feat: Composite action for synchronizing SDK snippets (#82)

* feat(sync-snippets): composite action that pulls SDK snippets

New action at actions/sync-snippets/. Resolves the latest
launchdarkly/sdk-meta `snippets/*` GitHub Release, downloads the
platform's signed binary, cosign-verifies it (keyless / OIDC,
identity pinned to sdk-meta's release-please workflow), runs
`snippets render` against the consumer checkout, and opens or
updates a sync PR via peter-evans/create-pull-request when the
render produced any diff.

Designed for gonfalon (and future ld-docs-private use); both call
this with `@main`. Daily cron + workflow_dispatch on the consumer
side keeps the consumer current without a coordinated rollout.

Implementation notes:

- The `snippets` CLI binary embeds the canonical sdks/ tree at build
  time (sdk-meta side, separate PR). One artifact, one signature
  check, atomic content + engine pinning.
- `--certificate-identity-regexp` matches sdk-meta's release-please
  workflow path on main, so a token leaked from any other workflow
  cannot produce a matching OIDC claim.
- Per-platform archive name resolution mirrors goreleaser's default
  template (snippets_<version>_<os>_<arch>.tar.gz).

* feat(sync-snippets): switch to consumer-declared entrypoints

The CLI no longer asks each sdk.yaml which file in the consumer to
rewrite (see launchdarkly/sdk-meta#405); instead the consumer declares
its own list of search roots. Plumb that through:

- New required input `entrypoints` (newline-separated list of
  directories, relative to $GITHUB_WORKSPACE).
- Render step parses the input into individual `--entrypoint=` flags
  and passes them to `snippets render`.
- Empty / whitespace-only lines are tolerated and skipped; an empty
  list fails loudly.
- README + the in-action usage block updated to show the new shape.

Consumer wiring becomes:

    - uses: launchdarkly/gh-actions/actions/sync-snippets@main
      with:
        entrypoints: |
          static/ld/components/getStarted
        github-token: ${{ secrets.GITHUB_TOKEN }}

* feat(sync-snippets): switch to github attestation verification

The upstream sdk-meta release pipeline is moving from cosign keyless
sidecars to GitHub's first-party SLSA build-provenance attestation
(launchdarkly/sdk-meta#409). Match it on the verifier side:

- Replace `cosign verify-blob` with `gh attestation verify --signer-
  workflow launchdarkly/sdk-meta/.github/workflows/release-please.yml`.
  Same identity pinning, but the attestation is fetched from sdk-meta's
  repo-level attestation store rather than as `.sig`/`.pem` release
  assets.
- Drop the `sigstore/cosign-installer` step. `gh` ships preinstalled on
  every GitHub-hosted runner.
- Drop the `id-token: write` permission from the consumer wiring
  example — verification is read-only against sdk-meta's attestation
  store and doesn't need an OIDC token.
- Update README copy to match.

* fix(sync-snippets): drop literal ${{ from action description

The action manifest's description: field is template-evaluated at action-load
time. Embedding a copy-paste-able workflow snippet that contained
${{ secrets.GITHUB_TOKEN }} caused 'Unrecognized named-value: secrets'
parse failures whenever a consumer used the action — secrets aren't in
scope when the manifest itself is being loaded.

Replace the inline workflow example with a prose pointer to README.md,
which carries the full consumer wiring snippet.

* fix(sync-snippets): exclude drafts and pre-releases from latest resolution

A 'latest' lookup that catches sdk-meta's release-pipeline mid-publish
window would point at a draft release whose archives and attestations
haven't uploaded yet — and the subsequent 'gh release download' /
'gh attestation verify' would fail noisily but pointlessly. Pre-releases
are excluded under the same logic: consumers asking for 'latest' want
the latest stable, not a release-candidate the pipeline cut for testing.

Per @keelerm84 review on PR #82.

