Merge pull request #4 from linuxfoundation/build-and-release

Add CI for building and releasing v1-sync-helper with ko

Author: emsearcy

.github/workflows/ko-build-main.yaml

@@ -0,0 +1,37 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+name: Publish Main
+
+"on":
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Publish Main
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version-file: v1-sync-helper/go.mod
+      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d  # v0.9
+        with:
+          version: v0.18.0
+      - working-directory: ./v1-sync-helper
+        run: |
+          ko build github.com/linuxfoundation/lfx-v1-sync-helper \
+            -B \
+            --platform linux/amd64,linux/arm64 \
+            -t ${{ github.sha }} \
+            -t development \
+            --sbom spdx

.github/workflows/ko-build-tag.yaml

@@ -0,0 +1,127 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+name: Publish Tagged Release
+
+"on":
+  push:
+    tags:
+      - v*
+
+env:
+  COSIGN_VERSION: v2.6.1
+  HELM_VERSION: v4.0.1
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Publish Tagged Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      app_version: ${{ steps.prepare.outputs.app_version }}
+      chart_name: ${{ steps.prepare.outputs.chart_name }}
+      chart_version: ${{ steps.prepare.outputs.chart_version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
+      - name: Prepare versions and chart name
+        id: prepare
+        run: |
+          set -euo pipefail
+          APP_VERSION=$(echo ${{ github.ref_name }} | sed 's/v//g')
+          CHART_NAME="$(yq '.name' charts/*/Chart.yaml)"
+          CHART_VERSION="$(yq '.version' charts/*/Chart.yaml)"
+          {
+            echo "app_version=$APP_VERSION"
+            echo "chart_name=$CHART_NAME"
+            echo "chart_version=$CHART_VERSION"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Setup Go
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
+        with:
+          go-version-file: v1-sync-helper/go.mod
+
+      - name: Setup Ko
+        uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d  # v0.9
+        with:
+          version: v0.18.0
+
+      - name: Build and publish container image
+        working-directory: ./v1-sync-helper
+        run: |
+          ko build github.com/linuxfoundation/lfx-v1-sync-helper \
+            -B \
+            --platform linux/amd64,linux/arm64 \
+            -t ${{ github.ref_name }} \
+            -t ${{ steps.prepare.outputs.app_version }} \
+            -t latest \
+            --sbom spdx
+
+  release-helm-chart:
+    needs: publish
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+    outputs:
+      digest: ${{ steps.publish-ghcr.outputs.digest }}
+      image_name: ${{ steps.publish-ghcr.outputs.image_name }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
+
+      - name: Publish Chart to GHCR
+        id: publish-ghcr
+        uses: >-  # main
+          linuxfoundation/lfx-public-workflows/.github/actions/helm-chart-oci-publisher@c465d6571fa0b8be9d551d902955164ea04a00af
+        with:
+          name: ${{ needs.publish.outputs.chart_name }}
+          repository: ${{ github.repository }}/chart
+          chart_version: ${{ needs.publish.outputs.chart_version }}
+          app_version: ${{ needs.publish.outputs.app_version }}
+          helm_version: "${{ env.HELM_VERSION }}"
+          registry: ghcr.io
+          registry_username: ${{ github.actor }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+        with:
+          cosign-release: "${{ env.COSIGN_VERSION }}"
+
+      - name: Login to GitHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign the Helm chart in GHCR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          cosign sign --yes '${{ steps.publish-ghcr.outputs.image_name }}@${{ steps.publish-ghcr.outputs.digest }}'
+
+  create-ghcr-helm-provenance:
+    needs:
+      - release-helm-chart
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: >-  # v2.1.0
+      slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a
+    with:
+      image: ${{ needs.release-helm-chart.outputs.image_name }}
+      digest: ${{ needs.release-helm-chart.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

charts/lfx-v1-sync-helper/Chart.yaml

@@ -3,7 +3,6 @@
 ---
 apiVersion: v2
 name: lfx-v1-sync-helper
-description: LFX Platform V1 Sync Helper chart
+description: LFX Platform v1 Sync Helper chart
 type: application
 version: 0.1.0
-appVersion: "latest"

v1-sync-helper/README.md

@@ -6,7 +6,7 @@ The LFX v1 Sync Helper is a Go microservice that synchronizes v1 data from NATS
 
