tofu-module-publish¶
Publishes the repository as a module to the GitLab Terraform Module Registry on release tags:
Consumers then reference it as:
Auth defaults to $CI_JOB_TOKEN, which carries write access to its own
project's package registry — publishing needs no personal/group access
token and works on GitLab Free. The job picks the right auth header
automatically (JOB-TOKEN for the job token, PRIVATE-TOKEN otherwise).
Runs only on tags matching tag_pattern (strict semver vX.Y.Z by
default); the published version is the tag with the leading v stripped.
Defaults to the built-in .post stage so it runs after — and only on
success of — every other job in the tag pipeline, with no consumer stage
wiring required. A re-run over an already-published version is treated as
success (idempotent retry).
Jobs¶
| Job | What it runs |
|---|---|
tofu-module-publish |
git archive the tagged tree (tracked files only), curl --request PUT to the module registry endpoint with the chosen auth header. |
Inputs¶
| Input | Type | Default | Description |
|---|---|---|---|
image_version |
string | "v0.3.0" |
infra-tools image tag (needs git + curl). |
stage |
string | .post |
GitLab built-in stage — runs last, on success of all prior stages. |
module_name |
string | (required) | Module name in the registry path, e.g. bootstrap. Unique within the top-level namespace. |
module_system |
string | "aws" |
Module system / target segment of the registry path, e.g. aws, azure, google. |
tag_pattern |
string | '^v[0-9]+\.[0-9]+\.[0-9]+$' |
RE2 pattern a tag must match to publish. Rejects prereleases, build metadata, arbitrary tags. |
token |
string | "$CI_JOB_TOKEN" |
Token authenticating the upload. Override with a PAT carrying api/write_package_registry only for cross-project publishing. |
Usage¶
include:
- component: gitlab.com/phpboyscout/cicd/[email protected]
inputs:
module_name: bootstrap
module_system: aws
See also¶
- Spec:
2026-05-27-module-publish-v0.7 - Explanation: the token-input convention