
fix: publish actor schema and CI hotfixes for 3.0.1 #66

Merged
ar27111994 merged 6 commits into main from hotfix/issue-40-actor-schema-publish
Apr 17, 2026
Conversation

Owner

ar27111994 commented Apr 16, 2026

Description

This PR prepares and publishes the 3.0.1 hotfix changes from hotfix/issue-40-actor-schema-publish to main.

Summary of changes:

  • Move the webhook signing secret to a top-level signatureVerificationSecret actor input with isSecret: true while preserving runtime compatibility.
  • Update actor schema artifacts and related typedef/config handling for the published input contract.
  • Fix release workflows so PR checks complete successfully without publishing artifacts.
  • Ensure the required link-check workflow runs consistently for pull requests.
  • Add/adjust unit coverage for actor input schema and config handling.
  • Record the release in CHANGELOG.md and align package metadata for 3.0.1.

Issue fixed:

  • Fixes actor schema publishing and release workflow behavior for the 3.0.1 hotfix branch.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

If you selected "Breaking change", please describe the impact and migration path below:

Checklist

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have reviewed my changes for security implications

Summary by CodeRabbit

  • New Features

    • Webhook signing secret can be set via a top-level signatureVerificationSecret input (backward compatible).
  • Bug Fixes

    • CI/CD: link-check runs on all PRs; publish steps for npm/Docker are restricted to release events while PRs report successful validation.
  • Chores

    • Package and API version bumped to 3.0.1; dashboard example/version metadata synced.
  • Tests

    • Added unit tests covering schema secrets, version sync, and signature verification handling.

Copilot AI review requested due to automatic review settings April 16, 2026 15:32
Contributor

coderabbitai Bot commented Apr 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0c38183f-00d1-482e-8944-989ce8044546

📥 Commits

Reviewing files that changed from the base of the PR and between 6d938b1 and 3a4044a.

📒 Files selected for processing (1)
  • tests/unit/scripts/sync_version.test.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • tests/unit/scripts/sync_version.test.js

📝 Walkthrough

Bumps package and actor manifest to v3.0.1; moves webhook signing secret from nested signatureVerification.secret into a new top-level signatureVerificationSecret; adds normalization logic to preserve backward compatibility; updates OpenAPI version and dashboard example sync; adjusts CI workflows for PR validation and gated publishing; expands unit tests.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Version Bumps: .actor/actor.json, package.json, CHANGELOG.md | Version updated to 3.0.1 and changelog entry added for v3.0.1. |
| Input Schema: .actor/input_schema.json | Introduced top-level signatureVerificationSecret (string, secret); removed nested signatureVerification.secret; updated provider descriptions to reference the top-level secret. |
| Type & Typedefs: src/typedefs.js | Added optional signatureVerificationSecret to WebhookConfig JSDoc typedef. |
| Config Normalization: src/utils/config.js, tests/unit/utils/config.test.js | Added normalizeSignatureVerification() and adjusted parseWebhookOptions() to reconcile top-level secret with nested signatureVerification, including trimming/blank handling; tests added for compatibility scenarios. |
| API Schema & Sync Script: .actor/web_server_schema.json, scripts/sync-version.js, tests/unit/scripts/sync_version.test.js | OpenAPI info.version bumped to 3.0.1; sync-version.js now updates dashboard example text to match package version; tests expanded to assert example synchronization and conditional writes. |
| CI/CD Workflows: .github/workflows/link-check.yml, .github/workflows/release-docker.yml, .github/workflows/release-npm.yml | Added pull_request triggers for PR validation; publish steps gated to release events; link-check soft-fail allowlist extended (adds 408 and a specific badge URL) and messages generalized. |
| Tests: Schema Validation: tests/unit/actor/input_schema.test.js | New tests ensure isSecret flags appear only at top-level properties and no nested secret flags remain. |
| Misc (scripts/tests): scripts/sync-version.js (small refactor), various test fixtures | Sync script writes conditioned on schema changes; test fixtures/constants consolidated and assertions strengthened. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested labels

Possible security concern, Review effort 4/5

Poem

🐰 Hopped a patch to three-oh-one,

Secrets moved where they can run.
Tests now guard the old and new,
Workflows skip when releases aren't due.
A rabbit cheers — version synced and done!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: publishing actor schema updates and fixing CI/release workflows for version 3.0.1, which aligns with the file changes across actor manifests, workflows, and version synchronization. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

Contributor

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR publishes the 3.0.1 hotfix by updating the Apify actor input contract (moving the webhook signing secret to a top-level secret field), aligning versioned artifacts/metadata, and adjusting CI workflows so required checks pass on PRs without publishing.

Changes:

  • Introduce top-level signatureVerificationSecret (marked isSecret) and map it into runtime signatureVerification.secret while keeping backward compatibility.
  • Add unit tests covering actor input schema constraints and config mapping behavior.
  • Update release/link-check GitHub Actions to run on PRs and skip publishing outside release events; bump versions and changelog to 3.0.1.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| tests/unit/utils/config.test.js | Adds unit coverage for mapping the new top-level secret input into runtime webhook options and preserving legacy nested secrets. |
| tests/unit/actor/input_schema.test.js | Adds unit tests to ensure isSecret flags only exist on top-level schema properties (Apify compatibility). |
| src/utils/config.js | Normalizes webhook options by mapping signatureVerificationSecret into signatureVerification.secret. |
| src/typedefs.js | Extends WebhookConfig typedef to include signatureVerificationSecret. |
| package.json | Bumps package version to 3.0.1. |
| CHANGELOG.md | Records the 3.0.1 hotfix release notes. |
| .github/workflows/release-npm.yml | Runs workflow on PRs for validation and skips publishing unless triggered by a release event. |
| .github/workflows/release-docker.yml | Runs workflow on PRs for validation, fixes concurrency grouping for PR events, and gates publishing to release events. |
| .github/workflows/link-check.yml | Ensures link-check runs on every PR (removes path filters that could skip required checks). |
| .actor/web_server_schema.json | Updates OpenAPI artifact (including version) for the 3.0.1 release. |
| .actor/input_schema.json | Adds signatureVerificationSecret top-level secret field and removes nested secret field from signatureVerification. |
| .actor/actor.json | Bumps actor version to 3.0.1. |

Comment thread src/utils/config.js Outdated
Comment thread .actor/web_server_schema.json Outdated
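
The mapping this review describes (top-level signatureVerificationSecret folded into runtime signatureVerification.secret, with trimming and blank handling), as an added example that is not the project's src/utils/config.js. It assumes a non-blank top-level value takes precedence over the legacy nested one; the function names, the `provider` field and the sample values are constructed for illustration.

```javascript
// Added example: hypothetical re-implementation, not the project's config.js.
// Assumption: a non-blank top-level secret wins over the legacy nested one.

/** Trimmed non-empty string, or undefined for blank or non-string input. */
function cleanSecret(value) {
  if (typeof value !== "string") return undefined;
  const trimmed = value.trim();
  return trimmed.length > 0 ? trimmed : undefined;
}

/**
 * Fold top-level `signatureVerificationSecret` into the runtime
 * `signatureVerification.secret`. Works on a copy, never on the input.
 */
function normalizeSignatureVerificationExample(input) {
  const source = input.signatureVerification;
  const nested =
    source !== null && typeof source === "object" && !Array.isArray(source)
      ? { ...source }
      : {};
  const secret =
    cleanSecret(input.signatureVerificationSecret) ?? cleanSecret(nested.secret);

  if (secret === undefined) {
    // A blank value must not survive as "" and end up as an empty signing key.
    delete nested.secret;
  } else {
    nested.secret = secret;
  }
  return Object.keys(nested).length > 0 ? nested : undefined;
}

/** Log-safe view: reports whether a secret is set, never the value itself. */
function describeForLog(signatureVerification) {
  if (!signatureVerification) return { enabled: false };
  const { secret, ...rest } = signatureVerification;
  return { ...rest, enabled: true, hasSecret: secret !== undefined };
}

// Constructed sample inputs (not real secrets).
const SAMPLE_INPUTS = {
  topLevelOnly: {
    signatureVerificationSecret: "  constructed-top-level  ",
    signatureVerification: { provider: "github" },
  },
  legacyOnly: { signatureVerification: { provider: "github", secret: "constructed-legacy" } },
  bothSet: {
    signatureVerificationSecret: "constructed-top-level",
    signatureVerification: { provider: "github", secret: "constructed-legacy" },
  },
  blankEverywhere: {
    signatureVerificationSecret: "   ",
    signatureVerification: { provider: "github", secret: "" },
  },
};

for (const [name, input] of Object.entries(SAMPLE_INPUTS)) {
  console.log(name, describeForLog(normalizeSignatureVerificationExample(input)));
}
```
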
Contributor

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (5)
.github/workflows/release-npm.yml (1)

32-32: Optional: consider npm test instead of duplicating flags.

package.json already defines "test": "npm run test:jest -- --detectOpenHandles". Inlining --detectOpenHandles --forceExit here works, but drifts from the canonical script. If --forceExit is desired in CI specifically, consider adding a dedicated test:ci script so flags stay centralized.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-npm.yml at line 32, The workflow currently inlines
Jest flags; instead call the existing npm script instead of duplicating flags:
change the job step to run "npm test" (which delegates to "npm run test:jest --
--detectOpenHandles") or if CI needs --forceExit add a dedicated npm script
"test:ci" in package.json that runs "npm run test:jest -- --detectOpenHandles
--forceExit" and update the workflow to run "npm run test:ci"; update references
to the "test" and "test:ci" scripts accordingly so flags remain centralized.
tests/unit/actor/input_schema.test.js (1)

26-53: Optional: recursion only descends via properties.

findNestedSecretPaths only recurses through properties, so an isSecret: true flag buried inside items, additionalProperties, patternProperties, oneOf/anyOf/allOf, etc. would be missed. Not currently an issue for this schema (all nested shapes are plain properties objects), but worth expanding if the schema grows.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/unit/actor/input_schema.test.js` around lines 26 - 53, The helper
findNestedSecretPaths currently only recurses via schemaNode.properties; update
it to also descend into other container keywords (e.g., items,
additionalProperties, patternProperties, oneOf, anyOf, allOf) by detecting those
keys on the current node and calling the same recursion with the appropriate
schemaPath segment (e.g., `${schemaPath}.items`,
`${schemaPath}.additionalProperties`, `${schemaPath}.patternProperties[<key>]`,
`${schemaPath}.oneOf[<index>]`, etc.); ensure you handle both object and array
forms (items can be object or array, patternProperties is an object with
multiple schemas, oneOf/anyOf/allOf are arrays) and still collect isSecret
matches (propertyValue.isSecret === true) found in those nested locations while
preserving existing behavior for properties.
.github/workflows/release-docker.yml (1)

65-78: Minor: consider validating the Docker build on PRs without pushing.

Currently the Build and Publish Standalone Image step is entirely skipped on PRs, so a Dockerfile regression won't surface until a release is cut. You could split into a build-only step (push: false, single platform, no login) that runs on PRs, keeping the push-enabled variant gated to releases. Optional, given the rest of CI likely exercises the image.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-docker.yml around lines 65 - 78, The "Build and
Publish Standalone Image" step is skipped on PRs due to if: github.event_name ==
'release', which hides Dockerfile regressions; add a separate build-only step
that runs on pull_request (or when github.event_name != 'release') that uses
docker/build-push-action with push: false, a single platform (e.g.,
linux/amd64), no registry login and the same context/file/target to validate the
Dockerfile, and keep the existing push-enabled step gated to releases unchanged;
refer to the step name "Build and Publish Standalone Image", the action
"docker/build-push-action", and the push: true setting to locate where to add
the PR-only build variant.
scripts/sync-version.js (1)

29-30: Consider reusing a shared constant for the dashboard example prefix.

DASHBOARD_EXAMPLE_VERSION_PATTERN hard-codes the literal "Webhook Debugger & Logger " prefix, which must stay in lockstep with the string baked into .actor/web_server_schema.json's dashboard example. If the product name in that example ever changes, this regex silently stops matching and the sync becomes a no-op (no warning, no error). Defining the prefix once (e.g., in src/consts/) and referencing it from both places — or at least emitting a log.warn when the schema contains a dashboard example but the pattern doesn't match — would make future drift much easier to catch.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/sync-version.js` around lines 29 - 30,
DASHBOARD_EXAMPLE_VERSION_PATTERN currently hard-codes the "Webhook Debugger &
Logger " prefix which can drift from the same string in
.actor/web_server_schema.json; update the code to reuse a single shared constant
(e.g., import DASHBOARD_EXAMPLE_PREFIX from src/consts) when building the regex
(or constructing the pattern programmatically using that constant) so both
places reference the same source of truth, and add a fallback log.warn when a
dashboard example exists but the pattern fails to match to surface drift;
reference the DASHBOARD_EXAMPLE_VERSION_PATTERN symbol and the dashboard example
in .actor/web_server_schema.json when making the changes.
tests/unit/scripts/sync_version.test.js (1)

52-52: Nit: inconsistent computed-key style for HTTP_STATUS.OK.

Line 52 uses [HTTP_STATUS.OK.toString()] while lines 71 and 90 use [HTTP_STATUS.OK] directly. Both produce the string key "200" (numeric keys in object literals are coerced to strings), but the mismatch is distracting. Consider aligning all three on one style — preferably HTTP_STATUS.OK.toString() to mirror the production lookup in scripts/sync-version.js.

Also applies to: 71-71, 90-90

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/unit/scripts/sync_version.test.js` at line 52, Change the
computed-object-key usage for the HTTP status keys to be consistent: replace
uses of [HTTP_STATUS.OK] in the test with [HTTP_STATUS.OK.toString()] so all
three occurrences match the existing [HTTP_STATUS.OK.toString()] and mirror the
production lookup in scripts/sync-version.js; search for the symbol
HTTP_STATUS.OK in tests/unit/scripts/sync_version.test.js and update the two
mismatched computed keys to call .toString().
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/sync-version.js`:
- Around line 49-72: Add two unit tests for syncDashboardExampleVersion via the
public syncVersion entry to cover its early returns: (1) when dashboard example
is missing (typeof dashboardExample !== "string") — mock fs.readFileSync to
return a schema without APP_ROUTES.DASHBOARD and assert fsMock.writeFileSync was
not called; (2) when the example exists but doesn't match
DASHBOARD_EXAMPLE_VERSION_PATTERN (updatedExample === dashboardExample) — mock
fs.readFileSync to return a schema where
paths[APP_ROUTES.DASHBOARD].get.responses[HTTP_STATUS.OK.toString()].content[MIME_TYPES.TEXT].example
is a non-matching string, call syncVersion(), and assert fsMock.writeFileSync
was not called; reuse existing PACKAGE_JSON/ACTOR_JSON mocks and place tests in
tests/unit/scripts/sync_version.test.js.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fb36a2a5-acfa-4370-b87b-6076a1e68b95

📥 Commits

Reviewing files that changed from the base of the PR and between 7c547dd and 6d938b1.

📒 Files selected for processing (14)
  • .actor/actor.json
  • .actor/input_schema.json
  • .actor/web_server_schema.json
  • .github/workflows/link-check.yml
  • .github/workflows/release-docker.yml
  • .github/workflows/release-npm.yml
  • CHANGELOG.md
  • package.json
  • scripts/sync-version.js
  • src/typedefs.js
  • src/utils/config.js
  • tests/unit/actor/input_schema.test.js
  • tests/unit/scripts/sync_version.test.js
  • tests/unit/utils/config.test.js

Comment thread scripts/sync-version.js
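
A walker that covers the container keywords named in the nitpick on tests/unit/actor/input_schema.test.js, as an added example and not the project's findNestedSecretPaths. The function name findNestedSecretPathsDeep, the path notation and the sample schema (including forwardTargets and auth) are constructed for illustration.

```javascript
// Added example: hypothetical helper, not the project's findNestedSecretPaths.
const MAP_KEYWORDS = ["properties", "patternProperties"]; // name -> subschema
const LIST_KEYWORDS = ["oneOf", "anyOf", "allOf"]; // array of subschemas

const isSchemaObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

/** List [path, subschema] pairs for every direct child schema of `node`. */
function childSchemas(node, path) {
  const out = [];
  for (const kw of MAP_KEYWORDS) {
    if (!isSchemaObject(node[kw])) continue;
    for (const [name, sub] of Object.entries(node[kw])) out.push([`${path}.${kw}.${name}`, sub]);
  }
  for (const kw of LIST_KEYWORDS) {
    if (Array.isArray(node[kw])) node[kw].forEach((sub, i) => out.push([`${path}.${kw}[${i}]`, sub]));
  }
  // `items` is either one schema or a tuple (array) of schemas.
  if (Array.isArray(node.items)) node.items.forEach((sub, i) => out.push([`${path}.items[${i}]`, sub]));
  else out.push([`${path}.items`, node.items]);
  out.push([`${path}.additionalProperties`, node.additionalProperties]);
  // Drop absent keywords and boolean forms such as `additionalProperties: false`.
  return out.filter(([, sub]) => isSchemaObject(sub));
}

/** Paths of every `isSecret: true` that is not a direct top-level property. */
function findNestedSecretPathsDeep(schema) {
  const found = [];
  const walk = (node, path, depth) => {
    for (const [childPath, child] of childSchemas(node, path)) {
      const isTopLevelProperty = depth === 0 && childPath.startsWith(`${path}.properties.`);
      if (child.isSecret === true && !isTopLevelProperty) found.push(childPath);
      walk(child, childPath, depth + 1);
    }
  };
  walk(schema, "$", 0);
  return found;
}

// Constructed schema: one allowed top-level secret and three nested ones, of
// which only the first sits on a plain `properties` chain.
const SAMPLE_SCHEMA = {
  type: "object",
  properties: {
    signatureVerificationSecret: { type: "string", isSecret: true },
    signatureVerification: {
      type: "object",
      properties: { provider: { type: "string" }, secret: { type: "string", isSecret: true } },
    },
    forwardTargets: {
      type: "array",
      items: { type: "object", properties: { token: { type: "string", isSecret: true } } },
    },
    auth: { oneOf: [{ type: "string", isSecret: true }, { type: "null" }] },
  },
};

console.log(findNestedSecretPathsDeep(SAMPLE_SCHEMA));
```
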
Copilot AI review requested due to automatic review settings April 17, 2026 11:47
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.

Comment thread tests/unit/actor/input_schema.test.js
ar27111994 merged commit cd93e95 into main Apr 17, 2026
17 checks passed
ar27111994 deleted the hotfix/issue-40-actor-schema-publish branch April 17, 2026 12:24