feat: fetch scopes.yaml from a canonical location, not per-release#146
Conversation
Previously the update-sdk-schema action read scopes.yaml from each
intermediate release's assets during iteration. That ties every scope
allowlist fix to a new release cut - and freezes any broken scopes.yaml
that already shipped in historical releases. When scopes.yaml was out
of sync with the schema (e.g. v3->v4 path renames), every re-run of
the sync action produced silently-truncated SDK PRs.
Adds three inputs to the action:
scopesRepository - owner/repo to source scopes.yaml from.
Defaults to openApiRepository.
scopesConfigPath - path within scopesRepository. Default
config/scopes.yaml.
scopesRef - git ref to read from. Default main.
The action now fetches scopes.yaml from
raw.githubusercontent.com/<scopesRepository>/<scopesRef>/<scopesConfigPath>
once per iteration. A fix merged to scopesRepository@scopesRef takes
effect on the next sync run, regardless of which historical tags the
action iterates over.
The same inputs are plumbed through the update-server-side-sdk-schema
reusable workflow so consumers can override them (e.g. pin to a release
tag for reproducibility, or point at a different repo).
Trade-off: historical syncs are no longer reproducible against frozen
scope snapshots. In practice that's fine - scopes.yaml is tooling
config, not schema content. The scope surface rarely shrinks; adding
scopes/paths that didn't exist in older schemas is a no-op in
filter-schema.
|
There was a problem hiding this comment.
Pull request overview
Updates the update-sdk-schema GitHub Action to fetch scopes.yaml from a canonical repository path (instead of per-release assets), enabling scope allowlist fixes to take effect without re-cutting OpenAPI releases.
Changes:
- Add new action/workflow inputs to control where
scopes.yamlis sourced from (scopesRepository,scopesConfigPath,scopesRef). - Switch schema update logic to download
scopes.yamlviaraw.githubusercontent.comrather than from release assets. - Update Jest fixtures/mocks and rebuild the action’s
distbundle.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/update-server-side-sdk-schema.yml | Exposes new scopes-source inputs and passes them through to the action. |
| .github/actions/update-sdk-schema/action.yml | Adds action inputs for canonical scopes.yaml sourcing. |
| .github/actions/update-sdk-schema/config.ts | Extends config to include scopes-source fields and parses new inputs. |
| .github/actions/update-sdk-schema/update-schema-for-tag.ts | Replaces per-release scopes.yaml asset download with canonical repo file download. |
| .github/actions/update-sdk-schema/github.ts | Introduces downloadRepoFile helper for fetching files from raw.githubusercontent.com. |
| .github/actions/update-sdk-schema/const.ts | Removes the now-unused SCOPES_FILE constant. |
| .github/actions/update-sdk-schema/update-schema.test.ts | Updates test config objects to include new scopes-source fields. |
| .github/actions/update-sdk-schema/test/assets.ts | Updates mocked URLs to match the new raw GitHub scopes fetch. |
| .github/actions/update-sdk-schema/dist/index.js | Rebuilt bundled action output reflecting the source changes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Previously downloadAsset returned the error body as a Buffer on any non-2xx response. For release assets this was benign (URLs come from the GitHub API and rarely 404), but the new canonical scopes.yaml fetch from raw.githubusercontent.com is sensitive to typos in scopesConfigPath or scopesRef - a 404 would produce a corrupt scopes YAML that filter-schema would parse as "no allowed paths", silently reproducing the truncated-schema bug this PR is meant to fix. Adds a regression test that stubs raw.githubusercontent.com with a 404 and asserts the run aborts before generate runs.
Previously updateSchemaForTag downloaded scopes.yaml on every release iteration even though the content is identical for the whole run. Moves the fetch + parse up into updateSchema and threads the parsed ScopesMap through to each iteration. Also: - strip leading slashes from scopesConfigPath in downloadRepoFile so a stray leading '/' in the input doesn't produce a 404 - fix 'Whenever' -> 'Whether' in two input descriptions
pnpm exec changesetto create a changeset. |
This PR will create a minor release 🚀
|
Coverage report
Test suite run success15 tests passing in 7 suites. Report generated by 🧪jest coverage report action from 3da2067 Show full coverage report
|
scopes.yamlfrom a canonical repo location (defaults toconfig/scopes.yamlon the OpenAPI repo'smain) instead of each release's frozen asset. A scope-allowlist fix now takes effect on the next sync run without re-cutting releases.scopesRepository,scopesConfigPath,scopesRef; re-exposed onupdate-server-side-sdk-schemaasscopes-repository,scopes-config-path,scopes-ref. Defaults are backward-compatible — no changes needed in consumer workflows.update-schema-for-tag.tsswapsfindAsset(SCOPES_FILE, ...)→downloadRepoFilehittingraw.githubusercontent.com(no auth; openapi repo is public).Motivation
The
v3.2.0sync produced identically truncated PRs across 5 SDKs (node #239, go #46, python #188, java #20, php #211) — only/visitors/{visitor_id}survived because every historical release shipped ascopes.yamlwith v3 paths while the schema switched to v4. Fixing scopes.yaml onmain(openapi#352) doesn't help until this PR lands, because the action still downloads the frozen per-release asset.Discussion point: historical reproducibility
Syncing an old tag picks up today's scopes, not the scopes frozen at that tag's release. I think this is the right default — scopes.yaml is tooling config, not schema content, and adding scopes/paths that don't exist in an older schema is a no-op in
filter-schema. Consumers who need frozen reproducibility can pinscopesRefto a tag. Push back if this trade-off is wrong for any known use case.Discussion point: follow-ups not in this PR
upload-schemas.ymlin the openapi repo still uploadsscopes.yamlas a release asset — no longer needed but harmless; worth a cleanup PR.@v1tag needs to be moved via theMove v1 Tagworkflow after merge for consumers to pick this up.Test plan
pnpm jest .github/actions/update-sdk-schema— 8/8 pass, 4/4 snapshots pass (end-to-end "first sync with two releases" tests stable because both release fixtures had identical scopes content)prettier --checkon touched files — cleanncc build—dist/index.jsrebuilt@v1, then re-run sync forv3.2.0against the fixed scopes.yaml and verify SDK PRs contain all expected paths