Author: kinyoklion

actions/sync-snippets/README.md

@@ -0,0 +1,67 @@
+# sync-snippets
+
+A composite action that pulls the canonical SDK code snippets from the latest
+[`launchdarkly/sdk-meta`](https://github.com/launchdarkly/sdk-meta) release and
+opens a sync PR against the calling repository. Used by gonfalon (and future
+consumers like `ld-docs-private`) to stay current with snippet changes without
+hand-editing.
+
+## Usage
+
+```yaml
+name: Sync SDK snippets
+on:
+  schedule:
+    - cron: '0 12 * * *'      # daily at 12:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: launchdarkly/gh-actions/actions/sync-snippets@main
+        with:
+          entrypoints: |
+            static/ld/components/getStarted
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+## What it does
+
+1. Resolves the latest `snippets/vX.Y.Z` GitHub Release on `launchdarkly/sdk-meta` (override with `version:` if you need to pin or roll back).
+2. Downloads the platform-specific binary archive from the release.
+3. Verifies the SLSA build-provenance attestation issued by `launchdarkly/sdk-meta`'s `release-please` workflow via `gh attestation verify`.
+4. Runs `snippets render --target=<adapter> --entrypoint=<dir>...` with one `--entrypoint` flag per non-empty line of the `entrypoints:` input. The binary embeds the canonical `sdks/` tree at build time — no separate snippet fetch. The renderer walks each entrypoint recursively, picks up files with extensions it understands (`.tsx`/`.jsx`/`.ts`/`.js`/`.mdx`) that contain the `SDK_SNIPPET:RENDER:` sentinel, and skips junk dirs (`node_modules`, `.git`, `dist`, `build`, ...).
+5. Opens (or updates) a pull request with the rewritten files. If `render` produced no diff, the action exits 0 without opening a PR.
+
+## Inputs
+
+| Name | Default | Description |
+|---|---|---|
+| `entrypoints` | (required) | Newline-separated list of consumer-checkout directories the renderer should walk for snippet markers. Paths resolve against `$GITHUB_WORKSPACE`. |
+| `version` | `latest` | Release tag to install (e.g. `snippets/v0.3.0`). `latest` resolves to the most recent published `snippets/*` release. |
+| `target` | `ld-application` | Adapter target. `ld-application` for gonfalon. Future targets (e.g. `ld-docs`) plug in here. |
+| `branch` | `chore/sync-sdk-snippets` | Branch the action commits the rendered diff to. |
+| `pr-title` | `chore: sync SDK snippets` | Pull-request title. |
+| `pr-body` | (auto-generated) | Pull-request body. Defaults to a one-liner pointing at the upstream release notes. |
+| `pr-labels` | `sdk-snippets,automated-pr` | Comma-separated labels applied to the sync PR. |
+| `github-token` | (required) | Token used to download release assets and open the PR. The repo's default `GITHUB_TOKEN` is sufficient when the workflow has `contents: write` and `pull-requests: write`. |
+
+## Outputs
+
+| Name | Description |
+|---|---|
+| `version` | The release tag that was installed. |
+| `changes` | `true` if `render` produced any diff. |
+| `pr-number` | Pull-request number when one was opened or updated; empty otherwise. |
+
+## How the supply chain is locked down
+
+- **Signing identity is pinned to a specific workflow path.** `gh attestation verify --signer-workflow launchdarkly/sdk-meta/.github/workflows/release-please.yml` checks the SLSA build-provenance subject against that exact workflow file. A token leaked from any other workflow in any other repo cannot produce a matching OIDC claim.
+- **No long-lived signing keys.** Each release attests itself using GitHub's OIDC token, so there is nothing to rotate, store, or accidentally check in. The attestation is published to `launchdarkly/sdk-meta`'s repo-level attestation store, not as a release asset.
+- **Snippet sources travel with the binary.** The CLI's `--sdks=` flag is optional; when omitted (the default for this action) it reads from `embed.FS`. Pinning a release version pins both the engine and the snippet content atomically.

