feat: add record-release Go command, replace inline bash

Move the manifest-to-API transformation logic from 86 lines of inline
bash/jq into a type-safe Go command. Uses protojson to parse the merged
manifest (same pattern as merge-manifests), transforms asset and image
fields, reads optional docs/connector.mdx, and POSTs to the registry API.

Handles 200 (success) and 409 (already exists) as non-error responses
for dual-write migration compatibility.

Author: gontzess

.github/workflows/release.yaml

@@ -1216,88 +1216,23 @@ jobs:
         if: steps.registry-oidc.outcome == 'success'
         continue-on-error: true
         env:
-          REGISTRY_URL: ${{ vars.REGISTRY_API_URL }}
-          MANIFEST_FILE: _workflows/_output/manifest.json
+          REGISTRY_API_TOKEN: ${{ steps.registry-oidc.outputs.token }}
         run: |
-          set -euo pipefail
-
-          # Read documentation content if available
-          DOCS=""
+          DOCS_FLAG=""
           if [ "${{ steps.read-docs.outputs.has_docs }}" = "true" ]; then
-            DOCS=$(cat _connector/docs/connector.mdx)
+            DOCS_FLAG="-docs _connector/docs/connector.mdx"
           fi
 
-          # Transform merged manifest assets: href->downloadUrl, signatureHref->signatureUrl, etc.
-          ASSETS=$(jq '(.assets // {}) | to_entries | map({
-            key: .key,
-            value: {
-              platform: .key,
-              filename: .value.filename,
-              mediaType: .value.mediaType,
-              sizeBytes: .value.sizeBytes,
-              sha256: .value.sha256,
-              downloadUrl: .value.href,
-              signatureUrl: .value.signatureHref,
-              certificateUrl: .value.certificateHref,
-              sbomUrl: .value.sbomHref
-            }
-          }) | from_entries' "$MANIFEST_FILE")
-
-          # Transform merged manifest images: map key becomes platform
-          IMAGES=$(jq '(.images // {}) | to_entries | map({
-            key: .key,
-            value: {
-              ref: .value.ref,
-              digest: .value.digest,
-              platform: .key
-            }
-          }) | from_entries' "$MANIFEST_FILE")
-
-          # Manifest-level signature URLs (from cosign sign-blob of manifest.json)
-          SIG_URL=$(jq -r '.signatureHref // ""' "$MANIFEST_FILE")
-          CERT_URL=$(jq -r '.certificateHref // ""' "$MANIFEST_FILE")
-
-          BODY=$(jq -n \
-            --arg org "${{ github.event.repository.owner.login }}" \
-            --arg name "${{ github.event.repository.name }}" \
-            --arg version "${{ inputs.tag }}" \
-            --arg repositoryUrl "https://github.com/${{ github.repository }}" \
-            --arg commitSha "${{ github.sha }}" \
-            --arg workflowRunId "${{ github.run_id }}" \
-            --arg documentation "$DOCS" \
-            --arg signatureUrl "$SIG_URL" \
-            --arg certificateUrl "$CERT_URL" \
-            --argjson assets "$ASSETS" \
-            --argjson images "$IMAGES" \
-            '{
-              org: $org,
-              name: $name,
-              version: $version,
-              repositoryUrl: $repositoryUrl,
-              commitSha: $commitSha,
-              workflowRunId: $workflowRunId,
-              documentation: $documentation,
-              signatureUrl: $signatureUrl,
-              certificateUrl: $certificateUrl,
-              assets: $assets,
-              images: $images
-            }')
-
-          HTTP_CODE=$(curl -s -o /tmp/registry-response.json -w "%{http_code}" \
-            -X POST "${REGISTRY_URL}/api/v1/ingest/release" \
-            -H "Authorization: Bearer ${{ steps.registry-oidc.outputs.token }}" \
-            -H "Content-Type: application/json" \
-            -d "$BODY")
-
-          if [ "$HTTP_CODE" = "200" ]; then
-            echo "Registry API record: success (HTTP 200)"
-          elif [ "$HTTP_CODE" = "409" ]; then
-            echo "Registry API record: already exists (HTTP 409) -- expected during dual-write migration"
-          else
-            echo "::error::Registry API record failed: HTTP $HTTP_CODE"
-            cat /tmp/registry-response.json
-            exit 1
-          fi
+          go run ./_workflows/cmd/record-release \
+            -manifest _workflows/_output/manifest.json \
+            -org "${{ github.event.repository.owner.login }}" \
+            -name "${{ github.event.repository.name }}" \
+            -version "${{ inputs.tag }}" \
+            -repository-url "https://github.com/${{ github.repository }}" \
+            -commit-sha "${{ github.sha }}" \
+            -workflow-run-id "${{ github.run_id }}" \
+            -registry-url "${{ vars.REGISTRY_API_URL }}" \
+            $DOCS_FLAG
 
   record-lambda-registry:
     if: inputs.lambda == true

cmd/record-release/main.go

@@ -0,0 +1,244 @@
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"google.golang.org/protobuf/encoding/protojson"
+
+	pb "github.com/ConductorOne/github-workflows/pb/artifacts/v1"
+)
+
+// RecordReleaseRequest is the JSON body sent to the registry API.
+type RecordReleaseRequest struct {
+	Org            string                   `json:"org"`
+	Name           string                   `json:"name"`
+	Version        string                   `json:"version"`
+	RepositoryURL  string                   `json:"repositoryUrl"`
+	CommitSha      string                   `json:"commitSha"`
+	WorkflowRunID  string                   `json:"workflowRunId"`
+	Documentation  string                   `json:"documentation,omitempty"`
+	SignatureURL   string                   `json:"signatureUrl,omitempty"`
+	CertificateURL string                   `json:"certificateUrl,omitempty"`
+	Assets         map[string]*ReleaseAsset `json:"assets,omitempty"`
+	Images         map[string]*ReleaseImage `json:"images,omitempty"`
+}
+
+// ReleaseAsset is the transformed asset for the registry API.
+type ReleaseAsset struct {
+	Platform       string `json:"platform"`
+	Filename       string `json:"filename"`
+	MediaType      string `json:"mediaType"`
+	SizeBytes      int64  `json:"sizeBytes"`
+	Sha256         string `json:"sha256"`
+	DownloadURL    string `json:"downloadUrl"`
+	SignatureURL   string `json:"signatureUrl,omitempty"`
+	CertificateURL string `json:"certificateUrl,omitempty"`
+	SbomURL        string `json:"sbomUrl,omitempty"`
+}
+
+// ReleaseImage is the transformed image for the registry API.
+type ReleaseImage struct {
+	Ref      string `json:"ref"`
+	Digest   string `json:"digest"`
+	Platform string `json:"platform"`
+}
+
+func main() {
+	var (
+		manifestPath  string
+		docsPath      string
+		org           string
+		name          string
+		version       string
+		repositoryURL string
+		commitSha     string
+		workflowRunID string
+		registryURL   string
+		token         string
+	)
+
+	flag.StringVar(&manifestPath, "manifest", "", "Path to merged manifest.json file (required)")
+	flag.StringVar(&docsPath, "docs", "", "Path to docs/connector.mdx file (optional)")
+	flag.StringVar(&org, "org", "", "GitHub organization (required)")
+	flag.StringVar(&name, "name", "", "Repository/connector name (required)")
+	flag.StringVar(&version, "version", "", "Release version tag (required)")
+	flag.StringVar(&repositoryURL, "repository-url", "", "Full repository URL (required)")
+	flag.StringVar(&commitSha, "commit-sha", "", "Git commit SHA (required)")
+	flag.StringVar(&workflowRunID, "workflow-run-id", "", "GitHub Actions workflow run ID (required)")
+	flag.StringVar(&registryURL, "registry-url", "", "Registry API base URL (required)")
+	flag.StringVar(&token, "token", "", "Bearer token (or set REGISTRY_API_TOKEN env var)")
+	flag.Parse()
+
+	// Validate required flags
+	var missing []string
+	if manifestPath == "" {
+		missing = append(missing, "-manifest")
+	}
+	if org == "" {
+		missing = append(missing, "-org")
+	}
+	if name == "" {
+		missing = append(missing, "-name")
+	}
+	if version == "" {
+		missing = append(missing, "-version")
+	}
+	if repositoryURL == "" {
+		missing = append(missing, "-repository-url")
+	}
+	if commitSha == "" {
+		missing = append(missing, "-commit-sha")
+	}
+	if workflowRunID == "" {
+		missing = append(missing, "-workflow-run-id")
+	}
+	if registryURL == "" {
+		missing = append(missing, "-registry-url")
+	}
+	if len(missing) > 0 {
+		fmt.Fprintf(os.Stderr, "record-release: error: missing required flags: %s\n", strings.Join(missing, ", "))
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	// Resolve token: flag > env var
+	if token == "" {
+		token = os.Getenv("REGISTRY_API_TOKEN")
+	}
+	if token == "" {
+		fmt.Fprintf(os.Stderr, "record-release: error: bearer token required (use -token flag or REGISTRY_API_TOKEN env var)\n")
+		os.Exit(1)
+	}
+
+	// Read and parse manifest using protojson (same pattern as merge-manifests)
+	manifestBytes, err := os.ReadFile(manifestPath)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "record-release: error: reading manifest: %v\n", err)
+		os.Exit(1)
+	}
+
+	manifest := &pb.Manifest{}
+	unmarshalOpts := protojson.UnmarshalOptions{
+		DiscardUnknown: true,
+	}
+	if err := unmarshalOpts.Unmarshal(manifestBytes, manifest); err != nil {
+		fmt.Fprintf(os.Stderr, "record-release: error: parsing manifest: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Read optional documentation
+	var documentation string
+	if docsPath != "" {
+		docsBytes, err := os.ReadFile(docsPath)
+		if err != nil {
+			// Not fatal -- docs are optional
+			fmt.Fprintf(os.Stderr, "record-release: warning: could not read docs file: %v\n", err)
+		} else {
+			documentation = string(docsBytes)
+		}
+	}
+
+	// Transform manifest assets: href->downloadUrl, signatureHref->signatureUrl, etc.
+	assets := make(map[string]*ReleaseAsset)
+	for platform, asset := range manifest.GetAssets() {
+		assets[platform] = &ReleaseAsset{
+			Platform:       platform,
+			Filename:       asset.GetFilename(),
+			MediaType:      asset.GetMediaType(),
+			SizeBytes:      asset.GetSizeBytes(),
+			Sha256:         asset.GetSha256(),
+			DownloadURL:    asset.GetHref(),
+			SignatureURL:   asset.GetSignatureHref(),
+			CertificateURL: asset.GetCertificateHref(),
+			SbomURL:        asset.GetSbomHref(),
+		}
+	}
+
+	// Transform manifest images: extract ref, digest, add platform from map key
+	images := make(map[string]*ReleaseImage)
+	for platform, image := range manifest.GetImages() {
+		images[platform] = &ReleaseImage{
+			Ref:      image.GetRef(),
+			Digest:   image.GetDigest(),
+			Platform: platform,
+		}
+	}
+
+	// Build request body
+	req := &RecordReleaseRequest{
+		Org:            org,
+		Name:           name,
+		Version:        version,
+		RepositoryURL:  repositoryURL,
+		CommitSha:      commitSha,
+		WorkflowRunID:  workflowRunID,
+		Documentation:  documentation,
+		SignatureURL:   manifest.GetSignatureHref(),
+		CertificateURL: manifest.GetCertificateHref(),
+		Assets:         assets,
+		Images:         images,
+	}
+
+	bodyBytes, err := json.Marshal(req)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "record-release: error: marshaling request body: %v\n", err)
+		os.Exit(1)
+	}
+
+	// POST to registry API
+	endpoint := strings.TrimRight(registryURL, "/") + "/api/v1/ingest/release"
+	httpReq, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(bodyBytes))
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "record-release: error: creating HTTP request: %v\n", err)
+		os.Exit(1)
+	}
+	httpReq.Header.Set("Authorization", "Bearer "+token)
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	client := &http.Client{
+		Timeout: 30 * time.Second,
+	}
+	resp, err := client.Do(httpReq)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "record-release: error: HTTP request failed: %v\n", err)
+		os.Exit(1)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "record-release: error: reading response body: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Handle response codes
+	switch resp.StatusCode {
+	case http.StatusOK:
+		result, _ := json.Marshal(map[string]interface{}{
+			"status":  "success",
+			"code":    200,
+			"version": version,
+		})
+		fmt.Println(string(result))
+	case http.StatusConflict:
+		// 409 = already exists, not an error (expected during dual-write migration)
+		result, _ := json.Marshal(map[string]interface{}{
+			"status":  "already_exists",
+			"code":    409,
+			"version": version,
+		})
+		fmt.Println(string(result))
+	default:
+		fmt.Fprintf(os.Stderr, "::error::Registry API record failed: HTTP %d\n", resp.StatusCode)
+		fmt.Fprintf(os.Stderr, "%s\n", string(respBody))
+		os.Exit(1)
+	}
+}