feat: add API validation script with Zod schemas and CI workflow inte…#113
feat: add API validation script with Zod schemas and CI workflow inte…#113kpj2006 wants to merge 8 commits into
Conversation
|
Warning Review limit reached
Next review available in: 33 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
WalkthroughThis PR adds GitHub API validation tooling: reusable GraphQL queries, a Zod-based validation script for mock and live REST/GraphQL checks, and supporting Makefile, npm, and GitHub Actions wiring to run validation. ChangesAPI Validation Tooling
Estimated code review effort: 3 (Moderate) | ~25 minutes Suggested labels: Poem
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
There was a problem hiding this comment.
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/api-validation.yml:
- Around line 21-27: The workflow uses mutable action tags for actions/checkout
and actions/setup-node; update both uses entries to immutable commit SHAs
instead of `@v4`. Keep the existing behavior in the api-validation workflow, but
pin the checkout and Node setup steps to specific SHA references so the workflow
is hardened against tag mutation.
- Around line 1-35: The API validation workflow is using default GITHUB_TOKEN
permissions and leaving checkout credentials persisted, which are unnecessary
for schema validation. Add an explicit least-privilege permissions block for the
workflow/job in api-validation.yml and configure the Checkout repository step to
avoid persisting credentials. Keep the change scoped to the validate job and
preserve the existing validate-api execution with GITHUB_TOKEN only if still
needed.
In `@scripts/validate-api.js`:
- Around line 225-239: fetchGraphQL currently only rejects on HTTP failures, so
GitHub GraphQL responses with a top-level errors array still flow into Zod and
hide the real API error. Update fetchGraphQL to inspect the parsed JSON response
and throw a descriptive error when errors is present before returning data, then
make the callers that validate GraphQLOrgDetailsSchema and the other GraphQL
schemas consume only the data payload after this check.
- Around line 315-439: The live REST validation logic in validate-api.js is
duplicated across the repository, contributors, issues, and rate-limit blocks,
making the flow hard to maintain and easy to drift. Extract the repeated
fetchREST + array check + safeParse + handleZodError + 403 handling into a
shared helper such as validateLiveRESTCollection, then call it from the existing
live REST sections using the specific URL, schema, and label for each resource.
Keep the existing logging behavior and use the same fetchREST, handleZodError,
and schema symbols so the refactor stays localized.
- Around line 210-223: The 403 handling in fetchREST and its downstream catch
blocks is relying on a message substring that never matches, so the
unauthenticated skip path is dead code. Update fetchREST to throw a 403-specific
signal that can be checked reliably, and change the affected catch blocks that
inspect err.message.includes('403') to use a structured status check like
err.status === 403 instead. Make sure the logic around fetchREST and the live
REST skip handling stays consistent so rate-limit/forbidden responses gracefully
skip instead of setting failed = true.
- Around line 25-152: The schemas in validate-api.js are still using deprecated
chained string format methods, especially `.url()`, which will break on a future
Zod major version. Update the affected fields in `OrganizationSchema`,
`RepositorySchema`, `ContributorSchema`, `IssueSchema`,
`GraphQLOrgDetailsSchema`, and `GraphQLRepoIssuesSchema` to use the top-level
`z.url()` form instead of `z.string().url()`. Keep the existing
optional/nullable structure intact while migrating each URL field to the new
API.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 38446e7a-f81c-4fa6-80bd-d992c4eb524b
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (5)
.github/workflows/api-validation.ymlMakefilepackage.jsonscripts/validate-api.jssrc/services/queries.js
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
…I/CD workflow testing
|
Please resolve the merge conflicts before review. Your PR will only be reviewed by a maintainer after all conflicts have been resolved. 📺 Watch this video to understand why conflicts occur and how to resolve them: |
…gration
Addressed Issues:
Fixes #(issue number)
Screenshots/Recordings:
Additional Notes:
Checklist
We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.
Summary by CodeRabbit