ci(SP-4166): add schema sync CI check #198

Closed
isasmendiagus wants to merge 4 commits into main from feat/SP-4166/schema-sync-ci

@isasmendiagus isasmendiagus commented Mar 18, 2026

Summary

  • Add .github/workflows/schema-sync.yml that calls the reusable schema sync check workflow from scanoss-devops
  • Remove stale docs copy of scanoss-settings-schema.json (docs already redirect to scanoss/schema)

Context

Jira: SP-4166

The scanoss/schema repo is the single source of truth for JSON schemas. This PR adds a CI check on PRs to main that fails if the vendored schema at src/scanoss/data/scanoss-settings-schema.json is out of sync with the source.

Test plan

  • Schema sync check runs on this PR
  • Check fails with clear diff when schema is out of sync
  • Existing tests pass

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Added an automated schema synchronization check (CI workflow) to validate schema alignment across the repository.
  • Documentation

    • Removed a deprecated JSON schema from the documentation to reduce maintenance and avoid confusion for readers.

coderabbitai Bot commented Mar 18, 2026

Warning

Rate limit exceeded

@isasmendiagus has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 25 minutes and 13 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eebe09ae-dd87-4e28-8fc8-9f03b68a441e

📥 Commits

Reviewing files that changed from the base of the PR and between 9be13d2 and 6c0aa03.

📒 Files selected for processing (1)
  • .github/workflows/schema-sync.yml
Walkthrough

Adds a new GitHub Actions workflow .github/workflows/schema-sync.yml that invokes an external reusable workflow to verify schema synchronization, and removes the deprecated documentation schema file docs/source/_static/scanoss-settings-schema.json.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Actions Workflow: .github/workflows/schema-sync.yml | Adds workflow "Schema Sync Check" triggered on pull_request to main and workflow_dispatch; reuses external workflow scanoss/scanoss-devops/.../schema-sync-check.yml and supplies source-file and target-file inputs. |
| Documentation Schema Removal: docs/source/_static/scanoss-settings-schema.json | Deletes the deprecated Draft-07 JSON Schema for Scanoss settings and BOM rules from project docs. |

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • eeisegn

Poem

🐰 I hopped through branches, tidy and quick,
Swapped an old sheet for a tiny new trick,
A workflow now listens, quiet and neat,
The docs lost weight — my paws skip a beat! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding a schema sync CI check workflow. It is concise, specific, and directly related to the primary objective of the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@github-actions

SCANOSS SCAN Completed 🚀

  • Detected components: 2
  • Undeclared components: 0
  • Declared components: 2
  • Detected files: 111
  • Detected files undeclared: 0
  • Detected files declared: 111
  • Licenses detected: 1
  • Licenses detected with copyleft: 0
  • Policies: ✅ 1 pass (1 total)

View more details on SCANOSS Action Summary

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/schema-sync.yml (1)

10-10: Pin the reusable workflow to a commit SHA.

This is the only @main reference across all workflows in the repository. All other actions and workflows are pinned to specific versions (v4, v5, etc.) or commit SHAs. Pinning prevents unexpected breakage from upstream changes and provides an audit trail of which version was deployed.

Suggested change
-    uses: scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@main
+    uses: scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@<commit-sha>
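Review bot: the `+` line carries the literal placeholder `<commit-sha>`, so the suggestion cannot be applied as written. Resolve the full 40-character SHA in scanoss/scanoss-devops first, and add a trailing YAML comment naming the branch or tag it was taken from so a later bump can be reviewed against a readable ref.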

Replace <commit-sha> with the full 40-character commit SHA.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/schema-sync.yml at line 10, The reusable workflow
reference "scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@main"
should be pinned to a specific commit SHA instead of `@main`: fetch the exact full
40-character commit SHA for the desired version of the upstream repo and replace
the "@main" suffix with "@<full-40-char-commit-sha>" so the workflow is
immutable and auditable; ensure you use the long SHA (not a short SHA or tag)
when updating the reference.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/schema-sync.yml:
- Line 10: The reusable workflow reference
"scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@main" should be
pinned to a specific commit SHA instead of `@main`: fetch the exact full
40-character commit SHA for the desired version of the upstream repo and replace
the "@main" suffix with "@<full-40-char-commit-sha>" so the workflow is
immutable and auditable; ensure you use the long SHA (not a short SHA or tag)
when updating the reference.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 83c6dc0b-f307-466c-b233-098854bf0f73

📥 Commits

Reviewing files that changed from the base of the PR and between 7974777 and 4facee0.

📒 Files selected for processing (2)
  • .github/workflows/schema-sync.yml
  • docs/source/_static/scanoss-settings-schema.json
💤 Files with no reviewable changes (1)
  • docs/source/_static/scanoss-settings-schema.json

@isasmendiagus isasmendiagus force-pushed the feat/SP-4166/schema-sync-ci branch from 8631d99 to f80f019 Compare March 18, 2026 14:35
@isasmendiagus isasmendiagus force-pushed the feat/SP-4166/schema-sync-ci branch from f80f019 to 9be13d2 Compare March 18, 2026 14:37
@isasmendiagus isasmendiagus force-pushed the feat/SP-4166/schema-sync-ci branch from 9be13d2 to 6c0aa03 Compare March 18, 2026 14:38
@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/schema-sync.yml:
- Line 10: The workflow reference currently pins to a mutable branch
"scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@feat/SP-4166/schema-sync-ci";
replace the branch suffix after the @ with the immutable commit SHA for that
branch (i.e., change "@feat/SP-4166/schema-sync-ci" to "@<commit-sha>") so the
reusable workflow is pinned to a specific commit SHA for deterministic CI.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 99878998-0b67-4ab9-a8a9-ba0ce8066315

📥 Commits

Reviewing files that changed from the base of the PR and between 8631d99 and 9be13d2.

📒 Files selected for processing (1)
  • .github/workflows/schema-sync.yml

Comment thread .github/workflows/schema-sync.yml Outdated

jobs:
  schema-sync:
    uses: scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@feat/SP-4166/schema-sync-ci
🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Resolve current SHA behind the branch so it can be pinned.
gh api repos/scanoss/scanoss-devops/branches/feat/SP-4166/schema-sync-ci \
  | jq -r '.commit.sha'

Repository: scanoss/scanoss.py

Length of output: 114


🏁 Script executed:

# Check if the file exists and read the relevant section
cat -n .github/workflows/schema-sync.yml | head -20

Repository: scanoss/scanoss.py

Length of output: 485


Pin reusable workflow to an immutable commit SHA.

Line 10 references a mutable branch (@feat/SP-4166/schema-sync-ci). For CI determinism and safer supply-chain posture, pin to a commit SHA before merge.

Suggested change
-    uses: scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@feat/SP-4166/schema-sync-ci
+    uses: scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@<commit-sha>
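Review bot: on the `+` line, a SHA resolved from feat/SP-4166/schema-sync-ci pins the caller to a commit that exists only on an unmerged feature branch, and if that branch is rebased or deleted the pinned commit may no longer be reachable. Pin to a commit on the upstream default branch once the reusable workflow lands there, and treat `<commit-sha>` as unresolved until then.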

Replace <commit-sha> with the current commit SHA of the feat/SP-4166/schema-sync-ci branch.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@feat/SP-4166/schema-sync-ci
uses: scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@<actual-commit-sha>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/schema-sync.yml at line 10, The workflow reference
currently pins to a mutable branch
"scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@feat/SP-4166/schema-sync-ci";
replace the branch suffix after the @ with the immutable commit SHA for that
branch (i.e., change "@feat/SP-4166/schema-sync-ci" to "@<commit-sha>") so the
reusable workflow is pinned to a specific commit SHA for deterministic CI.
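
The pinning rule the review comments above ask for can be checked mechanically. The following is an added example, not code from the PR or from CodeRabbit: it scans workflow text for `uses:` references and reports any that are not pinned to a full 40-character commit SHA, including branch refs that contain slashes. The sample workflow, its job names, the local action path and the 40-character SHA are constructed for illustration.

```python
import re

# Matches a `uses:` key in a job or step, with optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify_ref(target):
    """Return 'local', 'docker', 'pinned', or 'mutable' for one uses: target."""
    if target.startswith("./"):
        return "local"            # same-repo path, versioned with the caller
    if target.startswith("docker://"):
        return "docker"           # image refs are out of scope for this check
    _, sep, ref = target.partition("@")   # ref may contain '/', e.g. a branch
    if sep and FULL_SHA_RE.fullmatch(ref):
        return "pinned"
    return "mutable"              # branch, tag, short SHA, or missing ref


def find_mutable_uses(workflow_text):
    """Return (line_number, target) for every uses: not pinned to a full SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((number, match.group(1)))
    return findings


# Constructed sample: the branch-pinned line is the one quoted in the review;
# the SHA, job names and local action path are made up for illustration.
SAMPLE = """\
jobs:
  schema-sync:
    uses: scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@feat/SP-4166/schema-sync-ci
  pinned:
    uses: scanoss/scanoss-devops/.github/workflows/schema-sync-check.yml@0123456789abcdef0123456789abcdef01234567
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for number, target in find_mutable_uses(SAMPLE):
        print(f"line {number}: {target} is not pinned to a full commit SHA")
```

Version tags such as `v4` are reported as well, since a tag can be moved to a different commit just as a branch can.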

@isasmendiagus

Closing to re-open with clean CI run after fixing devops workflow sharing.
