Currently, when a provider re-releases a binary, the old checksum stays in the registry. While normally provider versions should be immutable, this is often not the case. (See #630, #633, databricks/terraform-provider-databricks#3660, etc.) Since the Terraform registry apparently doesn't treat versions as immutable, we should have a way for provider authors to request re-indexing a specific version.
I propose that we create a GitHub workflow that lets a provider author request reindexing of a version if a) they are an org member in the organization and b) they have submitted a GPG key with the registry and c) the provider version verifies correctly against the GPG key. (This should be part of the issue verification process.) This should be sufficient to protect against most supply chain attacks since the binary will be verified against their GPG key. The process would involve manually merging the change that removes the given version from the registry data so we still have a level of manual control. The created PR should look roughly like #634.
ghost changed the title from "Allow users to request re-indexing a provider version" to "Allow provider authors to request re-indexing a provider version" on Jun 7, 2024
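The gating logic the proposal describes (org membership, a registered GPG key, and a release that verifies against that key before the version is dropped from the registry data for a human to merge) can be sketched as a workflow step. The following is an added example written for this page, not code from the issue or from the registry project: the registry data layout, the `sample_fixture` inputs, the placeholder key and signature, and the `fake_verify` stand-in are all constructed assumptions; `gpg_verify` shells out to a real `gpg` binary and is what a workflow would actually use.

```python
import hashlib
import os
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass
class ReindexRequest:
    requester: str   # GitHub login opening the request
    namespace: str   # provider namespace (the GitHub org)
    provider: str
    version: str


@dataclass
class RegistryState:
    org_members: Set[str]     # logins that are members of the namespace's org
    gpg_keys: Dict[str, str]  # login -> ASCII-armored public key submitted to the registry
    provider_data: dict       # ASSUMED layout: {"versions": [{"version": "1.2.3", ...}, ...]}


Verifier = Callable[[str, bytes, bytes], bool]


def gpg_verify(public_key: str, shasums: bytes, signature: bytes) -> bool:
    """Verify the detached signature on SHA256SUMS against exactly one key.
    A throw-away keyring is used so that keys already present on the runner
    cannot satisfy the check. Requires the gpg binary on PATH."""
    with tempfile.TemporaryDirectory() as home:  # created mode 0700, as gpg requires
        env = {**os.environ, "GNUPGHOME": home}
        subprocess.run(["gpg", "--batch", "--import"], input=public_key.encode(),
                       env=env, check=True, capture_output=True)
        sums_path = os.path.join(home, "SHA256SUMS")
        sig_path = sums_path + ".sig"
        with open(sums_path, "wb") as f:
            f.write(shasums)
        with open(sig_path, "wb") as f:
            f.write(signature)
        result = subprocess.run(["gpg", "--batch", "--verify", sig_path, sums_path],
                                env=env, capture_output=True)
        return result.returncode == 0


def parse_shasums(shasums: bytes) -> Dict[str, str]:
    """SHA256SUMS lines look like '<64 hex chars>  <filename>'; returns filename -> digest."""
    table = {}
    for line in shasums.decode().splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            table[parts[1]] = parts[0].lower()
    return table


def evaluate_request(req: ReindexRequest, state: RegistryState, shasums: bytes,
                     signature: bytes, binaries: Dict[str, bytes],
                     verify: Verifier = gpg_verify) -> Tuple[bool, str]:
    """Apply gates a), b) and c) from the proposal. Returns (allowed, reason)."""
    if req.requester not in state.org_members:
        return False, f"{req.requester} is not a member of the {req.namespace} org"
    key = state.gpg_keys.get(req.requester)
    if key is None:
        return False, f"{req.requester} has no GPG key registered with the registry"
    if not verify(key, shasums, signature):
        return False, "SHA256SUMS signature does not verify against the registered key"
    expected = parse_shasums(shasums)
    for name, blob in binaries.items():
        digest = hashlib.sha256(blob).hexdigest()
        if expected.get(name) != digest:
            return False, f"{name}: checksum {digest} is not listed in the signed SHA256SUMS"
    return True, "verified; version may be removed from the registry data for re-indexing"


def remove_version(provider_data: dict, version: str) -> dict:
    """Return a copy of the provider record without the given version.
    The caller turns the resulting change into a PR that a maintainer merges by hand."""
    versions = provider_data.get("versions", [])
    kept = [v for v in versions if v.get("version") != version]
    if len(kept) == len(versions):
        raise KeyError(f"version {version} is not indexed")
    return {**provider_data, "versions": kept}


def sample_fixture():
    """Constructed inputs: a fake binary, a SHA256SUMS naming it, and a placeholder signature."""
    blob = b"not a real provider binary"
    name = "terraform-provider-example_1.2.3_linux_amd64.zip"
    shasums = f"{hashlib.sha256(blob).hexdigest()}  {name}\n".encode()
    req = ReindexRequest("alice", "example-org", "example", "1.2.3")
    state = RegistryState(
        org_members={"alice"},
        gpg_keys={"alice": "-----BEGIN PGP PUBLIC KEY BLOCK----- (placeholder)"},
        provider_data={"versions": [{"version": "1.2.2"}, {"version": "1.2.3"}]},
    )
    return req, state, shasums, b"placeholder-signature", {name: blob}


def fake_verify(public_key: str, shasums: bytes, signature: bytes) -> bool:
    """Stand-in for gpg_verify in offline runs; accepts only the fixture's placeholder signature."""
    return signature == b"placeholder-signature"


if __name__ == "__main__":
    req, state, shasums, sig, bins = sample_fixture()
    allowed, reason = evaluate_request(req, state, shasums, sig, bins, verify=fake_verify)
    print(allowed, reason)
    if allowed:
        print(remove_version(state.provider_data, req.version))
```

Every gate returns a reason string so the workflow can post it on the request; the checksum comparison uses the signed SHA256SUMS as the source of truth rather than whatever the registry currently holds, which is the point of re-indexing a re-released binary.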