This repository contains shared GitHub workflows for ConductorOne connector repositories.
The release workflow handles the release process for connector repos, including:
- Rendering the latest goreleaser and gon configuration files from template
- Building binaries for multiple platforms
- Creating GitHub releases
- Building and pushing Docker images
- Building and pushing ECR images
- Recording releases in the release tracking system
To use the release workflow in your connector repository:
- Create a
.github/workflows/release.yamlfile with the following content:
name: Release
on:
push:
tags:
- "*"
jobs:
release:
uses: ConductorOne/github-workflows/.github/workflows/release.yaml@v3
with:
tag: ${{ github.ref_name }}
# defaults to true
# lambda: false
secrets:
RELENG_GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
APPLE_SIGNING_KEY_P12: ${{ secrets.APPLE_SIGNING_KEY_P12 }}
APPLE_SIGNING_KEY_P12_PASSWORD: ${{ secrets.APPLE_SIGNING_KEY_P12_PASSWORD }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
AC_PROVIDER: ${{ secrets.AC_PROVIDER }}
DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}-
Ensure your repository has the following secrets configured:
RELENG_GITHUB_TOKEN: A GitHub token with permissions to create releasesAPPLE_SIGNING_KEY_P12: Base64-encoded Apple signing keyAPPLE_SIGNING_KEY_P12_PASSWORD: Password for the Apple signing keyAC_PASSWORD: Apple Connect passwordAC_PROVIDER: Apple Connect providerDATADOG_API_KEY: Datadog API key for monitoring releases
-
Remove all GoReleaser and gon files from your repository, if they were previously created there.
The release workflow accepts the following input parameters:
| Parameter | Required | Description |
|---|---|---|
tag |
Yes | The release tag (e.g., "v1.0.0") |
The get-baton action downloads the latest version of Baton and installs it to /usr/local/bin/baton.
- name: Install baton
uses: ConductorOne/github-workflows/actions/get-baton@v3You can then use the baton command in your workflow.
The sync-test action tests syncing, granting, and revoking for a baton connector.
- name: Test Connector Sync
uses: ConductorOne/github-workflows/actions/sync-test@v3
with:
connector: "./my-connector"
baton-entitlement: "admin-role"
baton-principal: "user123"
baton-principal-type: "user"The account-provisioning action tests account provisioning and deprovisioning for a baton connector that supports these capabilities.
- name: Test Account Provisioning
uses: ConductorOne/github-workflows/actions/account-provisioning@v3
with:
connector: "./my-connector"
account-email: "[email protected]"
account-login: "testuser" # optional
account-display-name: "Test User" # optional
account-profile: '{"first_name": "Test", "last_name": "User", "username": "testuser", "email": "[email protected]"}' # optional
account-type: "user" # optional, defaults to 'user'
search-method: "email" # optional, defaults to 'email'To modify these workflows:
- Make your changes in this repository
- Test the changes in a connector repository pointing at your branch
- Create a pull request for review
- Once approved, merge to main
- Tag the release:
git tag v3.0.1 - Push the tag:
git push origin v3.0.1 - Update the major version tag
git tag -f v3 v3.0.1 - Push the major version tag
git push origin v3 --force
The workflows are versioned using Git tags. When testing a new version of the workflows in your repository, you can specify a specific version:
uses: ConductorOne/github-workflows/.github/workflows/release.yaml@my-branchGithub does not resolve semantic versioning - tags must match exactly. The major version must float.