ci(schema): Deliver schema updates via PR instead of direct push to main

[yamadashy]

Summary

The Update Schema workflow fails at every version bump. The cause is the main branch ruleset:

remote: error: GH013: Repository rule violations found for refs/heads/main.
 ! [remote rejected] main -> main (push declined due to repository rule violations)

The ruleset requires changes to land via PR (pull_request rule), and only the admin role is in the bypass list — so github-actions[bot]'s direct push of the regenerated schema is rejected. Regular merges pass because there is nothing to commit; the failure only happens when a new schemas/<version>/ is generated (i.e. at release time).

Change

• On main (push / workflow_dispatch): open a PR via peter-evans/create-pull-request instead of pushing directly. Branch chore/schema-update, auto-deleted after merge.
• On pull_request: unchanged — keep committing the regenerated schema back into the PR branch (git-auto-commit-action) so schema changes ride along with the PR that caused them.
• Adds pull-requests: write permission.

Token

Uses the existing COMMITTER_TOKEN PAT (already used by homebrew.yml) so the generated PR triggers CI and is mergeable. The create-pull-request step is gated to github.event_name != 'pull_request', so the PAT is never exposed to fork-triggered runs.

Notes / things to verify

• COMMITTER_TOKEN scope: it must have contents + pull-requests write on yamadashy/repomix. It is a classic-scoped PAT used for Homebrew bumps, so this is very likely already covered — but worth confirming. If it is scoped too narrowly, swap in a dedicated PAT.
• Merge flow: the ruleset requires 1 approving + code-owner review with no required status checks, so the schema PR is merged by the admin (bypass) — typically one click per release.
• Validation limitation: this PR's own CI runs on a pull_request event, so it exercises only the unchanged git-auto-commit path. The new create-pull-request path runs on push: main / workflow_dispatch and will be exercised at the next version bump (or a manual workflow_dispatch once merged).

Checklist

• Run npm run test
• Run npm run lint

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[github-actions]

⚡ Performance Benchmark

Latest commit:	4f73c60 fix(ci): Address schema-update review feedback
Status:	✅ Benchmark complete!
Ubuntu:	0.59s (±0.01s) → 0.60s (±0.03s) · +0.01s (+1.4%)
macOS:	0.50s (±0.05s) → 0.51s (±0.07s) · +0.01s (+1.6%)
Windows:	0.96s (±0.03s) → 0.96s (±0.03s) · -0.00s (-0.3%)

Details

• Packing the repomix repository with node bin/repomix.cjs
• Warmup: 2 runs (discarded), interleaved execution
• Measurement: 20 runs / 30 on macOS (median ± IQR)
• Workflow run

History

19a2d68 fix(ci): Harden schema-update PR/fork/dispatch handling

Ubuntu:	0.75s (±0.02s) → 0.74s (±0.01s) · -0.01s (-0.8%)
macOS:	0.54s (±0.08s) → 0.56s (±0.07s) · +0.01s (+2.4%)
Windows:	1.07s (±0.09s) → 1.09s (±0.12s) · +0.02s (+2.1%)

77f72f6 ci(schema): Deliver schema updates via PR instead of direct push to main

Ubuntu:	0.79s (±0.02s) → 0.78s (±0.02s) · -0.00s (-0.5%)
macOS:	0.45s (±0.04s) → 0.46s (±0.04s) · +0.01s (+2.0%)
Windows:	1.02s (±0.02s) → 1.01s (±0.03s) · -0.00s (-0.4%)

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 21c4240f-1487-4d78-a04b-69e72ecbbe1e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Single workflow file updated to publish regenerated schema differently based on event type: auto-commits back to PR branches, creates separate PR for non-PR events, with additional GitHub permissions.

