axonflow-codex-plugin/.github/workflows/wire-shape-contract.yml at main · getaxonflow/axonflow-codex-plugin · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
name: Wire-Shape Contract

# Wire-shape gate parity with the four SDK gates and the OpenClaw plugin
# gate (ADR-047). Diffs the plugin's bash-script jq accesses against the
# AxonFlow agent's OpenAPI spec at the SHA pinned in the baseline. Fails
# on drift NOT covered by the baseline.
#
# A 'spec-pin-bump' PR label is required to bump the pinned SHA in the
# same PR as plugin changes — preserves review integrity.
#
# To regenerate the baseline:
#   python3 scripts/wire-shape/refresh.py <specs_dir>

on:
  pull_request:
    branches: [main]
    paths:
      - 'scripts/**/*.sh'
      - 'tests/fixtures/wire-shape-baseline.json'
      - 'scripts/wire-shape/**'
      - '.github/workflows/wire-shape-contract.yml'
  push:
    branches: [main]
    paths:
      - 'scripts/**/*.sh'
      - 'tests/fixtures/wire-shape-baseline.json'
      - 'scripts/wire-shape/**'
      - '.github/workflows/wire-shape-contract.yml'

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  wire-shape:
    name: Validate Wire Shape
    runs-on: ubuntu-latest
    steps:
      - name: Checkout plugin (full history for SHA-bump guard)
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'

      - name: Install PyYAML
        run: pip install --quiet pyyaml

      - name: Read pinned OpenAPI specs SHA from baseline
        id: specs_sha
        run: |
          python3 - <<'PY' >> "$GITHUB_OUTPUT"
          import json
          import sys
          path = "tests/fixtures/wire-shape-baseline.json"
          data = json.load(open(path))
          sha = (data.get("openapi_specs_sha", "") or "").strip()
          if not sha:
              print(
                  f"::error::{path} is missing openapi_specs_sha. "
                  "Regenerate via scripts/wire-shape/refresh.py.",
                  file=sys.stderr,
              )
              sys.exit(1)
          print(f"sha={sha}")
          PY

      - name: Guard against unauthorized OpenAPI specs SHA bump
        if: github.event_name == 'pull_request'
        env:
          PR_LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
          BASE_REF: ${{ github.base_ref }}
          PR_SHA: ${{ steps.specs_sha.outputs.sha }}
        run: |
          set -e
          BASE_SHA=$(
            git show "origin/${BASE_REF}:tests/fixtures/wire-shape-baseline.json" 2>/dev/null \
              | python3 -c "import json, sys; print(json.load(sys.stdin).get('openapi_specs_sha','') or '')" \
              || true
          )
          if [ -z "$BASE_SHA" ]; then
            echo "::notice::Base branch has no openapi_specs_sha yet; treating this PR as first pin introduction."
            exit 0
          fi
          if [ "$BASE_SHA" = "$PR_SHA" ]; then
            echo "openapi_specs_sha unchanged (${PR_SHA})."
            exit 0
          fi
          echo "SHA change detected: ${BASE_SHA} -> ${PR_SHA}"
          HAS_LABEL=$(printf '%s' "$PR_LABELS" | python3 -c "import json, sys; print('spec-pin-bump' in json.load(sys.stdin))")
          if [ "$HAS_LABEL" = "True" ]; then
            echo "::notice::'spec-pin-bump' label present — SHA bump authorized."
            exit 0
          fi
          echo "::error::openapi_specs_sha changed from ${BASE_SHA} to ${PR_SHA}."
          echo "::error::The wire-shape contract's spec revision is pinned to preserve"
          echo "::error::review integrity: a SHA change in the same PR as plugin changes"
          echo "::error::can silence drift by retargeting the contract to a friendlier"
          echo "::error::revision. Either split into a dedicated SHA-bump PR, or"
          echo "::error::apply the 'spec-pin-bump' label to this PR."
          exit 1

      - name: Checkout OpenAPI specs (pinned to baseline SHA)
        uses: actions/checkout@v6
        with:
          repository: getaxonflow/axonflow
          ref: ${{ steps.specs_sha.outputs.sha }}
          path: axonflow-community

      - name: Run wire-shape contract gate
        env:
          AXONFLOW_OPENAPI_SPECS_DIR: ${{ github.workspace }}/axonflow-community/docs/api
        run: python3 scripts/wire-shape/validate.py