Fetch terraform provider and publish in Harbor for usage with OpenTofu

gistfile1.txt

#!/bin/sh

set -eu

echo "This script should be run locally to publish tf providers to the harbor registry."
echo "Use case when the runners only have access to harbor instance, but not the Internet."

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
TF_DIR=${SCRIPT_DIR}/../deployment
TF_PROVIDER_DIR="${SCRIPT_DIR}/../tf-providers"
mkdir -p ${TF_PROVIDER_DIR} && cd ${TF_PROVIDER_DIR}

# vars
HELM_PROVIDER_VERSION=3.1.1
REPO=harbor.internal/keycloak/opentofu-providers/hashicorp/helm

# Init requires overwriting backend
# tofu -chdir=${TF_DIR} init
tofu -chdir=${TF_DIR} providers mirror -platform=linux_amd64 ${TF_PROVIDER_DIR}

# locate the downloaded zip
ZIP=./registry.opentofu.org/hashicorp/helm/terraform-provider-helm_${HELM_PROVIDER_VERSION}_linux_amd64.zip

# 2) Build minimal OCI config describing the binary
cat > ${TF_PROVIDER_DIR}/config.json <<EOF
{"os":"linux","architecture":"amd64","filename":"$(basename "$ZIP")"}
EOF

# 3) Push to Harbor as an OCI artifact
# Run manually 
# echo "oras login harbor.akdb.de -u '$HARBOR_ROBOT_NAME' -p $HARBOR_ROBOT_SECRET"
# This works but not accepted by opentofu
oras push $REPO:${HELM_PROVIDER_VERSION}-amd64 \
  --artifact-type application/vnd.opentofu.provider-target \
  --config ${TF_PROVIDER_DIR}/config.json:application/vnd.opentofu.provider.v1+json \
  "$ZIP:archive/zip"

oras manifest index create \
  $REPO \
  ${HELM_PROVIDER_VERSION}-amd64 \
  --output ${TF_PROVIDER_DIR}/index.json \
  --artifact-type application/vnd.opentofu.provider

oras manifest push $REPO:${HELM_PROVIDER_VERSION} ${TF_PROVIDER_DIR}/index.json