ci: validation of generated OpenAPI schema (#604)

[holtgrewe]

Summary by CodeRabbit

• New Features

  • Introduced a new job in the CI workflow for generating and validating an OpenAPI schema.
  • Added a new OpenAPI schema file defining API specifications for the "mehari" tool.
  • Implemented a new endpoint: GET /api/v1/versionsInfo for variant effect predictions.

• Documentation

  • The OpenAPI schema includes detailed metadata and response structures for better API understanding.

[coderabbitai]

Walkthrough

The changes in this pull request introduce a new job named Schema in the GitHub Actions workflow file .github/workflows/rust.yml, which is dependent on the existing Formatting job. This new job runs on the ubuntu-24.04 environment and includes steps for checking out the repository, installing dependencies, generating an OpenAPI schema, and validating it against an expected format. Additionally, a new OpenAPI schema file openapi.schema.yaml is added, defining the API specifications for a variant effect prediction tool, including a new endpoint and various data structures.

Changes

File	Change Summary
.github/workflows/rust.yml	Added a new job Schema that runs after Formatting, including steps for schema generation and validation.
openapi.schema.yaml	Introduced a new OpenAPI schema defining the API for "mehari" with metadata, a new endpoint, and several schemas.

Poem

In the garden of code where the rabbits play,
A new schema blooms, brightening the day.
With jobs that align and validation in tow,
Our API's ready, watch it grow! 🐇✨
Hops of success in each line we write,
Together we build, our future is bright!

Warning

Tool Failures:

Tool Failure Count:

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 7

🧹 Outside diff range and nitpick comments (4)

openapi.schema.yaml (3)

1-10: Consider enhancing API metadata documentation.

While the basic metadata is present, consider adding:

• termsOfService URL
• Extended API description including usage examples
• External documentation links

🧰 Tools

🪛 checkov

[HIGH] 1-93: Ensure that the global security field has rules defined

(CKV_OPENAPI_4)

---

[HIGH] 1-93: Ensure that security operations is not empty.

(CKV_OPENAPI_5)

---

35-38: Remove implementation detail from schema description.

The description mentions it's "Copy from annonars with extension to derive utoipa::ToSchema", which is an implementation detail that shouldn't be in the API documentation.

      description: |-
        Assembly to be passed on the command line.
-
-        Copy from annonars with extension to derive `utoipa::ToSchema`.

---

1-91: Consider API versioning strategy.

The current endpoint path includes /v1/ which indicates version 1, but the OpenAPI spec version 0.29.6 suggests this is still pre-1.0. Consider:

1. Aligning the API version with the software version
2. Documenting the versioning strategy in the API description
3. Adding a deprecation policy for future version changes

🧰 Tools

🪛 checkov

[HIGH] 1-93: Ensure that the global security field has rules defined

(CKV_OPENAPI_4)

---

[HIGH] 1-93: Ensure that security operations is not empty.

(CKV_OPENAPI_5)

.github/workflows/rust.yml (1)

129-131: Consider parallel execution with other jobs.

The Schema job currently only depends on Formatting. Since schema validation is independent of testing and linting, consider making it a parallel job to potentially reduce overall workflow execution time.

  Schema:
-   needs: Formatting
+   needs: []
    runs-on: ubuntu-24.04

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 48382b6 and 30145ea.

📒 Files selected for processing (2)

• .github/workflows/rust.yml (1 hunks)
• openapi.schema.yaml (1 hunks)

🧰 Additional context used

🪛 actionlint

.github/workflows/rust.yml

143-143: the runner of "actions-rs/toolchain@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 checkov

openapi.schema.yaml

[HIGH] 1-93: Ensure that the global security field has rules defined

(CKV_OPENAPI_4)

---

[HIGH] 1-93: Ensure that security operations is not empty.

(CKV_OPENAPI_5)

[coderabbitai]

⚠️ Potential issue

Add security definitions to the API specification.

The API specification lacks security definitions. Consider adding appropriate security schemes (e.g., API key, OAuth2, or Bearer token) to protect the endpoint.

Add the following security definitions:

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

security:
  - bearerAuth: []

Then, apply security to the endpoint:

/api/v1/versionsInfo:
  get:
    security:
      - bearerAuth: []
    # ... rest of the endpoint definition

[coderabbitai]

⚠️ Potential issue

Fix incorrect endpoint summary.

The summary "Query for consequence of a variant" doesn't match the endpoint's purpose of providing version information.

-      summary: Query for consequence of a variant.
+      summary: Retrieve version information for the service.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	summary: Query for consequence of a variant.
	summary: Retrieve version information for the service.

[coderabbitai]

⚠️ Potential issue

Fix incorrect endpoint path in description.

The description references /v1/version but the actual endpoint is /api/v1/versionsInfo.