 ### Key implementation decisions
 
-1. **KV Bucket Watcher**: Instead of consuming NATS messages directly from streaming data sources, this service watches a NATS KV bucket (`v1-objects`) where V1 data is written by replication jobs (e.g. Meltano)
+1. **KV Bucket Watcher**: Instead of consuming NATS messages directly from streaming data sources, this service watches a NATS KV bucket (`v1-objects`) where v1 data is written by replication jobs (e.g. Meltano)
 2. **Direct API Calls**: With the exception of Meetings data, all data is routed into the LFX One platform via the appropriate API services, rather than the v1 Sync Helper writing directly to databases or platform-service queues.
 3. **JWT Authentication**: Reuses Heimdall's signing key to create JWT tokens for secure API authentication, supporting user impersonation while also bypassing LFX One permissions—as Heimdall tokens are not just proof of authentication, but are of *authorization*.
 4. **Mapping Storage**: Maintains v1-to-v2 ID mappings in a dedicated NATS KV bucket to track state and to avoid introducing "legacy ID" fields in LFX One data models.
@@ -107,7 +107,7 @@ indexer service).
 - **Subject**: `{client_id}` (without @clients suffix)
 - **Email**: Not included
 
-**User Impersonation** (when V1 `lastmodifiedbyid` is User Service platform ID):
+**User Impersonation** (when v1 `lastmodifiedbyid` is User Service platform ID):
 - Looks up user via LFX v1 User Service API: `GET /v1/users/{platformID}`
 - **Principal**: `{username}` (from API response)
 - **Subject**: `{username}` (same as principal)
@@ -200,7 +200,7 @@ The service uses structured JSON logging with the following levels:
 - `operation`: KV operation type (PUT, DELETE)
 - `slug`/`sfid`: Object identifiers
 - `project_uid`/`committee_uid`: Generated V2 UUIDs
-- `username`: Extracted from V1 `lastmodifiedbyid`
+- `username`: Extracted from v1 `lastmodifiedbyid`
 
 ## License
 

v1-sync-helper/go.mod

@@ -1,4 +1,6 @@
-module v1-sync-helper
+// Copyright The Linux Foundation and each contributor to LFX.
+// SPDX-License-Identifier: MIT
+module github.com/linuxfoundation/lfx-v1-sync-helper
 
 go 1.25.4
 

v1-sync-helper/handlers.go

@@ -55,7 +55,7 @@ func shouldSkipSync(ctx context.Context, v1Data map[string]any) bool {
 	return false
 }
 
-// extractUserInfo extracts user information from V1 data for API calls and JWT impersonation.
+// extractUserInfo extracts user information from v1 data for API calls and JWT impersonation.
 func extractUserInfo(ctx context.Context, v1Data map[string]any, mappingsKV jetstream.KeyValue) UserInfo {
 	// Extract platform ID from lastmodifiedbyid
 	if lastModifiedBy, ok := v1Data["lastmodifiedbyid"].(string); ok && lastModifiedBy != "" {

v1-sync-helper/handlers_committees.go

@@ -145,7 +145,7 @@ func handleCommitteeUpdate(ctx context.Context, key string, v1Data map[string]an
 		// Update existing committee.
 		logger.With("committee_uid", existingUID, "sfid", sfid).InfoContext(ctx, "updating existing committee")
 
-		// Map V1 data to update payload.
+		// Map v1 data to update payload.
 		var payload *committeeservice.UpdateCommitteeBasePayload
 		payload, err = mapV1DataToCommitteeUpdateBasePayload(ctx, existingUID, v1Data, mappingsKV)
 		if err != nil {
@@ -159,7 +159,7 @@ func handleCommitteeUpdate(ctx context.Context, key string, v1Data map[string]an
 		// Create new committee.
 		logger.With("sfid", sfid).InfoContext(ctx, "creating new committee")
 
-		// Map V1 data to create payload.
+		// Map v1 data to create payload.
 		var payload *committeeservice.CreateCommitteePayload
 		payload, err = mapV1DataToCommitteeCreatePayload(ctx, v1Data, mappingsKV)
 		if err != nil {
@@ -189,7 +189,7 @@ func handleCommitteeUpdate(ctx context.Context, key string, v1Data map[string]an
 	logger.With("committee_uid", uid, "sfid", sfid).InfoContext(ctx, "successfully synced committee")
 }
 
-// mapV1DataToCommitteeCreatePayload converts V1 committee data to a CreateCommitteePayload.
+// mapV1DataToCommitteeCreatePayload converts v1 committee data to a CreateCommitteePayload.
 func mapV1DataToCommitteeCreatePayload(ctx context.Context, v1Data map[string]any, mappingsKV jetstream.KeyValue) (*committeeservice.CreateCommitteePayload, error) {
 	// Extract required fields.
 	name := ""
@@ -263,7 +263,7 @@ func mapV1DataToCommitteeCreatePayload(ctx context.Context, v1Data map[string]an
 	return payload, nil
 }
 
