Skip to content

fix: align scopes.yaml with v4 schema paths#352

Merged
JuroUhlar merged 2 commits into
mainfrom
fix/scopes-yaml-v4-paths
Apr 23, 2026
Merged

fix: align scopes.yaml with v4 schema paths#352
JuroUhlar merged 2 commits into
mainfrom
fix/scopes-yaml-v4-paths

Conversation

@JuroUhlar

Copy link
Copy Markdown
Contributor

Summary

Fixes the path-scope allowlist to match the v4 OpenAPI schema. The SDK sync action was filtering out every events path because scopes.yaml still listed v3-era names (/events/{request_id}, /events/search) while the released fingerprint-server-api-v4.yaml uses /events/{event_id} and /events.

Evidence

All 5 open SDK sync PRs for tag v3.2.0 are identically truncated — only /visitors/{visitor_id} survives because that path name is unchanged across v3→v4:

Job logs (example) confirm every SDK downloads fingerprint-server-api-v4.yaml (the schema-path input in the sync workflow is only the local save path, not the download source).

Changes

  • events: /events/{request_id} (get+put) → /events/{event_id} (get+patch)
  • events-search: /events/search (get) → /events (get)
  • visitors: removed obsolete v3 get on /visitors/{visitor_id}, keeps delete
  • webhook: tracepost — cosmetic only; /webhook doesn't exist as a path in v4 (webhook moved to OpenAPI 3.1 top-level webhooks:, which filter-schema doesn't touch)
  • related-visitors: unchanged — no v4 equivalent, kept as an inert scope name so allowed-scopes in the sync workflow and scripts/changeset.js keep working

v4 path/method mappings verified against schemas/paths/event.yaml, events.yaml, visitors.yaml.

Caveats — important for re-running sync

scopes.yaml is bundled as a per-release asset (.github/workflows/upload-schemas.yml). The update-sdk-schema action downloads scopes.yaml from each intermediate release it iterates through (update-schema-for-tag.ts). That means:

  • This fix only corrects future releases. Existing v3.0.0, v3.0.1, v3.1.0, v3.2.0 release assets still ship the broken scopes.yaml.
  • Re-running the sync action against any of those tags will still produce the same truncated PRs.

To fully unblock SDK syncs, one of the following is needed in addition to this PR:

  1. Cut a new release (e.g. patch) that ships the fixed scopes.yaml, and have each SDK's .schema-version bump directly to that new tag — skipping the broken intermediate ones.
  2. Manually re-upload the fixed scopes.yaml to the existing broken releases.
  3. Patch dx-team-toolkit/update-sdk-schema to source scopes.yaml from a single canonical location instead of per-release (longer term).

No changeset

This is a tooling config fix, not a schema change — the public schema contract is unaffected. The pending events-rfc3339-timestamps.md changeset will drive the next release regardless and ship this fix alongside it.

Test plan

  • pnpm test (77/77 pass)
  • pnpm lint (clean)
  • prettier --check config/scopes.yaml (clean)
  • Simulated filter-schema.ts with the new scopes against the released fingerprint-server-api-v4.yaml/events/{event_id} (get, patch), /events (get), /visitors/{visitor_id} (delete) all survive
  • After merge + release, re-run sync for the new tag and verify the resulting SDK PRs contain all expected paths (not just /visitors/{visitor_id})

The SDK sync action (dx-team-toolkit/update-sdk-schema) filters the
downloaded schema by allowed scopes using scopes.yaml. Paths still
listed v3 names (/events/{request_id}, /events/search) while the
released fingerprint-server-api-v4.yaml uses /events/{event_id} and
/events, so the filter deleted every events path and left only
/visitors/{visitor_id}. All 5 open SDK sync PRs for v3.2.0 (node #239,
go #46, python #188, java #20, php #211) are truncated identically;
node-sdk's generated types collapsed from 1421 lines to 3.

Updates events/events-search/visitors to the v4 paths and methods
(get+patch on /events/{event_id}, get on /events, delete on
/visitors/{visitor_id}). webhook and related-visitors scopes keep
their names and now-inert paths - they don't exist in the v4 schema
but the filter ignores unmatched scopes, and removing them would
just produce noise in the filter logs and break scope names referenced
by scripts/changeset.js.
@changeset-bot

changeset-bot Bot commented Apr 23, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 5398fef

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions

github-actions Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

Schema Diff vs Published Schemas

  • Generated at: 2026-04-23T11:01:39.266Z
  • Published source: https://fingerprintjs.github.io/fingerprint-pro-server-api-openapi/schemas
  • Compared schemas: 8
  • Changed schemas: 0

No schema changes detected between local build output and published GitHub Pages schemas.

ilfa
ilfa previously approved these changes Apr 23, 2026
Added functionality to the lintChangesets script to check for valid scopes defined in config/scopes.yaml. The script now flags changesets with invalid scopes and accepts changesets without a scope line. Updated tests to cover these new validations.
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Following releases will be created using changesets from this PR:

fingerprint-pro-server-api-openapi@3.3.0

Minor Changes

  • events-search: Accept RFC3339 timestamps for start and end filter parameters in addition to Unix milliseconds (d26c53b)

@JuroUhlar JuroUhlar merged commit 4410b77 into main Apr 23, 2026
7 checks passed
@JuroUhlar JuroUhlar deleted the fix/scopes-yaml-v4-paths branch April 23, 2026 11:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants