feat(sync-snippets): composite action that pulls SDK snippets

New action at actions/sync-snippets/. Resolves the latest
launchdarkly/sdk-meta `snippets/*` GitHub Release, downloads the
platform's signed binary, cosign-verifies it (keyless / OIDC,
identity pinned to sdk-meta's release-please workflow), runs
`snippets render` against the consumer checkout, and opens or
updates a sync PR via peter-evans/create-pull-request when the
render produced any diff.

Designed for gonfalon (and future ld-docs-private use); both call
this with `@main`. Daily cron + workflow_dispatch on the consumer
side keeps the consumer current without a coordinated rollout.

Implementation notes:

- The `snippets` CLI binary embeds the canonical sdks/ tree at build
  time (sdk-meta side, separate PR). One artifact, one signature
  check, atomic content + engine pinning.
- `--certificate-identity-regexp` matches sdk-meta's release-please
  workflow path on main, so a token leaked from any other workflow
  cannot produce a matching OIDC claim.
- Per-platform archive name resolution mirrors goreleaser's default
  template (snippets_<version>_<os>_<arch>.tar.gz).

Author: kinyoklion

actions/sync-snippets/README.md

@@ -0,0 +1,65 @@
+# sync-snippets
+
+A composite action that pulls the canonical SDK code snippets from the latest
+[`launchdarkly/sdk-meta`](https://github.com/launchdarkly/sdk-meta) release and
+opens a sync PR against the calling repository. Used by gonfalon (and future
+consumers like `ld-docs-private`) to stay current with snippet changes without
+hand-editing.
+
+## Usage
+
+```yaml
+name: Sync SDK snippets
+on:
+  schedule:
+    - cron: '0 12 * * *'      # daily at 12:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write              # required for cosign keyless verification
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: launchdarkly/gh-actions/actions/sync-snippets@main
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+## What it does
+
+1. Resolves the latest `snippets/vX.Y.Z` GitHub Release on `launchdarkly/sdk-meta` (override with `version:` if you need to pin or roll back).
+2. Downloads the platform-specific binary archive plus the cosign signature and certificate.
+3. Verifies the signature is keyless-signed by `launchdarkly/sdk-meta`'s `release-please` workflow on `main` via GitHub OIDC.
+4. Runs `snippets render --target=<adapter> --out=$GITHUB_WORKSPACE`. The binary embeds the canonical `sdks/` tree at build time — no separate snippet fetch.
+5. Opens (or updates) a pull request with the rewritten files. If `render` produced no diff, the action exits 0 without opening a PR.
+
+## Inputs
+
+| Name | Default | Description |
+|---|---|---|
+| `version` | `latest` | Release tag to install (e.g. `snippets/v0.3.0`). `latest` resolves to the most recent published `snippets/*` release. |
+| `target` | `ld-application` | Adapter target. `ld-application` for gonfalon. Future targets (e.g. `ld-docs`) plug in here. |
+| `branch` | `chore/sync-sdk-snippets` | Branch the action commits the rendered diff to. |
+| `pr-title` | `chore: sync SDK snippets` | Pull-request title. |
+| `pr-body` | (auto-generated) | Pull-request body. Defaults to a one-liner pointing at the upstream release notes. |
+| `pr-labels` | `sdk-snippets,automated-pr` | Comma-separated labels applied to the sync PR. |
+| `github-token` | (required) | Token used to download release assets and open the PR. The repo's default `GITHUB_TOKEN` is sufficient when the workflow has `contents: write` and `pull-requests: write`. |
+
+## Outputs
+
+| Name | Description |
+|---|---|
+| `version` | The release tag that was installed. |
+| `changes` | `true` if `render` produced any diff. |
+| `pr-number` | Pull-request number when one was opened or updated; empty otherwise. |
+
+## How the supply chain is locked down
+
+- **Signing identity is pinned to a specific workflow path.** `cosign verify-blob` checks `--certificate-identity-regexp` against `https://github.com/launchdarkly/sdk-meta/.github/workflows/release-please.yml@.+`. A token leaked from any other workflow in any other repo cannot produce a matching OIDC claim.
+- **No long-lived signing keys.** Each release signs itself using GitHub's OIDC token, so there is nothing to rotate, store, or accidentally check in.
+- **Snippet sources travel with the binary.** The CLI's `--sdks=` flag is optional; when omitted (the default for this action) it reads from `embed.FS`. Pinning a release version pins both the engine and the snippet content atomically.

