From 80e7cf69d46b08071e29c7c5a78d2a48f4d52351 Mon Sep 17 00:00:00 2001 From: Steve Gontzes Date: Tue, 3 Mar 2026 15:34:50 -0500 Subject: [PATCH] fix: pass flags before positional arg, fix --source path in regression Three fixes to the regression verify step: 1. Move flags before the positional arg so Go's flag.Parse sees them. Was: `verify mysql --binary ...` (flags silently ignored) Now: `verify --binary ... mysql` 2. Checkout connector to a path matching its name (e.g., baton-mysql) instead of generic `connector`. The --source flag derives the connector config name from the directory basename. 3. Re-add --source with the correct path so code coverage analysis works in CI. Also validates the connector input is alphanumeric (with hyphens and underscores) to prevent path traversal or injection via the checkout path and shell arguments. --- .github/workflows/regression.yaml | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/.github/workflows/regression.yaml b/.github/workflows/regression.yaml index 76d5725..a2724bd 100644 --- a/.github/workflows/regression.yaml +++ b/.github/workflows/regression.yaml @@ -57,6 +57,14 @@ jobs: branch-coverage: ${{ steps.verify.outputs.branch-coverage }} steps: + - name: Validate connector input + run: | + CONNECTOR="${{ inputs.connector }}" + if [[ ! "$CONNECTOR" =~ ^baton-[a-zA-Z0-9_-]+$ ]]; then + echo "::error::Invalid connector name: must match baton- with alphanumeric/hyphens/underscores" + exit 1 + fi + - name: Checkout baton-regression uses: actions/checkout@v4 with: @@ -69,7 +77,7 @@ jobs: with: repository: ${{ inputs.connector-repo || github.repository }} ref: ${{ inputs.connector-ref || github.sha }} - path: connector + path: ${{ inputs.connector }} - name: Set up Go uses: actions/setup-go@v5 
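Review bot: The new `Validate connector input` step (@@ -57,6 +57,14 @@) still expands the input into the script text with `CONNECTOR="${{ inputs.connector }}"`. The expression is substituted before bash starts, so the regex check cannot protect this step itself: shell metacharacters in the value are parsed as script. Pass the value through the environment instead: add `env:` with `CONNECTOR: ${{ inputs.connector }}` to the step, delete the assignment line, and keep the `[[ ! "$CONNECTOR" =~ ... ]]` test unchanged. The same interpolation appears in `CONNECTOR_NAME="${{ inputs.connector }}"` (Build connector) and in the new `ARGS="$ARGS --source ../${{ inputs.connector }}"` line (@@ -115,15 +123,16 @@); those run only after validation, but reading the value from `env:` there too removes the dependence on step order. How exposed this is depends on who can set the input, which this diff does not show.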
@@ -77,7 +85,7 @@ jobs: go-version-file: baton-regression/go.mod cache-dependency-path: | baton-regression/go.sum - connector/go.sum + ${{ inputs.connector }}/go.sum - name: Build baton-regression working-directory: baton-regression @@ -87,7 +95,7 @@ jobs: ./cmd/baton-regression - name: Build connector - working-directory: connector + working-directory: ${{ inputs.connector }} run: | CONNECTOR_NAME="${{ inputs.connector }}" # Handle both "okta" and "baton-okta" formats @@ -115,15 +123,16 @@ jobs: BINARY_NAME="baton-$CONFIG_NAME" ARGS="--binary ./bin/$BINARY_NAME" - ARGS="$ARGS --source ../connector" + ARGS="$ARGS --source ../${{ inputs.connector }}" ARGS="$ARGS --max-probes ${{ inputs.max-probes }}" + ARGS="$ARGS --target-coverage 95" if [ "${{ inputs.verbose }}" = "true" ]; then ARGS="$ARGS -v" fi - echo "Running: ./bin/baton-regression verify $CONFIG_NAME $ARGS" - ./bin/baton-regression verify $CONFIG_NAME $ARGS 2>&1 | tee ./reports/verification.log + echo "Running: ./bin/baton-regression verify $ARGS $CONFIG_NAME" + ./bin/baton-regression verify $ARGS $CONFIG_NAME 2>&1 | tee ./reports/verification.log EXIT_CODE=${PIPESTATUS[0]} # Parse results from log
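Review bot: In the `Build connector` hunk (@@ -87,7 +95,7 @@) the context comment `# Handle both "okta" and "baton-okta" formats` no longer matches what can reach this step. The validation added by this commit rejects any value that does not start with `baton-`, and `working-directory` is now the raw input, so the bare `okta` form fails before the build. Either update the comment to something like `# inputs.connector is always "baton-<name>" here (enforced by "Validate connector input")` and drop any bare-name branch, or relax the regex if callers still pass short names. The script body continues outside the hunk, so whether such a branch exists needs checking there.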
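Review bot: In the verify hunk (@@ -115,15 +123,16 @@) `ARGS` is still a flat string expanded unquoted in `./bin/baton-regression verify $ARGS $CONFIG_NAME`, and `--max-probes ${{ inputs.max-probes }}` interpolates an input that the new validation step does not cover. With the flags now ahead of the positional argument they are actually parsed, so extra words in that value would take effect as additional flags (the input's declared type is outside this diff, so this may already be constrained). Building the arguments as a bash array from `env:` values and expanding `"${ARGS[@]}"` keeps each value a single argument; the script already relies on bash through `PIPESTATUS`. The step header where `env:` belongs is outside the hunk. Separately, `--target-coverage 95` is a behaviour change that the commit description does not mention.

```yaml
        # step-level, next to `run:` (outside this hunk)
        env:
          CONNECTOR: ${{ inputs.connector }}
          MAX_PROBES: ${{ inputs.max-probes }}
          VERBOSE: ${{ inputs.verbose }}
        run: |
          # … unchanged: CONFIG_NAME / BINARY_NAME derivation …
          ARGS=(--binary "./bin/$BINARY_NAME")
          ARGS+=(--source "../$CONNECTOR")
          ARGS+=(--max-probes "$MAX_PROBES")
          ARGS+=(--target-coverage 95)
          if [ "$VERBOSE" = "true" ]; then
            ARGS+=(-v)
          fi

          echo "Running: ./bin/baton-regression verify ${ARGS[*]} $CONFIG_NAME"
          ./bin/baton-regression verify "${ARGS[@]}" "$CONFIG_NAME" 2>&1 | tee ./reports/verification.log
          # … unchanged: EXIT_CODE / log parsing …
```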