Skip to content

docs(design): sync default resource types without a fake Go module#12236

Open
DariuszPorowski wants to merge 5 commits into
mainfrom
dp/sudden-stoat-emerald
Open

docs(design): sync default resource types without a fake Go module#12236
DariuszPorowski wants to merge 5 commits into
mainfrom
dp/sudden-stoat-emerald

Conversation

@DariuszPorowski

Copy link
Copy Markdown
Member

Description

Design: Sync default resource types without a fake Go module

Problem

Radius syncs its default resource-type manifests from radius-project/resource-types-contrib — a repo that contains only YAML manifests and recipes, no Go code. To fetch a pinned snapshot, the current model turns that repo into a "fake Go module" (a go.mod plus a placeholder doc.go) purely so Go's module cache can act as a versioned file downloader. That phantom dependency:

  • pollutes Radius's go.mod/go.sum and every supply-chain report (SBOM, license, vulnerability scanners, Dependabot) with a module that ships no code,
  • forces opaque Go pseudo-versions (v0.0.0-2026…-51ee446) instead of readable versions, and
  • requires a blank-import shim (pkg/resourcetypescontrib/import.go) whose only job is to stop go mod tidy from removing it.

Value

This design replaces only the fetch transport and keeps everything good about the current model — Radius-side ownership of the default set, full YAML-diff visibility in PRs, version pinning, and CI drift detection.

  • Phase A (today, no upstream changes): pin by git ref and fetch directly — removes the fake module, the phantom dependency, and the shim immediately.
  • Phase B (end state): a versioned GitHub Release asset verified by checksum (optionally a signed OCI artifact), aligned with the GoReleaser release-lifecycle refactor.

Result: a clean Go dependency graph, human-readable versions, and accurate supply-chain reports — with no change to runtime registration (RegisterDirectory) or the default set.

Type of change

  • This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • Not applicable
  • A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
    • Yes
    • Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • Not applicable
  • A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable

@DariuszPorowski DariuszPorowski self-assigned this Jun 24, 2026
Copilot AI review requested due to automatic review settings June 24, 2026 17:54
@DariuszPorowski DariuszPorowski requested a review from a team as a code owner June 24, 2026 17:54
@DariuszPorowski DariuszPorowski requested a review from a team as a code owner June 24, 2026 17:54
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new design note describing how Radius should stop using a “fake” Go module dependency to pin and sync default resource-type manifests from radius-project/resource-types-contrib, replacing the transport with a direct, pinned fetch (Phase A) and outlining a longer-term release-asset / OCI-artifact model (Phase B).

Changes:

  • Adds a detailed design proposal for ref-based syncing (Phase A) that removes the Go module + blank-import shim pattern.
  • Specifies an end-state transport using GitHub Release assets (with optional OCI+cosign hardening) while keeping the existing copy/prune/drift-check skeleton.
  • Documents intended updates to Make targets and the CI drift workflow at a design level.

Contributor docs impact (advisory):

  • No updates required in docs/contributing/ or docs/architecture/ for this PR since it only adds a design note.
  • When this design is implemented, docs/contributing/contributing-releases/README.md will likely need updates because it currently describes bumping go.mod for resource-types-contrib (e.g., around the “Update default resource types” step).


1. **Remove the fake Go module.** Delete the `go.mod`/`doc.go` from `resource-types-contrib`, the `require` entry from Radius's `go.mod`/`go.sum`, and the blank-import shim `pkg/resourcetypescontrib/import.go`. Radius's Go dependency graph should contain only real Go dependencies.
2. **Preserve the 2026-04 outcome.** Keep Radius-side ownership of the default set (`defaults.yaml`), full YAML-diff visibility in Radius PRs, version pinning with an audit trail, and CI drift detection.
3. **Pin to an immutable, auditable revision** of upstream (commit SHA, tag, or OCI digest) with a readable record of what version is in use.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pinning to an immutable version: this is needed for recipe-pack too. Would it be in scope we able able to specify a single pin (corresponding to a resource-type-contrib "release") and let both recipe-pack and type use it?


#### Proposed Option

Adopt **Option 3 (pinned git-ref fetch) now** - it needs no upstream changes and removes the fake module immediately. Adopt **Option 4 (pinned GitHub Release asset) as the end state** - published by a minimal `resource-types-contrib` release workflow (not GoReleaser) and consumed on the radius side in line with the radius GoReleaser refactor - with **Option 5 (signed OCI artifact)** as an optional registry-and-signing upgrade. Phase B is sequenced with the radius core repo's GoReleaser work and the new contrib release workflow. Layer **Option 6 (sync bot)** on top once a transport is in place. This supersedes only the _transport_ of the [2026-04 design](2026-04-automated-default-resource-type-registration.md); its copy-based outcome (files committed in Radius, `defaults.yaml` in Radius, drift check) is preserved exactly.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should design for automated Dependabot-like sync from the start for releases and latest/main/edge

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Phase A + hybrid with sync (via PR)


This is an internal contributor/release workflow. There is no change to the `rad` CLI, Bicep authoring, or any end-user surface.

**Sample Input - bump the pinned version and re-sync (Phase A):**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is tagging resource-types-contrib to a release is a pre-requisite to this step ?

@brooke-hamilton brooke-hamilton left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this plan. I recommend approval.

repo: github.com/radius-project/resource-types-contrib
# Phase A: a commit SHA (immutable) or branch/tag.
# Phase B: a release tag; a checksum/digest is recorded alongside for verification.
ref: 51ee446a8fc6c0c0a1b2c3d4e5f6071829304152

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like how this approach keeps the sha with the schema registration in the same file.

@DariuszPorowski DariuszPorowski force-pushed the dp/sudden-stoat-emerald branch from 598dcfa to 7ed8192 Compare June 25, 2026 20:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants