Skip to content

openapi: Add openapi/lint composite action#207

Merged
reakaleek merged 4 commits into
mainfrom
pricey-variety
Jul 6, 2026
Merged

openapi: Add openapi/lint composite action#207
reakaleek merged 4 commits into
mainfrom
pricey-variety

Conversation

@reakaleek

@reakaleek reakaleek commented Jul 3, 2026

Copy link
Copy Markdown
Member

Closes https://github.com/elastic/docs-eng-team/issues/639

What

Adds openapi/lint, a composite GitHub Action wrapping Spectral to lint OpenAPI specs (Swagger 2.0, OpenAPI 3.0.x, 3.1.x) against a centralized ruleset maintained in this repo.

Why

Foundation work for the OpenAPI-to-S3 rollout (elastic/docs-eng-team#634, tracker #638). Closes elastic/docs-eng-team#639.

How

  • openapi/lint/ruleset.yaml: two-tier Spectral ruleset — error for parse/$ref/OAS-schema validity (non-negotiable), warn for authoring conventions (operationId casing, security scheme names, required metadata, x-state shape). Existing consumer specs pass as-is at the default error severity; fail-on-warn: true is the future enforcement lever.
  • openapi/lint/action.yml: validates input, runs npx @stoplight/spectral-cli (no secrets, fork-safe), emits PR annotations (-f github-actions) plus a machine-readable JSON summary, writes a job summary table, and fails per the fail-on-warn input.
  • Fixtures + test-openapi-lint.yml matrix cover valid 2.0/3.0/3.1 specs, a broken $ref, a schema violation, convention-only warnings, and a non-OpenAPI file.

Deferred to a follow-up: the x- extension allowlist rule (RFC open question 3). Will file a separate docs-eng-team issue for it.

Test plan

  • Verified the ruleset locally against 8 fixture scenarios (npx spectral lint) — all match expected pass/fail/warning counts.
  • pre-commit run passes (check-yaml, action-readme, actionlint).
  • CI (test-openapi-lint matrix) green on this PR.

Notes

Once merged, file the x- extension allowlist as a follow-up issue referencing the seeded inventory in elastic/docs-eng-team#639.

Adds a Spectral-based OpenAPI lint action with a centralized ruleset
(error tier for parse/$ref/OAS-schema validity, warn tier for authoring
conventions) covering Swagger 2.0, OpenAPI 3.0, and 3.1. The x- extension
allowlist rule from the RFC is deferred to a follow-up issue.

Closes elastic/docs-eng-team#639 (partial — allowlist follow-up tracked separately)

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@reakaleek reakaleek requested a review from a team as a code owner July 3, 2026 11:15
@reakaleek reakaleek requested a review from cotti July 3, 2026 11:15
@reakaleek reakaleek added the enhancement New feature or request label Jul 3, 2026
- Cache ~/.npm/_npx keyed on the pinned spectral-cli version so npx
  doesn't cold-download the package on every run.
- Replace three separate jq passes over the results file with one,
  and fold the unrecognized-format special case into a documented,
  extensible list of always-error diagnostic codes.
- Merge the "Fail on results" step into the job-summary step, dropping
  the now-unnecessary intermediate step.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@reakaleek reakaleek self-assigned this Jul 3, 2026
The custom elastic-* rules encoded specific conventions from the
docs-eng-team#639 analysis (operationId casing, security scheme
naming, x-state shape) that consumer teams haven't agreed to yet.
Comment them out as examples instead of shipping them as active
warn-tier rules; land each one via PR once its convention is adopted.

The warn tier now only re-enables spectral:oas built-in hygiene rules
(operationId presence, required descriptions/tags/servers). Updated
the convention-warnings fixture to exercise those instead.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
- '.github/workflows/test-openapi-lint.yml'

permissions:
contents: read

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: Is it OK to have read here for the test workflow?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No change needed — contents: read is correct here. This test workflow only checks out the repo (actions/checkout) and invokes the local composite action; it never writes to the repo, opens PRs, or calls other write-scoped APIs, so read-only is the right least-privilege setting.

Comment thread openapi/lint/action.yml
env:
SPEC_PATH: ${{ inputs.spec-path }}
FAIL_ON_WARN: ${{ inputs.fail-on-warn }}
run: |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would set -euo pipefail be useful here?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 355df64 — added set -euo pipefail to all three composite-action shell steps (Validate inputs, Run Spectral, Write job summary), not just the one you flagged, so failures like a malformed jq/read fail loudly instead of silently continuing with empty values. The npx ... || EXIT=$? capture still works fine under set -e since it's the non-final side of an || list.

@cotti cotti left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, added a couple of points

@reakaleek reakaleek merged commit cd07102 into main Jul 6, 2026
12 checks passed
@reakaleek reakaleek deleted the pricey-variety branch July 6, 2026 19:36
reakaleek added a commit to reakaleek/kibana that referenced this pull request Jul 6, 2026
elastic/docs-actions#207 and elastic#208 merged and v1 was tagged, so drop
the placeholder commit-SHA pins in favor of the released tag.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants