Add OpenAPI generation workflow#1398
Conversation
|
@brendan-kellam your pull request is missing a changelog! |
WalkthroughAdds a new GitHub Actions workflow that triggers on PRs to ChangesOpenAPI Spec Auto-generation Workflow
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (2)
.github/workflows/generate-openapi.yml (2)
18-23: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winSet
persist-credentials: falseon checkout and configure push auth explicitly.The checkout step persists the GitHub token in git config by default, which zizmor flags as a credential-persistence risk. While the push step needs authentication, it is safer to disable persistence and configure the remote URL with the token only where needed.
Add
persist-credentials: falseto the checkout step, then update the push step to use the token explicitly:- name: Checkout repository uses: actions/checkout@v4 with: submodules: "true" ref: ${{ github.head_ref }} token: ${{ secrets.GITHUB_TOKEN }} persist-credentials: falseAnd in the commit step, before
git push:git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}`@github.com/`${{ github.repository }}.git git push🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/generate-openapi.yml around lines 18 - 23, The checkout step in the workflow currently persists the GitHub token in git config, so update the actions/checkout@v4 configuration to set persist-credentials: false in the “Checkout repository” step. Then make the push authentication explicit in the commit/push step by updating the remote URL with the token right before git push, using the existing GITHUB_TOKEN and the push-related step that performs the commit.Source: Linters/SAST tools
38-49: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winAdd
pull --rebasebefore push to avoid race-condition rejections.If the PR branch receives new commits between checkout and push, the bare
git pushwill fail with a non-fast-forward error. Add a pull-rebase step before pushing:git pull --rebase origin ${{ github.head_ref }} git pushAdditionally, consider whether the OpenAPI generation is fully deterministic. If
createPublicOpenApiDocumentembeds timestamps, non-sorted schema keys, or environment-dependent values, the workflow could commit spurious diffs on every run. Verify that generation output is stable for identical inputs.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/generate-openapi.yml around lines 38 - 49, The commit-and-push step in the OpenAPI generation workflow can fail on non-fast-forward updates, so update the commit block in the workflow to rebase the current branch before pushing by using the existing git push flow around the commit step; reference the Commit regenerated spec if changed block and the git push command. Also review createPublicOpenApiDocument output for stability and make sure generated spec content is deterministic (no timestamps, unstable key ordering, or environment-dependent values) so the workflow does not produce spurious commits.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/generate-openapi.yml:
- Around line 18-23: The checkout step in the workflow currently persists the
GitHub token in git config, so update the actions/checkout@v4 configuration to
set persist-credentials: false in the “Checkout repository” step. Then make the
push authentication explicit in the commit/push step by updating the remote URL
with the token right before git push, using the existing GITHUB_TOKEN and the
push-related step that performs the commit.
- Around line 38-49: The commit-and-push step in the OpenAPI generation workflow
can fail on non-fast-forward updates, so update the commit block in the workflow
to rebase the current branch before pushing by using the existing git push flow
around the commit step; reference the Commit regenerated spec if changed block
and the git push command. Also review createPublicOpenApiDocument output for
stability and make sure generated spec content is deterministic (no timestamps,
unstable key ordering, or environment-dependent values) so the workflow does not
produce spurious commits.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: ba74afbf-a55b-4341-871c-fa0c54f7ef81
📒 Files selected for processing (1)
.github/workflows/generate-openapi.yml
Summary
Testing
Summary by CodeRabbit