feat(cli): migrate otdfctl into platform monorepo #3205
alkalescent wants to merge 9 commits into main from
Important: Review skipped. Too many files! This PR contains 298 files, which is 148 over the limit of 150.
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on preparing the repository for the migration of the
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request represents a significant architectural shift for the
Benchmark results (collapsed in the original page; no figures captured): authorization.GetDecisions, authorization.v2.GetMultiResourceDecision, Benchmark Statistics, Bulk Benchmark Results, TDF3 Benchmark Results.
Code Review
This pull request introduces the otdfctl CLI by copying a large number of files into the repository. The changes include Go source code for the CLI commands, Makefiles, documentation, and end-to-end tests. My review focused on the overall structure and patterns in the newly added code. I've identified a few areas for improvement related to consistency in deprecation handling and potential performance issues with client-side pagination. Overall, the code seems well-structured, but these minor issues should be addressed to improve usability and maintainability.
Code Review
This pull request introduces the otdfctl CLI tool by copying over a large number of files. The changes include the CLI's command structure, handlers, documentation, and end-to-end tests. My review focuses on potential issues in the newly added code. I've identified a bug in the Makefile's version handling, a significant performance issue related to client-side pagination, and a minor maintainability issue with flag parsing. Addressing these will improve the robustness and efficiency of the new CLI tool.
Code Review
This pull request introduces a significant number of files by copying the otdfctl CLI tool into the repository. My review focuses on the newly added code, identifying opportunities for improvement in terms of maintainability, correctness, and efficiency. I've pointed out areas with duplicated code that could be refactored, potential performance bottlenecks, and minor issues in test files and configuration. Overall, the changes are substantial and form a good basis for the CLI within this repository.
Dismissing all automated comments and alerts since this PR's purpose is to migrate, not change, app + CI code.
Is there an ADR for this change? I'm aware of the benefits but unclear on the tradeoffs of this approach, if any. Downloading the latest otdfctl package is a part of the quickstart guide: https://github.com/opentdf/docs/blob/main/static/quickstart/install.sh#L132. Is it just a matter of changing the location for where to find this, or will the whole build/release process need to change as a subcomponent of platform?
01cff81 to d66bd5b
d66bd5b to fc2fac5
fc2fac5 to 24366f4
07bc639 to 5e4def8
Merge opentdf/otdfctl via git subtree into otdfctl/ subdirectory, preserving full git history and tags. Remove files handled at the platform root level (.github/, .gitignore, .golangci.yaml, CODEOWNERS, CONTRIBUTING.md, LICENSE). Update root CODEOWNERS, .gitignore, and pr-checks scope.
DSPX-2655
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Rewrite Go module path from github.com/opentdf/otdfctl to github.com/opentdf/platform/otdfctl. Update all import statements, add otdfctl to go.work workspace, and update Dockerfile.
DSPX-2656
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
* This PR updates the respective Makefiles for the monorepo and otdfctl as well as restoring the build scripts from the original otdfctl repo.
- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation
### Proposed Changes
* Add otdfctl to the checks.yaml go job matrix for govulncheck, golangci-lint, unit tests, and go fmt/tidy checks.
### Checklist
- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation
### Testing Instructions
---------
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
- Rewrites the `otdfctl-test` CI job in `checks.yaml` to use local composite action references (`./test/start-up-with-containers`, `./otdfctl/e2e`) instead of cross-repo checkouts from `opentdf/otdfctl`
- Updates `otdfctl/e2e/action.yaml`: removes external checkout step, removes `otdfctl-ref` input, uses `otdfctl/v0.26.2` subtree tag for legacy binary build
- Updates `nightly-checks.yaml` to build otdfctl from `platform/otdfctl/` instead of checking out `opentdf/otdfctl` separately
- Restores `tui/` directory lint exclusion (matching original otdfctl config) and fixes ~60 lint errors (gofumpt, unused nolint directives, perfsprint, sloglint, revive)
- Adds `.golangci.yaml` exclusion rules for deferred refactoring-level fixes (contextcheck, revive unused-parameter/unexported-return/var-naming)

Resolves [DSPX-2659](https://virtru.atlassian.net/browse/DSPX-2659)

- [ ] `otdfctl-test` CI job passes (all 19 BATS e2e test files)
- [ ] Legacy v0.26.2 binary build succeeds via `git worktree add ../otdfctl_v0.26.2 otdfctl/v0.26.2`
- [ ] Profile keyring tests pass with legacy binary
- [ ] `golangci-lint run ./...` from `otdfctl/` passes with 0 issues
- [ ] `go test ./...` from `otdfctl/` passes
- [ ] Nightly-checks workflow syntax is valid

[DSPX-2659]: https://virtru.atlassian.net/browse/DSPX-2659?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
---------
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
# Step 1: Artifact Model
## Summary
This PR implements step 1 of the policy migration plan.
It adds the initial versioned artifact model for migrate policy-graph
output under migrations/artifact, with the current schema implemented as
v1.0.0.
## Included
- Shared ArtifactMetadata for:
  - schema
  - name
  - run_id
  - created_at
- Version-based artifact construction using semver
- Initial private v1 schema implementation
- Typed summary model
- Summary() returning JSON-encoded summary data
- Write() support on the artifact interface
- Stubbed Build() and Commit() methods for later steps
- Unit tests for top-level dispatch and v1 schema behavior
## Not Included
- Build logic
- Commit logic
- Prune integration
## Example of schema
```json
{
  "metadata": {
    "schema": "v1.0.0",
    "name": "policy-migration",
    "run_id": "8f6fb617-9e95-4b66-b0b7-b91f6c88e1d1",
    "created_at": "2026-04-07T15:30:00Z"
  },
  "summary": {
    "counts": {
      "namespaces": 1,
      "actions": 1,
      "subject_condition_sets": 0,
      "subject_mappings": 0,
      "registered_resources": 1,
      "obligation_triggers": 0,
      "skipped": 0
    }
  },
  "skipped": [],
  "namespaces": [
    {
      "fqn": "https://example.com",
      "id": "11111111-1111-1111-1111-111111111111",
      "actions": [
        "22222222-2222-2222-2222-222222222222"
      ],
      "subject_condition_sets": [],
      "subject_mappings": [],
      "registered_resources": [
        "33333333-3333-3333-3333-333333333333"
      ],
      "obligation_triggers": []
    }
  ],
  "actions": [
    {
      "source": {
        "id": "22222222-2222-2222-2222-222222222222",
        "name": "read-document",
        "namespace_id": null,
        "is_standard": false
      },
      "targets": [
        {
          "namespace_id": "11111111-1111-1111-1111-111111111111",
          "namespace_fqn": "https://example.com",
          "id": "44444444-4444-4444-4444-444444444444"
        }
      ]
    }
  ],
  "subject_condition_sets": [],
  "subject_mappings": [],
  "registered_resources": [
    {
      "source": {
        "id": "33333333-3333-3333-3333-333333333333",
        "name": "finance-reports",
        "namespace_id": null,
        "values": [
          {
            "id": "55555555-5555-5555-5555-555555555555",
            "value": "/reports/finance/*",
            "action_attribute_values": [
              {
                "action_id": "22222222-2222-2222-2222-222222222222",
                "attribute_value_id": "66666666-6666-6666-6666-666666666666"
              }
            ]
          }
        ]
      },
      "targets": [
        {
          "namespace_id": "11111111-1111-1111-1111-111111111111",
          "namespace_fqn": "https://example.com",
          "id": "77777777-7777-7777-7777-777777777777",
          "values": [
            {
              "id": "88888888-8888-8888-8888-888888888888",
              "value": "/reports/finance/*",
              "action_attribute_values": [
                {
                  "action_id": "44444444-4444-4444-4444-444444444444",
                  "attribute_value_id": "66666666-6666-6666-6666-666666666666"
                }
              ]
            }
          ]
        }
      ]
    }
  ],
  "obligation_triggers": []
}
```
## Summary by CodeRabbit
* **New Features**
  * Formalized artifact schema/version framework with v1.0.0 as the baseline
  * Standardized artifact lifecycle interface and artifact metadata (schema, name, run ID, timestamp)
  * Defaulting to the current schema version when no version is provided
* **Tests**
  * Added comprehensive tests for version selection, v1 schema initialization, summaries, writing, and error cases
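An added example, not code from this PR or from the otdfctl project: a consistency check a consumer could run on an artifact shaped like the JSON above before acting on it. It assumes that each `summary.counts` entry should equal the length of the top-level array with the same name and that only `v1.x.y` schemas are understood; `CheckArtifact` and the trimmed sample are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: a trimmed artifact whose summary claims 2 actions but lists 1.
const sample = `{"metadata":{"schema":"v1.0.0","name":"policy-migration"},
 "summary":{"counts":{"namespaces":1,"actions":2,"skipped":0}},
 "skipped":[],"namespaces":[{"fqn":"https://example.com"}],
 "actions":[{"source":{"name":"read-document"}}]}`

// CheckArtifact lists problems in a migration artifact: an unsupported schema
// major version (assumption: only v1.x.y is understood), or a summary count
// that disagrees with the length of the top-level array of the same name.
func CheckArtifact(raw []byte) ([]string, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(raw, &top); err != nil {
		return nil, fmt.Errorf("artifact is not a JSON object: %w", err)
	}
	var meta struct {
		Schema string `json:"schema"`
	}
	if err := json.Unmarshal(top["metadata"], &meta); err != nil {
		return nil, fmt.Errorf("metadata: %w", err)
	}
	var summary struct {
		Counts map[string]int `json:"counts"`
	}
	if err := json.Unmarshal(top["summary"], &summary); err != nil {
		return nil, fmt.Errorf("summary: %w", err)
	}
	var problems []string
	if major, _, _ := strings.Cut(meta.Schema, "."); major != "v1" {
		problems = append(problems, fmt.Sprintf("unsupported schema %q", meta.Schema))
	}
	for name, want := range summary.Counts {
		var items []json.RawMessage
		if err := json.Unmarshal(top[name], &items); err != nil {
			problems = append(problems, name+": missing or not an array")
		} else if len(items) != want {
			problems = append(problems, fmt.Sprintf("%s: summary says %d, artifact has %d", name, want, len(items)))
		}
	}
	sort.Strings(problems) // map iteration order is random; sort for stable output
	return problems, nil
}

func main() {
	problems, err := CheckArtifact([]byte(sample))
	fmt.Println(problems, err)
}
```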
### Proposed Changes
* Adds the new otdfctl migrate command scaffold and related docs for namespaced policy migration. The work splits the migrate CLI into its own command package, adds hidden stub subcommands for namespaced-policy and prune namespaced-policy, preserves the legacy registered-resources path as hidden, and updates the migration plan/docs to reflect the new command structure
### Checklist
- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation
### Testing Instructions
ac9d36a to 40e396b
### Proposed Changes
* Add otdfctl component to platform release-please configuration for independent versioned releases
* Tags follow the monorepo per-component pattern: `otdfctl/v0.30.0`
* Register `otdfctl/pkg/config/config.go` as extra-file so release-please bumps the `Version` constant (already has `// x-release-please-version` marker)
* Create release workflow that triggers on `otdfctl/v*` tags, builds 8 cross-platform binaries (darwin amd64/arm64, linux amd64/arm/arm64, windows amd64/arm/arm64), and uploads artifacts to the GitHub release

#### Files added/modified
| File | Change |
|------|--------|
| `release-please-config.main.json` | Add `otdfctl` package entry with `extra-files` |
| `release-please-manifest.json` | Add `"otdfctl": "0.30.0"` version tracking |
| `release-please-config.otdfctl.json` | **New** — component config for `release/otdfctl/vX.Y` branches |
| `release-otdfctl.yaml` | **New** — build and upload workflow on release publish |

#### PR Stack (DSPX-2654)
1. #3205 — Subtree merge + module path rewrite (DSPX-2655, DSPX-2656)
2. #3208 — Makefile and build scripts (DSPX-2657)
3. #3221 — CI workflows (DSPX-2658)
4. #3236 — e2e tests and lint fixes (DSPX-2659)
5. **This PR** — Release pipeline (DSPX-2660)

### Checklist
- [ ] I have added or updated unit tests
- [x] I have added or updated integration tests (if appropriate)
- [x] I have added or updated documentation

### Testing Instructions
- Verify JSON configs are valid: `cat .github/release-please/release-please-config.main.json | jq .packages.otdfctl`
- Verify manifest version: `cat .github/release-please/release-please-manifest.json | jq .otdfctl`
- Verify `reusable_release-please.yaml` config lookup: branch `release/otdfctl/v0.30` → sanitized name `otdfctl` → resolves to `release-please-config.otdfctl.json`
- Full release flow testable after merge by creating a manual release with tag `otdfctl/v0.30.0`
---------
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
| - name: Extract version from tag | ||
| id: version | ||
| run: | | ||
| TAG="${{ github.event.release.tag_name }}" |
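Review bot: `TAG="${{ github.event.release.tag_name }}"` in the `run:` script of the "Extract version from tag" step expands the tag name into the script text before the shell parses it, so shell metacharacters in a tag name become part of the command, which is what the zizmor alert flags. Pass the value through an `env:` entry on the step (for example `TAG_NAME: ${{ github.event.release.tag_name }}`, a name chosen here) and read it as `TAG="$TAG_NAME"` so the tag is only ever handled as data.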
Check failure: Code scanning / zizmor: code injection via template expansion (Error)
| - name: Upload release artifacts | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh release upload "${{ github.event.release.tag_name }}" ./otdfctl/output/* |
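Review bot: the `gh release upload "${{ github.event.release.tag_name }}" ...` line in the "Upload release artifacts" step has the same template expansion inside `run:`, and this step also carries `GITHUB_TOKEN` in its environment, so the tag name should not be able to alter the command. The step already has an `env:` block: add the tag there (for example `TAG_NAME: ${{ github.event.release.tag_name }}`, a name chosen here) and call `gh release upload "$TAG_NAME" ./otdfctl/output/*`.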
Check failure: Code scanning / zizmor: code injection via template expansion (Error)
Proposed Changes
- `opentdf/otdfctl` into `otdfctl/` via `git subtree add`, preserving full git history and tags
- `go.work` workspace
DSPX-2655: Subtree merge + cleanup
- `.github/`, `.golangci.yaml`, `CONTRIBUTING.md`, `LICENSE`)
- `otdfctl/CHANGELOG.md` for historical reference
- `.gitignore`, `CODEOWNERS`, pr-checks scope
- `otdfctl/*` prefix (e.g., `otdfctl/v0.26.2`)
DSPX-2656: Module path rewrite
- `github.com/opentdf/otdfctl` → `github.com/opentdf/platform/otdfctl`
- `otdfctl` to `go.work` workspace
- `Dockerfile`
DSPX-2657: Makefile and build scripts
DSPX-2658: CI matrix
- `checks.yaml` go job matrix
PR Stack (DSPX-2654)
Checklist
Testing Instructions
- `git log --oneline --follow -M otdfctl/cmd/root.go` shows pre-merge history
- `git tag | grep otdfctl/v0.26` confirms tags imported
- `go build ./otdfctl/...` succeeds