HYPERFLEET-1024 - feat: CI for schema checks, version bump, externalize as Go module

[mliptak0]

Summary

Added CI workflow (ci.yml) that runs on every PR and push to main: rebuilds all four schemas from TypeSpec, checks consistency against committed files, lints both openapi.yaml files with spectral:oas, and enforces a version bump against the latest release tag.

Replaced manual release process with automated release.yml that triggers on push to main, extracts version from main.tsp, auto-creates an annotated tag, and publishes a GitHub Release with all four artifacts attached (core-openapi.yaml, core-swagger.yaml, gcp-openapi.yaml, gcp-swagger.yaml).

Added go.mod and schemas/schemas.go exposing all generated schemas via //go:embed as embed.FS, enabling downstream Go consumers to import versioned schemas as a module dependency without vendoring local copies.

Added .spectral.yaml with spectral:oas ruleset. Fix Error.instance field format from uri to uri-reference per RFC 7807. Bump actions/checkout and actions/setup-node to v6.

Update CHANGELOG.md

• HYPERFLEET-1024

Test Plan

• Unit tests added/updated
• make test-all passes
• make lint passes
• Helm chart changes validated with make test-helm (if applicable)
• Deployed to a development cluster and verified (if Helm/config changes)
• E2E tests passed (if cross-component or major changes)

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 77094153-df75-4099-acb0-1441f51f057e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Releases v1.0.11 and adds CI and release automation. New CI workflow (PRs + pushes to main) builds core/gcp OpenAPI+Swagger schemas, enforces generated-schema consistency, runs Spectral lint, and checks that main.tsp’s version is bumped. Release workflow (push to main) extracts version from main.tsp, skips if tag exists, builds four schema artifacts, creates/pushes an annotated tag, and publishes a GitHub Release with all artifacts. build-schema.sh now uses the local TypeSpec binary from node_modules/.bin. Schemas’ Error.instance format changed from uri to uri-reference. A Go package exposes embedded schema files.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main changes: CI workflow, schema version enforcement, and Go module externalization of schemas.
Description check	✅ Passed	The description directly relates to the changeset, detailing CI workflow additions, automated release process, Go module exposure via embed.FS, Spectral linting configuration, and RFC compliance fixes.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 53-63: The version check currently does only string equality on
CURRENT and LATEST and doesn't guard empty values; update the CI step to first
fail if either CURRENT (from main.tsp) or LATEST is empty, then perform a
semver-aware comparison (e.g. using sort -V) to ensure CURRENT is strictly
greater than LATEST — reference the CURRENT and LATEST variables and replace the
equality check block with: 1) empty-value guard for CURRENT and LATEST, 2)
semver comparison that fails if the sorted highest version is not CURRENT, and
3) keep the existing messages but return non-zero on equal or downgraded
versions.

In @.github/workflows/release.yml:
- Around line 28-33: The "Extract version" step sets VERSION from main.tsp but
doesn't guard against an empty result, which yields a malformed tag "v"; update
the step to validate VERSION after extraction (the shell variable VERSION used
in the step) and if it's empty, print a clear error to stderr and exit with
non-zero status so the workflow fails instead of creating a "v" tag, or
alternatively conditionally set the "tag" output only when VERSION is non-empty;
ensure the outputs "version" and "tag" are only written to GITHUB_OUTPUT when
VERSION contains a value and include context (e.g., reference to main.tsp) in
the error message.

In `@CHANGELOG.md`:
- Line 21: The changelog entry incorrectly states "Node.js 24 runtime" while the
workflows still set node-version: '20'; update the CHANGELOG line that currently
reads "Bumped `actions/checkout` and `actions/setup-node` to v6 (Node.js 24
runtime)" to accurately reflect the runtime (e.g., remove the "(Node.js 24
runtime)" parenthetical or change it to "(Node.js 20 runtime)"), so the text
matches the actual `node-version: '20'` used in the workflows.

In `@go.mod`:
- Line 3: Update the Go version directive in go.mod from "go 1.25.0" to a lower,
compatible version such as "go 1.16" or "go 1.17" to broaden downstream
compatibility; open go.mod, locate the line containing the literal token "go
1.25.0" and replace it with "go 1.16" (or "go 1.17") since only //go:embed
(introduced in 1.16) is required by the module.

