Skip to content

feat: fetch scopes.yaml from a canonical location, not per-release#146

Merged
JuroUhlar merged 3 commits into
mainfrom
feat/canonical-scopes-source
Apr 23, 2026
Merged

feat: fetch scopes.yaml from a canonical location, not per-release#146
JuroUhlar merged 3 commits into
mainfrom
feat/canonical-scopes-source

Conversation

@JuroUhlar

@JuroUhlar JuroUhlar commented Apr 23, 2026

Copy link
Copy Markdown
Contributor
  • Fetch scopes.yaml from a canonical repo location (defaults to config/scopes.yaml on the OpenAPI repo's main) instead of each release's frozen asset. A scope-allowlist fix now takes effect on the next sync run without re-cutting releases.
  • Adds action inputs scopesRepository, scopesConfigPath, scopesRef; re-exposed on update-server-side-sdk-schema as scopes-repository, scopes-config-path, scopes-ref. Defaults are backward-compatible — no changes needed in consumer workflows.
  • Core change: update-schema-for-tag.ts swaps findAsset(SCOPES_FILE, ...)downloadRepoFile hitting raw.githubusercontent.com (no auth; openapi repo is public).

Motivation

The v3.2.0 sync produced identically truncated PRs across 5 SDKs (node #239, go #46, python #188, java #20, php #211) — only /visitors/{visitor_id} survived because every historical release shipped a scopes.yaml with v3 paths while the schema switched to v4. Fixing scopes.yaml on main (openapi#352) doesn't help until this PR lands, because the action still downloads the frozen per-release asset.

Discussion point: historical reproducibility

Syncing an old tag picks up today's scopes, not the scopes frozen at that tag's release. I think this is the right default — scopes.yaml is tooling config, not schema content, and adding scopes/paths that don't exist in an older schema is a no-op in filter-schema. Consumers who need frozen reproducibility can pin scopesRef to a tag. Push back if this trade-off is wrong for any known use case.

Discussion point: follow-ups not in this PR

  • upload-schemas.yml in the openapi repo still uploads scopes.yaml as a release asset — no longer needed but harmless; worth a cleanup PR.
  • @v1 tag needs to be moved via the Move v1 Tag workflow after merge for consumers to pick this up.

Test plan

  • pnpm jest .github/actions/update-sdk-schema — 8/8 pass, 4/4 snapshots pass (end-to-end "first sync with two releases" tests stable because both release fixtures had identical scopes content)
  • prettier --check on touched files — clean
  • ncc builddist/index.js rebuilt
  • After merge: move @v1, then re-run sync for v3.2.0 against the fixed scopes.yaml and verify SDK PRs contain all expected paths

Previously the update-sdk-schema action read scopes.yaml from each
intermediate release's assets during iteration. That ties every scope
allowlist fix to a new release cut - and freezes any broken scopes.yaml
that already shipped in historical releases. When scopes.yaml was out
of sync with the schema (e.g. v3->v4 path renames), every re-run of
the sync action produced silently-truncated SDK PRs.

Adds three inputs to the action:

  scopesRepository  - owner/repo to source scopes.yaml from.
                      Defaults to openApiRepository.
  scopesConfigPath  - path within scopesRepository. Default
                      config/scopes.yaml.
  scopesRef         - git ref to read from. Default main.

The action now fetches scopes.yaml from
raw.githubusercontent.com/<scopesRepository>/<scopesRef>/<scopesConfigPath>
once per iteration. A fix merged to scopesRepository@scopesRef takes
effect on the next sync run, regardless of which historical tags the
action iterates over.

The same inputs are plumbed through the update-server-side-sdk-schema
reusable workflow so consumers can override them (e.g. pin to a release
tag for reproducibility, or point at a different repo).

Trade-off: historical syncs are no longer reproducible against frozen
scope snapshots. In practice that's fine - scopes.yaml is tooling
config, not schema content. The scope surface rarely shrinks; adding
scopes/paths that didn't exist in older schemas is a no-op in
filter-schema.
@changeset-bot

changeset-bot Bot commented Apr 23, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 3da2067

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the update-sdk-schema GitHub Action to fetch scopes.yaml from a canonical repository path (instead of per-release assets), enabling scope allowlist fixes to take effect without re-cutting OpenAPI releases.

Changes:

  • Add new action/workflow inputs to control where scopes.yaml is sourced from (scopesRepository, scopesConfigPath, scopesRef).
  • Switch schema update logic to download scopes.yaml via raw.githubusercontent.com rather than from release assets.
  • Update Jest fixtures/mocks and rebuild the action’s dist bundle.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
.github/workflows/update-server-side-sdk-schema.yml Exposes new scopes-source inputs and passes them through to the action.
.github/actions/update-sdk-schema/action.yml Adds action inputs for canonical scopes.yaml sourcing.
.github/actions/update-sdk-schema/config.ts Extends config to include scopes-source fields and parses new inputs.
.github/actions/update-sdk-schema/update-schema-for-tag.ts Replaces per-release scopes.yaml asset download with canonical repo file download.
.github/actions/update-sdk-schema/github.ts Introduces downloadRepoFile helper for fetching files from raw.githubusercontent.com.
.github/actions/update-sdk-schema/const.ts Removes the now-unused SCOPES_FILE constant.
.github/actions/update-sdk-schema/update-schema.test.ts Updates test config objects to include new scopes-source fields.
.github/actions/update-sdk-schema/test/assets.ts Updates mocked URLs to match the new raw GitHub scopes fetch.
.github/actions/update-sdk-schema/dist/index.js Rebuilt bundled action output reflecting the source changes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/update-server-side-sdk-schema.yml Outdated
Comment thread .github/actions/update-sdk-schema/config.ts
Comment thread .github/actions/update-sdk-schema/github.ts
Comment thread .github/actions/update-sdk-schema/update-schema-for-tag.ts Outdated
Comment thread .github/actions/update-sdk-schema/action.yml Outdated
Previously downloadAsset returned the error body as a Buffer on any
non-2xx response. For release assets this was benign (URLs come from
the GitHub API and rarely 404), but the new canonical scopes.yaml
fetch from raw.githubusercontent.com is sensitive to typos in
scopesConfigPath or scopesRef - a 404 would produce a corrupt scopes
YAML that filter-schema would parse as "no allowed paths", silently
reproducing the truncated-schema bug this PR is meant to fix.

Adds a regression test that stubs raw.githubusercontent.com with a
404 and asserts the run aborts before generate runs.
Previously updateSchemaForTag downloaded scopes.yaml on every release
iteration even though the content is identical for the whole run.
Moves the fetch + parse up into updateSchema and threads the parsed
ScopesMap through to each iteration.

Also:
- strip leading slashes from scopesConfigPath in downloadRepoFile so
  a stray leading '/' in the input doesn't produce a 404
- fix 'Whenever' -> 'Whether' in two input descriptions
@github-actions

Copy link
Copy Markdown
Contributor

⚠️ This PR doesn't contain any changesets. If there are user-facing changes, don't forget to run:

pnpm exec changeset

to create a changeset.

@github-actions

Copy link
Copy Markdown
Contributor

This PR will create a minor release 🚀

⚠️ This is a test run of the release-notes-comment action that can be found in .github/workflows/analyze-commits.yml

1.4.0 (2026-04-23)

