feat: Composite action for synchronizing SDK snippets

[kinyoklion]

Summary

New composite action at actions/sync-snippets/. Consumers call it via workflow_dispatch (or a daily cron) to stay current with snippet changes published by launchdarkly/sdk-meta.

on:
  workflow_dispatch:
  schedule: [ { cron: '0 12 * * *' } ]

permissions:
  contents: write
  pull-requests: write

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: launchdarkly/gh-actions/actions/sync-snippets@main
        with:
          entrypoints: |
            static/ld/components/getStarted
          github-token: ${{ secrets.GITHUB_TOKEN }}

How it works

1. Resolves the latest snippets/v* GitHub Release on launchdarkly/sdk-meta (override with version:).
2. Downloads the platform-specific archive (snippets_<version>_<os>_<arch>.tar.gz).
3. Verifies the SLSA build-provenance attestation via gh attestation verify --signer-workflow launchdarkly/sdk-meta/.github/workflows/release-please.yml. Sigstore-backed keyless OIDC under the hood, but no cosign install required — gh ships preinstalled on every GitHub-hosted runner.
4. Runs snippets render --target=<adapter> --entrypoint=<dir>... with one --entrypoint= flag per non-empty line of the entrypoints: input. The CLI walks each directory, picks up files containing the SDK_SNIPPET:RENDER: sentinel, and rewrites their marked regions in place. The binary embeds the canonical sdks/ tree at build time, so there is nothing else to fetch.
5. Opens or updates a sync PR via peter-evans/create-pull-request when the render produced any diff. Empty diff → exit 0, no PR.

Inputs / outputs

See actions/sync-snippets/README.md. Required: entrypoints, github-token. Everything else has a sensible default.

How the supply chain is locked down

• Signer pinned to a specific workflow path. gh attestation verify --signer-workflow launchdarkly/sdk-meta/.github/workflows/release-please.yml rejects any artifact whose attestation was issued by a different workflow file. A token leaked from any other workflow in any other repo cannot produce a matching OIDC claim.
• No long-lived signing keys. Each release issues its own attestation via the GitHub-hosted Sigstore Fulcio CA against the workflow's OIDC token. Nothing to rotate, store, or accidentally check in.
• Snippet sources travel with the binary. The CLI's --sdks= flag is optional; when omitted (the default for this action) it reads from embed.FS. Pinning a release version pins both the engine and the snippet content atomically — no separate sdks/ checkout step.

Depends on

• feat: embed snippet sources + wire release pipeline sdk-meta#404 ✅ (embed snippet sources + wire release pipeline) — merged.
• fix: Replace goreleaser with go build + github attestation sdk-meta#409 ✅ (replace goreleaser with go build + actions/attest-build-provenance) — merged. snippets/v0.2.1 is the first published release this action can consume.

End-to-end validation

Wired up in a private sandbox repo (launchdarkly/learn-release-please) via:

• snippet-test/getStarted.tsx — TSX file with two SDK_SNIPPET:RENDER: markers (python-server-sdk/getting-started/mkdir with no inputs, plus .../install with one optional version prop) seeded with hash=0 version=0.0.0 placeholders.
• .github/workflows/sync-snippets.yml — workflow_dispatch referencing this action via @rlamb/sync-snippets-action.

Sandbox PR #89 merged the harness; the next dispatch (run 25190361399) ran green and the action opened sandbox PR #91, rewriting both markers with their v0.2.1 content. Both render modes were exercised — bare-JSX-text (no inputs) and template-literal-with-ternary (optional input → ${version ? \==${version}` : ''}`).

Test plan

• Sandbox harness in learn-release-please opens a PR with rewritten markers (run #25190361399 → PR #91).
• Both renderer paths exercised (bare text + template-literal-with-conditional).
• gh attestation verify against the published v0.2.1 archive succeeds with the --signer-workflow pin.
• Re-dispatch on the sandbox after peter-evans/create-pull-request already opened a PR — expect: same branch updated, no second PR opened.
• Hand-edit one rendered region in the sandbox before re-running — expect: the action opens a PR that reverts the hand-edit (the hash mismatch is what snippets verify flags; render just re-renders).
• Pin version: to a non-existent tag — expect: clean failure at the resolve step.

Known sharp edges

• ${{ ... }} in the action manifest's description: field is template-evaluated at action-load time. Don't put example workflow snippets containing secrets.* into description: — those parse-fail with Unrecognized named-value: 'secrets'. Fixed in a0ad8bb by moving the inline example to README.md.
• Consumer repos must enable Settings → Actions → General → Workflow permissions → "Allow GitHub Actions to create and approve pull requests" for peter-evans/create-pull-request to open the sync PR; otherwise the PR-open step is silently blocked by the default GITHUB_TOKEN policy.