Fix actor schema validation release flow #77

Merged
ar27111994 merged 10 commits into main from hotfix/issue-74-actor-schema-publish
Apr 17, 2026

@ar27111994 (Owner) commented Apr 17, 2026

Summary

  • bump the package and Actor metadata to 3.0.2
  • switch Actor input schema validation to the project-installed apify CLI
  • add the 3.0.2 changelog entry for the schema publish fix
  • sync the generated Actor web server schema metadata to the new release version

Validation

  • npm run validate:schemas
  • npm test -- --runInBand tests/unit/actor/input_schema.test.js tests/unit/scripts/sync_version.test.js
  • npm run lint

Summary by CodeRabbit

  • Bug Fixes

    • Restored missing alert-channel descriptions in the actor input settings.
    • Improved request forwarding robustness (Content-Length parsing/fallbacks).
  • Improvements

    • Added stronger schema validation to CI to catch input/schema issues earlier.
    • Normalized link-checks and release tagging for more stable CI behavior.
  • Tests

    • Added coverage ensuring all input schema fields include non-empty descriptions.

Copilot AI review requested due to automatic review settings April 17, 2026 15:20
coderabbitai Bot (Contributor) commented Apr 17, 2026

Walkthrough

Bumps project and actor versions to 3.0.2; adds/normalizes schema metadata and validation scripts; reforms OpenAPI/web server schema formatting; adjusts multiple CI/CD workflows (split validate/publish, change schema validation command, conditional publish/tagging); and adds tests enforcing schema descriptions and response key stringification.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Version & Package: .actor/actor.json, package.json, CHANGELOG.md | Bumped actor and package versions to 3.0.2; added validate:input-schema and validate:schemas npm scripts; added dev deps (@apify/input_secrets, apify-cli); updated changelog entries for 3.0.2. |
| Actor Schemas: .actor/input_schema.json, .actor/web_server_schema.json | Moved/reordered top-level properties (allowedIps, signatureVerificationSecret), added descriptions for alerts.slack/alerts.discord, updated OpenAPI info.version to 3.0.2, added servers array, and reformatted/reordered component/schema objects (no behavioral API contract changes indicated). |
| CI/CD Workflows: .github/workflows/ci.yml, .github/workflows/release-npm.yml, .github/workflows/release-docker.yml | Replaced validate:web-server-schema step with validate:schemas; split validate/publish into separate jobs with release-only publish guarded by if: github.event_name == 'release'; adjusted id-token permissions scoping; and made Docker tag resolution conditional on event type and prerelease. |
| Link-check workflow update: .github/workflows/link-check.yml | Replaced direct URL Set membership with normalizeUrlKey helper and a Set of normalized origin+pathname keys to soft-fail certain link-check errors (403/408/429). |
| Tests & Fixtures: tests/unit/actor/input_schema.test.js, tests/unit/scripts/sync_version.test.js | Added recursive findMissingDescriptions helper and test asserting all schema properties have non-empty description; adjusted test fixtures / assertions to use stringified HTTP status keys (HTTP_STATUS.OK.toString()). |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

Review effort 4/5

Poem

🐰 I nudged the schema, hopped it up a tree,
Versions bumped — three dot oh dot two, whee!
CI split its chores, tags learned when to play,
Tests sniff descriptions so none stray away.
A carrot for docs, and a tidy deploy day. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Fix actor schema validation release flow' directly addresses the main objective of the PR: fixing the actor schema validation process in the release workflow by switching to the project-installed apify CLI and bumping versions. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

Copilot AI (Contributor) left a comment

Pull request overview

Updates the Actor release/validation flow to prevent schema-related release failures and aligns generated metadata with the 3.0.2 release.

Changes:

  • Bumps package/Actor versioning to 3.0.2 and synchronizes generated Actor web server schema metadata.
  • Switches schema validation to use the project-installed apify CLI and runs schema validation in CI/release workflows.
  • Adds/extends unit tests for Actor input schema constraints, version sync behavior, and signature secret normalization.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| src/utils/config.js | Normalizes top-level signatureVerificationSecret into runtime signatureVerification while keeping backward compatibility. |
| src/typedefs.js | Extends WebhookConfig typedef to include signatureVerificationSecret. |
| scripts/sync-version.js | Syncs web server schema dashboard example version alongside info.version. |
| tests/unit/utils/config.test.js | Adds coverage for mapping/clearing signature verification secrets. |
| tests/unit/scripts/sync_version.test.js | Extends coverage for syncing dashboard example version and no-op scenarios. |
| tests/unit/actor/input_schema.test.js | Adds schema compatibility tests (secret placement + required nested descriptions). |
| .actor/input_schema.json | Moves signing secret to top-level signatureVerificationSecret and adds missing nested descriptions. |
| .actor/web_server_schema.json | Updates schema version metadata and embedded dashboard example to 3.0.2 (and reformats JSON). |
| .actor/actor.json | Bumps Actor metadata version to 3.0.2. |
| package.json | Adds schema validation scripts and apify-cli dev dependency; bumps package version to 3.0.2. |
| package-lock.json | Locks updated dependency graph including apify-cli. |
| .github/workflows/ci.yml | Runs combined schema validation (validate:schemas) in CI. |
| .github/workflows/release-npm.yml | Runs schema validation + Jest on PRs; publishes only on release. |
| .github/workflows/release-docker.yml | Runs on PRs for wiring verification; publishes only on release; adjusts concurrency/tag fallback. |
| .github/workflows/link-check.yml | Removes PR path filters and expands “soft-fail” handling for known flaky external links. |
| CHANGELOG.md | Adds 3.0.2 changelog entry describing schema publish fix. |

Comments suppressed due to low confidence (1)

.github/workflows/release-npm.yml:15

  • This workflow now runs on pull_request, but the job still grants id-token: write. Since the steps executed on PRs run untrusted code from the PR branch, consider splitting PR validation into a separate job/workflow (or separate job in this workflow) that only has contents: read, and reserve id-token: write for the release-only publishing job.
  pull_request:
    branches: [main]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # Required for provenance (used in package.json) (optional but good practice)
    steps:
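
A check for the condition this comment describes, as an added example (not code from the pull request or the project): it flags any job that requests `id-token: write` and can start on a pull request event. Workflows are passed as plain objects in the shape a YAML parser would return; both sample workflows, the `release` trigger types and all function names are constructed for illustration.

```javascript
// Added example, not the project's code. Sample workflows are constructed.
const PR_EVENTS = new Set(['pull_request', 'pull_request_target']);
// Heuristic: only this exact job-level condition counts as "release only".
const RELEASE_ONLY = /^github\.event_name\s*==\s*'release'$/;

// `on:` may be a string, a list, or a map keyed by event name.
function triggerNames(on) {
  if (typeof on === 'string') return [on];
  if (Array.isArray(on)) return on;
  return Object.keys(on || {});
}

// A job-level permissions block replaces the workflow-level block entirely.
function requestsIdToken(workflow, job) {
  const perms = job.permissions ?? workflow.permissions ?? {};
  if (typeof perms === 'string') return perms === 'write-all';
  return perms['id-token'] === 'write';
}

// Accepts the condition with or without the ${{ }} wrapper.
function isReleaseOnly(job) {
  const cond = String(job.if ?? '').replace(/^\$\{\{|\}\}$/g, '').trim();
  return RELEASE_ONLY.test(cond);
}

// Returns one finding per job that holds id-token: write on a PR-triggered run.
function findOidcExposure(workflow) {
  const prTriggers = triggerNames(workflow.on).filter((e) => PR_EVENTS.has(e));
  if (prTriggers.length === 0) return [];
  return Object.entries(workflow.jobs || {})
    .filter(([, job]) => requestsIdToken(workflow, job) && !isReleaseOnly(job))
    .map(([name]) => ({ job: name, triggers: prTriggers }));
}

// Constructed: one job for both validation and publishing, as in the snippet above.
const singleJob = {
  on: { pull_request: { branches: ['main'] }, release: { types: ['published'] } },
  jobs: {
    publish: { permissions: { contents: 'read', 'id-token': 'write' }, steps: [] },
  },
};

// Constructed: validation and publishing split, publish gated on release.
const splitJobs = {
  on: singleJob.on,
  jobs: {
    validate: { permissions: { contents: 'read' }, steps: [] },
    publish: {
      needs: 'validate',
      if: "github.event_name == 'release'",
      permissions: { contents: 'read', 'id-token': 'write' },
      steps: [],
    },
  },
};

console.log(findOidcExposure(singleJob));
console.log(findOidcExposure(splitJobs));
```

The `if:` match is deliberately strict: a compound condition is reported for manual review rather than assumed safe.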

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (4)
.github/workflows/release-docker.yml (1)

41-55: PR-path tag computation produces nonsensical values (harmless but noisy).

For pull_request events, release_tag="pr-123", so version="pr-123" and minor="pr" (since cut -d. -f1,2 on a dotless string returns the whole token). The resulting tag list includes things like ghcr.io/.../webhook-debugger-logger:pr and :latest (on non-prereleases). These are never pushed because login/publish steps are gated on github.event_name == 'release', so it's not a defect — but it's misleading in logs and an easy footgun if someone later removes the gate.

Consider either skipping this step on PRs, or computing only a single pr-<n> tag when not a release:

Suggested tightening
       - name: Resolve Image Tags
         id: image_tags
+        if: github.event_name == 'release'
         shell: bash
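Review bot: With `if: github.event_name == 'release'` added to the `Resolve Image Tags` step, the outputs of `image_tags` are empty on pull_request runs, so any later step that reads them and still runs on PRs would receive an empty tag list. Put the same condition on every step that consumes `steps.image_tags.outputs`, or keep the step running and emit a single PR tag in the non-release case.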

Or alternatively short-circuit inside the script for PR events.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-docker.yml around lines 41 - 55, The current tag
generation block builds version and minor tags from release_tag (variables
release_tag, version, minor, image_name) which yields nonsensical tags for
pull_request events (e.g. "pr-123" -> "pr")—fix by short-circuiting: detect
pull_request via github.event_name (or check if release_tag starts with "pr-")
and when true only emit the single pr-<n> tag (or skip the whole block),
otherwise continue computing version and minor and appending latest when
RELEASE_PRERELEASE != "true"; update the conditional around the tag emission to
use that check so logs only show meaningful tags.
.github/workflows/release-npm.yml (1)

6-7: PR-gated publish wiring is correct.

Triggering on pull_request for validation while gating the Publish to NPM step on github.event_name == 'release' is the right pattern. One optional tightening: consider splitting into two jobs (validation vs. publish) so the publish job's id-token: write permission is only granted on release events — this narrows the OIDC surface during PR runs from forks.

Also applies to: 31-36, 42-43

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-npm.yml around lines 6 - 7, The workflow currently
triggers validation on pull_request while gating the "Publish to NPM" step by
checking github.event_name == 'release', but it still exposes id-token: write
during PR runs; refactor the workflow by splitting the logic into two jobs
(e.g., a "validate" job run on pull_request and push, and a separate "publish"
job that only runs on release events) and move the id-token: write permission
and the "Publish to NPM" step into the publish job so that the OIDC id-token
permission is granted only when github.event_name == 'release' (reference the
"Publish to NPM" step and the id-token: write permission to locate where to move
permissions and steps).
.actor/input_schema.json (1)

137-143: Top-level secret move looks good; cross-reference wording is accurate.

Moving signatureVerificationSecret to a top-level isSecret field is required by Apify (secret fields must be top-level), and the updated descriptions on signatureVerification and signatureVerification.provider correctly point users upward to the new field. Backward compatibility for existing inputs is handled in src/utils/config.js per the summary.

One nit: confirm you want the secret to appear just above allowedIps in the UI rather than directly adjacent to signatureVerification. Apify renders properties in declared order, so placing signatureVerificationSecret immediately before signatureVerification would make the "above" reference more obvious to users.

Also applies to: 150-158

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.actor/input_schema.json around lines 137 - 143, Move the
"signatureVerificationSecret" schema property so it appears immediately before
"signatureVerification" in the JSON property order (rather than above
"allowedIps") so the UI placement matches the cross-reference in the
descriptions; update the schema ordering in .actor/input_schema.json and verify
any references in src/utils/config.js (and any migration/back-compat handling
for signatureVerification and signatureVerification.provider) still work after
the reordering.
tests/unit/scripts/sync_version.test.js (1)

48-140: Optional: normalize the HTTP_STATUS.OK key style across fixtures.

WEB_SERVER_SCHEMA_OLD at Line 55 uses [HTTP_STATUS.OK.toString()] while WEB_SERVER_SCHEMA_MATCH, WEB_SERVER_SCHEMA_EXAMPLE_OLD, WEB_SERVER_SCHEMA_WITHOUT_EXAMPLE, and WEB_SERVER_SCHEMA_WITH_NON_MATCHING_EXAMPLE (Lines 74, 93, 112, 129) use [HTTP_STATUS.OK]. Both produce the "200" key due to JS key coercion, so behavior is identical, but making all fixtures use the same form (matching the HTTP_STATUS.OK.toString() call in scripts/sync-version.js) would read more consistently.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/unit/scripts/sync_version.test.js` around lines 48 - 140, Normalize the
HTTP_STATUS.OK key usage across the fixtures by changing the bracket key
expressions in the constants WEB_SERVER_SCHEMA_MATCH,
WEB_SERVER_SCHEMA_EXAMPLE_OLD, WEB_SERVER_SCHEMA_WITHOUT_EXAMPLE, and
WEB_SERVER_SCHEMA_WITH_NON_MATCHING_EXAMPLE to use HTTP_STATUS.OK.toString()
(the same form already used in WEB_SERVER_SCHEMA_OLD) so all generated JSON
fixtures consistently produce the "200" key and match the style used in
scripts/sync-version.js.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/link-check.yml:
- Around line 100-104: The softHandledUrls exact-string check is brittle because
query params and encoding can change; update the allowlist logic that uses
softHandledUrls and the Set.has(failure.url) check so it compares normalized
origin+pathname instead of the raw URL string. Build the allowlist as normalized
keys using new URL(x).origin + new URL(x).pathname for each entry (referencing
softHandledUrls) and when processing failures compute normalizedFailure = new
URL(failure.url).origin + new URL(failure.url).pathname and check membership
against that normalized set (replace direct Set.has(failure.url) checks). Ensure
this handles missing/invalid URLs by guarding URL construction with try/catch or
skipping on parse errors.

In `@tests/unit/actor/input_schema.test.js`:
- Line 7: The test imports getInputSchemaSecretFieldKeys from
"@apify/input_secrets" but that package is not listed in package.json, making
the test rely on a transitive dependency; add "@apify/input_secrets": "^1.2.30"
to package.json devDependencies so the test reliably resolves the module (update
package.json devDependencies and run npm/yarn install to lock the version).


ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between cd93e95 and 270553b.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (15)
  • .actor/actor.json
  • .actor/input_schema.json
  • .actor/web_server_schema.json
  • .github/workflows/ci.yml
  • .github/workflows/link-check.yml
  • .github/workflows/release-docker.yml
  • .github/workflows/release-npm.yml
  • CHANGELOG.md
  • package.json
  • scripts/sync-version.js
  • src/typedefs.js
  • src/utils/config.js
  • tests/unit/actor/input_schema.test.js
  • tests/unit/scripts/sync_version.test.js
  • tests/unit/utils/config.test.js
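
The origin + pathname matching requested in the link-check inline comment above, as an added example that is not the project's workflow script. `normalizeUrlKey`, `softHandledUrls` and `failure.url` are names from the review; the `status` field, the other helper names and all URLs are assumptions constructed for illustration.

```javascript
// Added example, not the project's code. URLs and failures are constructed.
const SOFT_FAIL_STATUSES = new Set([403, 408, 429]); // statuses named in the walkthrough

// Reduce a URL to origin + pathname so query strings, fragments and host
// case do not change the key. Returns null when the value cannot be parsed.
function normalizeUrlKey(raw) {
  try {
    const u = new URL(raw);
    return u.origin + u.pathname;
  } catch {
    return null;
  }
}

// Normalize the allowlist once; unparseable entries are dropped.
function buildSoftHandledKeys(urls) {
  return new Set(urls.map(normalizeUrlKey).filter((k) => k !== null));
}

// Soft-fail only when both the normalized URL and the status are allowlisted.
// Anything unparseable stays a hard failure.
function classifyFailures(failures, softHandledUrls) {
  const keys = buildSoftHandledKeys(softHandledUrls);
  const soft = [];
  const hard = [];
  for (const failure of failures) {
    const key = normalizeUrlKey(failure.url);
    const isSoft =
      key !== null && keys.has(key) && SOFT_FAIL_STATUSES.has(failure.status);
    (isSoft ? soft : hard).push(failure);
  }
  return { soft, hard };
}

const softHandledUrls = ['https://example.com/docs/page']; // constructed

const sampleFailures = [ // constructed
  { url: 'https://EXAMPLE.com/docs/page?utm_source=ci#top', status: 429 }, // soft
  { url: 'https://example.com/docs/page', status: 404 },          // status not soft
  { url: 'https://example.com/docs/page/', status: 403 },         // trailing slash differs
  { url: 'https://example.com.invalid/docs/page', status: 403 },  // different origin
  { url: 'not a url', status: 403 },                              // unparseable
];

const result = classifyFailures(sampleFailures, softHandledUrls);
console.log(result.soft.length, result.hard.length);
```

Matching on the whole origin rather than a string prefix keeps a look-alike host from inheriting the soft-fail treatment; trailing slashes and percent-encoding differences in the path still produce distinct keys.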

Comment thread .github/workflows/link-check.yml Outdated
Comment thread tests/unit/actor/input_schema.test.js
…-schema-publish

# Conflicts:
#	.actor/actor.json
#	.actor/web_server_schema.json
#	CHANGELOG.md
#	package.json
#	tests/unit/actor/input_schema.test.js
socket-security Bot commented Apr 17, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | apify-cli@1.4.165100100100100 | | | | | |
| Updated | @apify/input_secrets@1.2.27 ⏵ 1.2.30 | 99 | 100 | 76 | 100 +4 | 100 |

View full report

Copilot AI review requested due to automatic review settings April 17, 2026 18:08
coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
CHANGELOG.md (1)

5-16: 3.0.2 entry accurately reflects the PR scope.

Entries map cleanly to the changes in this PR (Actor schema metadata restoration, validate:schemas/validate:input-schema scripts, split validate/publish workflow, Docker PR tag constraint, link-check normalization, project-installed apify CLI, @apify/input_secrets dev dep, and sync-version test fixture alignment).

Optional style nit from LanguageTool: three consecutive **CI/CD**: bullets (lines 11–13) start alike — consider varying the lead-in (e.g., merging the workflow-permission and Docker-tag bullet, or prefacing with "Workflows"/"Release flow"). Non-blocking.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@CHANGELOG.md` around lines 5 - 16, The three consecutive "**CI/CD**:" bullets
in the CHANGELOG entry create repetitive lead-ins; either merge related items
(e.g., combine the workflow permission and Docker PR tag points) or vary the
prefixes (e.g., "Workflows:" / "Release flow:" / "CI/CD:") to improve
readability while keeping the same content and ordering for the
`validate:schemas`/`validate:input-schema`, split validate/publish, and Docker
PR tag constraint items.
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 34defb8 and ad5d520.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (7)
  • .actor/input_schema.json
  • .github/workflows/link-check.yml
  • .github/workflows/release-docker.yml
  • .github/workflows/release-npm.yml
  • CHANGELOG.md
  • package.json
  • tests/unit/scripts/sync_version.test.js
✅ Files skipped from review due to trivial changes (1)
  • .actor/input_schema.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • package.json
  • .github/workflows/release-npm.yml

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 11 out of 12 changed files in this pull request and generated no new comments.

@ar27111994 ar27111994 merged commit 9b947af into main Apr 17, 2026
21 checks passed
@ar27111994 ar27111994 deleted the hotfix/issue-74-actor-schema-publish branch April 17, 2026 18:13