ci: regenerate SDK directly when merged spec changes land

[robert-j-y]

Summary

OpenAPI spec updates land on main automatically (the chore: update OpenAPI spec from monorepo PRs), but nothing regenerates the SDK when they do. The only generation trigger is the nightly cron in sdk_generation.yaml, which runs Speakeasy in mode: pr and produces a rolling PR that requires a manual merge — #205 accumulated changes from Apr 24 to Jun 11 before it was merged by hand, and #127/#169 went stale the same way.

This adds the same workflow typescript-sdk uses: when a merged PR touches .speakeasy/in.openapi.yaml, run the Speakeasy generator in mode: direct so the regenerated SDK commits straight to main, where the existing Publish workflow (.speakeasy/gen.lock path filter) picks it up and releases to PyPI.

Important

This uses secrets.SDK_MERGE_PAT (not the default GITHUB_TOKEN) for github_access_token, because commits pushed with GITHUB_TOKEN do not trigger other workflows — the Publish workflow would silently never fire. go-sdk already uses a secret with this name for the same purpose, but it does not exist in this repo yet and must be added before merging. (GH_TOKEN was considered, but a scope check showed it has no push access to this repo.)

Test plan

• Add the SDK_MERGE_PAT secret (PAT with push access to this repo, same as go-sdk's)
• After merge, wait for the next automated spec update PR to land (or run this workflow via workflow_dispatch with force: true)
• Verify a regeneration commit lands on main and the Publish workflow fires and releases to PyPI

[perry-the-pr-reviewer]

⚠️ APPROVE unavailable on this installation — the maintainer GitHub App does not have pull_requests: write permission on OpenRouterTeam, so the verdict below is posted as COMMENT. Event-level approval (for branch-protection / review requirements) must be added out-of-band.

Perry's Review

Adds a new GitHub Actions workflow to automatically regenerate the Python SDK in mode: direct whenever a merged PR touches .speakeasy/in.openapi.yaml, replacing the stale rolling-PR pattern that required manual merges.

Verdict: ✅ LGTM

Details

Risk: 🟡 Medium — new CI automation that commits directly to main via a PAT, but no production SDK code paths are changed and the pattern mirrors the existing typescript-sdk and go-sdk workflows.

CI: no checks — new workflow file not yet triggered.

Findings: none.

Security: Category 7 (auth — PAT usage for github_access_token) was touched. The prior review flagged that secrets.GH_TOKEN lacked push access; the author ran a scope-check workflow, confirmed GH_TOKEN has permissions.push=false, and switched to secrets.SDK_MERGE_PAT (same secret name go-sdk uses for this exact purpose). The SDK_MERGE_PAT secret is not yet added to this repo — the PR description and test plan document this as a required pre-merge step. Safeguard is intact once the secret is provisioned.

Research: skipped (small tier).

Codex: skipped (small tier).

Test coverage: no unit tests applicable — this is a CI workflow file. The test plan documents a manual integration test (trigger via workflow_dispatch with force: true post-merge and verify a regeneration commit lands on main and the Publish workflow fires).

Unresolved threads: 1 outdated thread (PAT scope concern, raised in prior review at cf631ac, addressed by author on this push — switched from GH_TOKEN to SDK_MERGE_PAT with confirmed push access).

Scope: first review (full)

Review: tier=small · model=claude-sonnet-latest · score=0.4