actions/sync-snippets/action.yml

@@ -0,0 +1,215 @@
+name: 'Sync SDK Snippets'
+description: |
+  Pulls the canonical SDK code snippets from the latest sdk-meta `snippets/` release
+  into the current consumer checkout (gonfalon, ld-docs-private), then opens or
+  updates a sync pull request when the rendered output differs from `main`.
+
+  The action is a thin wrapper around the `snippets` CLI. The CLI binary is
+  downloaded from sdk-meta's GitHub Releases as a cosign-signed artifact;
+  signing is keyless (GitHub OIDC) and verification pins the signing identity
+  to launchdarkly/sdk-meta's own `release-please` workflow, so a compromised
+  release token can't substitute a different binary without also faking the
+  OIDC claim.
+
+  Consumer-side wiring:
+
+      jobs:
+        sync:
+          runs-on: ubuntu-latest
+          permissions:
+            contents: write
+            pull-requests: write
+            id-token: write   # for cosign keyless verification
+          steps:
+            - uses: actions/checkout@v4
+            - uses: launchdarkly/gh-actions/actions/sync-snippets@main
+              with:
+                github-token: ${{ secrets.GITHUB_TOKEN }}
+
+inputs:
+  version:
+    description: |
+      Release tag to install, e.g. `snippets/v0.3.0`. The default `latest`
+      resolves to the most recent published release whose tag begins with
+      `snippets/`.
+    required: false
+    default: 'latest'
+  target:
+    description: |
+      Adapter target. `ld-application` for gonfalon (and any other consumer that
+      uses TSX render markers); future targets (e.g. `ld-docs`) plug in here.
+    required: false
+    default: 'ld-application'
+  branch:
+    description: 'Branch the action commits the rendered diff to.'
+    required: false
+    default: 'chore/sync-sdk-snippets'
+  pr-title:
+    description: 'Pull-request title.'
+    required: false
+    default: 'chore: sync SDK snippets'
+  pr-body:
+    description: |
+      Pull-request body. The default points at the upstream release notes for
+      the version being synced.
+    required: false
+    default: ''
+  pr-labels:
+    description: 'Comma-separated labels applied to the sync PR.'
+    required: false
+    default: 'sdk-snippets,automated-pr'
+  github-token:
+    description: |
+      Token used to download release assets and open the PR. Needs `contents:
+      write` and `pull-requests: write` on the consumer repo. The repo's default
+      `GITHUB_TOKEN` is sufficient.
+    required: true
+
+outputs:
+  version:
+    description: 'The sdk-meta snippets release tag that was actually installed.'
+    value: ${{ steps.resolve.outputs.tag }}
+  changes:
+    description: 'true if `snippets render` produced any diff against the working tree.'
+    value: ${{ steps.diff.outputs.changes }}
+  pr-number:
+    description: 'Pull-request number when a sync PR was opened or updated; empty otherwise.'
+    value: ${{ steps.cpr.outputs.pull-request-number }}
+
+runs:
+  using: composite
+  steps:
+    # 1. Resolve the version. `latest` queries the GitHub API for the most
+    #    recent release whose tag starts with `snippets/`. Any other value is
+    #    used verbatim — caller pins, action obeys.
+    - id: resolve
+      name: 'Resolve snippets release tag'
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+      run: |
+        set -euo pipefail
+        if [ "${{ inputs.version }}" = "latest" ]; then
+          tag=$(gh release list --repo launchdarkly/sdk-meta --limit 100 \
+                  --json tagName --jq '.[] | .tagName | select(startswith("snippets/"))' \
+                | head -n 1)
+          if [ -z "$tag" ]; then
+            echo "::error::no snippets/* release found in launchdarkly/sdk-meta"
+            exit 1
+          fi
+        else
+          tag="${{ inputs.version }}"
+        fi
+        echo "tag=$tag" >> "$GITHUB_OUTPUT"
+        echo "Using snippets release: $tag"
+
+    # 2. Resolve the platform's archive name. goreleaser names archives
+    #    snippets_<version>_<os>_<arch>.tar.gz, where <version> is the
+    #    bare semver (the `snippets/` tag prefix is stripped).
+    - id: archive
+      name: 'Resolve archive filename'
+      shell: bash
+      run: |
+        set -euo pipefail
+        case "$RUNNER_OS" in
+          Linux)  os=linux ;;
+          macOS)  os=darwin ;;
+          *) echo "::error::unsupported runner OS: $RUNNER_OS"; exit 1 ;;
+        esac
+        case "$RUNNER_ARCH" in
+          X64)   arch=amd64 ;;
+          ARM64) arch=arm64 ;;
+          *) echo "::error::unsupported runner arch: $RUNNER_ARCH"; exit 1 ;;
+        esac
+        version="${{ steps.resolve.outputs.tag }}"
+        version="${version#snippets/v}"
+        archive="snippets_${version}_${os}_${arch}.tar.gz"
+        echo "archive=$archive" >> "$GITHUB_OUTPUT"
+
+    # 3. Pull the archive, its detached signature, and the OIDC certificate
+    #    from the GitHub Release.
+    - name: 'Download release assets'
+      shell: bash
+      working-directory: ${{ runner.temp }}
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+      run: |
+        set -euo pipefail
+        gh release download "${{ steps.resolve.outputs.tag }}" \
+          --repo launchdarkly/sdk-meta \
+          --pattern "${{ steps.archive.outputs.archive }}" \
+          --pattern "${{ steps.archive.outputs.archive }}.sig" \
+          --pattern "${{ steps.archive.outputs.archive }}.pem" \
+          --clobber
+
+    # 4. Install cosign and verify the signature. The identity regex pins
+    #    the signer to sdk-meta's release-please workflow on the main branch
+    #    — a token leaked from any other workflow couldn't produce a matching
+    #    OIDC claim.
+    - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.7.0
+    - name: 'Verify signature'
+      shell: bash
+      working-directory: ${{ runner.temp }}
+      run: |
+        set -euo pipefail
+        archive="${{ steps.archive.outputs.archive }}"
+        cosign verify-blob \
+          --certificate "${archive}.pem" \
+          --signature   "${archive}.sig" \
+          --certificate-identity-regexp 'https://github\.com/launchdarkly/sdk-meta/\.github/workflows/release-please\.yml@.+' \
+          --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+          "$archive"
+
+    # 5. Extract the CLI and stage it on $PATH for the render step.
+    - name: 'Install CLI'
+      shell: bash
+      working-directory: ${{ runner.temp }}
+      run: |
+        set -euo pipefail
+        mkdir -p bin
+        tar -xzf "${{ steps.archive.outputs.archive }}" -C bin snippets
+        chmod +x bin/snippets
+        echo "$PWD/bin" >> "$GITHUB_PATH"
+
+    # 6. Render against the consumer checkout. `snippets` is now on $PATH.
+    #    The CLI loads the canonical sdks/ tree from the binary's embedded FS
+    #    — no separate snippet sources to fetch.
+    - name: 'Render snippets'
+      shell: bash
+      run: |
+        snippets version
+        snippets render --target='${{ inputs.target }}' --out="$GITHUB_WORKSPACE"
+
+    # 7. Detect whether render touched anything. Empty diff means the consumer
+    #    is already current; we exit cleanly with no PR.
+    - id: diff
+      name: 'Check for changes'
+      shell: bash
+      run: |
+        set -euo pipefail
+        if [ -n "$(git status --porcelain)" ]; then
+          echo "changes=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "changes=false" >> "$GITHUB_OUTPUT"
+          echo "Consumer tree is already in sync with ${{ steps.resolve.outputs.tag }}."
+        fi
+
+    # 8. Open or update a PR with the rendered diff. peter-evans/create-pull-
+    #    request handles both cases: pushes to the same branch, force-updates
+    #    on collisions, and leaves an existing PR alone if the diff is
+    #    identical to what's already proposed.
+    - id: cpr
+      name: 'Open or update sync PR'
+      if: steps.diff.outputs.changes == 'true'
+      uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+      with:
+        token: ${{ inputs.github-token }}
+        commit-message: 'chore: sync SDK snippets to ${{ steps.resolve.outputs.tag }}'
+        branch: ${{ inputs.branch }}
+        delete-branch: true
+        title: ${{ inputs.pr-title }}
+        body: |
+          ${{ inputs.pr-body != '' && inputs.pr-body || format('Syncs SDK snippets from upstream release [`{0}`](https://github.com/launchdarkly/sdk-meta/releases/tag/{0}).', steps.resolve.outputs.tag) }}
+
+          Generated by `launchdarkly/gh-actions/actions/sync-snippets@main`.
+        labels: ${{ inputs.pr-labels }}