Skip to content

ci: add spectral lint workflow for openapi.yaml#2547

Draft
mandarini wants to merge 2 commits into
masterfrom
ci/openapi-lint
Draft

ci: add spectral lint workflow for openapi.yaml#2547
mandarini wants to merge 2 commits into
masterfrom
ci/openapi-lint

Conversation

@mandarini
Copy link
Copy Markdown

@mandarini mandarini commented May 27, 2026
edited
Loading

What this is

  • Two complementary CI gates for the hand-written openapi.yaml:
    • Spectral lint — structural validation on every PR touching the spec.
    • Schemathesis contract test — fuzzes the real auth server against the spec, catching divergence between what the spec says and what the server actually returns (wrong status codes, wrong response shapes, missing endpoints, etc.).

What maintainers need to do

  • Merge as-is — no bootstrap needed.
  • First Schemathesis run will almost certainly surface drift; the hand-written spec has had no enforcement until now. The job is set to continue-on-error: true so initial findings don't block PRs.
  • Triage the findings, fix spec or server as appropriate, then flip continue-on-error: false to make it blocking.

What it's used for

  • openapi.yaml is already consumed by oapi-codegen to generate the Go client. Other-language SDKs need the same accuracy guarantee for their own code generation and type checks; today the spec can drift from server behavior with nothing to catch it.

What was added and why

  • .spectral.yaml + .github/workflows/openapi-lint.yml — Spectral with a soft-start ruleset (errors on structural issues, warns on style). Cheap baseline.
  • .github/workflows/schemathesis.yml — mirrors test.yml's postgres + make migrate_dev pattern; builds via make auth; starts the binary against hack/test.env; mints an anon JWT inline (signed with testsecret); runs schemathesis run against http://localhost:9999. Excludes endpoint patterns that send email/SMS, redirect to external OAuth providers, or perform destructive admin ops. Uploads JUnit + auth.log as artifacts.
  • Two gates because lint and contract-testing answer different questions: "is the spec well-formed?" vs "does the server actually do what the spec says?".

Stranger6667
Stranger6667 reviewed May 27, 2026
View reviewed changes
Comment thread .github/workflows/schemathesis.yml
exit 1

- name: Install Schemathesis
run: pip install --upgrade 'schemathesis>=3.36,<4' PyJWT
Copy link
Copy Markdown

@Stranger6667 Stranger6667 May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mandarini Would you consider install the latest version of Schemathesis? Branch 3.x is unsupported and haven't had any updates for ~1.5 years already (and I don't have any plans for it)

Copy link
Copy Markdown
Author

@mandarini mandarini May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep thanks! I'm just testing things out atm in any case, but of course, I'll update!

Comment thread .github/workflows/schemathesis.yml
continue-on-error: true
run: |
schemathesis run openapi.yaml \
--url=http://localhost:9999 \
Copy link
Copy Markdown

@Stranger6667 Stranger6667 May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--url is 4.x only, 3.x had --base-url

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Stranger6667 Stranger6667 Stranger6667 left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mandarini @Stranger6667