Skip to content

Migrate spec docs and tooling from plexapi-dev-docs#119

Open
LukasParke wants to merge 3 commits into
mainfrom
migrate-dev-docs-spec
Open

Migrate spec docs and tooling from plexapi-dev-docs#119
LukasParke wants to merge 3 commits into
mainfrom
migrate-dev-docs-spec

Conversation

@LukasParke

@LukasParke LukasParke commented Jun 13, 2026

Copy link
Copy Markdown
Owner

Migrates the spec-related documentation and tooling from LukasParke/plexapi-dev-docs into this canonical spec repository.

Changes

  • Added contributor docs under docs/:
    • api-contract.md — OpenAPI 3.1 contract decisions and security notes.
    • sdk-generation-strategy.md — Hybrid generated + hand-written SDK strategy.
    • endpoints.md — Generated operation list from plex-api-spec.yaml.
  • Added validation and tooling scripts under scripts/:
    • validate-spec.mjs — Parses and dereferences the spec.
    • openapi-diff.mjs — Breaking-change detection against origin/main.
    • generate-reference.mjs — Regenerates docs/endpoints.md.
  • Added package.json, pnpm-lock.yaml, and .github/workflows/spec-validate.yml.
  • Added .spectral.yaml ruleset.
  • Updated README.md with links to the live docs site and the mintlify/docs repo.

Notes

  • The validation script uses SwaggerParser.dereference() instead of .validate() because swagger-parser's bundled schema incorrectly rejects valid OpenAPI 3.1 server-variable description fields in plex-api-spec.yaml.
  • .spectral.yaml is included for manual use; it is not run in CI because the current spec triggers a spectral/nimma crash on server-variable objects.

Verification

  • pnpm install
  • pnpm spec:validate
  • pnpm spec:generate-reference
  • pnpm spec:diff

Summary by CodeRabbit

  • Documentation

    • Added comprehensive API contract documentation outlining the canonical OpenAPI specification, validation process, and security standards.
    • Added SDK generation strategy guide detailing language roadmap, validation pipeline, and developer experience requirements.
    • Generated complete API endpoint reference with HTTP methods, paths, operation IDs, and authentication/response format conventions.
    • Updated README with repository structure, validation commands, and contribution guidelines.
  • Chores

    • Added automated CI/CD validation workflow for OpenAPI specification changes.
    • Implemented breaking-change detection and reference generation tooling.
    • Updated API specification with normalized examples and improved validation patterns.

…dev-docs

- Add contributor docs: api-contract.md and sdk-generation-strategy.md
- Add docs/endpoints.md generated from plex-api-spec.yaml
- Add validation/diff/reference generation scripts adapted for YAML
- Add package.json, pnpm-lock.yaml, and spec-validate CI workflow
- Update README with links to live docs and canonical repos

Note: spectral lint is included as a script/ruleset but not run in CI because
the current spec triggers a known spectral/nimma crash on server-variable objects.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@coderabbitai

coderabbitai Bot commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This pull request establishes comprehensive infrastructure for managing the Plex Media Server OpenAPI 3.1 specification. It introduces validation scripts, CI/CD enforcement, reference documentation generation, detailed SDK generation strategy, and normalization of spec examples for consistency.

