false' }}
+      TAG_NAME: ${{ github.ref_type == 'tag' && github.ref_name || github.event.release.tag_name }}
     steps:
       - name: Checkout logstruct
         uses: actions/checkout@v4
@@ -33,10 +47,67 @@ jobs:
         with:
           version: latest
 
+      - name: Determine version and validate tag
+        id: ver
+        shell: bash
+        run: |
+          TAG="${TAG_NAME:-}"
+          if [[ -z "$TAG" ]]; then
+            echo "No tag resolved; using release event tag." >&2
+            TAG="${{ github.event.release.tag_name }}"
+          fi
+          if [[ -z "$TAG" ]]; then
+            echo "Error: Could not determine tag name from event." >&2
+            exit 1
+          fi
+          VERSION_FROM_TAG="${TAG#v}"
+          VERSION_RB=$(ruby -e 'print File.read("lib/log_struct/version.rb")[/VERSION\s*=\s*"([^"]+)"/,1]')
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "version_tag=$VERSION_FROM_TAG" >> $GITHUB_OUTPUT
+          echo "version_rb=$VERSION_RB" >> $GITHUB_OUTPUT
+          echo "Resolved tag: $TAG (version $VERSION_FROM_TAG); code version: $VERSION_RB"
+          if [[ "$DRY_RUN" != "true" && "$VERSION_FROM_TAG" != "$VERSION_RB" ]]; then
+            echo "::error::Tag version ($VERSION_FROM_TAG) does not match lib/log_struct/version.rb ($VERSION_RB). Update version.rb before tagging, or run as dry-run."
+            exit 1
+          fi
+
       - name: Generate site exports (enums/structs/keys)
         run: |
           ruby scripts/export_typescript_types.rb
 
+      - name: Build gem
+        run: |
+          gem build logstruct.gemspec
+          ls -la *.gem
+
+      - name: Publish gem to RubyGems
+        if: env.DRY_RUN != 'true'
+        env:
+          RUBYGEMS_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }}
+        run: |
+          if [[ -z "$RUBYGEMS_API_KEY" ]]; then
+            echo '::error::RUBYGEMS_API_KEY secret is missing.'
+            exit 1
+          fi
+          mkdir -p ~/.gem
+          umask 077
+          cat > ~/.gem/credentials <<EOF
+          ---
+          :rubygems_api_key: $RUBYGEMS_API_KEY
+          EOF
+          GEM_FILE="logstruct-${{ steps.ver.outputs.version_tag }}.gem"
+          if [[ ! -f "$GEM_FILE" ]]; then
+            echo "::error::Expected gem file $GEM_FILE not found."
+            ls -la *.gem || true
+            exit 1
+          fi
+          gem push "$GEM_FILE"
+
+      - name: Gem publish (dry-run)
+        if: env.DRY_RUN == 'true'
+        run: |
+          echo "[DRY-RUN] Would push gem logstruct-${{ steps.ver.outputs.version_tag }}.gem to RubyGems"
+
       - name: Clone terraform-provider-logstruct repository
         env:
           PUSH_TOKEN: ${{ secrets.PROVIDER_PUSH_TOKEN }}
@@ -65,9 +136,17 @@ jobs:
           PUSH_TOKEN: ${{ secrets.PROVIDER_PUSH_TOKEN }}
         run: |
           cd terraform-provider-logstruct
-          if ! git diff --quiet; then
-            git add pkg/data/catalog_gen.go pkg/data/catalog.json go.mod go.sum || true
-            git commit -m "Sync catalog from logstruct ${{ github.event.release.tag_name }}"
+          if git diff --quiet; then
+            echo "No provider changes to commit."
+            exit 0
+          fi
+          git add pkg/data/catalog_gen.go pkg/data/catalog.json go.mod go.sum || true
+          if [[ "$DRY_RUN" == "true" ]]; then
+            echo "[DRY-RUN] Would commit and push provider catalog changes with message:"
+            echo "Sync catalog from logstruct ${{ steps.ver.outputs.tag }}"
+            git --no-pager diff --staged || true
+          else
+            git commit -m "Sync catalog from logstruct ${{ steps.ver.outputs.tag }}"
             git push origin HEAD:main
           fi
 