Features

  • add proseWrap: never to prettier config (101c925)
  • add releaseWorkingDirectory option for Analyze Commits action (a9fa691)
  • add releaseWorkingDirectory option for release TypeScript project workflow (9ee782b)
  • add action for testing template consistency (52c1945)
  • add additional, optional tags parameter to set-datadog-team (771544a)
  • add changeset changelog format package (d6ba005)
  • add changeset preview action (b752bd0)
  • add changesets release action (2433caa)
  • add eslint rule to discourage type-casting in typescript (91e84a6)
  • add force param to sync workflow (d691eec)
  • add github link to commit SHA (84765fd)
  • add option for custom commands for changesets (bf02865)
  • add option to configure action runner in build typescript project workflow (470a111)
  • add option to configure action runner in coverage diff action (c77cd27)
  • add option to configure action runner in release typescript project action (dbbdeac)
  • add option to pass app id and app token to create pr action (fd4a1ba)
  • add pre-release-tag input (d3fa387)
  • add retry to github requests (64142ad)
  • add schema filtering to the update schema action (b33345d)
  • add schema-source input for updating SDK schema reusable workflow (0fc110e)
  • add set-datadog-team reusable workflow (ec70a99)
  • add support for custom plugins in analyze-commits workflow (48f0fc7)
  • add support for handling multiple OpenAPI releases during sync (ace4a3f)
  • add workflow for triggering E2E tests for server-side SDK (50cf12e)
  • add workflow for updating server-side SDK schema (2077c7e)
  • changeset-release-notes: make logs more verbose (9b8503f)
  • configure linter to check actions folder (74783de)
  • don't require environment=production for changesets to create a PR (4b8be0c)
  • fetch scopes.yaml from a canonical repo location, not per-release (2c8c2bf)
  • load scopes from release, use whitelist instead of blacklist (153d47e)
  • setup lang during changeset release (82f98de)
  • support file uploads to the GitHub release in release-sdk-changesets (90deef3)
  • update message if there are no changesets (85df099)
  • use changesets from OpenAPI repo for generating release notes (114dd05)
  • use GitHub app for changesets release (3823858)
  • use white-list approach for filtering scopes (40dd0a6)

Bug Fixes

  • always install node for schema sync action (a95235f)
  • avoid showing legacy notes in preview (d3a262f)
  • don't add changeset manually to pre.json (6834a4b)
  • fix duplicate pnpm install for changeset release in node projects (4319c36)
  • fix upload step in multi package repos (ce8cce5)
  • handle multiple GitHub releases in correct order (39524cd)
  • improve code readability for changeset-determine-step action based on review (69d5be0)
  • improve schema cleanup after filtering scopes for update-sdk-schema action (3a07c6f)
  • release-typescript-project: use release working directory for dist artifact (f5460e9)
  • release-typescript-project: use release working directory for dist artifact in build stage (c5351bd)
  • show correct notes in preview in pre-release mode (71a4eb1)
  • throw on non-2xx responses in downloadAsset (507f0e4)
  • trim scopes (075394f)
  • typo (559fbe3)
  • update regex to support both quoted styles in changesets (954c0a6)
  • use ubuntu-latest for coverage-diff.yml reusable workflow (f5b1bb6)
  • use correct name of the node-version input (8cbd957)
  • use correct starting tag for schema sync (6c2eeca)
  • use correct token name (f9f52aa)

@github-actions

Copy link
Copy Markdown
Contributor

Coverage report

St.
Category Percentage Covered / Total
🔴 Statements 50% 3/6
🟢 Branches 100% 0/0
🔴 Functions 50% 1/2
🔴 Lines 25% 1/4

Test suite run success

15 tests passing in 7 suites.

Report generated by 🧪jest coverage report action from 3da2067

Show full coverage report
St File % Stmts % Branch % Funcs % Lines Uncovered Line #s
🟡 All files 50 100 50 25
🟢  greeting.ts 100 100 100 100
🔴  index.ts 0 100 0 0 1-4

@JuroUhlar
JuroUhlar requested a review from ilfa April 23, 2026 12:55
@JuroUhlar
JuroUhlar merged commit 3499196 into main Apr 23, 2026
17 checks passed
@JuroUhlar
JuroUhlar deleted the feat/canonical-scopes-source branch April 23, 2026 13:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants