Releases: oasdiff/oasdiff-action

v0.0.51

31 May 05:03
f30668f

What's changed

The actions now default to allow-external-refs: false. Because CI typically runs on untrusted pull requests (including from forks), external $refs in a spec are no longer resolved by default. Specs loaded via the recommended git-ref form (base: 'origin/main:openapi.yaml') — single- or multi-file — are unaffected, since intra-repository $refs resolve via git show.

Opt back in with allow-external-refs: true on the step if your spec either references external URLs, or loads split multi-file specs by plain file path instead of the git-ref form. A new allow-external-refs input is available on all five actions (breaking, changelog, diff, pr-comment, validate).

Failures now surface as PR annotations. A genuine oasdiff error (unreadable spec, bad reference, …) is shown as a ::error:: annotation on the Checks tab rather than only in the raw log, with a one-line remedy when it's caused by a disallowed external $ref.

Security

This release fixes GHSA-fhj3-7267-7vv5. Before v0.0.51 the actions resolved external $refs by default, which on pull requests carrying untrusted spec content (notably fork PRs on public repositories) enabled SSRF and disclosure of structured files on the runner. Defaulting allow-external-refs to false closes this. See the advisory for impact and workarounds.
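
To find out before upgrading whether a spec depends on external $refs, the added example below (not code from the oasdiff project) scans spec text and reports every $ref that is not a same-document pointer. The names classify_ref, audit_spec and to_annotation and the sample spec are constructed for illustration, and the regex scan approximates what a real resolver would follow rather than reproducing it.

```python
import re

# Text-level scan: matches `$ref: value` (YAML) and `"$ref": "value"` (JSON).
REF_RE = re.compile(r"""["']?\$ref["']?\s*:\s*["']?([^"'\s,}]+)""")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Constructed sample spec for this example (not from the oasdiff project).
SAMPLE_SPEC = """\
openapi: 3.0.3
paths:
  /pets:
    get:
      responses:
        "200":
          $ref: '#/components/responses/PetList'
        "404":
          $ref: './responses/error.yaml'
        "500":
          $ref: "https://example.com/responses/error.yaml#/ServerError"
"""

def classify_ref(target):
    """Return 'internal', 'url' or 'file' for one $ref target."""
    if target.startswith("#"):
        return "internal"  # pointer into the same document
    if SCHEME_RE.match(target):
        return "url"       # absolute URL: needs external-ref resolution
    return "file"          # another file: external unless loaded via git-ref form

def audit_spec(text):
    """Return (line_no, kind, target) for every non-internal $ref."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip YAML comment lines
            continue
        for match in REF_RE.finditer(line):
            kind = classify_ref(match.group(1))
            if kind != "internal":
                findings.append((line_no, kind, match.group(1)))
    return findings

def to_annotation(path, finding):
    """Format one finding as a GitHub Actions warning annotation."""
    line_no, kind, target = finding
    return f"::warning file={path},line={line_no}::external $ref ({kind}): {target}"

if __name__ == "__main__":
    for finding in audit_spec(SAMPLE_SPEC):
        print(to_annotation("openapi.yaml", finding))
```

A `url` finding means the spec needs allow-external-refs: true to keep resolving; a `file` finding matters only when the spec is loaded by plain file path rather than the git-ref form.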

Runs on oasdiff v1.18.1.

Full Changelog: v0.0.50...v0.0.51

v0.0.50

30 May 10:56
1d160e3

Highlights

Upgraded to oasdiff v1.18.0

Every action now runs on oasdiff v1.18.0 (#127, #126). Headline changes for workflow authors:

  • Fewer false positives on breaking. Annotation-only allOf additions are no longer flagged as breaking, so doc-only edits stop failing CI gates. Eight new INFO check IDs cover the audit trail.
  • --open matches the terminal output. The rendered page from oasdiff breaking --open now filters to ERR / WARN findings, lining up with what the step prints.
  • More localized messages. Spanish, Portuguese, and Russian translations added for the exclusiveMinimum / exclusiveMaximum check families.

Full Changelog: v0.0.49...v0.0.50

v0.0.49

28 May 18:05
143743f

Highlights

Step Summary now includes a copy-friendly CLI command

The breaking and changelog actions' Step Summary previously emitted just a clickable review link. It now also includes the exact oasdiff command pre-filled with the PR's base and head SHAs, wrapped in a bash code block so GitHub renders a one-click copy button (#125).

That lets PR authors copy the command directly from the PR's Checks tab and run it locally with --open to see the side-by-side review on oasdiff.com, without going through the instruction-page detour. The link is still there for visitors who'd rather use the web UI.

Upgraded to oasdiff v1.17.0

Every action now runs on oasdiff v1.17.0, which adds two new CLI surfaces:

  • oasdiff git-diff-driver, which wires oasdiff into git as an external diff driver so git log --patch --ext-diff renders a human-readable OpenAPI changelog inline.
  • oasdiff changelog --open and oasdiff breaking --open, which upload the comparison to oasdiff.com and open a side-by-side review in your browser.

Plus a default flip for --case-insensitive-headers (now true), inline-vs-$ref subschema matching improvements, and a new public validate Go package. Full notes on the oasdiff v1.17.0 release page.

v0.0.48

25 May 21:13
50e6a34

Highlights

New: validate action

Validate a single OpenAPI spec in CI against the OpenAPI and JSON Schema rules, with a GitHub annotation on the exact line and column of every finding. Findings are graded by severity (error, warning, info), and by default the step fails only on errors.

- uses: oasdiff/oasdiff-action/validate@v0.0.48
  with:
    spec: 'openapi.yaml'

Inputs: spec (required), fail-on (ERR / WARN / INFO), allow-external-refs. Outputs: findings, error_count, warning_count, info_count. For a report-only run, leave fail-on empty and set continue-on-error: true on the step. See the README for full details.

Upgraded to oasdiff v1.16.0

Every action now runs on oasdiff v1.16.0, which adds validate, upgrade, --auto-upgrade, and case-insensitive severity/level flags.

Fixes

  • Large changelogs no longer break the PR comment. The pr-comment action now pipes both the changes payload and the POST body via stdin, so specs whose changelog exceeds the command-line size limit (ARG_MAX) post correctly (#118, #119).
  • Stable review links. Free /review links now pin to the immutable base commit SHA instead of a branch name, so a shared link keeps working after the branch advances (#117).
  • URL-style spec inputs keep their scheme. A base or revision given as a full https:// URL is passed through unchanged by the breaking, changelog, and pr-comment actions instead of having https: stripped (#120, #121).
  • Docs and CI housekeeping (#122, #123).

Full Changelog: v0.0.47...v0.0.48

v0.0.47

10 May 16:04
6147a58

Highlights

New: configure the actions with .oasdiff.yaml

All four actions (breaking, changelog, diff, pr-comment) now automatically pick up a .oasdiff.yaml file from the root of your checked-out repository, so you can keep CLI-flag-shaped options in source control instead of repeating the same with: block in every workflow.

# .oasdiff.yaml
fail-on: ERR
exclude-elements:
  - description
  - title
  - summary

  • Precedence: action with: inputs override .oasdiff.yaml, which overrides the built-in defaults.
  • Custom path: set OASDIFF_CONFIG in the workflow env: to point at a config file elsewhere.
  • The older oasdiff.yaml (no leading dot) still works as a fallback.

See the "Configuring with .oasdiff.yaml" section of the README and the oasdiff config-file reference for the full list of keys.

Upgraded to oasdiff v1.15.3

Fixes

  • fail-on from .oasdiff.yaml is honored correctly. The breaking action now runs oasdiff fewer times and tolerates oasdiff's non-zero exit when a config-file fail-on fires, so the threshold is applied without the step erroring out for the wrong reason (#112).

Full Changelog: v0.0.46...v0.0.47

v0.0.46

06 May 05:18
26ccb33

What's Changed

Full Changelog: v0.0.45...v0.0.46

v0.0.45

03 May 14:50
e7609f1

What's Changed

Full Changelog: v0.0.44...v0.0.45

v0.0.44

29 Apr 12:02
37bf9ff

What's Changed

Full Changelog: v0.0.43...v0.0.44

v0.0.43

26 Apr 16:47
c002f99

What's Changed

Full Changelog: v0.0.42...v0.0.43

v0.0.42

26 Apr 09:48
9de38a0

What's Changed

Full Changelog: v0.0.41...v0.0.42