From 4d9486e6e34fb172709d41edf2a9e3a20822d60f Mon Sep 17 00:00:00 2001 From: Steve Gontzes Date: Tue, 3 Mar 2026 12:09:48 -0500 Subject: [PATCH 1/3] fix: pass secrets to regression job, add verify workflow docs Add secrets: inherit to the regression job in verify.yaml so RELENG_GITHUB_TOKEN flows through to baton-regression for private repo checkout. Add README section and docs/verify-workflow.md covering the verify workflow's three jobs (lint, test, regression), inputs, and usage. --- .github/workflows/verify.yaml | 1 + README.md | 60 ++++++++++++++++++++ docs/verify-workflow.md | 103 ++++++++++++++++++++++++++++++++++ 3 files changed, 164 insertions(+) create mode 100644 docs/verify-workflow.md diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml index 85e21c3..39bf6f4 100644 --- a/.github/workflows/verify.yaml +++ b/.github/workflows/verify.yaml @@ -84,3 +84,4 @@ jobs: uses: ConductorOne/baton-regression/.github/workflows/regression.yml@main with: connector: ${{ inputs.connector }} + secrets: inherit diff --git a/README.md b/README.md index 926fcff..e7ef29c 100644 --- a/README.md +++ b/README.md 
@@ -94,6 +94,66 @@ COPY ${TARGETPLATFORM}/${REPO_NAME} /${REPO_NAME} **Note:** Use `docker_extra_files` to include additional files or directories (comma-separated) in the Docker build context. These are paths relative to your connector repository root. +## Verify Workflow + +Runs linting, tests, and optional regression verification for connector repositories. See [detailed documentation](docs/verify-workflow.md) for all options. + +### Usage + +Create a `.github/workflows/verify.yaml` file: + +```yaml +name: Verify + +on: + pull_request: + types: [opened, reopened, synchronize] + push: + branches: + - main + +jobs: + verify: + uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: inherit +``` + +The verify workflow accepts the following parameters: + +| Parameter | Required | Default | Description | +|-|-|-|-| +| `ref` | Yes | - | Git ref to check out and verify | +| `run_tests` | No | `true` | Whether to run `go test` | +| `connector` | No | `""` | Connector name for regression testing (e.g., `baton-okta`). If set, runs baton-regression verification | + +### Jobs + +The workflow runs up to three jobs: + +1. **lint** — runs `golangci-lint` on the caller repo +2. **test** — runs `go test` (skipped if `run_tests: false`) +3. **regression** — runs [baton-regression](https://github.com/ConductorOne/baton-regression) verification (only when `connector` is provided) + +### Regression Testing + +When `connector` is provided, the verify workflow calls the baton-regression reusable workflow to run structural verification against the connector. This checks axiom compliance, branch coverage, and nil pointer safety. 
+ +```yaml +jobs: + verify: + uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + connector: baton-okta + secrets: inherit +``` + +The `secrets: inherit` directive is required so that `RELENG_GITHUB_TOKEN` flows through to the regression workflow for private repo access. + +To disable regression for a connector that isn't ready, omit the `connector` parameter (controlled via `run_regression: false` in baton-admin's `connectors.yaml`). + ## Available Actions ### Get Baton diff --git a/docs/verify-workflow.md b/docs/verify-workflow.md new file mode 100644 index 0000000..c44e544 --- /dev/null +++ b/docs/verify-workflow.md 
@@ -0,0 +1,103 @@ +# Verify Workflow + +The `verify.yaml` workflow runs linting, tests, and optional regression verification for connector repositories. + +## Overview + +When a pull request is opened or code is pushed to main, the shared verify workflow: + +1. Runs `golangci-lint` on the connector code +2. Runs `go test` (optional, enabled by default) +3. Runs baton-regression verification (optional, when `connector` is provided) + +## Jobs + +### lint + +Checks out the caller repo and runs `golangci-lint` with a 6-minute timeout. If `RELENG_GITHUB_TOKEN` is available, configures git for private module access. + +### test + +Runs `go test -v -covermode=count -json ./...` and annotates results. Skipped if `run_tests: false`. + +### regression + +Calls the [baton-regression](https://github.com/ConductorOne/baton-regression) reusable workflow when `connector` is non-empty. The regression workflow: + +1. Checks out baton-regression and the connector repo +2. Builds both the regression tool and the connector binary +3. Runs axiom-based structural verification +4. Runs static nil pointer analysis +5. Uploads verification reports as artifacts +6. Posts a summary with coverage metrics + +The regression job requires `secrets: inherit` in the caller workflow so that `RELENG_GITHUB_TOKEN` flows through for private repo access. + +## Inputs + +| Parameter | Required | Default | Description | +|-|-|-|-| +| `ref` | Yes | - | Git ref to check out | +| `run_tests` | No | `true` | Whether to run `go test` | +| `connector` | No | `""` | Connector name (e.g., `baton-okta`). 
Triggers regression when set | + +## Secrets + +| Secret | Required | Description | +|-|-|-| +| `RELENG_GITHUB_TOKEN` | No | GitHub token for private module and repo access | + +## Usage + +### Basic (lint + test only) + +```yaml +name: Verify + +on: + pull_request: + types: [opened, reopened, synchronize] + push: + branches: + - main + +jobs: + verify: + uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: inherit +``` + +### With regression testing + +```yaml +jobs: + verify: + uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + connector: baton-okta + secrets: inherit +``` + +### Skip tests + +```yaml +jobs: + verify: + uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + run_tests: false + secrets: inherit +``` + +## Controlling Regression per Connector + +Regression is enabled when the connector's `verify.yaml` includes a `connector:` parameter. This is controlled by baton-admin's `connectors.yaml`: + +- `run_regression: false` in a connector's verify config omits the `connector:` parameter, disabling regression +- When `run_regression` is absent (default), the `connector:` parameter is included and regression runs + +To add a connector to regression testing, ensure it passes baton-regression verification locally before removing the `run_regression: false` flag. From cf696c92d44d017eb2423166d31159c50c751a1e Mon Sep 17 00:00:00 2001 
From: Steve Gontzes Date: Tue, 3 Mar 2026 12:22:09 -0500 Subject: [PATCH 2/3] docs: trim README verify section, keep detail in docs file README now has just the usage example and parameter table. Detailed job descriptions, regression testing, secrets, and usage variants are in docs/verify-workflow.md. --- README.md | 37 ++++--------------------------------- 1 file changed, 4 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 43e83f7..9a54700 100644 --- a/README.md +++ b/README.md @@ -139,12 +139,10 @@ When `msi: false`, the `GORELEASER_PRO_KEY` secret is not required. ## Verify Workflow -Runs linting, tests, and optional regression verification for connector repositories. See [detailed documentation](docs/verify-workflow.md) for all options. +Runs linting, tests, and optional regression verification. See [detailed documentation](docs/verify-workflow.md) for jobs, regression testing, and all options. ### Usage -Create a `.github/workflows/verify.yaml` file: - ```yaml name: Verify 
@@ -160,42 +158,15 @@ jobs: uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 with: ref: ${{ github.event.pull_request.head.sha || github.sha }} + connector: baton-okta # optional: enables regression testing secrets: inherit ``` -The verify workflow accepts the following parameters: - | Parameter | Required | Default | Description | |-|-|-|-| | `ref` | Yes | - | Git ref to check out and verify | -| `run_tests` | No | `true` | Whether to run `go test` | -| `connector` | No | `""` | Connector name for regression testing (e.g., `baton-okta`). If set, runs baton-regression verification | - -### Jobs - -The workflow runs up to three jobs: - -1. **lint** — runs `golangci-lint` on the caller repo -2. **test** — runs `go test` (skipped if `run_tests: false`) -3. **regression** — runs [baton-regression](https://github.com/ConductorOne/baton-regression) verification (only when `connector` is provided) - -### Regression Testing - -When `connector` is provided, the verify workflow calls the baton-regression reusable workflow to run structural verification against the connector. This checks axiom compliance, branch coverage, and nil pointer safety. - -```yaml -jobs: - verify: - uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 - with: - ref: ${{ github.event.pull_request.head.sha || github.sha }} - connector: baton-okta - secrets: inherit -``` - -The `secrets: inherit` directive is required so that `RELENG_GITHUB_TOKEN` flows through to the regression workflow for private repo access. - -To disable regression for a connector that isn't ready, omit the `connector` parameter (controlled via `run_regression: false` in baton-admin's `connectors.yaml`). +| `run_tests` | No | `true` | Run `go test` | +| `connector` | No | `""` | Connector name — triggers [regression testing](docs/verify-workflow.md#regression) when set | ## Available Actions From dffa049ca95c98e7df2a3b010d7243f3bcc39edd Mon Sep 17 00:00:00 2001 
From: Steve Gontzes Date: Tue, 3 Mar 2026 12:24:36 -0500 Subject: [PATCH 3/3] fix: use explicit RELENG_GITHUB_TOKEN instead of secrets: inherit Pass only the specific secret needed for private repo access rather than all org secrets. Limits exposure in the reusable workflow chain. --- .github/workflows/verify.yaml | 3 ++- README.md | 3 ++- docs/verify-workflow.md | 11 +++++++---- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml index 39bf6f4..90e5322 100644 --- a/.github/workflows/verify.yaml +++ b/.github/workflows/verify.yaml @@ -84,4 +84,5 @@ jobs: uses: ConductorOne/baton-regression/.github/workflows/regression.yml@main with: connector: ${{ inputs.connector }} - secrets: inherit + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} diff --git a/README.md b/README.md index 9a54700..c1b2025 100644 --- a/README.md +++ b/README.md @@ -159,7 +159,8 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.sha }} connector: baton-okta # optional: enables regression testing - secrets: inherit + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} ``` | Parameter | Required | Default | Description | diff --git a/docs/verify-workflow.md b/docs/verify-workflow.md index c44e544..d75b70e 100644 --- a/docs/verify-workflow.md +++ b/docs/verify-workflow.md @@ -31,7 +31,7 @@ Calls the [baton-regression](https://github.com/ConductorOne/baton-regression) r 5. Uploads verification reports as artifacts 6. Posts a summary with coverage metrics -The regression job requires `secrets: inherit` in the caller workflow so that `RELENG_GITHUB_TOKEN` flows through for private repo access. +The regression job requires `RELENG_GITHUB_TOKEN` to be passed from the caller workflow for private repo access. ## Inputs 
@@ -66,7 +66,8 @@ jobs: uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4 with: ref: ${{ github.event.pull_request.head.sha || github.sha }} - secrets: inherit + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} ``` ### With regression testing @@ -78,7 +79,8 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.sha }} connector: baton-okta - secrets: inherit + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} ``` ### Skip tests @@ -90,7 +92,8 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.sha }} run_tests: false - secrets: inherit + secrets: + RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }} ``` ## Controlling Regression per Connector
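Review bot: the `+ secrets: inherit` line in patch 1's verify.yaml hunk hands every secret the caller has to `ConductorOne/baton-regression/.github/workflows/regression.yml@main`, and that `uses:` line pins a mutable branch, so any later commit on baton-regression's main runs with whatever secret set the caller grants. Patch 3 narrows the grant to `RELENG_GITHUB_TOKEN`, which is the right direction, but the `@main` reference survives all three patches; suggest pinning the regression workflow to a release tag or commit SHA the way the caller examples pin `verify.yaml@v4`, so a change on the remote branch cannot silently alter what runs with the token.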
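Review bot: the Regression Testing paragraph in patch 1's README hunk documents `secrets: inherit` as required for `RELENG_GITHUB_TOKEN` to reach the regression workflow, which patch 3 of this series reverses; since patch 2 deletes that paragraph again, squashing the series (or dropping the paragraph from patch 1) would avoid a commit in history that tells callers to grant all secrets. The same hunk's Usage example passes `secrets: inherit` without a `connector`, and nothing nearby says what the token is used for in that case; one sentence pointing at the lint job's private module access would make the basic example self-explaining.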
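Review bot: the Secrets table in patch 1's docs/verify-workflow.md hunk lists `RELENG_GITHUB_TOKEN` as `Required: No`, yet the regression section above it says the regression job requires the token and the lint section says private module access depends on it; suggest `Required: for regression and private modules`, or a note in the Description cell, so a caller without the secret knows which jobs degrade and how. The doc also never states what permissions the token needs; since the regression job checks out and builds the pull request's connector code with this token in scope, documenting it as a read-only token scoped to the private repos it has to fetch limits the impact if a build step ever exposes it.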
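Review bot: the `+ connector: baton-okta # optional: enables regression testing` line in patch 2's README hunk puts a concrete connector name into the template every connector repo is expected to copy; a caller that pastes it verbatim either enables regression unintentionally or runs it against the wrong connector, while the docs say enablement is meant to be driven from baton-admin's `connectors.yaml`. Suggest a placeholder such as `connector: <connector-name>` with the comment kept, or leaving the line to the dedicated regression example in docs/verify-workflow.md.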
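Review bot: the explicit `RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}` mapping in patch 3's verify.yaml hunk only works if `regression.yml` declares that secret under `on.workflow_call.secrets`; worth confirming before merge, since a secret the called workflow does not declare is rejected at workflow load. Also, when the caller has no such secret (a repo without the org secret, or a pull request from a fork) the expression expands to an empty string instead of failing, so the private checkout fails later with a less obvious error; consider documenting that behaviour or having the regression job check for an empty token. Replacing `secrets: inherit` with one named secret is the right least-privilege change.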
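Review bot: the `@@ -31,7` change in patch 3's docs/verify-workflow.md hunk ("requires `RELENG_GITHUB_TOKEN` to be passed from the caller workflow") is not mirrored in the Secrets table added in patch 1, which still reads `Required: No`; update that row in the same patch so the two statements agree. The three usage examples in the `@@ -66`, `@@ -78` and `@@ -90` hunks now all pass the secret explicitly, including "Basic (lint + test only)"; a sentence under that example saying the secret can be omitted when the connector has no private module dependencies would keep callers from provisioning a token they do not need.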