-// mapV1DataToCommitteeUpdateBasePayload converts V1 committee data to an UpdateCommitteeBasePayload.
+// mapV1DataToCommitteeUpdateBasePayload converts v1 committee data to an UpdateCommitteeBasePayload.
 func mapV1DataToCommitteeUpdateBasePayload(ctx context.Context, committeeUID string, v1Data map[string]any, mappingsKV jetstream.KeyValue) (*committeeservice.UpdateCommitteeBasePayload, error) {
 	// Extract required fields.
 	name := ""
@@ -385,7 +385,7 @@ func handleCommitteeMemberUpdate(ctx context.Context, key string, v1Data map[str
 		// Update existing committee member.
 		logger.With("member_uid", existingMemberUID, "sfid", sfid, "committee_uid", committeeUID).InfoContext(ctx, "updating existing committee member")
 
-		// Map V1 data to update payload.
+		// Map v1 data to update payload.
 		var payload *committeeservice.UpdateCommitteeMemberPayload
 		payload, err = mapV1DataToCommitteeMemberUpdatePayload(ctx, committeeUID, existingMemberUID, v1Data, mappingsKV)
 		if err != nil {
@@ -399,7 +399,7 @@ func handleCommitteeMemberUpdate(ctx context.Context, key string, v1Data map[str
 		// Create new committee member.
 		logger.With("sfid", sfid, "committee_uid", committeeUID).InfoContext(ctx, "creating new committee member")
 
-		// Map V1 data to create payload.
+		// Map v1 data to create payload.
 		var payload *committeeservice.CreateCommitteeMemberPayload
 		payload, err = mapV1DataToCommitteeMemberCreatePayload(ctx, committeeUID, v1Data, mappingsKV)
 		if err != nil {
@@ -429,7 +429,7 @@ func handleCommitteeMemberUpdate(ctx context.Context, key string, v1Data map[str
 	logger.With("member_uid", memberUID, "sfid", sfid, "committee_uid", committeeUID).InfoContext(ctx, "successfully synced committee member")
 }
 
-// mapV1DataToCommitteeMemberCreatePayload converts V1 platform-community__c data to a CreateCommitteeMemberPayload.
+// mapV1DataToCommitteeMemberCreatePayload converts v1 platform-community__c data to a CreateCommitteeMemberPayload.
 func mapV1DataToCommitteeMemberCreatePayload(ctx context.Context, committeeUID string, v1Data map[string]any, mappingsKV jetstream.KeyValue) (*committeeservice.CreateCommitteeMemberPayload, error) {
 	// Extract email field (already validated by caller).
 	email := ""
@@ -593,7 +593,7 @@ func mapV1DataToCommitteeMemberCreatePayload(ctx context.Context, committeeUID s
 	return payload, nil
 }
 
-// mapV1DataToCommitteeMemberUpdatePayload converts V1 platform-community__c data to an UpdateCommitteeMemberPayload.
+// mapV1DataToCommitteeMemberUpdatePayload converts v1 platform-community__c data to an UpdateCommitteeMemberPayload.
 func mapV1DataToCommitteeMemberUpdatePayload(ctx context.Context, committeeUID, memberUID string, v1Data map[string]any, mappingsKV jetstream.KeyValue) (*committeeservice.UpdateCommitteeMemberPayload, error) {
 	// Extract email field (already validated by caller).
 	email := ""

v1-sync-helper/handlers_projects.go

@@ -100,15 +100,15 @@ func handleProjectUpdate(ctx context.Context, key string, v1Data map[string]any,
 		// Update existing project.
 		logger.With("project_uid", existingUID, "sfid", sfid, "slug", slug).InfoContext(ctx, "updating existing project")
 
-		// Map V1 data to update payload.
+		// Map v1 data to update payload.
 		var payload *projectservice.UpdateProjectBasePayload
 		payload, err = mapV1DataToProjectUpdateBasePayload(ctx, existingUID, v1Data, mappingsKV)
 		if err != nil {
 			logger.With(errKey, err, "sfid", sfid, "slug", slug).ErrorContext(ctx, "failed to map v1 data to update payload")
 			return
 		}
 
-		// Map V1 data to settings payload.
+		// Map v1 data to settings payload.
 		var settingsPayload *projectservice.UpdateProjectSettingsPayload
 		settingsPayload, err = mapV1DataToProjectUpdateSettingsPayload(ctx, existingUID, v1Data)
 		if err != nil {
@@ -122,7 +122,7 @@ func handleProjectUpdate(ctx context.Context, key string, v1Data map[string]any,
 		// Create new project.
 		logger.With("sfid", sfid, "slug", slug).InfoContext(ctx, "creating new project")
 
-		// Map V1 data to create payload.
+		// Map v1 data to create payload.
 		var payload *projectservice.CreateProjectPayload
 		payload, err = mapV1DataToProjectCreatePayload(ctx, v1Data, mappingsKV)
 		if err != nil {
@@ -152,7 +152,7 @@ func handleProjectUpdate(ctx context.Context, key string, v1Data map[string]any,
 	logger.With("project_uid", uid, "sfid", sfid, "slug", slug).InfoContext(ctx, "successfully synced project")
 }
 
