Upgrade baton-sdk. #128

Merged: ggreer merged 1 commit into main from ggreer/upgrade-baton-sdk, Sep 19, 2025

@ggreer ggreer commented Sep 19, 2025

Use github workflow for releases. Fix linter. Fix lint errors.

Summary by CodeRabbit

  • Chores

    • Raised minimum Go version to 1.25; removed legacy toolchain directive.
    • Updated dependencies, including baton-sdk to v0.4.1 and compression library, improving performance, security, and compatibility.
    • Aligned account creation flow with the latest SDK expectations.
  • Tests

    • Added LDAP DN parsing tests to increase coverage and confidence.
    • Cleaned up redundant imports in existing tests.

coderabbitai bot commented Sep 19, 2025

Walkthrough

Raised Go version to 1.25 and removed toolchain directive. Updated dependencies, including baton-sdk to v0.4.1. Added a new LDAP DN parsing test. Removed a redundant blank import in a test. Changed CreateAccount to accept v2.LocalCredentialOptions and added an interface conformance check.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Go module and dependencies: go.mod | Set go 1.25; removed toolchain go1.24.1; updated github.com/conductorone/baton-sdk to v0.4.1; bumped indirect github.com/klauspost/compress to v1.18.0. |
| Tests: pkg/connector/connector_test.go, pkg/connector/helpers_test.go | Removed redundant blank import of embed in connector_test.go. Added helpers_test.go with TestParseDN validating LDAP DN parsing using go-ldap/ldap/v3. |
| User resource type: pkg/connector/user.go | Added compile-time check: var _ builder.AccountManager = &userResourceType{}. Updated CreateAccount signature to use *v2.LocalCredentialOptions instead of *v2.CredentialOptions; body unchanged. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I thump my paw—new Go to run,
Dependencies groomed, the build is fun.
A DN parsed, neat as a bun,
Accounts now local—change well spun.
In fields of code, I hop and grin,
For tidy tests and types that win. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "Upgrade baton-sdk." succinctly and accurately describes the primary change in this PR (updating the baton-sdk dependency) and is clear and concise enough for a teammate scanning the history to understand the main intent. |

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
pkg/connector/user.go (2)

157-164: containsBinaryData wrongly treats non‑ASCII UTF‑8 as binary (i18n bug).
Accented names and non‑Latin scripts will be dropped from profiles/logins.

Replace with UTF‑8 validity + control‑char check:

 func containsBinaryData(value string) bool {
-	for _, c := range value {
-		if c < 32 || c > 126 {
-			return true
-		}
-	}
-	return false
+	if !utf8.ValidString(value) {
+		return true
+	}
+	for _, r := range value {
+		if r < 0x20 && r != '\n' && r != '\r' && r != '\t' {
+			return true
+		}
+	}
+	return false
 }
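
Review bot: The control-character test `if r < 0x20 && r != '\n' && r != '\r' && r != '\t'` stops at 0x20, so DEL (0x7f) and the C1 range (0x80 to 0x9f), which the removed `c > 126` branch rejected, now pass as text, and newline, carriage return and tab are accepted as well. If these values reach logins, display names or log lines, consider `unicode.IsControl(r)` as the rejection test and decide explicitly whether CR/LF belong in single-line attributes. A short test with an accented name, a NUL byte, an invalid UTF-8 sequence and an embedded newline would pin the intended behaviour.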

Add import (outside this hunk):

import "unicode/utf8"

Specifically:

import (
  ...
+ "unicode/utf8"
)

396-397: Avoid logging PII and raw AddRequest payloads.
Current error logs can leak names, emails, and potentially passwords.

Apply:

-		l.Error("baton-ldap: create-account failed to extract profile", zap.Error(err), zap.Any("accountInfo", accountInfo))
+		l.Error("baton-ldap: create-account failed to extract profile", zap.Error(err))
@@
-		l.Error("baton-ldap: create-account failed to create account", zap.Error(err), zap.Any("userParams", user))
+		l.Error("baton-ldap: create-account failed to create account", zap.Error(err), zap.String("dn", dn))
@@
-		l.Error("baton-ldap: create-account failed to get account", zap.Error(err), zap.Any("accountInfo", accountInfo))
+		l.Error("baton-ldap: create-account failed to get account", zap.Error(err), zap.String("dn", dn))
@@
-		l.Error("baton-ldap: create-account failed to create resource", zap.Error(err), zap.Any("accountInfo", accountInfo))
+		l.Error("baton-ldap: create-account failed to create resource", zap.Error(err), zap.String("dn", dn))
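
Review bot: The three replacement lines that add `zap.String("dn", dn)` assume a `dn` variable is in scope at each call site, which these lines do not show, and the first replacement (extract profile) keeps no identifier at all, so that failure cannot be tied to a request. Confirm `dn` is assigned before the create, get and create-resource error paths. A DN normally embeds the cn or uid, so it is still personal data in the log; if that matters for the deployment, log a non-identifying request key instead.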

Also applies to: 406-408, 413-414, 419-420

go.mod (1)

16-17: Replace golang.org/x/exp/slices with the standard library "slices" and run go mod tidy -compat=1.25.

  • Update import "golang.org/x/exp/slices" → "slices" in: pkg/connector/helpers.go, pkg/connector/user.go, pkg/connector/group.go.
🧹 Nitpick comments (5)
pkg/connector/helpers_test.go (1)

10-22: Make the test table‑driven and add invalid cases.
Improves coverage (escaping, multi‑valued RDNs, invalid DNs) and readability. Also safe to run in parallel.

Apply:

 func TestParseDN(t *testing.T) {
-	dn, err := ldap.ParseDN("cn=test,ou=test,dc=example,dc=com")
-	require.NoError(t, err)
-	require.Equal(t, "cn=test,ou=test,dc=example,dc=com", dn.String())
-
-	dn, err = ldap.ParseDN("dc=example,dc=com")
-	require.NoError(t, err)
-	require.Equal(t, "dc=example,dc=com", dn.String())
-
-	dn, err = ldap.ParseDN("ou=example")
-	require.NoError(t, err)
-	require.Equal(t, "ou=example", dn.String())
+	t.Parallel()
+	cases := []struct {
+		name string
+		in   string
+		ok   bool
+	}{
+		{"full", "cn=test,ou=test,dc=example,dc=com", true},
+		{"dcOnly", "dc=example,dc=com", true},
+		{"ouOnly", "ou=example", true},
+		{"escaped", `cn=a\,b,dc=example,dc=com`, true},
+		{"invalid", "cn==bad,dc=example,dc=com", false},
+	}
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			dn, err := ldap.ParseDN(tc.in)
+			if !tc.ok {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.Equal(t, tc.in, dn.String())
+		})
+	}
 }
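
Review bot: The table has no multi-valued RDN case even though the comment above lists one, and `tc := tc` is unneeded under the module's go 1.25 directive, since loop variables are per-iteration from Go 1.22 on. Two expectations also rest on go-ldap behaviour not shown here: that `dn.String()` returns the escaped input `cn=a\,b,dc=example,dc=com` byte for byte, and that `cn==bad,dc=example,dc=com` is rejected by `ldap.ParseDN` rather than parsed with the value `=bad`. Run both before adopting the table, and add a `+` case with its expected string.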
pkg/connector/user.go (4)

19-19: Prefer stdlib slices over x/exp.
Reduces deps; Go 1.25 provides slices.Contains/Sort.

Apply:

-	"golang.org/x/exp/slices"
+	"slices"

135-136: Deterministic alias order (optional).
Helps stable outputs/tests.

Apply:

-	return login, aliases.ToSlice()
+	als := aliases.ToSlice()
+	slices.Sort(als)
+	return login, als

101-108: Handle nsAccountLock parse errors.
Currently ignores errors and may misclassify status.

Apply:

-	} else if nsAccountLockFlag != "" {
-		locked, _ := strconv.ParseBool(nsAccountLockFlag)
+	} else if nsAccountLockFlag != "" {
+		locked, err := strconv.ParseBool(nsAccountLockFlag)
+		if err != nil {
+			return userStatus, fmt.Errorf("invalid nsAccountLock value %q: %w", nsAccountLockFlag, err)
+		}
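
Review bot: Returning an error from the `strconv.ParseBool` failure path turns one malformed `nsAccountLock` value into a failure for the whole caller, and the hunk ends before showing how `locked` is used or whether `fmt` is imported. `strconv.ParseBool` accepts only 1, t, T, TRUE, true, True and the matching false forms, so decide whether an unrecognised value should abort or be logged and mapped to an unspecified status, and state that choice in a comment next to the check.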

240-244: Comment contradicts code.
You try AD first (lastLogonTimestamp), then OpenLDAP (authTimestamp).

Apply:

-	// Try openldap format first, then fall back to Active Directory's format
+	// Try Active Directory format first, then fall back to OpenLDAP's format
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 579f401 and 95ad382.

⛔ Files ignored due to path filters (105)
📒 Files selected for processing (4)
  • go.mod (2 hunks)
  • pkg/connector/connector_test.go (0 hunks)
  • pkg/connector/helpers_test.go (1 hunks)
  • pkg/connector/user.go (2 hunks)
💤 Files with no reviewable changes (1)
  • pkg/connector/connector_test.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Cursor Bugbot
  • GitHub Check: test
🔇 Additional comments (5)
pkg/connector/helpers_test.go (1)

10-22: Sanity test looks good.
Covers common DN shapes and asserts round‑trip via String().

go.mod (2)

6-6: baton-sdk upgrade acknowledged.
Matches CreateAccount signature change in pkg/connector/user.go.


3-3: Ensure CI uses Go 1.25

go.mod contains "go 1.25", but I couldn't find any CI config in the repo (.github/workflows missing; no .circleci, .gitlab-ci.yml, azure-pipelines.yml, .go-version, or Dockerfiles). Confirm your CI (or external pipeline) is pinned to Go 1.25 (e.g., actions/setup-go@v4 with go-version: "1.25" or use golang:1.25 images) or add a toolchain directive in your CI to avoid toolchain drift.

pkg/connector/user.go (2)

58-59: Interface conformance check is good.
Early compile‑time breakage for AccountManager.


381-382: Signature updated to LocalCredentialOptions: LGTM.
Matches v0.4.1 API and capability details (NO_PASSWORD).
Ran rg -nP --type go '\bCredentialOptions\b' in the sandbox — no matches found; run the same command locally to confirm there are no lingering references.

@ggreer ggreer merged commit 4f46249 into main Sep 19, 2025
5 checks passed
@ggreer ggreer deleted the ggreer/upgrade-baton-sdk branch September 19, 2025 07:05