Skip to content

Commit efad245

Browse files
Default github-token to github.token so the review comment posts without setup (#167)
* Default github-token to ${{ github.token }} so the PR comment posts without setup Most repos got the encrypted free review by tracking a moving action ref, not by a proactive upgrade, so they never added github-token + permissions. Result: the review link goes only to the job summary (a page almost nobody opens). Day-2 production: ~476 reviews created, 3 opened. Defaulting github-token to the built-in github.token means the comment is posted automatically wherever the job's GITHUB_TOKEN already has write permission, with no workflow edit. Repos whose default token is read-only still fall back to the summary (the permissions line genuinely needs a workflow edit); fork PRs are unchanged. Also makes the comment the honest first-touch notice it now is: - precise privacy wording (key lives in the URL fragment, never sent to a server, so oasdiff cannot read the specs) instead of "specs stay private"; - "anyone with the link can open" (the capability-by-URL model) instead of "anyone can open"; - an explicit opt-out line ("set review: false") since the comment is now posted by default. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * Trim the review comment to essentials Drop product-jargon ('in context'), the share prompt (the review page has a per-change 'Copy link'), the 'anyone with the link' line (covered by the docs 'How it works' link), and 'no install or account needed' (self-evident on click). Keep the title (the value), the 7-day TTL, the privacy explanation, and the opt-out footer. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * Make the comment's opt-out findable: link to the docs Action section, name the upload A user who got the comment via a moving action ref (not a deliberate opt-in) is the one most likely to want to turn it off. Two changes so they find how: - link 'oasdiff GitHub Action' to /docs/free-review#github-action, the section that explains what posted the comment and how to disable it; - reframe the off-switch from 'stop posting this comment' to 'turn this off (no spec upload, no comment)', since review: false stops the upload too, which is what a privacy-minded first-time reader actually wants. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 5fbe96e commit efad245

4 files changed

Lines changed: 12 additions & 8 deletions

File tree

breaking/action.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -61,9 +61,9 @@ inputs:
6161
required: false
6262
default: 'true'
6363
github-token:
64-
description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Pass the built-in github.token and grant the job permissions: pull-requests: write. Optional; when omitted the link is written only to the job summary. On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
64+
description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Defaults to the built-in github.token, so the comment is posted automatically when the job grants permissions: pull-requests: write. Set to an empty string to disable the comment (the link then appears only in the job summary). On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
6565
required: false
66-
default: ''
66+
default: ${{ github.token }}
6767
outputs:
6868
breaking:
6969
description: 'Output summary of API breaking changes, encompassing both warnings and errors'

breaking/entrypoint.sh

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -66,9 +66,11 @@ post_review_comment () {
6666
body="${marker}
6767
### 📋 [View the side-by-side API change review](${review_url})
6868
69-
See exactly what changed, in context. Share this link with your team: anyone can open the review, no install and no account needed. It expires in 7 days.
69+
The link expires in 7 days.
7070
71-
🔒 Your specs stay private. They're encrypted before upload, and only this link can unlock them. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)"
71+
🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
72+
73+
<sub>Posted automatically by the [oasdiff GitHub Action](https://www.oasdiff.com/docs/free-review#github-action). To turn this off (no spec upload, no comment), set \`review: false\` on the action.</sub>"
7274
elif [ -n "$existing_id" ]; then
7375
body="${marker}
7476
### ✅ No breaking changes in the latest revision."

changelog/action.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -64,9 +64,9 @@ inputs:
6464
required: false
6565
default: 'true'
6666
github-token:
67-
description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Pass the built-in github.token and grant the job permissions: pull-requests: write. Optional; when omitted the link is written only to the job summary. On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
67+
description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Defaults to the built-in github.token, so the comment is posted automatically when the job grants permissions: pull-requests: write. Set to an empty string to disable the comment (the link then appears only in the job summary). On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
6868
required: false
69-
default: ''
69+
default: ${{ github.token }}
7070
outputs:
7171
changelog:
7272
description: 'Output summary of API changelog'

changelog/entrypoint.sh

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -85,9 +85,11 @@ post_review_comment () {
8585
body="${marker}
8686
### 📋 [View the side-by-side API change review](${review_url})
8787
88-
See exactly what changed, in context. Share this link with your team: anyone can open the review, no install and no account needed. It expires in 7 days.
88+
The link expires in 7 days.
8989
90-
🔒 Your specs stay private. They're encrypted before upload, and only this link can unlock them. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)"
90+
🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
91+
92+
<sub>Posted automatically by the [oasdiff GitHub Action](https://www.oasdiff.com/docs/free-review#github-action). To turn this off (no spec upload, no comment), set \`review: false\` on the action.</sub>"
9193
elif [ -n "$existing_id" ]; then
9294
body="${marker}
9395
### ✅ No API changes in the latest revision."

0 commit comments

Comments
 (0)