Changes

Schema Publishing Automation

Layer / File(s)	Summary
Conditional Schema Publishing with Permissions .github/workflows/schema-update.yml	Workflow permissions grant pull-requests: write access; schema publishing branches by event type to auto-commit on pull_request events via auto-commit action or create a separate PR on other events via create-pull-request action with branch auto-deletion and COMMITTER_TOKEN.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• yamadashy/repomix#799: Original PR that introduced the schema-update workflow now being extended with event-type-based publishing.
• yamadashy/repomix#778: Prior work on schema regeneration and auto-commit using the same stefanzweifel/git-auto-commit-action.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: switching from direct push to PR-based delivery for schema updates, which directly addresses the core issue described in the PR objectives.
Description check	✅ Passed	The description is comprehensive and complete, covering the problem, solution, implementation details, token usage, and verification notes. It follows the required template structure with the checklist items included.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/schema-update-auto-pr

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.86%. Comparing base (c4eac37) to head (4f73c60).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1614   +/-   ##
=======================================
  Coverage   90.86%   90.86%           
=======================================
  Files         121      121           
  Lines        4698     4698           
  Branches     1096     1096           
=======================================
  Hits         4269     4269           
  Misses        429      429           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cloudflare-workers-and-pages]

Deploying repomix with    Cloudflare Pages

Latest commit:	4f73c60
Status:	✅  Deploy successful!
Preview URL:	https://233774ca.repomix.pages.dev
Branch Preview URL:	https://ci-schema-update-auto-pr.repomix.pages.dev

View logs

[claude]

Code Review

Reviewed by 6 parallel reviewer agents (code-quality, security, performance, test-coverage, conventions, holistic). The design (split same-repo PR commit-back vs. main-branch PR creation) is sound; the PR is well-described and the security-sensitive claims (PAT never reaches fork runs) check out. A handful of substantive items below.

Recommended

1. Add a paths: filter to skip unrelated PRs/pushes (performance)
The schema only depends on a small surface: src/config/configSchema.ts (+ transitive imports), website/client/scripts/generateSchema.ts, normalizeJsonSchema.ts, and package.json (for the version baked into the schema). Today every PR pays the cost of npm ci + tsx run. Suggested:
```yaml
on:
push:
branches: [main]
paths:
- 'src/config/**'
- 'website/client/scripts/generateSchema.ts'
- 'website/client/scripts/normalizeJsonSchema.ts'
- 'package.json'
- '.github/workflows/schema-update.yml'
pull_request:
branches: [main]
paths: [ ... same ... ]
workflow_dispatch: # leave unfiltered as manual escape hatch
```

2. Add a concurrency: group (test-coverage / race safety)
Two near-simultaneous main pushes could race on the reused chore/schema-update branch / PR. A simple guard:
```yaml
concurrency:
group: schema-update-${{ github.ref }}
cancel-in-progress: false
```

3. Tighten permissions: and consider job-level scoping (security / conventions)
The create-pull-request step uses COMMITTER_TOKEN (a PAT) — it does not consume GITHUB_TOKEN's pull-requests scope. The auto-commit step needs only contents: write. So the top-level pull-requests: write grant on GITHUB_TOKEN is unnecessary and can be dropped. Most other workflows in this repo also follow a contents: read top-level default + per-job escalation pattern (see docker.yml, npm-publish.yml).

4. Commit message casing (conventions, per CLAUDE.md)
`commit_message: 'chore(schema): auto generate schema'` (lines 39 and 53) — "auto" should be capitalized per the project's commit guideline ("Description: ... starting with a capital letter"). Suggest `'chore(schema): Auto-generate schema'`. Also: the job name on line 16 (Update configuration json schema) lowercases "json" while line 56 uses "JSON" — worth aligning.

Nice-to-have

Details

5. Observability when create-pull-request silently no-ops (holistic)
peter-evans/create-pull-request exits 0 with no PR when there's no diff (the common case), which is indistinguishable in the Actions UI from a token-auth path that produced no PR after partial failure. A small follow-up step that surfaces the action's pull-request-number / pull-request-operation outputs would make the run log unambiguous.

6. Token-rot risk (holistic)
Most runs will have no schema diff, so a stale/expired COMMITTER_TOKEN would sit broken for weeks until a config change exposes it — and by then the drift PR is the thing that's blocked. Worth considering: a scheduled workflow_dispatch smoke test, a calendar reminder for PAT rotation, or eventually migrating to a GitHub App installation token.

7. DRY the same-repo PR condition (code-quality, minor)
The expression `github.event.pull_request.head.repo.full_name == github.repository` is duplicated on lines 24 and 36. Hoisting to a job-level env.IS_SAME_REPO_PR and referencing env.IS_SAME_REPO_PR in both if: and the ref: expression avoids drift if either changes later.

8. Step naming convention (conventions, minor)
Most workflows in this repo give each step a name:. This file uses bare - uses: / - run:, which makes the Actions UI log slightly harder to scan. Not blocking.

9. Pre-merge validation
The new create-pull-request path isn't exercised by this PR's own CI (as you noted). A gh workflow run schema-update.yml --ref <branch> once the workflow exists on the branch would exercise the exact PAT/ruleset interaction before merge.

Not flagged

• Action pinning is consistent and SHA-pinned ✅
• cache: npm correctly configured ✅
• No-diff path is genuinely a no-op for both delivery actions ✅
• git-auto-commit-action's push won't cascade workflows (uses GITHUB_TOKEN) ✅
• Reversibility is trivial — single file, no state ✅

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/schema-update.yml:
- Around line 21-24: The workflow checks out the wrong ref for forked
pull_request runs (the ref expression at `ref:` falls back to 'main'), causing
`node --run website-generate-schema` to run against the base branch instead of
the PR and hiding schema drift; change the checkout `ref` logic in
schema-update.yml to prefer the pull request head ref even for forks (use
`github.event.pull_request.head.ref`/`github.event.pull_request.head.repo.full_name`
or equivalent) so the PR code is used, and add post-generation validation that
fails CI on schema drift or, if allowed, opens/commits a schema-update PR using
`secrets.COMMITTER_TOKEN` (or aborts with a clear error) so generated schema
mismatches are surfaced instead of silently skipped.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6c03fc12-3a1a-4d09-b389-07d4ac1dfc11

📥 Commits

Reviewing files that changed from the base of the PR and between 77f72f6 and 19a2d68.

📒 Files selected for processing (1)

• .github/workflows/schema-update.yml

[yamadashy]

Thanks for the thorough review. Disposition of the items (addressed in 4f73c604):

Applied

• feat: Remove comments #2 concurrency: group — added (schema-update-${{ github.ref }}, cancel-in-progress: false) to avoid races on the reused chore/schema-update branch.
• chore: Add ignore filter tests and improve ci #3 permissions — dropped the unused pull-requests: write; create-pull-request uses the COMMITTER_TOKEN PAT and auto-commit needs only contents: write.
• feat: Add comment remove feature #4 commit-message casing — now chore(schema): Auto-generate schema. (Left the pre-existing job name Update configuration json schema as-is to avoid renaming the check.)
• Also CodeRabbit's fork finding: fork PRs now check out the merge ref and fail on schema drift.

Skipped (minor / scope)

• Add --top-files-length option to customize top files display #5 (no-op observability), feat(output): Improve security check output #7 (DRY the condition into env — the same-repo and fork ref expressions diverge after the fork fix, so a shared var no longer maps cleanly), feat: Option to prexfix line number #8 (per-step name:).

Deferred to maintainer (judgment calls — left for @yamadashy)

• Issue with Ignore #1 paths: filter — real cost saving, but the schema's transitive dependency surface is wider than src/config/** (types pulled from elsewhere in src/), so a too-narrow filter could silently skip needed regen. Worth a follow-up only with a verified path set.
• feat: Implement SecretLint integration for enhanced security checks #6 COMMITTER_TOKEN rotation/monitoring, feat(file): Improve detect binary file #9 pre-merge workflow_dispatch smoke test — ops/process, tracked separately.
  🤖