chore: update openapi spec workflow#1525

Merged
ttuffin merged 1 commit into main from chore/api-spec-key-signing
Apr 13, 2026

Conversation

@ttuffin (Contributor) commented Apr 13, 2026

  • Add logic for git commit signing
  • Add logic to update existing PRs

Summary by CodeRabbit

  • Chores
    • Use a stable branch and update or deduplicate existing pull requests instead of creating per-run PRs.
    • Add support for supplying a GPG private key to cryptographically sign automated commits.
    • Allow the sync workflow to accept repository and key secrets for flexible syncing.
    • Change push behavior to force-update the stable branch and prefer editing existing PRs over always creating new ones.

@coderabbitai bot commented Apr 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: be844ecf-dfd7-4f56-95de-5377f6670c62

📥 Commits

Reviewing files that changed from the base of the PR and between 2b538c3 and 59d2793.

📒 Files selected for processing (2)
  • .github/workflows/ci.yaml
  • .github/workflows/sync-openapi-spec.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/ci.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/sync-openapi-spec.yml

📝 Walkthrough

Walkthrough

Workflow now checks out a configurable spec repo, imports a provided GPG private key to sign commits, uses a stable branch name, force-pushes updates, and either updates an existing PR or creates a new one after removing a stale branch.

Changes

Cohort / File(s) | Summary
OpenAPI Sync Workflow (.github/workflows/sync-openapi-spec.yml) | Replaced hard-coded spec repo with secrets.OPENAPI_SPEC_REPO; added OPENAPI_SPEC_SYNC_GPG_PRIVATE_KEY secret and GPG import to enable commit.gpgsign and set committer identity; switched to stable branch auto/update-eda-${SPEC_BRANCH} and git push --force; added PR deduplication: query existing PR by head/base, use gh pr edit when found, otherwise delete stale remote branch and gh pr create.
Workflow Invocation / Secrets (.github/workflows/ci.yml, .github/workflows/...) | Reusable workflow invocation now forwards two additional secrets (OPENAPI_SPEC_REPO, OPENAPI_SPEC_SYNC_GPG_PRIVATE_KEY) alongside the existing OPENAPI_SPEC_SYNC_TOKEN.

Sequence Diagram(s)

sequenceDiagram
    participant Runner as Workflow Runner
    participant GH as GitHub API / gh
    participant Repo as Spec Repo (git remote)
    participant GPG as GPG

    Runner->>GH: checkout main repo
    Runner->>Repo: git clone using secrets.OPENAPI_SPEC_REPO
    Runner->>GPG: import OPENAPI_SPEC_SYNC_GPG_PRIVATE_KEY
    GPG-->>Runner: return signing key ID
    Runner->>Runner: configure git (user, email, commit.gpgsign)
    Runner->>Repo: create/update branch auto/update-eda-${SPEC_BRANCH}
    Runner->>GH: search PR with head=auto/update-eda-${SPEC_BRANCH}&base=SPEC_BRANCH
    alt PR found
        GH-->>Runner: return PR id
        Runner->>GH: gh pr edit (update body)
        Runner->>Repo: git push --force to branch
    else PR not found
        GH-->>Runner: no matching PR
        Runner->>Repo: delete stale remote branch (if present)
        Runner->>Repo: git push --force to branch
        Runner->>GH: gh pr create (open new PR)
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The description is minimal and lacks required template sections such as purpose, issue link, testing approach, and details on dependencies or breaking changes. | Expand the description to include: the purpose of these changes, any linked issues, how to test the changes, and whether new dependencies or breaking changes are introduced.
Title check | ❓ Inconclusive | The title 'chore: update openapi spec workflow' is related to the changes but overly vague; it doesn't convey the main improvements (GPG signing and PR update logic). | Consider a more specific title like 'chore: add GPG signing and PR update logic to openapi spec workflow' to better convey the key changes.

✅ Passed checks (1 passed)

Check name | Status | Explanation
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@ttuffin (Contributor, Author) commented Apr 13, 2026

@coderabbitai review

@coderabbitai bot commented Apr 13, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ttuffin force-pushed the chore/api-spec-key-signing branch from f815451 to e8f7ae0 on April 13, 2026 11:32

@coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sync-openapi-spec.yml:
- Around line 113-123: BRANCH_NAME is a stable branch that can be force-pushed
by concurrent runs (see BRANCH_NAME, EXISTING_PR and the later force-push), so
add a guard to prevent overlapping updates: either 1) make BRANCH_NAME unique
per run (append RUN_ID or timestamp) so you never clobber another run, or 2)
before creating/force-pushing BRANCH_NAME call the GitHub API to detect
in-progress workflow runs or recent PR updates for that BRANCH_NAME (use gh run
list / gh api or inspect EXISTING_PR and the PR's updatedAt) and exit/skip if a
newer run/PR is active; implement the chosen approach and ensure the force-push
step (the later push that currently overwrites the branch) honours this check to
avoid older runs overwriting newer PR updates.
- Line 52: The reusable workflow requires three secrets (OPENAPI_SPEC_REPO,
OPENAPI_SPEC_SYNC_GPG_PRIVATE_KEY, OPENAPI_SPEC_SYNC_TOKEN) but the caller only
passes OPENAPI_SPEC_SYNC_TOKEN; update the caller (ci.yaml invocation of the
reusable workflow) to either explicitly pass OPENAPI_SPEC_REPO and
OPENAPI_SPEC_SYNC_GPG_PRIVATE_KEY in addition to OPENAPI_SPEC_SYNC_TOKEN, or
replace the explicit secrets block with secrets: inherit so all required secrets
are forwarded to the reusable workflow.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ccb6bb8c-ecbe-40e5-a159-45885b8100e3

📥 Commits

Reviewing files that changed from the base of the PR and between bf5aca0 and f815451.

📒 Files selected for processing (1)
  • .github/workflows/sync-openapi-spec.yml

@ttuffin force-pushed the chore/api-spec-key-signing branch from e8f7ae0 to 406bc28 on April 13, 2026 11:53

@ttuffin (Contributor, Author) commented Apr 13, 2026

@coderabbitai review

@coderabbitai bot commented Apr 13, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ttuffin ttuffin marked this pull request as ready for review April 13, 2026 12:03
@ttuffin ttuffin requested a review from a team as a code owner April 13, 2026 12:03
@coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/sync-openapi-spec.yml (1)

102-112: Consider using machine-readable GPG output for more robust key ID extraction.

The current parsing relies on the human-readable output format of gpg --list-secret-keys, which can vary across GPG versions. The --with-colons flag provides a stable, machine-parsable format.

♻️ Optional: More robust GPG key ID extraction
-          GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format long 2>/dev/null | grep sec | head -1 | awk '{print $2}' | cut -d'/' -f2)
+          GPG_KEY_ID=$(gpg --list-secret-keys --with-colons --keyid-format long 2>/dev/null | awk -F: '/^sec:/ {print $5; exit}')
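Review bot: `--keyid-format long` has no effect once `--with-colons` is given; field 5 of a `sec` record in colon format is always the full 16-character key ID, so the flag on the `+` line can be dropped. Both the old and the new pipeline also take the first `sec` record regardless of its validity flag (field 2), so an expired or revoked key imported alongside the intended one would be selected; tightening the awk condition to `$1 == "sec" && $2 !~ /^[erd]$/ { print $5; exit }` keeps the selection on a usable key, and the empty-GPG_KEY_ID check the prompt mentions then catches the case where none is usable.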
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sync-openapi-spec.yml around lines 102 - 112, The GPG key
extraction uses human-readable gpg output which is brittle; update the
extraction to use machine-readable output by calling gpg --list-secret-keys
--with-colons and parse the "sec" record to get the key ID (update the
GPG_KEY_ID assignment) so it reliably extracts the long key ID for git signing;
ensure the script still checks for an empty GPG_KEY_ID and then configures git
(user.name, user.email, commit.gpgsign, user.signingkey) as before.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 27eeab2e-5476-4735-a4f6-1e2b267e18bf

📥 Commits

Reviewing files that changed from the base of the PR and between f815451 and 406bc28.

📒 Files selected for processing (2)
  • .github/workflows/ci.yaml
  • .github/workflows/sync-openapi-spec.yml
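The key-selection and PR-deduplication steps discussed in this thread, as an added example that is neither the project's workflow nor CodeRabbit's suggestion: `gpg_key_id_from_listing` parses gpg's colon-format listing (the `--with-colons` approach the nitpick recommends, with a validity check added), and `pr_action` encodes the open/closed/merged decision from the earlier actionable comment. The function names, the sample colon-format lines, the `gh pr list` invocation quoted in the comments and the newest-first ordering of its output are assumptions; nothing below contacts GitHub or needs a real key.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow. Helpers for a GPG-signed sync job,
# written so the decision logic can be exercised offline on constructed input.
set -eu

# gpg_key_id_from_listing: read `gpg --batch --with-colons --list-secret-keys`
# output on stdin and print the long key ID of the first *usable* secret key.
# In colon format field 1 is the record type, field 2 the validity
# (e=expired, r=revoked, d=disabled, i=invalid) and field 5 the 16-hex-digit
# key ID, so no --keyid-format flag is needed and version-specific spacing of
# the human-readable listing never matters. Prints nothing if no key qualifies.
gpg_key_id_from_listing() {
    awk -F: '$1 == "sec" && $2 !~ /^[erdi]$/ { print $5; exit }'
}

# pr_action: decide how to handle the stable branch's pull request.
# $1 is the output of (assumed invocation, per the gh CLI docs):
#   gh pr list --head "$BRANCH_NAME" --base "$SPEC_BRANCH" --state all \
#      --json number,state --jq '.[] | "\(.number) \(.state)"'
# i.e. one "NUMBER STATE" line per PR, most recent first (assumption).
# Prints one of:
#   edit N    an open PR exists: gh pr edit N, then force-push the branch
#   reopen N  the latest PR was closed unmerged: gh pr reopen N, then edit it
#   create    nothing reusable (none, or the last one MERGED): delete the
#             stale remote branch if present, push, gh pr create
pr_action() {
    local listing="$1" number state
    number=$(printf '%s\n' "$listing" | head -n1 | awk '{ print $1 }')
    state=$(printf '%s\n' "$listing" | head -n1 | awk '{ print $2 }')
    case "$state" in
        OPEN)   echo "edit $number" ;;
        CLOSED) echo "reopen $number" ;;
        *)      echo "create" ;;
    esac
}

# How the pieces would sit in a workflow step (illustrative; needs a real
# armored private key in the secret and an authenticated gh):
#   printf '%s\n' "$OPENAPI_SPEC_SYNC_GPG_PRIVATE_KEY" | gpg --batch --import
#   GPG_KEY_ID=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null | gpg_key_id_from_listing)
#   [ -n "$GPG_KEY_ID" ] || { echo "no usable signing key" >&2; exit 1; }
#   git config user.signingkey "$GPG_KEY_ID"
#   git config commit.gpgsign true
#   git commit -m "chore: sync openapi spec"
#   git verify-commit HEAD   # fail the job if the commit did not actually get signed
#   case "$(pr_action "$(gh pr list ...)")" in edit\ *) ... ;; reopen\ *) ... ;; create) ... ;; esac
```

`git verify-commit HEAD` is the check worth keeping even after the key-ID parsing is fixed: a mis-set `user.signingkey` or a missing pinentry-free key leaves `commit.gpgsign` silently ineffective, and an unverified commit on the PR is easy to miss. The overlapping-runs concern raised in the first review is separate from this logic; for a single stable branch the usual guard is a workflow-level `concurrency:` group keyed on the branch name with `cancel-in-progress: false`, so a second run queues behind the first instead of force-pushing over it.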

@ttuffin ttuffin requested a review from kaiokmo April 13, 2026 12:06
@codecov-commenter commented Apr 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.93%. Comparing base (85efe2e) to head (59d2793).
⚠️ Report is 1 commit behind head on main.

@@           Coverage Diff           @@
##             main    #1525   +/-   ##
=======================================
  Coverage   91.93%   91.93%           
=======================================
  Files         239      239           
  Lines       10810    10810           
=======================================
  Hits         9938     9938           
  Misses        872      872           
Flag Coverage Δ
unit-int-tests-3.11 91.93% <ø> (ø)
unit-int-tests-3.12 91.93% <ø> (ø)


@ttuffin force-pushed the chore/api-spec-key-signing branch from 406bc28 to 2b538c3 on April 13, 2026 14:24

@coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/sync-openapi-spec.yml (1)

103-105: Use machine-readable GPG output for key selection.

This parses the human-readable gpg --list-secret-keys output, which is brittle in automation and can pick the wrong key if the format changes or more than one secret key is present.

Possible tweak
-          GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format long 2>/dev/null | grep sec | head -1 | awk '{print $2}' | cut -d'/' -f2)
+          GPG_KEY_ID=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null | awk -F: '$1 == "sec" { print $5; exit }')
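Review bot: this variant is the better of the two suggestions (`--batch` stops gpg from prompting, and the flag that is redundant with `--with-colons` is gone), but `2>/dev/null` still hides a failing gpg inside the command substitution, which surfaces only as an empty GPG_KEY_ID; keep that empty-value check fatal rather than a warning, and after the commit run `git verify-commit HEAD` so a commit that went unsigned fails the job instead of appearing as an unverified commit on the PR.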
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sync-openapi-spec.yml around lines 103 - 105, The current
GPG_KEY_ID extraction parses human-readable gpg output and is brittle; replace
the parsing to use machine-readable output by running gpg --list-secret-keys
--with-colons and extract the first "sec" record's key ID into GPG_KEY_ID (e.g.
use awk -F: '/^sec/ {print $5; exit}' on the --with-colons output), so update
the variable assignment for GPG_KEY_ID accordingly to reliably select the first
secret key.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sync-openapi-spec.yml:
- Around line 121-135: The current PR lookup uses gh pr list with --state open
(EXISTING_PR) which misses closed PRs; change the call to use --state all and
return both number and state (e.g., EXISTING_PR_JSON), parse out PR_NUMBER and
PR_STATE, and if PR_STATE == "closed" call gh pr reopen "$PR_NUMBER" (using
BRANCH_NAME/SPEC_REPO/SPEC_BRANCH context) before proceeding; then update the
existing conditional that checks EXISTING_PR to use PR_NUMBER (and treat
reopened PRs as found) so the workflow edits the reopened PR instead of deleting
the branch and creating a new one.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3406a8fe-fec1-4149-bb93-4fd9b3c251bc

📥 Commits

Reviewing files that changed from the base of the PR and between 406bc28 and 2b538c3.

📒 Files selected for processing (2)
  • .github/workflows/ci.yaml
  • .github/workflows/sync-openapi-spec.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/ci.yaml


@ttuffin ttuffin enabled auto-merge (squash) April 13, 2026 14:52
@jcraiglo1 jcraiglo1 requested review from jcraiglo1 and removed request for jcraiglo1 April 13, 2026 19:42
- Add logic for git commit signing
- Add logic to update existing PRs
@ttuffin force-pushed the chore/api-spec-key-signing branch from 2b538c3 to 59d2793 on April 13, 2026 19:47
@ttuffin ttuffin merged commit 12349b2 into main Apr 13, 2026
6 checks passed
@ttuffin ttuffin deleted the chore/api-spec-key-signing branch April 13, 2026 20:01
4 participants