
add direct GitHub OIDC release recording to registry API #48

Merged: gontzess merged 1 commit into main from gontzess/ce332-workflow-token-exchange on Mar 11, 2026

Conversation


@gontzess gontzess commented Feb 18, 2026

Why

The connector registry API replaces the per-connector Lambda release recording pipeline. During dual-write migration, each release records to both the legacy Lambda path and the registry API. The registry API authenticates CI via GitHub OIDC with per-connector isolation through the repository claim.

What this changes

record-release Go command (cmd/record-release/main.go): Type-safe transformation from the merged manifest (protojson) to the registry API RecordRelease request format. Maps asset fields (href to downloadUrl, signatureHref to signatureUrl, etc.), extracts image refs, reads optional docs/connector.mdx, and POSTs with Bearer auth. Handles 200 (success) and 409 (already exists) as non-error for dual-write compatibility.

release.yaml workflow changes: Adds record-registry-api as a separate job that runs after both legacy recording jobs complete (record-connector-registry + record-lambda-registry). Uses the merged manifest output from the dist recording job. Steps:

  1. Checkout connector repo and workflows repo
  2. Detect documentation presence
  3. Get GitHub OIDC token with connector-registry audience
  4. Fetch release notes from GitHub release body
  5. Run record-release with manifest, metadata, and OIDC token

Fields sent to the registry API:

| Field | Source |
|---|---|
| org | GitHub context |
| name | GitHub context |
| version | GitHub context (tag) |
| repositoryUrl | GitHub context |
| commitSha | GitHub context |
| workflowRunId | GitHub context |
| assets | goreleaser binaries, windows MSI, checksums |
| images | container images (GHCR, ECR Public, Lambda ARM64) |
| config_schema | connector repo config_schema.json |
| capabilities | connector repo baton_capabilities.json |
| documentation | connector repo docs/connector.mdx |
| changelog | GitHub release body |
| signature_url | cosign manifest signing |
| certificate_url | cosign manifest signing |

Bug fix: record-connector-registry job condition now checks goreleaser-docker result. Previously a failed docker build still triggered the manifest upload and S3 sync with incomplete artifacts (missing container images). Docker must now succeed or be skipped.

Testing

Test release v0.1.120-test.7 on baton-github-test validated the full pipeline (3/11):

| Field | Result |
|---|---|
| documentation | 17,956 chars (full connector.mdx) |
| changelog | 371 chars (GitHub release body) |
| configSchema | 5,487 chars (valid JSON with fields) |
| capabilities | 4,645 chars (valid JSON with @type preserved) |
| assets | 7 platforms |
| images | ecrPublic + ghcr |
| repositoryUrl | correct |
| commitSha | correct |

All jobs succeeded: record-connector-registry (legacy dist), record-lambda-registry (legacy lambda), record-registry-api (new path), verify-release


coderabbitai Bot commented Feb 18, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • .github/workflows/release.yaml is excluded by none and included by none
  • cmd/record-release/main.go is excluded by none and included by none


@gontzess gontzess force-pushed the gontzess/ce332-workflow-token-exchange branch from 9ff5245 to cfe5c6a on February 27, 2026 21:30
@gontzess gontzess changed the title from "feat: C1 Workload Federation token exchange in release workflow" to "replace C1 WF token exchange with direct GitHub OIDC" on Feb 27, 2026
@gontzess gontzess changed the title from "replace C1 WF token exchange with direct GitHub OIDC" to "add direct GitHub OIDC release recording to registry API" on Feb 27, 2026
@gontzess gontzess force-pushed the gontzess/ce332-workflow-token-exchange branch from 32266d1 to b06ec1f on March 6, 2026 16:15
@gontzess gontzess marked this pull request as ready for review March 10, 2026 14:05
@gontzess gontzess force-pushed the gontzess/ce332-workflow-token-exchange branch 6 times, most recently from 7ead725 to 15555a7 on March 11, 2026 19:38
Comment thread on cmd/record-release/main.go (outdated)

```go
case http.StatusOK:
	result, _ := json.Marshal(map[string]interface{}{
		"status": "success",
		"code":   200,
```

Reviewer: nit: you had the status codes right here in the switch statement :)

gontzess (Contributor, Author): Nice catch thank you

Add record-registry-api job that runs after both legacy recording
paths complete (dist manifest + Lambda invocation). Uses GitHub OIDC
for per-connector authentication.

Includes record-release Go command that reads the merged manifest,
connector repo files (docs, config_schema, capabilities), and GitHub
release notes, then POSTs to the registry API.

Also fixes record-connector-registry to gate on docker job success,
preventing incomplete manifests when docker builds fail.
@gontzess gontzess force-pushed the gontzess/ce332-workflow-token-exchange branch from 15555a7 to d25498c on March 11, 2026 23:43
@gontzess gontzess merged commit 7ebddd9 into main Mar 11, 2026
1 check passed
@gontzess gontzess deleted the gontzess/ce332-workflow-token-exchange branch March 11, 2026 23:52