actions/sync-snippets/action.yml

@@ -0,0 +1,236 @@
+name: 'Sync SDK Snippets'
+description: |
+  Pulls the canonical SDK code snippets from the latest sdk-meta `snippets/` release
+  into the current consumer checkout (gonfalon, ld-docs-private), then opens or
+  updates a sync pull request when the rendered output differs from `main`.
+
+  The action is a thin wrapper around the `snippets` CLI. The CLI binary is
+  downloaded from sdk-meta's GitHub Releases and verified against a
+  GitHub-issued SLSA build provenance attestation; verification pins the
+  signing workflow to launchdarkly/sdk-meta's `release-please.yml`, so a
+  compromised release token can't substitute a different binary without
+  also faking the OIDC claim issued at build time.
+
+  See actions/sync-snippets/README.md for a full consumer-side workflow
+  example. The action needs `contents: write` and `pull-requests: write`
+  permissions and the consumer's `GITHUB_TOKEN` passed via the
+  `github-token` input.
+
+inputs:
+  version:
+    description: |
+      Release tag to install, e.g. `snippets/v0.3.0`. The default `latest`
+      resolves to the most recent published release whose tag begins with
+      `snippets/`.
+    required: false
+    default: 'latest'
+  target:
+    description: |
+      Adapter target. `ld-application` for gonfalon (and any other consumer that
+      uses TSX render markers); future targets (e.g. `ld-docs`) plug in here.
+    required: false
+    default: 'ld-application'
+  entrypoints:
+    description: |
+      Newline-separated list of consumer-checkout directories the renderer
+      should walk for snippet markers. Paths are resolved relative to
+      $GITHUB_WORKSPACE (so a top-level `static/ld/components/getStarted` is
+      what gonfalon would pass). Each line becomes one `--entrypoint=` flag
+      to the CLI; the CLI walks each recursively, opens files with extensions
+      it understands (.tsx/.jsx/.ts/.js/.mdx), and skips junk dirs
+      (node_modules, .git, dist, build, ...).
+    required: true
+  branch:
+    description: 'Branch the action commits the rendered diff to.'
+    required: false
+    default: 'chore/sync-sdk-snippets'
+  pr-title:
+    description: 'Pull-request title.'
+    required: false
+    default: 'chore: sync SDK snippets'
+  pr-body:
+    description: |
+      Pull-request body. The default points at the upstream release notes for
+      the version being synced.
+    required: false
+    default: ''
+  pr-labels:
+    description: 'Comma-separated labels applied to the sync PR.'
+    required: false
+    default: 'sdk-snippets,automated-pr'
+  github-token:
+    description: |
+      Token used to download release assets and open the PR. Needs `contents:
+      write` and `pull-requests: write` on the consumer repo. The repo's default
+      `GITHUB_TOKEN` is sufficient.
+    required: true
+
+outputs:
+  version:
+    description: 'The sdk-meta snippets release tag that was actually installed.'
+    value: ${{ steps.resolve.outputs.tag }}
+  changes:
+    description: 'true if `snippets render` produced any diff against the working tree.'
+    value: ${{ steps.diff.outputs.changes }}
+  pr-number:
+    description: 'Pull-request number when a sync PR was opened or updated; empty otherwise.'
+    value: ${{ steps.cpr.outputs.pull-request-number }}
+
+runs:
+  using: composite
+  steps:
+    # 1. Resolve the version. `latest` queries the GitHub API for the most
+    #    recent published release whose tag starts with `snippets/`. Drafts
+    #    and pre-releases are excluded — drafts especially matter because
+    #    sdk-meta's release pipeline cuts a draft, uploads assets, then
+    #    flips it to published. A `latest` query that catches the draft
+    #    window would point at a release whose assets and attestations may
+    #    not have been uploaded yet. Any non-`latest` value is used
+    #    verbatim — caller pins, action obeys.
+    - id: resolve
+      name: 'Resolve snippets release tag'
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+      run: |
+        set -euo pipefail
+        if [ "${{ inputs.version }}" = "latest" ]; then
+          tag=$(gh release list --repo launchdarkly/sdk-meta --limit 100 \
+                  --exclude-drafts --exclude-pre-releases \
+                  --json tagName --jq '.[] | .tagName | select(startswith("snippets/"))' \
+                | head -n 1)
+          if [ -z "$tag" ]; then
+            echo "::error::no published snippets/* release found in launchdarkly/sdk-meta"
+            exit 1
+          fi
+        else
+          tag="${{ inputs.version }}"
+        fi
+        echo "tag=$tag" >> "$GITHUB_OUTPUT"
+        echo "Using snippets release: $tag"
+
+    # 2. Resolve the platform's archive name. The release workflow names
+    #    archives snippets_<version>_<os>_<arch>.tar.gz, where <version> is
+    #    the bare semver (the `snippets/` tag prefix is stripped).
+    - id: archive
+      name: 'Resolve archive filename'
+      shell: bash
+      run: |
+        set -euo pipefail
+        case "$RUNNER_OS" in
+          Linux)  os=linux ;;
+          macOS)  os=darwin ;;
+          *) echo "::error::unsupported runner OS: $RUNNER_OS"; exit 1 ;;
+        esac
+        case "$RUNNER_ARCH" in
+          X64)   arch=amd64 ;;
+          ARM64) arch=arm64 ;;
+          *) echo "::error::unsupported runner arch: $RUNNER_ARCH"; exit 1 ;;
+        esac
+        version="${{ steps.resolve.outputs.tag }}"
+        version="${version#snippets/v}"
+        archive="snippets_${version}_${os}_${arch}.tar.gz"
+        echo "archive=$archive" >> "$GITHUB_OUTPUT"
+
+    # 3. Pull the archive from the GitHub Release. Attestations are
+    #    fetched separately by `gh attestation verify` from sdk-meta's
+    #    repo-level attestations — they aren't release assets.
+    - name: 'Download release archive'
+      shell: bash
+      working-directory: ${{ runner.temp }}
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+      run: |
+        set -euo pipefail
+        gh release download "${{ steps.resolve.outputs.tag }}" \
+          --repo launchdarkly/sdk-meta \
+          --pattern "${{ steps.archive.outputs.archive }}" \
+          --clobber
+
+    # 4. Verify the SLSA build-provenance attestation. `--signer-workflow`
+    #    pins the signing workflow to sdk-meta's release-please.yml — a
+    #    token leaked from any other workflow couldn't produce a matching
+    #    OIDC claim. `gh` ships preinstalled on every GitHub-hosted
+    #    runner, so no separate install step is required.
+    - name: 'Verify attestation'
+      shell: bash
+      working-directory: ${{ runner.temp }}
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+      run: |
+        set -euo pipefail
+        gh attestation verify "${{ steps.archive.outputs.archive }}" \
+          --repo launchdarkly/sdk-meta \
+          --signer-workflow launchdarkly/sdk-meta/.github/workflows/release-please.yml
+
+    # 5. Extract the CLI and stage it on $PATH for the render step.
+    - name: 'Install CLI'
+      shell: bash
+      working-directory: ${{ runner.temp }}
+      run: |
+        set -euo pipefail
+        mkdir -p bin
+        tar -xzf "${{ steps.archive.outputs.archive }}" -C bin snippets
+        chmod +x bin/snippets
+        echo "$PWD/bin" >> "$GITHUB_PATH"
+
+    # 6. Render against the consumer checkout. `snippets` is now on $PATH.
+    #    The CLI loads the canonical sdks/ tree from the binary's embedded FS
+    #    — no separate snippet sources to fetch. Each line of the
+    #    `entrypoints:` input becomes one `--entrypoint=` flag (relative paths
+    #    resolve against $GITHUB_WORKSPACE).
+    - name: 'Render snippets'
+      shell: bash
+      env:
+        ENTRYPOINTS: ${{ inputs.entrypoints }}
+      run: |
+        set -euo pipefail
+        snippets version
+        cd "$GITHUB_WORKSPACE"
+        args=()
+        while IFS= read -r line; do
+          # Strip surrounding whitespace; skip empty lines.
+          line="${line#"${line%%[![:space:]]*}"}"
+          line="${line%"${line##*[![:space:]]}"}"
+          [ -z "$line" ] && continue
+          args+=("--entrypoint=$line")
+        done <<< "$ENTRYPOINTS"
+        if [ ${#args[@]} -eq 0 ]; then
+          echo "::error::sync-snippets: at least one non-empty entrypoint must be provided"
+          exit 1
+        fi
+        snippets render --target="${{ inputs.target }}" "${args[@]}"
+
+    # 7. Detect whether render touched anything. Empty diff means the consumer
+    #    is already current; we exit cleanly with no PR.
+    - id: diff
+      name: 'Check for changes'
+      shell: bash
+      run: |
+        set -euo pipefail
+        if [ -n "$(git status --porcelain)" ]; then
+          echo "changes=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "changes=false" >> "$GITHUB_OUTPUT"
+          echo "Consumer tree is already in sync with ${{ steps.resolve.outputs.tag }}."
+        fi
+
+    # 8. Open or update a PR with the rendered diff. peter-evans/create-pull-
+    #    request handles both cases: pushes to the same branch, force-updates
+    #    on collisions, and leaves an existing PR alone if the diff is
+    #    identical to what's already proposed.
+    - id: cpr
+      name: 'Open or update sync PR'
+      if: steps.diff.outputs.changes == 'true'
+      uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+      with:
+        token: ${{ inputs.github-token }}
+        commit-message: 'chore: sync SDK snippets to ${{ steps.resolve.outputs.tag }}'
+        branch: ${{ inputs.branch }}
+        delete-branch: true
+        title: ${{ inputs.pr-title }}
+        body: |
+          ${{ inputs.pr-body != '' && inputs.pr-body || format('Syncs SDK snippets from upstream release [`{0}`](https://github.com/launchdarkly/sdk-meta/releases/tag/{0}).', steps.resolve.outputs.tag) }}
+
+          Generated by `launchdarkly/gh-actions/actions/sync-snippets@main`.
+        labels: ${{ inputs.pr-labels }}