@@ -76,10 +155,14 @@ jobs:
           PUSH_TOKEN: ${{ secrets.PROVIDER_PUSH_TOKEN }}
         run: |
           cd terraform-provider-logstruct
-          TAG="${{ github.event.release.tag_name }}"
+          TAG="${{ steps.ver.outputs.tag }}"
           if git rev-parse -q --verify "refs/tags/$TAG" >/dev/null; then
             echo "Tag $TAG already exists; skipping."
             exit 0
           fi
-          git tag -a "$TAG" -m "Release $TAG (logstruct sync)"
-          git push origin "$TAG"
+          if [[ "$DRY_RUN" == "true" ]]; then
+            echo "[DRY-RUN] Would create and push tag $TAG"
+          else
+            git tag -a "$TAG" -m "Release $TAG (logstruct sync)"
+            git push origin "$TAG"
+          fi

CLAUDE.md

@@ -44,6 +44,43 @@
 - Generate spellcheck dictionary: `scripts/generate_lockfile_words.sh`
 - Generate TypeScript types from Ruby log structs: `scripts/export_typescript_types.rb`
 
+## Terraform Provider repo in this workspace
+
+- The Terraform provider lives in a separate GitHub repo: `DocSpring/terraform-provider-logstruct`.
+- For convenience, the provider repo is checked out as a plain directory at `./terraform-provider-logstruct/` in this repo. It is NOT a Git submodule and is ignored by this repo’s `.gitignore`.
+- You can inspect/build it locally:
+  - `cd terraform-provider-logstruct`
+  - `go build ./...`
+  - Changes you make here are not committed by this repo. To contribute to the provider, commit from inside its directory and push to its own remote.
+
+## Automated releases (gem + provider)
+
+- Workflow: `.github/workflows/sync-provider.yml` ("Release Gem + Sync Terraform Provider").
+- Triggers:
+  - Push tag matching `v*` (e.g., `v0.0.1-rc1`, `v0.2.0`).
+  - GitHub Release published.
+  - Manual run (workflow_dispatch) with `dry_run` input.
+- Behavior:
+  - Builds and publishes the Ruby gem to RubyGems (requires `RUBYGEMS_API_KEY`).
+  - Regenerates the provider’s embedded catalog (`scripts/export_provider_catalog.rb`), builds the provider, commits catalog changes, and tags the provider repo with the same version.
+  - Enforces version alignment: the tag `vX.Y.Z` (or RC) must match `lib/log_struct/version.rb` unless run in dry-run.
+
+## Dry-run mode
+
+- CI dry-run lets you smoke-test the workflow without publishing anything:
+  - Actions → "Release Gem + Sync Terraform Provider" → Run workflow → `dry_run=true`.
+  - The workflow builds the gem and provider, shows diffs, and skips pushes/tags/uploads.
+- Local dry-run for the GitHub Actions workflow isn’t practical without a runner like `act`. You can still sanity-check pieces locally:
+  - `gem build logstruct.gemspec`
+  - `ruby scripts/export_typescript_types.rb`
+  - `ruby scripts/export_provider_catalog.rb`
+  - `cd terraform-provider-logstruct && go build ./...`
+
+## Required secrets
+
+- `RUBYGEMS_API_KEY`: API key with permission to publish `logstruct`.
+- `PROVIDER_PUSH_TOKEN`: PAT with write access to `DocSpring/terraform-provider-logstruct` for syncing/tagging.
+
 # Core Dependencies
 
 This gem requires Rails 7.0+ and will always have access to these core Rails modules:

site/app/docs/layout.tsx

@@ -198,6 +198,11 @@ export default function DocsLayout({
                     title="Code Coverage"
                     active={false}
                   />
+                  <DocNavItem
+                    href="/docs/terraform"
+                    title="Terraform Provider"
+                    active={pathname.startsWith('/docs/terraform')}
+                  />
                 </nav>
               </div>
             </div>

site/app/docs/terraform/page.tsx

@@ -0,0 +1,114 @@
+import { CodeBlock } from '@/components/code-block';
+import EditPageLink from '@/components/edit-page-link';
+
+export const metadata = {
+  title: 'Terraform Provider',
+  description:
+    'Use the DocSpring/logstruct Terraform provider to validate struct/event combos and compile CloudWatch filter patterns.',
+};
+
+export default function TerraformDocsPage() {
+  const requiredProviders = `terraform {
+  required_providers {
+    logstruct = {
+      source  = "DocSpring/logstruct"
+      version = "~> 0.2" # matches LogStruct tag
+    }
+  }
+}`;
+
+  const cwFilterDataSource = `data "logstruct_cloudwatch_filter" "email_delivered" {
+  struct = "ActionMailer"
+  event  = "delivered"
+}`;
+
+  const cwMetricFilter = `resource "aws_cloudwatch_log_metric_filter" "email_delivered_count" {
+  name           = "Email Delivered Count"
+  log_group_name = var.log_group.docspring
+  pattern        = data.logstruct_cloudwatch_filter.email_delivered.pattern
+
+  metric_transformation {
+    name          = "docspring_email_delivered_count"
+    namespace     = var.namespace.logs
+    value         = "1"
+    default_value = "0"
+    unit          = "Count"
+  }
+}`;
+
+  return (
+    <div className="space-y-10">
+      <h1 className="text-3xl font-bold mb-2">Terraform Provider</h1>
+      <p className="text-neutral-600 dark:text-neutral-400">
+        The LogStruct Terraform provider offers type-safe helpers for building
+        CloudWatch filter patterns from your structured logs, and validates
+        struct/event combinations at plan time.
+      </p>
+
+      <section id="installation" className="space-y-4">
+        <h2 className="text-2xl font-semibold">Installation</h2>
+        <p>
+          Add the provider to your Terraform configuration. The provider version
+          tracks LogStruct releases and uses the same tag.
+        </p>
+        <CodeBlock language="hcl" title="Required Providers">
+          {requiredProviders}
+        </CodeBlock>
+      </section>
+
+      <section id="example" className="space-y-4">
+        <h2 className="text-2xl font-semibold">
+          CloudWatch Metric Filter Example
+        </h2>
+        <p>
+          Compile a CloudWatch JSON filter for a known struct/event and wire it
+          into an AWS metric filter. Invalid combinations produce Terraform
+          diagnostics during validate/plan.
+        </p>
+        <div className="grid gap-6 md:grid-cols-2">
+          <CodeBlock language="hcl" title="Data Source">
+            {cwFilterDataSource}
+          </CodeBlock>
+          <CodeBlock language="hcl" title="AWS Metric Filter">
+            {cwMetricFilter}
+          </CodeBlock>
+        </div>
+        <p className="text-neutral-600 dark:text-neutral-400">
+          The compiled pattern looks like:{' '}
+          <code>{`{ $.src = "mailer" && $.evt = "delivered" ... }`}</code>
+          and includes canonical key names with any fixed source constraints.
+        </p>
+      </section>
+
+      <section id="validation" className="space-y-4">
+        <h2 className="text-2xl font-semibold">Validation and Safety</h2>
+        <ul className="list-disc pl-6 space-y-1">
+          <li>
+            Structs and events are validated at plan time using the embedded
+            LogStruct catalog exported from this repository.
+          </li>
+          <li>
+            If allowed events or keys change in a newer LogStruct release, your
+            Terraform plan will fail fast with clear diagnostics.
+          </li>
+        </ul>
+      </section>
+
+      <section id="versioning" className="space-y-4">
+        <h2 className="text-2xl font-semibold">Versioning</h2>
+        <ul className="list-disc pl-6 space-y-1">
+          <li>
+            Provider versions mirror LogStruct tags (for example,{' '}
+            <code>v0.2.0</code>).
+          </li>
+          <li>
+            Use a compatible constraint like <code>~&gt; 0.2</code> to receive
+            non-breaking updates.
+          </li>
+        </ul>
+      </section>
+
+      <EditPageLink path="app/docs/terraform/page.tsx" />
+    </div>
+  );
+}