Changes

OpenAPI Specification Infrastructure

Layer / File(s) Summary
Validation tooling foundation and npm setup
package.json, scripts/validate-spec.mjs, .spectral.yaml
New npm project configured with scripts for spec validation, linting, diffing, and reference generation. Validation script locates the canonical OpenAPI spec file and confirms successful parsing whilst reporting path and schema counts. Spectral linting enforces stricter error levels for operation IDs and tag definitions.
Breaking change detection via diff script
scripts/openapi-diff.mjs
Script compares baseline (from git history) and head OpenAPI specs to identify breaking changes (removed paths, operations, newly required parameters) whilst allowing non-breaking additions. Gracefully handles missing baseline specs and exits with appropriate status codes.
Generated endpoint reference documentation
scripts/generate-reference.mjs, docs/endpoints.md
Script parses the OpenAPI spec and generates a comprehensive Markdown reference table listing all endpoints by method, path, summary, and operation ID, along with authentication requirements and response format guidance for the API consumer.
CI validation workflow orchestration
.github/workflows/spec-validate.yml
GitHub Actions workflow runs on push and pull request to main, executing the three spec-related commands in sequence: validation, reference regeneration with diff enforcement, and breaking-change detection.
API contract documentation and standards
docs/api-contract.md
Provides guidance on the canonical OpenAPI 3.1 contract specification, validation practices, and security handling for authentication tokens.
SDK generation strategy and project contributing guide
docs/sdk-generation-strategy.md, README.md
Comprehensive strategy document defines a hybrid hand-written and OpenAPI-generated SDK model with target language phases, validation pipelines, release/versioning expectations, security standards, and developer experience requirements. README updated with repository structure and contribution guidelines requiring spec validation in CI.
OpenAPI spec normalization and example updates
plex-api-spec.yaml
Systematically normalizes parameter examples and validation patterns throughout the specification: resolution regex expanded to multi-digit form, parameter examples converted to consistent JSON string/array quoting, transcoder parameters harmonised, parameter formats corrected (urluri), new top-level tags added (Authentication, Plex, Users), and schema examples refined for consistency.

A specification most proper, with validation forthwith,
And scripts to enforce what the API doth gift,
Breaking changes detected ere they slip through the door,
Documented and governed, the OpenAPI's core.


🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the primary change: migrating specification documentation and tooling from another repository into this one.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch migrate-dev-docs-spec

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

LukasParke and others added 2 commits June 13, 2026 09:55
- Remove null examples that crash Spectral's oas3-schema validation
  (UserPlexAccount, UserProfile schemas)
- Add missing global tags: Authentication, Plex, Users
- Fix example types to match their schemas:
  - string examples for playQueueItemID, X-Plex-Platform-Version, verificationCode
  - array examples for device, sort, channelsEnabled, entitlements
  - enum value casing for subtitles (Burn -> burn)
- Change photo/videoResolution pattern to allow multi-digit values
  (^^d[x:]\d$ -> ^\d+[x:]\d+$)
- Fix url parameter format from non-standard 'url' to 'uri'
- Replace nested Guid id example with a single string example
- Fix playlist Policy.value example from empty string to integer 0

Validation results:
- pnpm spec:validate: passes (196 paths, 51 schemas)
- pnpm spec:lint: 0 errors, 113 warnings (warnings are pre-existing)
- pnpm spec:diff: no breaking changes

Fixes PLE-43
- Remove server-variable  fields that swagger-parser's bundled
  OpenAPI 3.1 schema rejects (valid per spec, but the bundled schema has a
  typo: 'descriptions' instead of 'description').
- Switch validate-spec.mjs from SwaggerParser.dereference back to
  SwaggerParser.validate now that the spec passes strict validation.

Validation results:
- pnpm spec:validate now runs SwaggerParser.validate successfully
- pnpm spec:lint: 0 errors, 113 warnings (warnings are pre-existing)
- pnpm spec:diff: no breaking changes

Co-Authored-By: Paperclip <noreply@paperclip.ing>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/spec-validate.yml:
- Around line 1-38: The workflow "name: Validate canonical OpenAPI spec"
currently relies on default permissions; add an explicit minimal permissions
block at the top of the workflow YAML (adjacent to the existing name/on keys)
such as "permissions: contents: read" to restrict access, ensuring the jobs
(including the "validate" job and its steps like "Validate OpenAPI spec" and
"Check generated reference is up to date") run with least privilege.
- Around line 13-24: The workflow uses mutable tags for third-party actions
(actions/checkout@v4, pnpm/action-setup@v4, actions/setup-node@v4); pin each
action reference to its immutable commit SHA instead (e.g., replace
actions/checkout@v4 with actions/checkout@<commit-sha>, pnpm/action-setup@v4
with pnpm/action-setup@<commit-sha>, and actions/setup-node@v4 with
actions/setup-node@<commit-sha>) by looking up the exact commit SHA from each
action's GitHub repo/releases and updating the yml entries accordingly so the
workflow uses fixed SHAs.

In `@scripts/openapi-diff.mjs`:
- Around line 11-28: The getBaseSpec function is vulnerable to command injection
because it interpolates the unvalidated ref into a shell command; fix it by
switching from a shell-invoking execSync call to a non-shell form (e.g.,
child_process.execFileSync or spawnSync) and pass git and its arguments as an
argument array instead of a single interpolated string, and additionally
validate/sanitize the ref (for example allow only a safe pattern like
alphanumerics, slashes, dots, dashes, and underscores) before using it; update
the getBaseSpec implementation to call git using execFileSync('git', ['show',
`${ref}:plex-api-spec.yaml`], {...}) (or equivalent) and reject or escape refs
that don't match the allowed pattern to eliminate injection risk.
- Around line 19-25: The current check that looks for stderr.includes("Path
'plex-api-spec.yaml' does not exist") || stderr.includes("Invalid object name")
and then calls process.exit(0) silently makes the CI step pass when the baseline
spec is missing; change this so the step fails by default and only skips when an
explicit allow flag is set: modify the branch that detects the missing-baseline
case to log an error (include the stderr) and call process.exit(1) unless a
clear opt-in env var (e.g. ALLOW_MISSING_BASELINE or SKIP_MISSING_BASELINE) is
present, and if that env var is set keep the current informational log and
exit(0) (or continue), ensuring the missing-baseline behavior is now explicit
and not a silent CI pass.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 29078abb-6a13-483d-8460-a4d3ea209b13

📥 Commits

Reviewing files that changed from the base of the PR and between ed6572e and 82149ba.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (11)
  • .github/workflows/spec-validate.yml
  • .spectral.yaml
  • README.md
  • docs/api-contract.md
  • docs/endpoints.md
  • docs/sdk-generation-strategy.md
  • package.json
  • plex-api-spec.yaml
  • scripts/generate-reference.mjs
  • scripts/openapi-diff.mjs
  • scripts/validate-spec.mjs

Comment on lines +1 to +38
name: Validate canonical OpenAPI spec

on:
push:
branches: [main]
pull_request:
branches: [main]

jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 10.18.1

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm

- name: Install dependencies
run: pnpm install --frozen-lockfile

- name: Validate OpenAPI spec
run: pnpm spec:validate

- name: Check generated reference is up to date
run: |
pnpm spec:generate-reference
git diff --exit-code docs/endpoints.md

- name: Dry-run breaking-change detection
run: pnpm spec:diff

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | 💤 Low value

One might consider explicit permissions for enhanced security posture.

Whilst the workflow functions admirably, I note with respect that it relies upon default permissions. Best practices suggest explicitly declaring minimal required permissions, typically contents: read for such validation workflows.

This is, of course, an optional refinement rather than a pressing concern.

🔒 Proposed explicit permissions declaration
 name: Validate canonical OpenAPI spec

 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]

+permissions:
+  contents: read
+
 jobs:
   validate:
     runs-on: ubuntu-latest
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
name: Validate canonical OpenAPI spec
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 10.18.1
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Validate OpenAPI spec
run: pnpm spec:validate
- name: Check generated reference is up to date
run: |
pnpm spec:generate-reference
git diff --exit-code docs/endpoints.md
- name: Dry-run breaking-change detection
run: pnpm spec:diff
name: Validate canonical OpenAPI spec
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 10.18.1
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Validate OpenAPI spec
run: pnpm spec:validate
- name: Check generated reference is up to date
run: |
pnpm spec:generate-reference
git diff --exit-code docs/endpoints.md
- name: Dry-run breaking-change detection
run: pnpm spec:diff
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 13-13: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[warning] 1-39: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 21-21: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 10-10: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 3-7: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/spec-validate.yml around lines 1 - 38, The workflow "name:
Validate canonical OpenAPI spec" currently relies on default permissions; add an
explicit minimal permissions block at the top of the workflow YAML (adjacent to
the existing name/on keys) such as "permissions: contents: read" to restrict
access, ensuring the jobs (including the "validate" job and its steps like
"Validate OpenAPI spec" and "Check generated reference is up to date") run with
least privilege.

Comment on lines +13 to +24
- uses: actions/checkout@v4

- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 10.18.1

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

I humbly suggest pinning GitHub Actions to commit SHAs for enhanced security.

If I may be so bold, the static analysis tool has raised a pertinent security consideration. The workflow presently references actions by tag (e.g., @v4), which, whilst convenient, does present a theoretical supply-chain vulnerability should a tag be moved.

The security-conscious approach would be to pin to specific commit SHAs, thus ensuring immutability.

🔐 Proposed enhancement for supply-chain security
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0

-      - name: Set up Node.js
-        uses: actions/setup-node@v4
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v4
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 10.18.1
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 20
cache: pnpm
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install pnpm
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
with:
version: 10.18.1
- name: Set up Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 20
cache: pnpm
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 13-13: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 21-21: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/spec-validate.yml around lines 13 - 24, The workflow uses
mutable tags for third-party actions (actions/checkout@v4, pnpm/action-setup@v4,
actions/setup-node@v4); pin each action reference to its immutable commit SHA
instead (e.g., replace actions/checkout@v4 with actions/checkout@<commit-sha>,
pnpm/action-setup@v4 with pnpm/action-setup@<commit-sha>, and
actions/setup-node@v4 with actions/setup-node@<commit-sha>) by looking up the
exact commit SHA from each action's GitHub repo/releases and updating the yml
entries accordingly so the workflow uses fixed SHAs.

Comment thread scripts/openapi-diff.mjs
Comment on lines +11 to +28
function getBaseSpec(ref) {
try {
return execSync(`git show ${ref}:plex-api-spec.yaml`, {
encoding: "utf-8",
stdio: ["pipe", "pipe", "pipe"],
});
} catch (err) {
const stderr = String(err.stderr || err);
if (
stderr.includes("Path 'plex-api-spec.yaml' does not exist") ||
stderr.includes("Invalid object name")
) {
console.log("ℹ️ No baseline spec found in git history; skipping breaking-change check.");
process.exit(0);
}
throw err;
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Command injection vulnerability in git command construction.

I must respectfully draw your attention to a most concerning matter on Line 13. The ref parameter, derived from process.argv[2], is interpolated directly into the shell command without proper validation or escaping. A less-than-scrupulous individual might exploit this by providing a malicious argument such as "origin/main; rm -rf /".

Whilst I acknowledge this is a development script, good form dictates we guard against such misadventures.

🛡️ Proposed remedy to prevent command injection
 function getBaseSpec(ref) {
+  // Validate ref contains only safe characters
+  if (!/^[\w\/.@-]+$/.test(ref)) {
+    throw new Error(`Invalid git reference: ${ref}`);
+  }
   try {
     return execSync(`git show ${ref}:plex-api-spec.yaml`, {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
function getBaseSpec(ref) {
try {
return execSync(`git show ${ref}:plex-api-spec.yaml`, {
encoding: "utf-8",
stdio: ["pipe", "pipe", "pipe"],
});
} catch (err) {
const stderr = String(err.stderr || err);
if (
stderr.includes("Path 'plex-api-spec.yaml' does not exist") ||
stderr.includes("Invalid object name")
) {
console.log("ℹ️ No baseline spec found in git history; skipping breaking-change check.");
process.exit(0);
}
throw err;
}
}
function getBaseSpec(ref) {
// Validate ref contains only safe characters
if (!/^[\w\/.@-]+$/.test(ref)) {
throw new Error(`Invalid git reference: ${ref}`);
}
try {
return execSync(`git show ${ref}:plex-api-spec.yaml`, {
encoding: "utf-8",
stdio: ["pipe", "pipe", "pipe"],
});
} catch (err) {
const stderr = String(err.stderr || err);
if (
stderr.includes("Path 'plex-api-spec.yaml' does not exist") ||
stderr.includes("Invalid object name")
) {
console.log("ℹ️ No baseline spec found in git history; skipping breaking-change check.");
process.exit(0);
}
throw err;
}
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/openapi-diff.mjs` around lines 11 - 28, The getBaseSpec function is
vulnerable to command injection because it interpolates the unvalidated ref into
a shell command; fix it by switching from a shell-invoking execSync call to a
non-shell form (e.g., child_process.execFileSync or spawnSync) and pass git and
its arguments as an argument array instead of a single interpolated string, and
additionally validate/sanitize the ref (for example allow only a safe pattern
like alphanumerics, slashes, dots, dashes, and underscores) before using it;
update the getBaseSpec implementation to call git using execFileSync('git',
['show', `${ref}:plex-api-spec.yaml`], {...}) (or equivalent) and reject or
escape refs that don't match the allowed pattern to eliminate injection risk.

