feat(cli): migrate otdfctl into platform monorepo#3205
Open
alkalescent wants to merge 16 commits intomainfrom
Open
feat(cli): migrate otdfctl into platform monorepo#3205alkalescent wants to merge 16 commits intomainfrom
alkalescent wants to merge 16 commits intomainfrom
Conversation
|
Important Review skippedToo many files! This PR contains 298 files, which is 148 over the limit of 150. ⚙️ Run configurationConfiguration used: Repository UI Review profile: ASSERTIVE Plan: Pro Run ID: ⛔ Files ignored due to path filters (2)
📒 Files selected for processing (298)
You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Contributor
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on preparing the repository for the migration of the Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. A CLI's new home, Files copied, configs set, Migration's begun. Footnotes
|
Contributor
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request represents a significant architectural shift for the Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Files copied with care, New home, new purpose they bear, CLI now takes flight. Footnotes
|
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces the otdfctl CLI by copying a large number of files into the repository. The changes include Go source code for the CLI commands, Makefiles, documentation, and end-to-end tests. My review focused on the overall structure and patterns in the newly added code. I've identified a few areas for improvement related to consistency in deprecation handling and potential performance issues with client-side pagination. Overall, the code seems well-structured, but these minor issues should be addressed to improve usability and maintainability.
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces the otdfctl CLI tool by copying over a large number of files. The changes include the CLI's command structure, handlers, documentation, and end-to-end tests. My review focuses on potential issues in the newly added code. I've identified a bug in the Makefile's version handling, a significant performance issue related to client-side pagination, and a minor maintainability issue with flag parsing. Addressing these will improve the robustness and efficiency of the new CLI tool.
Contributor
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces a significant number of files by copying the otdfctl CLI tool into the repository. My review focuses on the newly added code, identifying opportunities for improvement in terms of maintainability, correctness, and efficiency. I've pointed out areas with duplicated code that could be refactored, potential performance bottlenecks, and minor issues in test files and configuration. Overall, the changes are substantial and form a good basis for the CLI within this repository.
Contributor
Author
|
Dismissing all automated comments and alerts since this PR's purpose is to migrate not change app + CI code. |
Contributor
|
is there an ADR for this change? I'm aware of the benefits but unclear on the tradeoffs of this approach, if any. Downloading the latest otdfctl package is a part of the quickstart guide: https://github.com/opentdf/docs/blob/main/static/quickstart/install.sh#L132. Is it just a matter of changing the location for where to find this, or will the whole build/release process need to change as a subcomponent of platform? |
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
marythought
previously approved these changes
Mar 25, 2026
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
alkalescent
force-pushed
the
DSPX-2655-migrate-otdfctl
branch
from
01cff81 to
d66bd5b
Compare
alkalescent
changed the title
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
alkalescent
force-pushed
the
DSPX-2655-migrate-otdfctl
branch
from
d66bd5b to
fc2fac5
Compare
alkalescent
force-pushed
the
DSPX-2655-migrate-otdfctl
branch
from
ac9d36a to
40e396b
Compare
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
### Proposed Changes * Add otdfctl component to platform release-please configuration for independent versioned releases * Tags follow the monorepo per-component pattern: `otdfctl/v0.30.0` * Register `otdfctl/pkg/config/config.go` as extra-file so release-please bumps the `Version` constant (already has `// x-release-please-version` marker) * Create release workflow that triggers on `otdfctl/v*` tags, builds 8 cross-platform binaries (darwin amd64/arm64, linux amd64/arm/arm64, windows amd64/arm/arm64), and uploads artifacts to the GitHub release #### Files added/modified | File | Change | |------|--------| | `release-please-config.main.json` | Add `otdfctl` package entry with `extra-files` | | `release-please-manifest.json` | Add `"otdfctl": "0.30.0"` version tracking | | `release-please-config.otdfctl.json` | **New** — component config for `release/otdfctl/vX.Y` branches | | `release-otdfctl.yaml` | **New** — build and upload workflow on release publish | #### PR Stack (DSPX-2654) 1. #3205 — Subtree merge + module path rewrite (DSPX-2655, DSPX-2656) 2. #3208 — Makefile and build scripts (DSPX-2657) 3. #3221 — CI workflows (DSPX-2658) 4. #3236 — e2e tests and lint fixes (DSPX-2659) 5. **This PR** — Release pipeline (DSPX-2660) ### Checklist - [ ] I have added or updated unit tests - [x] I have added or updated integration tests (if appropriate) - [x] I have added or updated documentation ### Testing Instructions - Verify JSON configs are valid: `cat .github/release-please/release-please-config.main.json | jq .packages.otdfctl` - Verify manifest version: `cat .github/release-please/release-please-manifest.json | jq .otdfctl` - Verify `reusable_release-please.yaml` config lookup: branch `release/otdfctl/v0.30` → sanitized name `otdfctl` → resolves to `release-please-config.otdfctl.json` - Full release flow testable after merge by creating a manual release with tag `otdfctl/v0.30.0` --------- Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
## Summary Implements the dry-run planner for `migrate namespacedpolicy`, the unified CLI entrypoint for migrating legacy (unnamespaced) policy objects into target namespaces. The planner builds a full graph plan before any writes, covering actions, subject condition sets, subject mappings, registered resources, and obligation triggers. It runs a staged pipeline: - **Retrieve** legacy candidates from the platform API, including dependent objects needed for namespace derivation - **Reduce** dependency-loaded actions and SCS to only those actually referenced by in-scope objects - **Derive** target namespaces per object type, including fan-out for actions and SCS referenced from multiple namespaces - **Resolve** each derived placement against existing target-side objects (already migrated, existing standard action, needs create, or unresolved) - **Finalize** into an executable plan that preserves per-target status and rewritten dependency bindings for downstream creates ### CLI surface - `migrate namespacedpolicy --scope=<csv> --output=<path>` — writes the plan as JSON - `migrate prune namespacedpolicy --scope=<csv>` — command scaffold, not yet implemented - `--scope` accepts `actions`, `subject-condition-sets`, `subject-mappings`, `registered-resources`, `obligation-triggers` - `--commit` and `--interactive` flags are wired but not yet implemented - All commands are hidden pending completion ### Key design decisions - Scope expansion is automatic: `subject-mappings` pulls in `actions` and `subject-condition-sets`; `registered-resources` and `obligation-triggers` pull in `actions` - Subject mapping resolution is dependency-aware — it only resolves once its action and SCS dependencies are satisfiable in the same target namespace - Standard actions resolve by matching existing namespaced standard actions; no create needed - Registered resource namespace detection requires all RAAV attribute values to agree on a single namespace; ambiguous cases are recorded as unresolved - Missing target namespaces are fatal planning errors, not planned mutations - Canonical comparison uses explicit field extraction into plain Go types (not protobuf serialization) for deterministic cross-object equality ### Not yet implemented - Executor/commit behavior (create calls, label writes, manifest rewrite with target IDs) - Interactive per-scope confirmation - `migrate prune namespacedpolicy` live-graph evaluation - Artifact schema projection (metadata, summary, skipped sections) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Implemented `namespaced-policy` migration workflow with dry-run planning support * Generates migration plans as JSON output based on specified scopes * Validates configuration and produces executable migration plans * **Documentation** * Updated migration guide to clarify dry-run mode is available and `--commit` is not yet implemented <!-- end of auto-generated comment: release notes by coderabbit.ai -->
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