-// mapV1DataToProjectCreatePayload converts V1 project data to a CreateProjectPayload.
+// mapV1DataToProjectCreatePayload converts v1 project data to a CreateProjectPayload.
 func mapV1DataToProjectCreatePayload(ctx context.Context, v1Data map[string]any, mappingsKV jetstream.KeyValue) (*projectservice.CreateProjectPayload, error) {
 	// Extract required fields.
 	name, nameOK := v1Data["name"].(string)
@@ -285,7 +285,7 @@ func mapV1DataToProjectCreatePayload(ctx context.Context, v1Data map[string]any,
 	var checkPublicParentUID string
 
 	if parentProjectID != "" {
-		// Project has a parent in V1, look up the parent's V2 UID from SFID mappings.
+		// Project has a parent in v1, look up the parent's V2 UID from SFID mappings.
 		parentMappingKey := fmt.Sprintf("project.sfid.%s", parentProjectID)
 		if entry, err := mappingsKV.Get(ctx, parentMappingKey); err == nil {
 			payload.ParentUID = string(entry.Value())
@@ -300,7 +300,7 @@ func mapV1DataToProjectCreatePayload(ctx context.Context, v1Data map[string]any,
 			return nil, fmt.Errorf("could not find project parent UID in mappings for SFID %s", parentProjectID)
 		}
 	} else {
-		// Project has no parent in V1, so it should be a child of ROOT in V2.
+		// Project has no parent in v1, so it should be a child of ROOT in V2.
 		rootUID, err := getRootProjectUID(ctx)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get ROOT project UID: %w", err)
@@ -324,7 +324,7 @@ func mapV1DataToProjectCreatePayload(ctx context.Context, v1Data map[string]any,
 	return payload, nil
 }
 
-// mapV1DataToProjectUpdateBasePayload converts V1 project data to an UpdateProjectBasePayload.
+// mapV1DataToProjectUpdateBasePayload converts v1 project data to an UpdateProjectBasePayload.
 func mapV1DataToProjectUpdateBasePayload(ctx context.Context, projectUID string, v1Data map[string]any, mappingsKV jetstream.KeyValue) (*projectservice.UpdateProjectBasePayload, error) {
 	// Extract required fields.
 	name, nameOK := v1Data["name"].(string)
@@ -447,7 +447,7 @@ func mapV1DataToProjectUpdateBasePayload(ctx context.Context, projectUID string,
 	var checkPublicParentUID string
 
 	if parentProjectID != "" {
-		// Project has a parent in V1, look up the parent's V2 UID from SFID mappings.
+		// Project has a parent in v1, look up the parent's V2 UID from SFID mappings.
 		parentMappingKey := fmt.Sprintf("project.sfid.%s", parentProjectID)
 		if entry, err := mappingsKV.Get(ctx, parentMappingKey); err == nil {
 			payload.ParentUID = string(entry.Value())
@@ -462,7 +462,7 @@ func mapV1DataToProjectUpdateBasePayload(ctx context.Context, projectUID string,
 			return nil, fmt.Errorf("could not find project parent UID in mappings for SFID %s", parentProjectID)
 		}
 	} else {
-		// Project has no parent in V1, so it should be a child of ROOT in V2.
+		// Project has no parent in v1, so it should be a child of ROOT in V2.
 		rootUID, err := getRootProjectUID(ctx)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get ROOT project UID: %w", err)
@@ -486,7 +486,7 @@ func mapV1DataToProjectUpdateBasePayload(ctx context.Context, projectUID string,
 	return payload, nil
 }
 
-// mapV1DataToProjectUpdateSettingsPayload converts V1 project data to an UpdateProjectSettingsPayload.
+// mapV1DataToProjectUpdateSettingsPayload converts v1 project data to an UpdateProjectSettingsPayload.
 func mapV1DataToProjectUpdateSettingsPayload(_ context.Context, projectUID string, v1Data map[string]any) (*projectservice.UpdateProjectSettingsPayload, error) {
 	payload := &projectservice.UpdateProjectSettingsPayload{
 		UID: &projectUID,

v1-sync-helper/lfx_v2_client.go

@@ -289,8 +289,8 @@ func generateCachedJWTToken(audience string, userInfo UserInfo) (string, error)
 //  2. Fallback Client: If no user info is provided, uses v1_sync_helper client credentials
 //     with principal="v1_sync_helper@clients" and sub="v1_sync_helper"
 //
-// The impersonation approach allows V1 sync operations to be attributed to the actual
-// user who made the changes in V1, rather than a generic service account.
+// The impersonation approach allows v1 sync operations to be attributed to the actual
+// user who made the changes in v1, rather than a generic service account.
 func generateJWTToken(audience string, userInfo UserInfo) (string, error) {
 	now := time.Now()