Add build-terraform-provider CI step to detect breaking changes (DataDog#3894)

* moves CLI testing to Go library repo

* Use PR description for terraform provider fix link instead of file

* Remove file-based terraform-provider-pr cleanup from release.yml

* Pass tf-provider-pr as input instead of re-parsing PR description

* Remove PR description parsing from go-client; use tf-provider-pr input or master

* Revert GO_CLIENT_BRANCH fallback, no longer needed without edited event

* Improve build failure message with force rebuild option

* Remove redundant explicit PR event types from test.yml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix rebuild instruction — a new commit is always required to re-trigger CI

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Restore inputs.target-branch fallback for GO_CLIENT_BRANCH

When called from api-spec, github.event.pull_request.head.sha is the
api-spec SHA, not a go-client SHA — the lookup fails. inputs.target-branch
carries the correct go-client branch name in that path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: David Tapiador <david.tapiadordeldujo@datadoghq.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

.github/workflows/reusable-ci.yml

@@ -8,7 +8,11 @@ on:
         required: false
         type: string
         default: ''
-      
+      tf-provider-pr:
+        description: 'terraform-provider-datadog PR URL to test against (if already known, e.g. passed from ci-cd.yml)'
+        required: false
+        type: string
+        default: ''
     secrets:
       PIPELINE_GITHUB_APP_ID:
         required: false
@@ -38,6 +42,10 @@ jobs:
     uses: ./.github/workflows/reusable-go-test.yml
     with:
       target-branch: ${{ inputs.target-branch }}
+      tf-provider-pr: ${{ inputs.tf-provider-pr }}
+    secrets:
+      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
+      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 
   examples:
     uses: ./.github/workflows/reusable-examples.yml

.github/workflows/reusable-go-test.yml

@@ -8,6 +8,17 @@ on:
         required: false
         type: string
         default: ''
+      tf-provider-pr:
+        description: 'terraform-provider-datadog PR URL to test against (if already known, skips PR description parsing)'
+        required: false
+        type: string
+        default: ''
+
+    secrets:
+      PIPELINE_GITHUB_APP_ID:
+        required: false
+      PIPELINE_GITHUB_APP_PRIVATE_KEY:
+        required: false
 
 jobs:
   test:
@@ -34,3 +45,110 @@ jobs:
         env:
           TESTARGS: ${{ matrix.go-build-tags }}
 
+  build-terraform-provider:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get GitHub App token
+        id: get_token
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 #v1.11.1
+        with:
+          app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
+          private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
+          owner: DataDog
+
+      - name: Setup to use the GitHub token
+        run: |-
+          git config --global --add url."https://${APP_ID}:${APP_TOKEN}@github.com/".insteadOf "https://github.com/"
+        env:
+          APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
+          APP_TOKEN: ${{ steps.get_token.outputs.token }}
+
+      - name: Detect linked terraform-provider-datadog PR
+        id: detect_tf_pr
+        env:
+          GH_TOKEN: ${{ steps.get_token.outputs.token }}
+          TF_PROVIDER_PR_INPUT: ${{ inputs.tf-provider-pr }}
+        run: |
+          # The terraform fix PR URL is optionally passed in via the tf-provider-pr input
+          # (set by datadog-api-spec's detect-tf-pr-change job). If not provided, fall back
+          # to master — direct go-client PRs don't carry a terraform fix link.
+          if [ -n "$TF_PROVIDER_PR_INPUT" ]; then
+            tf_pr_number=$(echo "$TF_PROVIDER_PR_INPUT" | grep -oE '[0-9]+$')
+            tf_state=$(gh pr view "$tf_pr_number" --repo DataDog/terraform-provider-datadog --json state --jq '.state')
+
+            if [ "$tf_state" = "OPEN" ]; then
+              tf_branch=$(gh pr view "$tf_pr_number" --repo DataDog/terraform-provider-datadog --json headRefName --jq '.headRefName')
+              echo "branch=${tf_branch}" >> $GITHUB_OUTPUT
+              echo "✅ Using terraform-provider-datadog PR #${tf_pr_number} (branch: ${tf_branch})"
+            else
+              echo "branch=master" >> $GITHUB_OUTPUT
+              echo "ℹ️ terraform-provider-datadog PR #${tf_pr_number} is ${tf_state} — using master"
+            fi
+          else
+            echo "branch=master" >> $GITHUB_OUTPUT
+            echo "ℹ️ No tf-provider-pr input provided, using master"
+          fi
+
+      - name: Checkout terraform-provider-datadog
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: DataDog/terraform-provider-datadog
+          ref: ${{ steps.detect_tf_pr.outputs.branch }}
+          token: ${{ steps.get_token.outputs.token }}
+
+      - name: Set up Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version-file: go.mod
+
+      - name: Resolve generated branch to commit SHA
+        id: resolve_sha
+        run: |
+          # go get rejects branch names with slashes (e.g. datadog-api-spec/generated/1234),
+          # so we resolve the branch to its commit SHA first.
+          COMMIT_SHA=$(gh api "repos/DataDog/datadog-api-client-go/commits/${GO_CLIENT_BRANCH}" --jq '.sha')
+          echo "commit_sha=${COMMIT_SHA}" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ steps.get_token.outputs.token }}
+          # When called from api-spec via reusable-ci, inputs.target-branch is the go-client branch
+          # name (e.g. datadog-api-spec/generated/1234). Without it, github.event.pull_request.head.sha
+          # is the api-spec commit SHA, which doesn't exist in the go-client repo.
+          GO_CLIENT_BRANCH: ${{ inputs.target-branch || github.event.pull_request.head.sha || github.sha }}
+
+      - name: Update datadog-api-client-go to generated commit
+        run: |
+          # GOPROXY=direct bypasses the module proxy, which won't have unreleased
+          # commits from the private datadog-api-client-go repo.
+          GOPROXY=direct go get "github.com/DataDog/datadog-api-client-go/v2@${COMMIT_SHA}"
+          go mod tidy
+        env:
+          COMMIT_SHA: ${{ steps.resolve_sha.outputs.commit_sha }}
+
+      - name: Build terraform provider
+        run: |
+          if ! go build ./...; then
+            echo ""
+            echo "🚨 BUILD FAILED"
+            echo "This Go client change breaks the terraform-provider-datadog build."
+            echo ""
+            if [ "${TF_BRANCH}" = "master" ]; then
+              echo "The build was tested against the terraform-provider-datadog 'master' branch."
+              echo ""
+              echo "To fix this:"
+              echo "  1. Create a PR on DataDog/terraform-provider-datadog with the necessary code changes"
+              echo "  2. Add the following line to your PR description:"
+              echo "     Fix Terraform Provider PR: https://github.com/DataDog/terraform-provider-datadog/pull/1234"
+              echo "  3. Save the PR description"
+              echo "  4. Push a new commit to trigger the check:"
+              echo "     git commit --allow-empty -m \"force rebuild\""
+              echo "     or use the opportunity to update the branch with any other pending changes"
+            else
+              echo "The build was tested against the terraform-provider-datadog branch '${TF_BRANCH}'."
+              echo "The linked PR also fails to build with the generated Go client — please fix it."
+            fi
+            exit 1
+          fi
+          echo ""
+          echo "✅ Build succeeded — terraform-provider-datadog builds correctly with the generated Go client."
+        env:
+          TF_BRANCH: ${{ steps.detect_tf_pr.outputs.branch }}

.github/workflows/test.yml

@@ -39,6 +39,9 @@ jobs:
        !contains(github.event.pull_request.head.ref, 'datadog-api-spec/test/')) ||
       github.event_name == 'schedule'
     uses: ./.github/workflows/reusable-go-test.yml
+    secrets:
+      PIPELINE_GITHUB_APP_ID: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
+      PIPELINE_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
 
   examples:
     if: >