### Proposed Changes * Add `otdfctl/e2e` to the `github-actions` dependabot ecosystem so composite action dependencies (`actions/setup-go`, `bats-core/bats-action`, `actions/upload-artifact`) are tracked * Add `otdfctl` gomod entry with daily schedule and `github.com/opentdf/*` internal dep exclusion, matching existing module patterns #### Files modified | File | Change | |------|--------| | `.github/dependabot.yml` | Add `otdfctl/e2e` to github-actions directories; add `otdfctl` gomod entry | #### Already configured (no changes needed) | Workflow | Status | |----------|--------| | Backport | Uses repo-wide reusable workflow | | CodeQL | Scans entire repo (no path filters) | | Dependency review | Single consolidated deny-license list | | PR lint | `cli` scope already present | | Checks matrix | `otdfctl` already in directory list | #### PR Stack (DSPX-2654) 1. #3205 — Subtree merge + module path rewrite (DSPX-2655, DSPX-2656) 2. #3208 — Makefile and build scripts (DSPX-2657) 3. #3221 — CI workflows (DSPX-2658) 4. #3236 — e2e tests and lint fixes (DSPX-2659) 5. #3268 — Release pipeline (DSPX-2660) 6. **This PR** — Supporting workflows (DSPX-2661) ### Checklist - [ ] I have added or updated unit tests - [x] I have added or updated integration tests (if appropriate) - [x] I have added or updated documentation ### Testing Instructions - Verify YAML is valid: `python3 -c "import yaml; yaml.safe_load(open('.github/dependabot.yml'))"` - Verify otdfctl gomod entry: search for `directory: "/otdfctl"` in dependabot.yml - Verify github-actions directories include `/otdfctl/e2e`
| schedule: | ||
| interval: daily | ||
|
|
||
| - package-ecosystem: gomod |
Check warning
Code scanning / zizmor
insufficient cooldown in Dependabot updates Warning
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
### Proposed Changes 1.) Adds the `executor` which is in-charge of committing a specific plan. 2.) Adds commit logic for `actions` only 3.) Adds stubs for other policy constructs. ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
### Proposed Changes 1.) Commit `subject-condition-sets` 2.) Refactor code placement to avoid large `execute.go` file size. ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Added support for executing actions and subject condition sets within namespaced policy migrations * Enhanced execution result tracking with detailed failure diagnostics * **Refactor** * Streamlined error naming conventions across migration execution flows * Optimized internal state caching for target resolution * **Tests** * Expanded test coverage for policy execution and error handling scenarios <!-- end of auto-generated comment: release notes by coderabbit.ai -->
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
### Proposed Changes 1.) Add logic to commit subject mappings 2.) Wire in action / scs needed deps. ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
### Proposed Changes * Fix two zizmor-flagged code injection vulnerabilities in `release-otdfctl.yaml` by passing `github.event.release.tag_name` through `env:` variables instead of direct template expansion in `run:` blocks. ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions No functional change — the workflow behaves identically, but tag name values are now injected as environment variables rather than interpolated into shell scripts.
### Proposed Changes 1.) Add implementation for migrating `obligation triggers` ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions
Contributor
X-Test Failure Report |
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Contributor
|
Contributor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed Changes
opentdf/otdfctlintootdfctl/viagit subtree add, preserving full git history and tagsgo.workworkspaceDSPX-2655: Subtree merge + cleanup
.github/,.golangci.yaml,CONTRIBUTING.md,LICENSE)otdfctl/CHANGELOG.mdfor historical reference.gitignore,CODEOWNERS, pr-checks scopeotdfctl/*prefix (e.g.,otdfctl/v0.26.2)DSPX-2656: Module path rewrite
github.com/opentdf/otdfctl→github.com/opentdf/platform/otdfctlotdfctltogo.workworkspaceDockerfileDSPX-2657: Makefile and build scripts
DSPX-2658: CI matrix
checks.yamlgo job matrixPR Stack (DSPX-2654)
Checklist
Testing Instructions
git log --oneline --follow -M otdfctl/cmd/root.goshows pre-merge historygit tag | grep otdfctl/v0.26confirms tags importedgo build ./otdfctl/...succeeds