local dev support (#2088)

* support local dev command

Author: motatoes

CONTRIBUTING.md

@@ -20,7 +20,7 @@ and we would be happy to set you up.
 
 ## Introduction
 
-Digger is an open source terraform cloud alternative. We believe that open source software is important, and we welcome contributions from anyone who is interested in making our tool better.
+Digger is an open source terraform cloud alternative. We believe that open source software is important, and we welcome contributions from anyone who is interested in making our platform better.
 This document is intended to be a guide for people who want to contribute to Digger. We appreciate all contributions, no matter how big or small.
 
 ## How to contribute
@@ -51,6 +51,7 @@ libs/ # contains libraries that are common between digger cli and digger cloud b
 cli/cmd/ # contains the main cli files
 cli/pkg/ # contains packages that are used by the cli code, can import from libs/
 backend/ # contains the backend code, can import from libs/
+ee/ # contains the ee code, can import from libs/ and the other ce packages (but ce must not import from ee)
 docs/ # contains documentation pages
 ```
 
@@ -64,7 +65,7 @@ When you have made changes to the codebase that you would like to contribute bac
 4. Test out your changes in a demo GitHub repository using Github Actions.
 
    - You can test out the changes from your fork by referencing the Action within a Github workflow file: `uses: <github-username>/digger@your-branch`.
-   - Fork [this demo repository](https://github.com/diggerhq/digger_demo_multienv) to setup and assert your tests.
+   - Fork [this demo repository](https://github.com/diggerhq/demo-opentofu) to setup and assert your tests.
    - If you're adding new app level inputs that implies new environment variables, make sure to reference them **both within the `build digger` and `run digger` steps** in [`action.yml`](./action.yml).
 
 5. Update the documentation to reflect your changes, if applicable.
@@ -81,6 +82,11 @@ When you have made changes to the codebase that you would like to contribute bac
 - Once we are ready we tag the head of our release branch and perform a release on it.
 - Tagged releases are published as actions and they are the most suitable to be used in production.
 
+
+## How to test locally
+
+The easiest way to test locally is to follow our [Testing locally](https://docs.digger.dev/ce/contributing/setup-dev-environment) instructions.
+
 ## Code of Conduct
 
 We expect all contributors to follow our [Code of Conduct](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) when participating in our community. Please read it carefully before contributing.

action.yml

@@ -4,6 +4,14 @@ description: Manage terraform collaboration
 author: Digger
 
 inputs:
+  local-dev-mode:
+    description: run digger for local development?
+    required: false
+    default: false
+  local-dev-cli-path:
+    description: The path to where the compiled digger cli on the self-hosted runner exists (absolute path)
+    required: false
+    default: './digger'
   ee:
     description: use ee cli?
     required: false
@@ -365,7 +373,9 @@ runs:
 
     - name: Copy Digger CLI go.sum for cache key
       run: |
-        if [[ ${{ inputs.ee }} == "true" ]]; then
+        if [[ "${{ inputs.local-dev-mode }}" == "true" ]]; then 
+          echo "Digger CLI is in local dev mode, skipping go.sum copy"
+        elif [[ ${{ inputs.ee }} == "true" ]]; then
           cp "$GITHUB_ACTION_PATH/ee/cli/go.sum" "$GITHUB_WORKSPACE/.digger.go.sum"
         else
           cp "$GITHUB_ACTION_PATH/cli/go.sum" "$GITHUB_WORKSPACE/.digger.go.sum"
@@ -399,7 +409,7 @@ runs:
 
 
     - name: build and run digger
-      if: ${{ !startsWith(github.action_ref, 'v') }}
+      if: ${{ !startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }}
       shell: bash
       env:
         PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }}
@@ -448,7 +458,7 @@ runs:
           digger
 
     - name: run digger
-      if: ${{ startsWith(github.action_ref, 'v') }}
+      if: ${{ startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }}
       env:
         actionref: ${{ github.action_ref }}
         PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }}
@@ -495,6 +505,70 @@ runs:
         cd $GITHUB_WORKSPACE
         digger
 
+    - name: run digger in local dev mode
+      if:  ${{ inputs.local-dev-mode == 'true' }}
+      env:
+        actionref: ${{ github.action_ref }}
+        PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }}
+        PLAN_UPLOAD_S3_ENCRYPTION_ENABLED: ${{ inputs.upload-plan-destination-s3-encryption-enabled }}
+        PLAN_UPLOAD_S3_ENCRYPTION_TYPE: ${{ inputs.upload-plan-destination-s3-encryption-type }}
+        PLAN_UPLOAD_S3_ENCRYPTION_KMS_ID: ${{ inputs.upload-plan-destination-s3-encryption-kms-key-id }}
+        PLAN_UPLOAD_AZURE_STORAGE_CONTAINER_NAME: ${{ inputs.upload-plan-destination-azure-container }}
+        PLAN_UPLOAD_AZURE_STORAGE_ACCOUNT_NAME: ${{ inputs.upload-plan-destination-azure-storage-account }}
+        GOOGLE_STORAGE_LOCK_BUCKET: ${{ inputs.google-lock-bucket }}
+        GOOGLE_STORAGE_PLAN_ARTEFACT_BUCKET: ${{ inputs.upload-plan-destination-gcp-bucket }}
+        AWS_S3_BUCKET: ${{ inputs.upload-plan-destination-s3-bucket }}
+        ACTIVATE_VENV: ${{ inputs.setup-checkov == 'true' }}
+        DISABLE_LOCKING: ${{ inputs.disable-locking == 'true' }}
+        DIGGER_PRIVATE_KEY: ${{ inputs.digger-private-key }}
+        DIGGER_TOKEN: ${{ inputs.digger-token }}
+        DIGGER_ORGANISATION: ${{ inputs.digger-organisation }}
+        DIGGER_HOSTNAME: ${{ inputs.digger-hostname }}
+        DIGGER_FILENAME: ${{ inputs.digger-filename }}
+        ACCUMULATE_PLANS: ${{ inputs.post-plans-as-one-comment == 'true' }}
+        REPORTING_STRATEGY: ${{ inputs.reporting-strategy }}
+        INPUT_DIGGER_PROJECT: ${{ inputs.project }}
+        INPUT_DIGGER_MODE: ${{ inputs.mode }}
+        INPUT_DIGGER_COMMAND: ${{ inputs.command }}
+        INPUT_DRIFT_DETECTION_SLACK_NOTIFICATION_URL: ${{ inputs.drift-detection-slack-notification-url }}
+        INPUT_DRIFT_DETECTION_ADVANCED_SLACK_NOTIFICATION_URL: ${{ inputs.drift-detection-advanced-slack-notification-url }}
+        NO_BACKEND: ${{ inputs.no-backend }}
+        TG_PROVIDER_CACHE: ${{ inputs.cache-dependencies == 'true' && 1 || 0 }}
+        TERRAGRUNT_PROVIDER_CACHE: ${{ inputs.cache-dependencies == 'true' && 1 || 0 }}
+        DIGGER_RUN_SPEC: ${{inputs.digger-spec}}
+      id: digger-local-run
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        cd $GITHUB_WORKSPACE
+        
+        echo "🚀 Running digger..."
+        RAW="${{ inputs.local-dev-cli-path }}"
+        
+        # Validate path to prevent command injection
+        if [[ "$RAW" =~ [^a-zA-Z0-9_./-] ]]; then
+          echo "❌ Invalid characters in local-dev-cli-path"
+          exit 1
+        fi
+        
+        if "$RAW" in [!A-Za-z0-9_./-]; then
+          echo "❌ bad chars" ; exit 1
+        fi
+
+        if [[ "$RAW"  =~ \.\. || "$RAW" == : || "$RAW" != /* ]]; then
+          echo "❌ traversal/colon/relative not allowed"; exit 1
+        fi        
+
+        DIR=$(realpath -- "$RAW") || { echo "❌ not found"; exit 1; }
+        [[ -d "$DIR" ]] || { echo "❌ not a dir"; exit 1; }        
+
+        BIN="$DIR/digger"
+        [[ -x "$BIN" ]] || { echo "❌ digger not executable at $BIN"; exit 1; }        
+        
+        $BIN
+        echo "✅ digger completed"
+
     - uses: actions/cache/save@v4
       name: cache-save
       if: ${{ always() && inputs.cache-dependencies == 'true' && steps.restore_cache.outputs.cache-hit != 'true' }}

cli/.gitignore

@@ -1,3 +1,4 @@
 **/digger
 !/pkg/digger
 !/cmd/digger
+actions-runner/

docs/ce/contributing/setup-dev-environment.mdx

@@ -0,0 +1,129 @@
+---
+title: "Setting up a local development environment"
+---
+
+
+## Setting up the backend
+
+To get started running the backend service you will need:
+
+- digger’s repo cloned https://github.com/diggerhq/digger
+- some kind of ngrok to tunnel connections to port 3000 - this is needed to receive github webhooks to the service
+- go 1.24 running on your machine
+
+<Steps>
+    <Step title="Install ngrok">
+        You can use ngrok to tunnel connections to port 3000. You can find installation instructions [here](https://ngrok.com/docs/getting-started).
+        The reason we need this is so that we can receive github webhooks to the service
+    </Step>
+
+    <Step title="Create a local database">
+        I usually start one with docker:
+
+        ```
+        docker run --name digger-pg \
+        -e POSTGRES_PASSWORD='SuperSecurePasswordWithAtLeast14Characters' \
+        -e POSTGRES_USER=postgres \
+        -e POSTGRES_DB=digger \
+        -p 54312:5432 \
+        -d postgres:15
+        ```
+
+        which will create this connections tring:
+
+        ```
+        export DATABASE_URL=postgres://postgres:SuperSecurePasswordWithAtLeast14Characters@localhost:54312/digger?sslmode=disable
+        ```
+    </Step>
+
+    <Step title="Clone the repo">
+        If you are planning to contribute you would need to fork the repo and clone it locally:
+
+        ```
+        # replace diggerhq with your username
+        git clone https://github.com/diggerhq/digger.git
+        ```
+    </Step>
+
+    <Step title="Creating environment variables">
+        Create a `.env` file in the folder backend/ of the repo and add the following:
+        ```
+        GITHUB_ORG=your_github_org # this is your github org where an app will be installed, leave it out to install in your personal account
+        HOSTNAME=your_public_digger_hostname # the ngrok hostname (include https://)
+        DATABASE_URL=postgres://.....
+        HTTP_BASIC_AUTH=1
+        HTTP_BASIC_AUTH_USERNAME=mydiggerorg
+        HTTP_BASIC_AUTH_PASSWORD=$(openssl rand -base64 12)
+        ALLOW_DIRTY=false # set to true if the database has already a schema configured
+        ```
+
+        note that you would need to source this file before running the backend service
+
+        ```
+        set -a
+        source .env
+        set +a
+        ```
+
+        And after that you can run the service with:
+
+        ```
+        go run backend/main.go
+        ```
+
+        You should see a message that the service is listening on port 3000. Visiting that url should show you a ui screen that digger is up and running.
+    </Step>
+
+    <Step title="Next steps">
+        From here on you can follow the steps in the self hosting binary guide [here](/ce/self-host/deploy-binary)
+    </Step>
+
+</Steps>
+
+## Setting up the cli
+
+The cli is mainly meant to be used and invoked in CI systems. So in order to test cli changes the easiest way is to push it to your digger branch and then update the step to point to the branch directly:
+
+```
+      - name: digger
+        uses: diggerhq/digger@feat/my-test-branch
+        with:
+            ....
+```
+
+Digger will then build the cli on your test runs and so you can test your changes from branch. It can be time consuming to build the cli on every run so we also added a way to use it from local
+via self-hosted runners on your machine. In order to achieve this you would need to create a self-hosted runner connected to your repo.
+
+Visit the repo with your test terraform and then click on "actions" -> "runners" -> "self-hosted runners" -> "new runner".
+Follow the instructions for your local machine and to set it up. Once set up you should see it in the list of runners.
+
+From here you will need to build a version of your cli locally.
+
+```
+cd cli
+go build -o digger ./cmd/digger
+chmod +x digger
+```
+
+Test run the local cli - it should display a message like "no CI detected". Now we can modify our workflow file to use our self-hosted runner and to invoke the local cli during processing:
+
+```
+      - name: digger
+        uses: diggerhq/digger@vLatest # this version doesn't matter when using local dev
+        with:
+          # ...
+          local-dev-mode: "true"
+          local-dev-cli-path: "/Users/myname/dev/digger/digger/cli"
+```
+
+The value of "local-dev-cli-path" should be an absolute path to the location compiled binary from the previous step (excluding the binary name). You should see this line when you try to run it:
+
+![](/images/contributing/self-hosted-cli-local-dev.png)
+
+> **Security Warning**: Self-hosted runners have significant security implications. When using self-hosted runners, be aware that:
+> - Code from pull requests can run on your self-hosted runner, potentially executing malicious code on your machine
+> - If your repository is public, anyone can fork it and submit a pull request that could run code on your runner
+> - Only use self-hosted runners in private repositories where you trust all contributors, or implement proper security controls
+> - For more information, see [GitHub's security considerations for self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security)
+
+From here onwards the cycle is to make a local change, rebuild the cli and then trigger in github to test that change. Its a much faster iterative cycle in comparison to building from a branch each time.

docs/images/contributing/self-hosted-cli-local-dev.png

@@ -155,6 +155,13 @@
         "ce/azure-specific/azure-devops-locking-connection-methods"
       ]
     },
+    {
+      "group": "Contributing",
+      "pages": [
+        "ce/contributing/setup-dev-environment"
+      ]
+    },
+
     {
       "group": "Troubleshooting",
       "pages": [