fix(ci): regenerate SDK from public-spec.yaml, add narrowing guard #69
@claude review

@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 173edce278
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
The backend spec repo added a narrowed --scope=public export (public-spec.yaml) that excludes dashboard-only/credential-management endpoints (health, webhooks, api-keys, billing, provider-keys, workspace-aggregates, plus a self-serve billing path carve-out under users) from the customer-facing spec. api-spec.yaml is the backend's full internal-dashboard mock/type source and was never meant to be the surface this SDK self-generates from.

Also adds a fail-closed guard (mirrors the shaping check already here): refuses to generate if the fetched spec still contains an internal-only tag or the users/me path carve-out, so a regression upstream can't silently publish internal endpoints into the public SDK. Verified the regex against the backend repo's actual public-spec.yaml (clean) and api-spec.yaml (correctly flags every internal tag).
173edce to ded6351
These 3 command groups (onepin health, onepin provider-keys, onepin workspace stats) call generated SDK resources for tags that are now excluded from public-spec.yaml (health, provider-keys, workspace-aggregates are dashboard-only per the backend's INTERNAL_TAGS classification). Left as-is, the next real SDK regen would silently drop client.health/client.provider_keys/client.workspace_aggregates and break these commands at runtime.

Removes the hand-rolled onepin/_cli/commands/health.py, the table-driven provider-keys and workspace-stats Cmd entries in _spec.py, and their registration in _registry.py. Updates the version-compat gate's stale onepin-health references (the gate itself fires on any API call, not specifically health -- unaffected functionally), the bundled agent-skill docs (SKILL.md/reference.md), the README's generated CLI reference (regenerated via scripts/gen_cli_docs.py) and hand-written usage examples, and the examples/ directory (quickstart.py's health-probe call, and the now-broken provider_keys.py example, removed).

BREAKING CHANGE: `onepin health`, `onepin provider-keys`, and `onepin workspace stats` are removed. Programmatic use of client.health / client.provider_keys / client.workspace_aggregates will also stop working once the next SDK regen lands (tracked separately -- that PR is auto-generated by regen.yml, not this one).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@claude review

@codex review

Codex Review: Didn't find any major issues. Swish!
Reviewed commit:
Leftover from the health-command removal — the trailing comment in _spec.py still pointed at commands/health.py, which no longer exists.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
🤖 I have created a release *beep* *boop*

---

## [0.8.0](v0.7.1...v0.8.0) (2026-07-03)

### Features

* sync SDK to OnePin API v0.40.2 ([#64](#64)) ([aa97888](aa97888))
* sync SDK to OnePin API v0.40.3 ([#66](#66)) ([2f2e765](2f2e765))
* sync SDK to OnePin API v0.41.33 ([#70](#70)) ([394f488](394f488))

### Bug Fixes

* **ci:** make PyPI promote idempotent for already-published versions ([#67](#67)) ([9acc656](9acc656))
* **ci:** regenerate SDK from public-spec.yaml, add narrowing guard ([#69](#69)) ([76a0b71](76a0b71))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Summary

- `regen.yml`'s spec-fetch step now pulls `public-spec.yaml` instead of `api-spec.yaml`. The backend spec repo added a narrowed `--scope=public` export excluding dashboard-only/credential-management endpoints (`health`, `webhooks`, `api-keys`, `billing`, `provider-keys`, `workspace-aggregates`, plus a self-serve billing path carve-out under `users`) from the customer-facing spec.
- `users/me/{subscription,payment-methods,invoices}` path carve-out. Verified against the backend repo's actual `public-spec.yaml` (clean) and `api-spec.yaml` (correctly refuses).
- `onepin health`, `onepin provider-keys`, and `onepin workspace stats` commands call generated resources for 3 of the excluded tags (`health`, `provider-keys`, `workspace-aggregates`). Left in place, the next real SDK regen would silently break them at runtime. Removed the commands, their table entries, tests, docs (README generated block + hand-written examples, bundled agent-skill docs), and the now-broken `examples/provider_keys.py`; fixed `quickstart.py`'s health-probe call and the version-compat gate's stale `onepin health` references (the gate itself fires on any API call, unaffected).
- `SPEC_REPO` secret already avoids naming the backend repo directly.

Test plan

- `actionlint .github/workflows/regen.yml` — clean
- `public-spec.yaml` (passes) and `api-spec.yaml` (correctly refuses)
- `uv run pytest` — 293 passed (incl. regenerated CLI manifest snapshot + README-sync drift gate)
- `uv run ruff check .` — clean
- `FERN_TOKEN`/CI secrets): the actual `fern generate` + tests/build guard — will run in CI on this PR

🤖 Generated with Claude Code
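
One way to implement the fail-closed narrowing guard described in the summary and the first commit message (an added example, not the repository's own check). The tag list and the `users/me` carve-out come from the PR text; the regexes, the `narrowing_violations` name, the OpenAPI-shape check and both sample specs are assumptions made for illustration.

```python
import re

# Tag names and the users/me carve-out come from the PR text; the regexes,
# function name and sample specs are constructed for this example.
INTERNAL_TAGS = ("health", "webhooks", "api-keys", "billing",
                 "provider-keys", "workspace-aggregates")
_ALT = "|".join(re.escape(t) for t in INTERNAL_TAGS)
_Q = r"[\"']?"  # optional YAML quote character

# Block list item (`- health`), tag object (`- name: health`) or flow list
# (`tags: [users, health]`). Any list item equal to a tag name is flagged,
# so the check over-reports rather than under-reports.
TAG_RE = re.compile(
    rf"^\s*-\s*(?:name:\s*)?{_Q}({_ALT}){_Q}\s*(?:#.*)?$"
    rf"|^\s*tags:\s*\[[^\]]*?(?<![\w-]){_Q}({_ALT}){_Q}(?![\w-])[^\]]*\]",
    re.MULTILINE)
PATH_RE = re.compile(
    r"^\s*[\"']?/\S*users/me/(subscription|payment-methods|invoices)",
    re.MULTILINE)

def narrowing_violations(spec_text: str) -> list[str]:
    """Return reasons to refuse generation; an empty list means proceed."""
    problems = set()
    # Fail closed: an empty or truncated download must not pass merely
    # because it contains nothing to match.
    if not (re.search(r"^openapi:", spec_text, re.M)
            and re.search(r"^paths:", spec_text, re.M)):
        problems.add("not a recognisable OpenAPI document")
    for m in TAG_RE.finditer(spec_text):
        problems.add(f"internal tag: {m.group(1) or m.group(2)}")
    for m in PATH_RE.finditer(spec_text):
        problems.add(f"internal path: users/me/{m.group(1)}")
    return sorted(problems)

# Constructed sample specs (not the project's real files).
PUBLIC_SPEC = """openapi: 3.0.3
paths:
  /users/me:
    get:
      tags:
        - users
"""
LEAKY_SPEC = PUBLIC_SPEC + """  /users/me/invoices:
    get:
      tags: [users, billing]
  /health:
    get:
      tags:
        - health
"""
```

In a workflow step the caller would exit non-zero whenever the returned list is non-empty, so generation never starts on a spec that fails the check.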