Comment thread scripts/openapi-diff.mjs
Comment on lines +19 to +25
if (
stderr.includes("Path 'plex-api-spec.yaml' does not exist") ||
stderr.includes("Invalid object name")
) {
console.log("ℹ️ No baseline spec found in git history; skipping breaking-change check.");
process.exit(0);
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check if the workflow properly handles missing baseline

# Check if there are any safeguards in the workflow
rg -n "spec:diff" .github/workflows/

Repository: LukasParke/plex-api-spec

Length of output: 135


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Inspect the targeted script section
echo "---- scripts/openapi-diff.mjs (lines 1-120) ----"
nl -ba scripts/openapi-diff.mjs | sed -n '1,120p'

# 2) Inspect the workflow step that runs spec:diff
echo "---- .github/workflows/spec-validate.yml (lines 1-120) ----"
nl -ba .github/workflows/spec-validate.yml | sed -n '1,120p'

# 3) Find how `spec:diff` is defined (pnpm scripts) + where it points
echo "---- package.json (spec scripts) ----"
rg -n "\"spec:diff\"|spec-validate|openapi-diff" package.json pnpm-lock.yaml -S || true
ls -la package.json
nl -ba package.json | sed -n '1,160p'

# 4) Search for the specific stderr strings and baseline logic
echo "---- Search for baseline / stderr strings in scripts ----"
rg -n "plex-api-spec\.yaml|Invalid object name|baseline|origin/main|spec:diff|openapi-diff" scripts -S

Repository: LukasParke/plex-api-spec

Length of output: 178


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- scripts/openapi-diff.mjs (lines 1-120) ----"
cat -n scripts/openapi-diff.mjs | sed -n '1,120p'

echo "---- scripts/openapi-diff.mjs (lines 120-240) ----"
cat -n scripts/openapi-diff.mjs | sed -n '120,240p'

echo "---- .github/workflows/spec-validate.yml (lines 1-120) ----"
cat -n .github/workflows/spec-validate.yml | sed -n '1,120p'

echo "---- package.json (first 200 lines) ----"
cat -n package.json | sed -n '1,200p'

echo "---- Search for spec:diff wiring and stderr strings ----"
rg -n "pnpm spec:diff|openapi-diff|plex-api-spec\.yaml|Invalid object name|baseline|origin/main" . -S

Repository: LukasParke/plex-api-spec

Length of output: 9466


Avoid silent CI pass when the baseline OpenAPI spec is missing
In scripts/openapi-diff.mjs, if git show origin/main:plex-api-spec.yaml fails with a missing-file or invalid-ref error, the script logs an info message and exits with process.exit(0), so the “Dry-run breaking-change detection” step in .github/workflows/spec-validate.yml will pass while skipping the check entirely. Consider failing the step (or making it conditional via an explicit “allow missing baseline” mechanism) so future PRs can’t inadvertently bypass breaking-change detection.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/openapi-diff.mjs` around lines 19 - 25, The current check that looks
for stderr.includes("Path 'plex-api-spec.yaml' does not exist") ||
stderr.includes("Invalid object name") and then calls process.exit(0) silently
makes the CI step pass when the baseline spec is missing; change this so the
step fails by default and only skips when an explicit allow flag is set: modify
the branch that detects the missing-baseline case to log an error (include the
stderr) and call process.exit(1) unless a clear opt-in env var (e.g.
ALLOW_MISSING_BASELINE or SKIP_MISSING_BASELINE) is present, and if that env var
is set keep the current informational log and exit(0) (or continue), ensuring
the missing-baseline behavior is now explicit and not a silent CI pass.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant