ci: move audit-api-spec to separate workflow

starfy84 · starfy84 · commit 93364f400182 · 2025-12-18T17:52:21.000-05:00
Ticket: DX-2592
diff --git a/.github/workflows/audit-api-spec.yaml b/.github/workflows/audit-api-spec.yaml
@@ -0,0 +1,201 @@
+name: Audit API Spec
+
+on:
+  pull_request:
+
+env:
+  STATIC_ANALYSIS_BOT_APP_ID: 1819979
+jobs:
+  generate-head-api-spec:
+    name: Generate head API spec
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+
+      - name: Cache npm dependencies
+        id: node-modules-cache
+        uses: actions/cache@v5
+        with:
+          path: "**/node_modules"
+          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
+
+      - name: Install Dependencies
+        if: steps.node-modules-cache.outputs.cache-hit != 'true'
+        run: npm ci
+
+      - name: Generate API spec
+        run: |
+          ./node_modules/.bin/openapi-generator \
+            src/masterBitgoExpress/routers/index.ts \
+            > generated.json
+
+      - name: Remove unknown tags from generated spec
+        run: |
+          jq '(.paths[] | .[]? | select(. != null)) |= del(."x-unknown-tags")' generated.json > openapi.json
+
+      - name: Convert merged spec to YAML
+        run: yq -P < openapi.json > openapi-head.yaml
+
+      - name: Upload API spec to artifact
+        uses: actions/upload-artifact@v6
+        with:
+          name: openapi-head.yaml
+          path: openapi-head.yaml
+
+  generate-merge-base-api-spec:
+    name: Generate merge base API spec
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Find and checkout merge base
+        run: |
+          git fetch origin ${{ github.event.pull_request.base.ref }}
+          MERGE_BASE=$(git merge-base HEAD origin/${{ github.event.pull_request.base.ref }})
+          echo "Merge base commit: $MERGE_BASE"
+          git checkout $MERGE_BASE
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+
+      - name: Cache npm dependencies
+        id: node-modules-cache
+        uses: actions/cache@v5
+        with:
+          path: "**/node_modules"
+          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
+
+      - name: Install Dependencies
+        if: steps.node-modules-cache.outputs.cache-hit != 'true'
+        run: npm ci
+
+      - name: Generate API spec
+        run: |
+          ./node_modules/.bin/openapi-generator \
+            src/masterBitgoExpress/routers/index.ts \
+            > generated.json
+
+      - name: Remove unknown tags from generated spec
+        run: |
+          jq '(.paths[] | .[]? | select(. != null)) |= del(."x-unknown-tags")' generated.json > openapi.json
+
+      - name: Convert merged spec to YAML
+        run: yq -P < openapi.json > openapi-merge-base.yaml
+
+      - name: Upload API spec to artifact
+        uses: actions/upload-artifact@v6
+        with:
+          name: openapi-merge-base.yaml
+          path: openapi-merge-base.yaml
+
+  generate-vacuum-reports:
+    name: Generate vacuum reports for API spec
+    runs-on: ubuntu-latest
+    needs: [generate-head-api-spec]
+    steps:
+      - name: Checkout PR head for ruleset
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Download head API spec artifact
+        uses: actions/download-artifact@v7
+        with:
+          name: openapi-head.yaml
+
+      - name: Download and install vacuum v0.18.1
+        run: |
+          curl -L \
+            --output vacuum.tar.gz \
+            --silent \
+            --show-error \
+            --fail \
+            https://github.com/daveshanley/vacuum/releases/download/v0.18.1/vacuum_0.18.1_linux_x86_64.tar.gz
+          tar -xzf vacuum.tar.gz
+          chmod u+x vacuum
+          sudo mv vacuum /usr/local/bin/
+          vacuum version
+
+      - name: Audit head API spec with Vacuum
+        run: |
+          vacuum report \
+            --no-style \
+            --stdout \
+            openapi-head.yaml > vacuum-report.json
+
+          jq '.resultSet.results // []' vacuum-report.json > vacuum-results.json
+
+          ERROR_COUNT=$(jq '[.[] | select(.ruleSeverity == "error")] | length' vacuum-results.json)
+          WARNING_COUNT=$(jq '[.[] | select(.ruleSeverity == "warn")] | length' vacuum-results.json)
+
+          echo "Found $ERROR_COUNT error(s) and $WARNING_COUNT warning(s)"
+
+          if [ "$ERROR_COUNT" -gt 0 ]; then
+            echo "API specification audit failed with $ERROR_COUNT error(s)"
+            echo ""
+            echo "Errors:"
+            jq -r '.[] | select(.ruleSeverity == "error") | "  - [\(.ruleId)] \(.message) at \(.path)"' vacuum-results.json
+            exit 1
+          else
+            echo "API specification audit passed!"
+          fi
+
+  check-breaking-changes:
+    name: Check breaking changes
+    needs: [generate-head-api-spec, generate-merge-base-api-spec]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download head API spec artifact
+        uses: actions/download-artifact@v7
+        with:
+          name: openapi-head.yaml
+
+      - name: Download merge base API spec artifact
+        uses: actions/download-artifact@v7
+        with:
+          name: openapi-merge-base.yaml
+
+      - name: Create static-analysis config file
+        run: |
+          cat <<EOF > .static-analysis.yaml
+          ---
+          api_version: static-analysis.bitgo/v1alpha1
+
+          rules:
+          - path: rules/openapi/breaking-changes
+            severity: error
+            options:
+              before_spec_path: openapi-merge-base.yaml
+              after_spec_path: openapi-head.yaml
+          EOF
+      - name: Generate GitHub App Token
+        id: generate-github-app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ env.STATIC_ANALYSIS_BOT_APP_ID }}
+          private-key: ${{ secrets.STATIC_ANALYSIS_BOT_PRIVATE_KEY }}
+          owner: bitgo
+          repositories: |
+            static-analysis
+
+      - name: Install BitGo/static-analysis/static-analysis@v1
+        uses: BitGo/install-github-release-binary@v2
+        with:
+          targets: BitGo/static-analysis/static-analysis@v1
+          token: ${{ steps.generate-github-app-token.outputs.token }}
+      - name: Check breaking changes
+        run: |
+          static-analysis
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -41,73 +41,3 @@ jobs:
             VCS_REF=${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-
-  audit-api-spec:
-    name: Audit API Spec
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout PR
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 22
-      - name: Cache npm dependencies
-        id: node-modules-cache
-        uses: actions/cache@v4
-        with:
-          path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-modules-
-      - name: Install Dependencies
-        if: steps.node-modules-cache.outputs.cache-hit != 'true'
-        run: npm ci
-
-      - name: Download and install vacuum v0.18.1
-        run: |
-          curl -L \
-            --output vacuum.tar.gz \
-            --silent \
-            --show-error \
-            --fail \
-            https://github.com/daveshanley/vacuum/releases/download/v0.18.1/vacuum_0.18.1_linux_x86_64.tar.gz
-          tar -xzf vacuum.tar.gz
-          chmod u+x vacuum
-          sudo mv vacuum /usr/local/bin/
-          vacuum version
-
-      - name: Generate API spec
-        run: |
-          ./node_modules/.bin/openapi-generator \
-            src/masterBitgoExpress/routers/index.ts \
-            > api-generated.json
-
-      - name: Audit with Vacuum
-        run: |
-          vacuum report \
-            --no-style \
-            --stdout \
-            --ruleset ruleset.yaml \
-            api-generated.json > vacuum-report.json
-
-          jq '.resultSet.results // []' vacuum-report.json > vacuum-results.json
-
-          ERROR_COUNT=$(jq '[.[] | select(.ruleSeverity == "error")] | length' vacuum-results.json)
-          WARNING_COUNT=$(jq '[.[] | select(.ruleSeverity == "warn")] | length' vacuum-results.json)
-
-          echo "Found $ERROR_COUNT error(s) and $WARNING_COUNT warning(s)"
-
-          if [ "$ERROR_COUNT" -gt 0 ]; then
-            echo "API specification audit failed with $ERROR_COUNT error(s)"
-            echo ""
-            echo "Errors:"
-            jq -r '.[] | select(.ruleSeverity == "error") | "  - [\(.ruleId)] \(.message) at \(.path)"' vacuum-results.json
-            exit 1
-          else
-            echo "API specification audit passed!"
-          fi
