Skip to content

Commit 61d18a8

Browse files
docs: document the current Pro workflow (changelog + oasdiff-token) (#179)
The Pro section showed the legacy pr-comment action. The current Pro model is the changelog action with an oasdiff-token: same workflow as the free changelog, plus the token and statuses: write, which turns the review into approve/reject + an `oasdiff` commit-status gate. - Replace "Pro: Rich PR comment" with "Pro: Approve and gate changes", leading with the upgrade story (you already run changelog; add your token). Matches the workflow w3 generates on /setup. - Repoint the verify example's review job from pr-comment to changelog, add the permissions block, bump checkout to v7. - Update the table of contents. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 39013c1 commit 61d18a8

1 file changed

Lines changed: 17 additions & 75 deletions

File tree

README.md

Lines changed: 17 additions & 75 deletions
Original file line numberDiff line numberDiff line change
@@ -19,8 +19,7 @@ GitHub Actions that check your OpenAPI specs for breaking changes on every pull
1919
- [Validate a single spec](#validate-a-single-spec)
2020
- [Configuring with `.oasdiff.yaml`](#configuring-with-oasdiffyaml)
2121
- [Spec paths](#spec-paths)
22-
- [Pro: Rich PR comment](#pro-rich-pr-comment)
23-
- [Pro: Verify your setup](#pro-verify-your-setup)
22+
- [Pro: Approve and gate changes](#pro-approve-and-gate-changes)
2423

2524
## Quick start
2625

@@ -284,101 +283,44 @@ When using git refs, you need to check out the repo and fetch the base branch:
284283

285284
---
286285

287-
## Pro: Rich PR comment
286+
## Pro: Approve and gate changes
288287

289-
`oasdiff/oasdiff-action/pr-comment` posts a single auto-updating comment on every PR that touches your API spec.
288+
oasdiff Pro adds a sign-off step to the review, so a breaking change can't merge until your team approves it. It's the **same `changelog` action** as above, with your `oasdiff-token` added.
290289

291-
**Getting started:** [Sign up for oasdiff Pro](https://www.oasdiff.com/pricing) to get your token, then follow the setup instructions to install the GitHub App, add your repo secret, and create the workflow.
290+
On every pull request, oasdiff posts the encrypted side-by-side review and gives each change **Approve / Reject** buttons. A commit status check named `oasdiff` blocks the merge until every breaking change is approved. Approvals are tied to the change fingerprint and carry forward across commits, with a record of who approved what and when.
291+
292+
[Start a free trial](https://www.oasdiff.com/start-trial) (no credit card) to get your token, then add it as an `OASDIFF_TOKEN` repository secret.
292293

293294
```yaml
294295
name: oasdiff
295296
on:
296297
pull_request:
297298
branches: [ "main" ]
299+
permissions:
300+
pull-requests: write # post the review comment
301+
statuses: write # set the merge-gate commit status
298302
jobs:
299-
pr-comment:
303+
review:
300304
runs-on: ubuntu-latest
301305
steps:
302306
- uses: actions/checkout@v7
303307
- run: git fetch --depth=1 origin ${{ github.base_ref }}
304-
- uses: oasdiff/oasdiff-action/pr-comment@v0
308+
- uses: oasdiff/oasdiff-action/changelog@v0
305309
with:
306310
base: 'origin/${{ github.base_ref }}:openapi.yaml'
307311
revision: 'HEAD:openapi.yaml'
308312
oasdiff-token: ${{ secrets.OASDIFF_TOKEN }}
313+
github-token: ${{ github.token }}
309314
```
310315

311-
The comment shows a table of all changes, grouped by severity, with a **Review** link for each breaking change:
312-
313-
| Severity | Change | Path | Review |
314-
|---|---|---|---|
315-
| 🔴 | request parameter became required | `GET /products` | ⏳ [Review](https://www.oasdiff.com/review/4a9fd2d5-5ac2-42f5-94cb-c911d6d41680?highlight=a570278809fa) |
316-
| 🔴 | api removed without deprecation | `DELETE /users/{userId}` | ⏳ [Review](https://www.oasdiff.com/review/4a9fd2d5-5ac2-42f5-94cb-c911d6d41680?highlight=bc9f61316c57) |
317-
| 🔴 | request parameter type changed | `GET /users/{userId}` | ⏳ [Review](https://www.oasdiff.com/review/4a9fd2d5-5ac2-42f5-94cb-c911d6d41680?highlight=b9a23e767b29) |
316+
The only difference from the free [changelog workflow](#generate-a-changelog) is the `oasdiff-token` secret and the `statuses: write` permission. Your specs are still encrypted in CI before upload, so the server can't read them.
318317

319-
Each **Review** link opens a hosted page with a side-by-side spec diff and **Approve / Reject** buttons. Approvals are tied to the change fingerprint and carry forward automatically when the branch is updated. A commit status check blocks the merge until every breaking change has been reviewed.
318+
This is the `changelog` action [documented above](#generate-a-changelog); the one added input is:
320319

321320
| Input | Default | Description | Accepted values |
322321
|---|---|---|---|
323-
| `base` | — (required) | Path to the base (old) OpenAPI spec | file path, URL, git ref |
324-
| `revision` | — (required) | Path to the revised (new) OpenAPI spec | file path, URL, git ref |
325-
| `oasdiff-token` | — (required) | oasdiff API token — [sign up at oasdiff.com](https://www.oasdiff.com/pricing) | — |
326-
| `include-path-params` | `false` | Include path parameter names in endpoint matching | `true`, `false` |
327-
| `exclude-elements` | `''` | Exclude certain kinds of changes from the output | `endpoints`, `request`, `response` (comma-separated) |
328-
| `composed` | `false` | Run in composed mode | `true`, `false` |
329-
| `allow-external-refs` | `false` | Resolve external `$ref`s. Defaults to `false` to prevent SSRF on untrusted pull requests. Set `true` if your spec references external URLs or loads split files by file path | `true`, `false` |
330-
331-
[Get oasdiff Pro →](https://www.oasdiff.com/pricing)
332-
333-
## Pro: Verify your setup
334-
335-
`oasdiff/oasdiff-action/verify` is a read-only check that confirms your setup works end to end. It posts no PR comment and sets no commit status. Run it on demand from the **Actions** tab (the "Run workflow" button).
336-
337-
Add it to the same workflow as `pr-comment`, guarded by event type, so one file handles both: `pr-comment` on pull requests, and `verify` when you click "Run workflow".
338-
339-
```yaml
340-
name: oasdiff
341-
on:
342-
pull_request:
343-
branches: [ "main" ]
344-
workflow_dispatch:
345-
jobs:
346-
pr-comment:
347-
if: github.event_name == 'pull_request'
348-
runs-on: ubuntu-latest
349-
steps:
350-
- uses: actions/checkout@v7
351-
- run: git fetch --depth=1 origin ${{ github.base_ref }}
352-
- uses: oasdiff/oasdiff-action/pr-comment@v0
353-
with:
354-
base: 'origin/${{ github.base_ref }}:openapi.yaml'
355-
revision: 'HEAD:openapi.yaml'
356-
oasdiff-token: ${{ secrets.OASDIFF_TOKEN }}
357-
verify:
358-
if: github.event_name == 'workflow_dispatch'
359-
runs-on: ubuntu-latest
360-
steps:
361-
- uses: actions/checkout@v7
362-
- run: git fetch --depth=1 origin ${{ github.event.repository.default_branch }}
363-
- uses: oasdiff/oasdiff-action/verify@v0
364-
with:
365-
base: 'origin/${{ github.event.repository.default_branch }}:openapi.yaml'
366-
revision: 'HEAD:openapi.yaml'
367-
oasdiff-token: ${{ secrets.OASDIFF_TOKEN }}
368-
```
369-
370-
The verify run renders a checklist in the workflow **Step Summary**:
371-
372-
- ✅ GitHub Actions workflow is running
373-
- ✅ Connected to oasdiff (your `OASDIFF_TOKEN` secret)
374-
- ✅ oasdiff GitHub App installed on the repo
375-
- ✅ OpenAPI spec found and compared
322+
| `oasdiff-token` | `''` | Your oasdiff Pro token (the `OASDIFF_TOKEN` secret). When set, the action uploads an authenticated review, posts the approve/reject comment, and sets the `oasdiff` commit status check that gates the merge. Requires `pull-requests: write` and `statuses: write` | — |
376323

377-
It exits non-zero with a one-line hint for any check that fails, so a verify run is a clear pass/fail. (Reviewer access is checked separately on your setup page.)
324+
**Optional:** install the [oasdiff GitHub App](https://github.com/apps/oasdiff/installations/new) for an instant gate (the status updates the moment a change is approved, instead of on the next CI run) and for reviews on pull requests from forks. The workflow above already posts the review and sets the gate without it.
378325

379-
| Input | Default | Description | Accepted values |
380-
|---|---|---|---|
381-
| `base` | — (required) | Path to the base (old) OpenAPI spec | file path, URL, git ref |
382-
| `revision` | — (required) | Path to the revised (new) OpenAPI spec | file path, URL, git ref |
383-
| `oasdiff-token` | — (required) | oasdiff API token, [sign up at oasdiff.com](https://www.oasdiff.com/pricing) | — |
384-
| `allow-external-refs` | `false` | Resolve external `$ref`s. Defaults to `false`; set `true` if your spec references external URLs | `true`, `false` |
326+
[Get oasdiff Pro →](https://www.oasdiff.com/pricing)

0 commit comments

Comments
 (0)