Skip to content

ci: regenerate SDK directly when merged spec changes land#315

Open
robert-j-y wants to merge 1 commit into
mainfrom
ci/regenerate-on-spec-merge
Open

ci: regenerate SDK directly when merged spec changes land#315
robert-j-y wants to merge 1 commit into
mainfrom
ci/regenerate-on-spec-merge

Conversation

@robert-j-y

@robert-j-y robert-j-y commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Summary

OpenAPI spec updates land on main automatically (the chore: update OpenAPI spec from monorepo PRs), but nothing regenerates the SDK when they do. The only generation trigger is the nightly cron in sdk_generation.yaml, which runs Speakeasy in mode: pr and produces a rolling PR that requires a manual merge — #205 accumulated changes from Apr 24 to Jun 11 before it was merged by hand, and #127/#169 went stale the same way.

This adds the same workflow typescript-sdk uses: when a merged PR touches .speakeasy/in.openapi.yaml, run the Speakeasy generator in mode: direct so the regenerated SDK commits straight to main, where the existing Publish workflow (.speakeasy/gen.lock path filter) picks it up and releases to PyPI.

Important

This uses secrets.SDK_MERGE_PAT (not the default GITHUB_TOKEN) for github_access_token, because commits pushed with GITHUB_TOKEN do not trigger other workflows — the Publish workflow would silently never fire. go-sdk already uses a secret with this name for the same purpose, but it does not exist in this repo yet and must be added before merging. (GH_TOKEN was considered, but a scope check showed it has no push access to this repo.)

Test plan

  • Add the SDK_MERGE_PAT secret (PAT with push access to this repo, same as go-sdk's)
  • After merge, wait for the next automated spec update PR to land (or run this workflow via workflow_dispatch with force: true)
  • Verify a regeneration commit lands on main and the Publish workflow fires and releases to PyPI

This was referenced Jun 12, 2026
Closed
Closed
perry-the-pr-reviewer[bot]

This comment was marked as outdated.

Sign in to view

@robert-j-y robert-j-y mentioned this pull request Jun 12, 2026
Open
3 tasks
@robert-j-y robert-j-y force-pushed the ci/regenerate-on-spec-merge branch from cf631ac to d7a796b Compare June 12, 2026 22:53
@robert-j-y
ci: regenerate SDK directly on merged spec changes
d20db80 
Spec updates land on main automatically, but the only generation
trigger is the nightly cron in PR mode, whose rolling PRs require a
manual merge (#205 sat open Apr 24 - Jun 11). Mirror typescript-sdk's
spec-change workflow: when a PR touching .speakeasy/in.openapi.yaml
merges to main, run Speakeasy in direct mode so the regenerated SDK
lands on main and the publish workflow fires.
@robert-j-y robert-j-y force-pushed the ci/regenerate-on-spec-merge branch from 7f191d3 to d20db80 Compare June 12, 2026 22:55
perry-the-pr-reviewer[bot]
perry-the-pr-reviewer Bot reviewed Jun 12, 2026
View reviewed changes

@perry-the-pr-reviewer perry-the-pr-reviewer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ APPROVE unavailable on this installation — the maintainer GitHub App does not have pull_requests: write permission on OpenRouterTeam, so the verdict below is posted as COMMENT. Event-level approval (for branch-protection / review requirements) must be added out-of-band.

Perry's Review

Adds a new GitHub Actions workflow to automatically regenerate the Python SDK in mode: direct whenever a merged PR touches .speakeasy/in.openapi.yaml, replacing the stale rolling-PR pattern that required manual merges.

Verdict: ✅ LGTM

Details

Risk: 🟡 Medium — new CI automation that commits directly to main via a PAT, but no production SDK code paths are changed and the pattern mirrors the existing typescript-sdk and go-sdk workflows.

CI: no checks — new workflow file not yet triggered.

Findings: none.

Security: Category 7 (auth — PAT usage for github_access_token) was touched. The prior review flagged that secrets.GH_TOKEN lacked push access; the author ran a scope-check workflow, confirmed GH_TOKEN has permissions.push=false, and switched to secrets.SDK_MERGE_PAT (same secret name go-sdk uses for this exact purpose). The SDK_MERGE_PAT secret is not yet added to this repo — the PR description and test plan document this as a required pre-merge step. Safeguard is intact once the secret is provisioned.

Research: skipped (small tier).

Codex: skipped (small tier).

Test coverage: no unit tests applicable — this is a CI workflow file. The test plan documents a manual integration test (trigger via workflow_dispatch with force: true post-merge and verify a regeneration commit lands on main and the Publish workflow fires).

Unresolved threads: 1 outdated thread (PAT scope concern, raised in prior review at cf631ac, addressed by author on this push — switched from GH_TOKEN to SDK_MERGE_PAT with confirmed push access).

Scope: first review (full)

Review: tier=small · model=claude-sonnet-latest · score=0.4

@robert-j-y robert-j-y requested a review from mattapperson June 12, 2026 23:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattapperson mattapperson Awaiting requested review from mattapperson

1 more reviewer

@perry-the-pr-reviewer perry-the-pr-reviewer[bot] perry-the-pr-reviewer[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@robert-j-y