-      description: Response of the `/v1/version` endpoint.
+      description: Response of the `/api/v1/versionsInfo` endpoint.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	description: Response of the `/v1/version` endpoint.
	description: Response of the `/api/v1/versionsInfo` endpoint.

[coderabbitai]

⚠️ Potential issue

Fix inconsistent file extensions.

There's an inconsistency in file extensions between steps:

• Line 154: Uses .yaml
• Line 157: Uses .yml
• Line 162: Uses .yml

This could cause the diff and validation steps to fail.

       - name: Compare YAML in git to the one just generated
-        run: diff openapi.schema.yml /tmp/openapi.schema.yml
+        run: diff openapi.schema.yaml /tmp/openapi.schema.yaml

       - name: Validate OpenAPI schema
         uses: thiyagu06/openapi-validator-action@v1
         with:
-          filepath: /tmp/openapi.schema.yml
+          filepath: /tmp/openapi.schema.yaml

Also applies to: 159-162

[coderabbitai]

⚠️ Potential issue

Update outdated GitHub Action.

The actions-rs/toolchain@v1 action is outdated. Consider updating to a newer version or switching to dtolnay/rust-toolchain@stable which is more actively maintained.

-      - name: Install stable toolchain
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          override: true
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@stable

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Install stable toolchain
	uses: actions-rs/toolchain@v1
	with:
	toolchain: stable
	override: true
	- name: Install stable toolchain
	uses: dtolnay/rust-toolchain@stable

🧰 Tools

🪛 actionlint

143-143: the runner of "actions-rs/toolchain@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

[coderabbitai]

🛠️ Refactor suggestion

Add error handling for schema generation.

The schema generation step should include error handling to ensure the command's success is properly checked.

-      - name: Write schema
-        run: cargo run -- server schema --output-file /tmp/openapi.schema.yaml
+      - name: Write schema
+        run: |
+          set -eo pipefail
+          cargo run -- server schema --output-file /tmp/openapi.schema.yaml

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Write schema
	run: cargo run -- server schema --output-file /tmp/openapi.schema.yaml
	- name: Write schema
	run: |
	set -eo pipefail
	cargo run -- server schema --output-file /tmp/openapi.schema.yaml

[coderabbitai]

💡 Codebase verification

Pin OpenAPI validator action to specific commit hash

The schema validation setup needs improvement for security:

• The OpenAPI schema file is properly configured with OpenAPI 3.0.3
• The validator action is only pinned to major version v1 which is not secure
• No explicit validation rules are configured, using defaults

To enhance security:

1. Replace thiyagu06/openapi-validator-action@v1 with a specific commit hash
2. Consider adding validation rules via the action's rules input parameter

🔗 Analysis chain

Verify OpenAPI validator version and configuration.

The OpenAPI validator is using a third-party action. Consider:

1. Pinning to a specific version hash for security
2. Adding validator configuration options for schema version and validation rules

---

Let me check the content of the OpenAPI schema file and look for any version or validation configurations.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any OpenAPI schema files and validation configurations
echo "Searching for OpenAPI schema files..."
fd -e yaml -e yml . | grep -i 'openapi\|swagger'

echo "Checking for validator configurations..."
fd -g '*openapi*' -g '*swagger*' .

Length of output: 361

---

Script:

#!/bin/bash
# Check OpenAPI schema file content and validator usage
echo "OpenAPI schema content:"
cat openapi.schema.yaml | head -n 10

echo -e "\nChecking validator usage in workflows:"
rg "openapi-validator" .github/workflows/

Length of output: 523

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 73.38%. Comparing base (48382b6) to head (c9256ba).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #609      +/-   ##
==========================================
- Coverage   73.40%   73.38%   -0.03%     
==========================================
  Files          28       28              
  Lines        9948     9948              
==========================================
- Hits         7302     7300       -2     
- Misses       2646     2648       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

.github/workflows/rust.yml (2)

129-131: Consider adding dependency on Testing job.

The Schema job currently only depends on Formatting, but it requires a successful build to generate the schema. Consider adding Testing as a dependency to ensure the code builds successfully before attempting schema generation.

   Schema:
-    needs: Formatting
+    needs: [Formatting, Testing]
     runs-on: ubuntu-24.04

---

152-154: Add cargo caching for faster builds.

The schema generation step requires building the project, but cargo caching is not configured. Add the Swatinem/rust-cache action to speed up subsequent runs.

      - name: Setup protoc
        uses: arduino/[email protected]
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}

+     - uses: Swatinem/rust-cache@v2
+       with:
+         cache-directories: |
+           ~/.cargo/registry/src/**/librocksdb-sys-*

      - name: Write schema
        run: cargo run -- server schema --output-file /tmp/openapi.schema.yaml

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 30145ea and c9256ba.

📒 Files selected for processing (1)

• .github/workflows/rust.yml (1 hunks)

🧰 Additional context used

🪛 actionlint

.github/workflows/rust.yml

143-143: the runner of "actions-rs/toolchain@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)