
Conversation

@gontzess (Contributor) commented Dec 1, 2025

Updated connector release workflow for signing artifacts and pushing to the new c1 connector registry. The registry will provide a central, consistent way to distribute binaries and container images to customers across all public and private connectors.

This PR makes a number of changes and will necessitate a new major release version bump.

  • new goreleaser binary config file that signs binaries with cosign, generates sboms, checksums, then uploads to the registry s3 using OIDC
  • new consolidated goreleaser docker config file that signs and builds a multi-arch image, lambda image, and digests - both images are conditional based on input bools
  • dockerfiles are now built from centralized templates here in this repo, not used from files in each repo
  • go scripts for building and uploading a release manifest.json to the registry s3 using
  • protos for consistent manifest and stable structs in this workflow and available for other repos/scripts to import for use

For a connector repo to upgrade to the new workflow:

  • needs to be added in ops for OIDC permissions
  • needs to upgrade to the new pending release workflow version (likely v4)
  • nice to have but not required: remove the Dockerfile and Dockerfile.lambda from its own repo since they're no longer used in v4+

Summary by CodeRabbit

  • New Features
    • Added support for artifact release manifests capturing version, name, organization, and semantic version.
    • Tracks release and update timestamps for artifacts.
    • Stores per-artifact attachments: assets with media type, size, checksum, and SBOM links.
    • Records release signatures, certificates, and container image references.


@coderabbitai bot commented Dec 1, 2025

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (5)
  • .Dockerfile-lambda-template is excluded by none and included by none
  • .github/workflows/release.yaml is excluded by none and included by none
  • .goreleaser-docker-template-signing.yaml is excluded by none and included by none
  • README.md is excluded by none and included by none
  • cmd/extract-images/main.go is excluded by none and included by none

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds a Go module declaration and dependency; introduces protobuf schemas defining artifact manifests (Manifest, Asset, Image) and a Stable message with timestamps for immutable release metadata and per-asset SBOM/signature/certificate references.

Changes

Cohort / File(s): Summary

  • Module configuration (go.mod): Adds module github.com/ConductorOne/github-workflows, sets Go version to 1.25.2, and adds dependency google.golang.org/protobuf v1.36.5.
  • Artifact protobufs (proto/artifacts/v1/manifest.proto, proto/artifacts/v1/stable.proto): Adds Manifest, Asset, and Image messages in manifest.proto (versioning, assets map, images map, signature/certificate/SBOM hrefs). Adds Stable message in stable.proto mirroring Manifest with an additional updated_at timestamp; imports and options set (go_package, api_level).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify proto field numbers, types, and imports (google.protobuf.Timestamp).
  • Confirm Stable correctly references Asset/Image from manifest.proto and imported symbols.
  • Check go_package and API feature options for correctness and expected generated paths.
  • Validate semantic comments and timestamp semantics (released_at vs updated_at).

Poem

🐰 I hopped through code, so spry and fleet,
Brought manifests and SBOMs to meet,
Images, assets, timestamps bright,
Signatures tucked in snug and tight,
A joyful patch — a carrot treat! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name: Status, Explanation

  • Title check: ✅ Passed. The title accurately describes the main change: introducing infrastructure to push signed artifacts to a new connector registry. It aligns with the core PR objective of adding a connector release workflow with artifact signing and registry uploads.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.

Comment @coderabbitai help to get the list of available commands and usage tips.

@gontzess gontzess force-pushed the gontzess/duct-12735-binaries-registry-1 branch from 8ec90c8 to 6e5818a Compare December 1, 2025 21:47
- amd64
- arm64
tags:
- "baton_lambda_support"
Collaborator

Consolidated docker template for GoReleaser >= 2.12 with optional lambda build and signing

Do we actually want to bundle in the lambda infra into our containers? It's an extra 10-15MB IIRC and highly specialized for our lambda deployments.

Contributor Author

These are still separate images, see lines 21 and 41 below. I've consolidated the goreleaser template so that they're in one file (and one GitHub job).

Note, the amd64 and arm64 arch are now bundled into a single image for GHCR (corresponding to image from line 21).

I'm wondering if the baton_lambda_support tag here is correct, though, for the build step.

Collaborator

Let's fix this in a different PR.

@gontzess gontzess force-pushed the gontzess/duct-12735-binaries-registry-1 branch from 3e8b1ee to 4c6f3df Compare December 3, 2025 21:57
msi:
required: false
type: boolean
default: false
Collaborator

When do we not want MSIs?

Contributor Author

I'm going to remove this flag since I'm not sure yet about this; plus, this functionality didn't make it into this PR anyway.

run: |
set -euo pipefail
cd dist
cosign sign-blob --yes "manifest.json" \
Collaborator

Did we verify the signatures?
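The manifest build, cosign-style signing and the consumer-side verification that the question above asks about, as an added Go example that is not the PR's own code. The Manifest/Asset types, NewKey, BuildManifest, SignBlob and VerifyRelease are assumed stand-ins for the PR's protos and scripts; key-based cosign sign-blob produces the same ECDSA P-256 over SHA-256 signature shape, while the keyless OIDC flow the workflow uses additionally involves a Fulcio certificate and transparency-log entry that this example does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Asset and Manifest are reduced, assumed stand-ins for the PR's proto/artifacts/v1 messages.
type Asset struct{ Checksum string `json:"checksum"` } // "sha256:<hex>"
type Manifest struct {
	Name    string           `json:"name"`
	Version string           `json:"version"`
	Assets  map[string]Asset `json:"assets"`
}
func digest(b []byte) []byte    { h := sha256.Sum256(b); return h[:] }
func sha256Hex(b []byte) string { return fmt.Sprintf("sha256:%x", digest(b)) }
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// BuildManifest records a checksum for every release asset and returns the manifest JSON bytes.
func BuildManifest(name, version string, files map[string][]byte) ([]byte, error) {
	m := Manifest{Name: name, Version: version, Assets: map[string]Asset{}}
	for fn, data := range files {
		m.Assets[fn] = Asset{Checksum: sha256Hex(data)}
	}
	return json.Marshal(m) // map keys are emitted sorted, so the signed bytes are deterministic
}

// SignBlob mimics key-based `cosign sign-blob`: an ECDSA P-256 signature over SHA-256 of the blob.
func SignBlob(blob []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, digest(blob))
}
// VerifyRelease is the consumer-side check: the manifest signature first, then every listed asset.
func VerifyRelease(blob, sig []byte, pub *ecdsa.PublicKey, files map[string][]byte) error {
	if !ecdsa.VerifyASN1(pub, digest(blob), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(blob, &m); err != nil {
		return err
	}
	for fn, a := range m.Assets {
		if sha256Hex(files[fn]) != a.Checksum { // a missing file hashes as empty and fails too
			return fmt.Errorf("%s: missing or tampered", fn)
		}
	}
	return nil
}
```

Verification order matters: the signature is checked before the manifest is parsed, so an attacker who can alter manifest.json in the registry cannot make a tampered asset "match" by also rewriting its recorded checksum.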

RESPONSE=$(aws lambda invoke \
--function-name "${{ github.event.repository.name }}-releases" \
--payload "{\"repository\":\"${{ github.event.repository.full_name }}\", \"tag\":\"${{ inputs.tag }}\"}" \
--function-name "${{ github.event.repository.owner.login }}-${{ github.event.repository.name }}-artifact-releases" \
Collaborator

Is this correct?

Contributor Author

Yes. Basically it was wrong, but we weren't using it anyway. The lambda just hardcodes conductorone.

@kans (Collaborator) commented Dec 4, 2025

This PR is hard to review for correctness, but that's easy to verify:

TODOS:

  • Do the containers work?
  • Do the lambdas still work?
  • Are the sigs valid?
  • Do the other things work?

@gontzess gontzess force-pushed the gontzess/duct-12735-binaries-registry-1 branch from 2ab69dd to c74e9cf Compare December 8, 2025 19:54
}

if !foundIndex {
content, _ := os.ReadFile(digestFile)
Collaborator

^

@gontzess gontzess merged commit 218adc2 into main Dec 8, 2025
1 check passed
@gontzess gontzess deleted the gontzess/duct-12735-binaries-registry-1 branch December 8, 2025 22:49