diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml index 85e21c3..90e5322 100644 --- a/.github/workflows/verify.yaml +++ b/.github/workflows/verify.yaml @@ -84,3 +84,5 @@ jobs: uses: ConductorOne/baton-regression/.github/workflows/regression.yml@main with: connector: ${{ inputs.connector }} + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} diff --git a/README.md b/README.md index 5511484..c1b2025 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,38 @@ To disable MSI builds entirely (e.g., for connectors that don't need Windows ins When `msi: false`, the `GORELEASER_PRO_KEY` secret is not required. +## Verify Workflow + +Runs linting, tests, and optional regression verification. See [detailed documentation](docs/verify-workflow.md) for jobs, regression testing, and all options. + +### Usage + +```yaml +name: Verify + +on: + pull_request: + types: [opened, reopened, synchronize] + push: + branches: + - main + +jobs: + verify: + uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + connector: baton-okta # optional: enables regression testing + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} +``` + +| Parameter | Required | Default | Description | +|-|-|-|-| +| `ref` | Yes | - | Git ref to check out and verify | +| `run_tests` | No | `true` | Run `go test` | +| `connector` | No | `""` | Connector name — triggers [regression testing](docs/verify-workflow.md#regression) when set | + ## Available Actions ### Get Baton diff --git a/docs/verify-workflow.md b/docs/verify-workflow.md new file mode 100644 index 0000000..d75b70e --- /dev/null +++ b/docs/verify-workflow.md 
@@ -0,0 +1,106 @@ +# Verify Workflow + +The `verify.yaml` workflow runs linting, tests, and optional regression verification for connector repositories. + +## Overview + +When a pull request is opened or code is pushed to main, the shared verify workflow: + +1. Runs `golangci-lint` on the connector code +2. Runs `go test` (optional, enabled by default) +3. Runs baton-regression verification (optional, when `connector` is provided) + +## Jobs + +### lint + +Checks out the caller repo and runs `golangci-lint` with a 6-minute timeout. If `RELENG_GITHUB_TOKEN` is available, configures git for private module access. + +### test + +Runs `go test -v -covermode=count -json ./...` and annotates results. Skipped if `run_tests: false`. + +### regression + +Calls the [baton-regression](https://github.com/ConductorOne/baton-regression) reusable workflow when `connector` is non-empty. The regression workflow: + +1. Checks out baton-regression and the connector repo +2. Builds both the regression tool and the connector binary +3. Runs axiom-based structural verification +4. Runs static nil pointer analysis +5. Uploads verification reports as artifacts +6. Posts a summary with coverage metrics + +The regression job requires `RELENG_GITHUB_TOKEN` to be passed from the caller workflow for private repo access. + +## Inputs + +| Parameter | Required | Default | Description | +|-|-|-|-| +| `ref` | Yes | - | Git ref to check out | +| `run_tests` | No | `true` | Whether to run `go test` | +| `connector` | No | `""` | Connector name (e.g., `baton-okta`). 
Triggers regression when set | + +## Secrets + +| Secret | Required | Description | +|-|-|-| +| `RELENG_GITHUB_TOKEN` | No | GitHub token for private module and repo access | + +## Usage + +### Basic (lint + test only) + +```yaml +name: Verify + +on: + pull_request: + types: [opened, reopened, synchronize] + push: + branches: + - main + +jobs: + verify: + uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} +``` + +### With regression testing + +```yaml +jobs: + verify: + uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + connector: baton-okta + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} +``` + +### Skip tests + +```yaml +jobs: + verify: + uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + run_tests: false + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} +``` + +## Controlling Regression per Connector + +Regression is enabled when the connector's `verify.yaml` includes a `connector:` parameter. This is controlled by baton-admin's `connectors.yaml`: + +- `run_regression: false` in a connector's verify config omits the `connector:` parameter, disabling regression +- When `run_regression` is absent (default), the `connector:` parameter is included and regression runs + +To add a connector to regression testing, ensure it passes baton-regression verification locally before removing the `run_regression: false` flag.
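Review bot: In the `.github/workflows/verify.yaml` hunk, the added `secrets:` block hands `RELENG_GITHUB_TOKEN` to a reusable workflow that is referenced by a mutable branch ref, `ConductorOne/baton-regression/.github/workflows/regression.yml@main`. Whatever is at the head of that branch at run time receives the token. Now that a secret crosses this boundary, consider pinning the `uses:` ref to a commit SHA or a release tag. Also confirm that both this workflow and the called one declare `RELENG_GITHUB_TOKEN` under `on.workflow_call.secrets`, since neither declaration is visible in this patch.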
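Review bot: In the `README.md` hunk, the usage example passes `RELENG_GITHUB_TOKEN`, but the parameter table that follows lists only `ref`, `run_tests` and `connector`, so the README never says whether the secret is required or what it is used for. Add a secrets row or a sentence saying it is used for private module and repo access and is needed by the regression job. The example also hard-codes `connector: baton-okta`, which enables regression against that connector name for anyone who copies the block unchanged; a placeholder name or a commented-out line would avoid that.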
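Review bot: In the new `docs/verify-workflow.md`, the Secrets table marks `RELENG_GITHUB_TOKEN` as Required `No`, while the regression section says the job "requires `RELENG_GITHUB_TOKEN` to be passed from the caller workflow". State the condition explicitly, for example that it is required when `connector` is set. The usage examples trigger on `pull_request` and check out `github.event.pull_request.head.sha`, and GitHub does not pass repository secrets to `pull_request` runs from forks, so the doc should say what the lint and regression jobs do when the token is empty. Because the regression job builds the connector binary from that ref with the token passed in, it would also help to document the minimum scope the token needs, ideally read-only access to the private repos involved.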