support an optional custom dockerfile input (#41)

adds new `dockerfile_template` and `docker_extra_files` inputs for the
shared release workflow. allows connectors like `baton-sap-grc` to use
custom Dockerfiles (e.g., Java-based) for building container images
pushed to the public ECR registry

Author: gontzess

.cursorrules

@@ -33,6 +33,6 @@ Before modifying this repository, read:
 These require extra care when modifying:
 
 - Sigstore/cosign signing steps
-- Provenance predicate generation (`templates/.slsa-provenance-predicate-template.json`)
+- Provenance predicate generation (`templates/.slsa-provenance-predicate-template.json.tmpl`)
 - Attestation bundle creation and upload
 - OIDC credential configuration

.github/workflows/release.yaml

@@ -27,6 +27,16 @@ on:
         type: boolean
         default: true
         description: "Whether to release with Docker image support."
+      dockerfile_template:
+        required: false
+        type: string
+        default: ""
+        description: "Path to a custom Dockerfile template in the caller repo (relative to repo root). Only valid when lambda is false. Supports ${REPO_NAME} substitution."
+      docker_extra_files:
+        required: false
+        type: string
+        default: ""
+        description: "Comma-separated list of extra files/directories from the caller repo to include in the Docker build context (e.g., 'java,config'). Only valid when dockerfile_template is set."
     secrets:
       RELENG_GITHUB_TOKEN:
         required: true
@@ -47,7 +57,35 @@ env:
   GENERATED_DIR: "_generated"
 
 jobs:
+  validate-inputs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate tag format
+        run: |
+          TAG="${{ inputs.tag }}"
+          # Strict semver regex with 'v' prefix (per https://semver.org)
+          # Supports: v1.2.3, v1.2.3-alpha, v1.2.3-alpha.1, v1.2.3+build, v1.2.3-rc.1+build.123
+          SEMVER_REGEX='^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(\+([0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*))?$'
+          if [[ ! "$TAG" =~ $SEMVER_REGEX ]]; then
+            echo "::error::Tag must be valid semver starting with 'v' (e.g., v1.2.3, v1.0.0-rc.1). Got: $TAG"
+            exit 1
+          fi
+          echo "✅ Tag format valid: $TAG"
+
+      - name: Validate dockerfile_template requires lambda=false
+        if: inputs.dockerfile_template != '' && inputs.lambda == true
+        run: |
+          echo "::error::dockerfile_template can only be used when lambda is false"
+          exit 1
+
+      - name: Validate docker_extra_files requires dockerfile_template
+        if: inputs.docker_extra_files != '' && inputs.dockerfile_template == ''
+        run: |
+          echo "::error::docker_extra_files can only be used when dockerfile_template is set"
+          exit 1
+
   determine-workflows-ref:
+    needs: validate-inputs
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -116,8 +154,8 @@ jobs:
 
           envsubst < .gon-amd64-template.json | tee "${GENERATED_DIR}/.gon-amd64.json"
           envsubst < .gon-arm64-template.json | tee "${GENERATED_DIR}/.gon-arm64.json"
-          envsubst < templates/.goreleaser-binaries-template.yaml | tee "${GENERATED_DIR}/.goreleaser.binaries.yaml"
-          envsubst < templates/.slsa-provenance-predicate-template.json | tee "${GENERATED_DIR}/predicate.json"
+          envsubst < templates/.goreleaser-binaries-template.yaml.tmpl | tee "${GENERATED_DIR}/.goreleaser.binaries.yaml"
+          envsubst < templates/.slsa-provenance-predicate-template.json.tmpl | tee "${GENERATED_DIR}/predicate.json"
 
       - name: Set up Gon
         run: brew tap conductorone/gon && brew install conductorone/gon/gon
@@ -345,13 +383,52 @@ jobs:
           # For provenance predicate template
           WORKFLOWS_REF: ${{ needs.determine-workflows-ref.outputs.ref }}
           RELEASE_TAG: ${{ inputs.tag }}
+          # Custom Dockerfile template from caller repo (if provided)
+          CUSTOM_DOCKERFILE_TEMPLATE: ${{ inputs.dockerfile_template }}
+          # Extra files to include in Docker build context (comma-separated)
+          DOCKER_EXTRA_FILES: ${{ inputs.docker_extra_files }}
         run: |
           mkdir -p "${GENERATED_DIR}"
           export BUILD_STARTED_ON=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
 
-          envsubst '$REPO_NAME' < templates/.Dockerfile-template | tee "${GENERATED_DIR}/Dockerfile"
-          envsubst < templates/.goreleaser-docker-oci-template.yaml | tee "${GENERATED_DIR}/.goreleaser.docker.yaml"
-          envsubst < templates/.slsa-provenance-predicate-template.json | tee "${GENERATED_DIR}/predicate.json"
+          # Generate Dockerfile from custom template or default
+          if [ -n "${CUSTOM_DOCKERFILE_TEMPLATE}" ]; then
+            CUSTOM_PATH="../_caller/${CUSTOM_DOCKERFILE_TEMPLATE}"
+            if [ ! -f "${CUSTOM_PATH}" ]; then
+              echo "::error::Custom Dockerfile template not found: ${CUSTOM_DOCKERFILE_TEMPLATE}"
+              exit 1
+            fi
+            echo "Using custom Dockerfile template: ${CUSTOM_DOCKERFILE_TEMPLATE}"
+            envsubst '$REPO_NAME' < "${CUSTOM_PATH}" | tee "${GENERATED_DIR}/Dockerfile"
+          else
+            echo "Using default Dockerfile template"
+            envsubst '$REPO_NAME' < templates/.Dockerfile-template.tmpl | tee "${GENERATED_DIR}/Dockerfile"
+          fi
+
+          # Build EXTRA_FILES_BLOCK for goreleaser template substitution
+          # This will be empty string if no extra files, or the YAML block if specified
+          export EXTRA_FILES_BLOCK=""
+          if [ -n "${DOCKER_EXTRA_FILES}" ]; then
+            echo "Adding extra files to Docker build context: ${DOCKER_EXTRA_FILES}"
+            
+            # Validate files exist and build the YAML block
+            EXTRA_FILES_BLOCK="    extra_files:"$'\n'
+            IFS=',' read -ra FILES <<< "${DOCKER_EXTRA_FILES}"
+            for file in "${FILES[@]}"; do
+              file=$(echo "$file" | xargs)  # trim whitespace
+              if [ ! -e "../_caller/${file}" ]; then
+                echo "::error::Extra file/directory not found: ${file}"
+                exit 1
+              fi
+              EXTRA_FILES_BLOCK="${EXTRA_FILES_BLOCK}      - ${file}"$'\n'
+            done
+            export EXTRA_FILES_BLOCK
+          fi
+
+          # Generate goreleaser config with all substitutions
+          envsubst < templates/.goreleaser-docker-oci-template.yaml.tmpl | tee "${GENERATED_DIR}/.goreleaser.docker.yaml"
+
+          envsubst < templates/.slsa-provenance-predicate-template.json.tmpl | tee "${GENERATED_DIR}/predicate.json"
 
       - name: Generate configs for Lambda
         if: inputs.lambda == true
@@ -362,8 +439,8 @@ jobs:
           DIST_DIR: dist/lambda
         run: |
           mkdir -p "${GENERATED_DIR}"
-          envsubst '$REPO_NAME' < templates/.Dockerfile-lambda-template | tee "${GENERATED_DIR}/Dockerfile.lambda"
-          envsubst < templates/.goreleaser-docker-lambda-template.yaml | tee "${GENERATED_DIR}/.goreleaser.lambda.yaml"
+          envsubst '$REPO_NAME' < templates/.Dockerfile-lambda-template.tmpl | tee "${GENERATED_DIR}/Dockerfile.lambda"
+          envsubst < templates/.goreleaser-docker-lambda-template.yaml.tmpl | tee "${GENERATED_DIR}/.goreleaser.lambda.yaml"
 
       - name: Docker Login
         if: inputs.docker == true

README.md

@@ -34,11 +34,13 @@ jobs:
 
 The release workflow accepts the following input parameters:
 
-| Parameter | Required | Default | Description                                  |
-| --------- | -------- | ------- | -------------------------------------------- |
-| `tag`     | Yes      | -       | The release tag (e.g., "v1.0.0")             |
-| `lambda`  | No       | `true`  | Whether to release with Lambda image support |
-| `docker`  | No       | `true`  | Whether to release with Docker image support |
+| Parameter             | Required | Default | Description                                                                 |
+| --------------------- | -------- | ------- | --------------------------------------------------------------------------- |
+| `tag`                 | Yes      | -       | The release tag (must be valid semver with `v` prefix, e.g., `v1.0.0`)      |
+| `lambda`              | No       | `true`  | Whether to release with Lambda image support                                |
+| `docker`              | No       | `true`  | Whether to release with Docker image support                                |
+| `dockerfile_template` | No       | `""`    | Path to a custom Dockerfile in your repo (only valid when `lambda: false`)  |
+| `docker_extra_files`  | No       | `""`    | Comma-separated list of extra files/dirs to include in Docker build context |
 
 2. Ensure your repository has the following secrets configured:
 
@@ -51,6 +53,47 @@ The release workflow accepts the following input parameters:
 
 3. Remove all GoReleaser, gon files, Dockerfile, and Dockerfile.lambda files from your connector repository, if they were previously created there.
 
+### Custom Dockerfiles
+
+For connectors that require a non-standard base image (e.g., Java runtime), you can provide a custom Dockerfile:
+
+```yaml
+jobs:
+  release:
+    uses: ConductorOne/github-workflows/.github/workflows/release.yaml@v4
+    with:
+      tag: ${{ github.ref_name }}
+      lambda: false
+      dockerfile_template: Dockerfile
+      docker_extra_files: java # Include the java/ directory in the build context
+    secrets:
+      # ... secrets ...
+```
+
+Your custom Dockerfile must:
+
+1. Use `ARG TARGETPLATFORM` for multi-arch build support
+2. Copy the binary from `${TARGETPLATFORM}/<connector-name>`
+
+Example for a Java-based connector:
+
+```dockerfile
+FROM gcr.io/distroless/java17-debian11:nonroot
+ARG TARGETPLATFORM
+ENTRYPOINT ["/baton-example"]
+
+COPY ${TARGETPLATFORM}/baton-example /baton-example
+COPY java /java
+```
+
+The workflow substitutes `${REPO_NAME}` in your Dockerfile if present, so you can also use:
+
+```dockerfile
+COPY ${TARGETPLATFORM}/${REPO_NAME} /${REPO_NAME}
+```
+
+**Note:** Use `docker_extra_files` to include additional files or directories (comma-separated) in the Docker build context. These are paths relative to your connector repository root.
+
 ## Available Actions
 
 ### Get Baton

docs/diagrams/release-workflow.dot

@@ -13,6 +13,8 @@ digraph ReleaseWorkflow {
     style="filled";
     color="#dbeafe";
 
+    validate [label="validate-inputs\n• semver tag, input constraints", fillcolor="#f9fafb"];
+
     determine_ref [label="determine-workflows-ref\n• resolve workflow SHA", fillcolor="#f9fafb"];
 
     binaries [label="goreleaser-binaries\n• build archives\n• gon codesign\n• SBOMs (syft)\n• provenance attestations\n• SBOM attestations\n• upload to S3", fillcolor="#ecfeff"];
@@ -33,7 +35,8 @@ digraph ReleaseWorkflow {
 
   // Flow
   connector_repo -> tag;
-  tag -> determine_ref;
+  tag -> validate;
+  validate -> determine_ref;
   determine_ref -> binaries;
   determine_ref -> docker;
   binaries -> record;

docs/diagrams/release-workflow.png

@@ -17,6 +17,14 @@ When a tag is pushed to a connector repository, the shared release workflow:
 
 ## Jobs
 
+### validate-inputs
+
+Validates workflow inputs before proceeding:
+
+- Ensures tag is valid semver starting with 'v' (e.g., `v1.2.3`)
+- Ensures `dockerfile_template` is only used when `lambda: false`
+- Ensures `docker_extra_files` is only used when `dockerfile_template` is set
+
 ### determine-workflows-ref
 
 Resolves the exact SHA of the shared workflow being used. This pinned reference is embedded in all provenance attestations, ensuring verifiability.