Merged
2 changes: 2 additions & 0 deletions .github/workflows/verify.yaml
Expand Up @@ -84,3 +84,5 @@ jobs:
uses: ConductorOne/baton-regression/.github/workflows/regression.yml@main
with:
connector: ${{ inputs.connector }}
secrets:
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
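Review bot: The new `secrets:` block in the regression job passes `RELENG_GITHUB_TOKEN` to a reusable workflow referenced as `ConductorOne/baton-regression/.github/workflows/regression.yml@main`, which is a mutable branch ref, so any later commit to that branch runs with the token. Consider pinning the `uses:` line to a release tag or a full commit SHA before handing the secret to it.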
32 changes: 32 additions & 0 deletions README.md
Expand Up @@ -137,6 +137,38 @@ To disable MSI builds entirely (e.g., for connectors that don't need Windows ins

When `msi: false`, the `GORELEASER_PRO_KEY` secret is not required.

## Verify Workflow

Runs linting, tests, and optional regression verification. See [detailed documentation](docs/verify-workflow.md) for jobs, regression testing, and all options.

### Usage

```yaml
name: Verify

on:
pull_request:
types: [opened, reopened, synchronize]
push:
branches:
- main

jobs:
verify:
uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
connector: baton-okta # optional: enables regression testing
secrets:
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
```

| Parameter | Required | Default | Description |
|-|-|-|-|
| `ref` | Yes | - | Git ref to check out and verify |
| `run_tests` | No | `true` | Run `go test` |
| `connector` | No | `""` | Connector name — triggers [regression testing](docs/verify-workflow.md#regression) when set |

## Available Actions

### Get Baton
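Review bot: The parameter table under the new "Verify Workflow" usage example lists only inputs, so a reader of the README alone cannot tell that `RELENG_GITHUB_TOKEN` is needed once `connector` is set. Add a secrets row, or a sentence next to `connector: baton-okta # optional: enables regression testing`, saying the regression job needs the token. The example also triggers on `pull_request`, where by default GitHub does not expose repository secrets to runs from forks, so it is worth stating what the regression job does in that case.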
106 changes: 106 additions & 0 deletions docs/verify-workflow.md
@@ -0,0 +1,106 @@
# Verify Workflow

The `verify.yaml` workflow runs linting, tests, and optional regression verification for connector repositories.

## Overview

When a pull request is opened or code is pushed to main, the shared verify workflow:

1. Runs `golangci-lint` on the connector code
2. Runs `go test` (optional, enabled by default)
3. Runs baton-regression verification (optional, when `connector` is provided)

## Jobs

### lint

Checks out the caller repo and runs `golangci-lint` with a 6-minute timeout. If `RELENG_GITHUB_TOKEN` is available, configures git for private module access.

### test

Runs `go test -v -covermode=count -json ./...` and annotates results. Skipped if `run_tests: false`.

### regression

Calls the [baton-regression](https://github.com/ConductorOne/baton-regression) reusable workflow when `connector` is non-empty. The regression workflow:

1. Checks out baton-regression and the connector repo
2. Builds both the regression tool and the connector binary
3. Runs axiom-based structural verification
4. Runs static nil pointer analysis
5. Uploads verification reports as artifacts
6. Posts a summary with coverage metrics

The regression job requires `RELENG_GITHUB_TOKEN` to be passed from the caller workflow for private repo access.

## Inputs

| Parameter | Required | Default | Description |
|-|-|-|-|
| `ref` | Yes | - | Git ref to check out |
| `run_tests` | No | `true` | Whether to run `go test` |
| `connector` | No | `""` | Connector name (e.g., `baton-okta`). Triggers regression when set |

## Secrets

| Secret | Required | Description |
|-|-|-|
| `RELENG_GITHUB_TOKEN` | No | GitHub token for private module and repo access |

## Usage

### Basic (lint + test only)

```yaml
name: Verify

on:
pull_request:
types: [opened, reopened, synchronize]
push:
branches:
- main

jobs:
verify:
uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
secrets:
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
```

### With regression testing

```yaml
jobs:
verify:
uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
connector: baton-okta
secrets:
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
```

### Skip tests

```yaml
jobs:
verify:
uses: ConductorOne/github-workflows/.github/workflows/verify.yaml@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
run_tests: false
secrets:
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
```

## Controlling Regression per Connector

Regression is enabled when the connector's `verify.yaml` includes a `connector:` parameter. This is controlled by baton-admin's `connectors.yaml`:

- `run_regression: false` in a connector's verify config omits the `connector:` parameter, disabling regression
- When `run_regression` is absent (default), the `connector:` parameter is included and regression runs

To add a connector to regression testing, ensure it passes baton-regression verification locally before removing the `run_regression: false` flag.
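Review bot: The Secrets table marks `RELENG_GITHUB_TOKEN` as Required `No`, while the "regression" section says the job requires the token for private repo access, and the two read as contradictory. Change the table cell to something like "Only when `connector` is set" and describe what happens when the token is missing. The description "GitHub token for private module and repo access" would also be more useful if it named the minimum scopes the token needs.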