widget/.github/workflows/contract-drift.yml at dev · Marketrix-ai/widget · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: Contract Drift
# Fails the PR if widget's scoped SDK mirror (src/sdk/contract.ts + contracts/*)
# has drifted from the source of truth in Marketrix-ai/api (sdk/widget.ts +
# contracts/*). Uses the same sync-consumers.mjs generator in --check mode so
# the gate and the write path are provably equivalent.
#
# TOKEN REQUIREMENT
# -----------------
# This workflow sparse-checkouts the relevant paths from the PRIVATE
# Marketrix-ai/api repo, so it needs a token with read access. Create a
# repo or org secret:
#
#   CONTRACTS_READ_TOKEN = fine-grained PAT with "Contents: read" on
#                          Marketrix-ai/api (read-only, no write scopes).
#
# Without it the job fails fast with a clear message rather than a confusing
# 404 from the GitHub API.
on:
  pull_request:
    paths:
      - src/sdk/**
      - .github/workflows/contract-drift.yml
  workflow_dispatch:
  schedule:
    # Weekly — catches api-side contract changes that never touched this mirror
    # (those won't trigger the pull_request paths filter). Mondays 06:00 UTC.
    - cron: '0 6 * * 1'

permissions:
  contents: read

jobs:
  drift:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-node@v6
        with:
          node-version: 24

      - name: Verify CONTRACTS_READ_TOKEN is present
        env:
          CONTRACTS_READ_TOKEN: ${{ secrets.CONTRACTS_READ_TOKEN }}
        run: |
          if [ -z "${CONTRACTS_READ_TOKEN}" ]; then
            echo "::error::CONTRACTS_READ_TOKEN secret is not set. Add a fine-grained PAT with 'Contents: read' on Marketrix-ai/api as a repo or org secret named CONTRACTS_READ_TOKEN."
            exit 1
          fi

      - name: Sparse-checkout api contracts + sync generator from Marketrix-ai/api@dev
        env:
          GH_TOKEN: ${{ secrets.CONTRACTS_READ_TOKEN }}
        run: |
          set -euo pipefail
          mkdir -p .api-src
          git -C .api-src init
          git -C .api-src remote add origin "https://x-access-token:${GH_TOKEN}@github.com/Marketrix-ai/api.git"
          git -C .api-src config core.sparseCheckout true
          printf 'contracts/\nscripts/sync-consumers.mjs\nsdk/\n' > .api-src/.git/info/sparse-checkout
          git -C .api-src fetch --depth=1 origin dev
          git -C .api-src checkout FETCH_HEAD
          if [ ! -f ".api-src/scripts/sync-consumers.mjs" ]; then
            echo "::error::sync-consumers.mjs not found in .api-src — check token and branch."
            exit 1
          fi

      - name: Check contract drift (sync-consumers --check)
        run: |
          node .api-src/scripts/sync-consumers.mjs widget \
            --check \
            --api-root .api-src \
            --dest src/sdk