In `@README.md`:
- Around line 365-367: The fenced code block containing the Go module replace
directive (the line starting with "replace
github.com/openshift-hyperfleet/hyperfleet-api-spec =>
/path/to/local/hyperfleet-api-spec") should include a language specifier to
enable syntax highlighting and silence MD040; change the opening backticks from
"```" to "```go" so the block reads "```go" followed by the replace directive
and then the closing "```".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: d5cdb396-db24-4ad4-9c30-d1c9df7625b3

📥 Commits

Reviewing files that changed from the base of the PR and between 5d10855 and 6a17bb6.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (17)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• .spectral.yaml
• CHANGELOG.md
• CLAUDE.md
• CONTRIBUTING.md
• README.md
• RELEASING.md
• build-schema.sh
• go.mod
• main.tsp
• models/common/model.tsp
• schemas/core/openapi.yaml
• schemas/core/swagger.yaml
• schemas/gcp/openapi.yaml
• schemas/gcp/swagger.yaml
• schemas/schemas.go

[rh-amarin]

ci.yml:28 — global Spectral install contradicts tsp-to-local migration

This PR removes the global tsp install in favor of node_modules/.bin/tsp to eliminate version mismatches, but installs Spectral globally (npm install -g @stoplight/spectral-cli@6.15.1). Consider adding @stoplight/spectral-cli as a pinned devDependency and invoking via npx spectral or node_modules/.bin/spectral for consistency.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 55-58: The current command collapses real gh failures into an
empty LATEST and silently skips version checks; change the logic around the gh
release list call so you capture its output and exit status separately: run gh
release list --limit 1 --json tagName --jq '.[0].tagName' and store its stdout
into a temp var, check the command's exit code and if non-zero fail the CI with
a clear error (do not fall back to empty), only treat an empty stdout as "no
previous releases" (then echo "No previous releases found — version check
skipped" and exit 0), and when stdout is non-empty set LATEST by stripping a
leading v (current LATEST variable) before doing the version comparison.

In `@CONTRIBUTING.md`:
- Around line 84-94: Update the CONTRIBUTING.md local linting instructions to
use the repository's pinned Spectral instead of a global install: replace the
global install command "npm install -g `@stoplight/spectral-cli`" with "npm ci"
(or a command that installs pinned devDependencies) and replace the invocation
"spectral lint schemas/core/openapi.yaml schemas/gcp/openapi.yaml" with the
local binary path "node_modules/.bin/spectral lint schemas/core/openapi.yaml
schemas/gcp/openapi.yaml" so contributors run the exact Spectral version used by
CI.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 86a02636-8f45-444b-bebc-66ae758f1bf2

📥 Commits

Reviewing files that changed from the base of the PR and between 6a17bb6 and 4bab831.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (18)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• .spectral.yaml
• CHANGELOG.md
• CLAUDE.md
• CONTRIBUTING.md
• README.md
• RELEASING.md
• build-schema.sh
• go.mod
• main.tsp
• models/common/model.tsp
• package.json
• schemas/core/openapi.yaml
• schemas/core/swagger.yaml
• schemas/gcp/openapi.yaml
• schemas/gcp/swagger.yaml
• schemas/schemas.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t treat GitHub API failures as “no previous releases.”

LATEST=$(... || echo "") collapses real gh failures into an empty value, and Line 56-58 then skips version enforcement. That can let non-bumped versions merge when the API call fails transiently.

Suggested fix

-          LATEST=$(gh release list --limit 1 --json tagName --jq '.[0].tagName' 2>/dev/null | sed 's/^v//' || echo "")
-          if [ -z "$LATEST" ]; then
+          if ! RAW_LATEST=$(gh release list --limit 1 --json tagName --jq '.[0].tagName' 2>/dev/null); then
+            echo "::error::Failed to query latest GitHub release tag via gh."
+            exit 1
+          fi
+          LATEST=$(printf '%s' "$RAW_LATEST" | sed 's/^v//')
+          if [ -z "$RAW_LATEST" ]; then
             echo "No previous releases found — version check skipped"
             exit 0
           fi

As per coding guidelines, "CI requirements for PRs: Enforce a strict version bump ... and fail unless main.tsp’s version is strictly greater than the latest release (or skip if no prior releases)."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	LATEST=$(gh release list --limit 1 --json tagName --jq '.[0].tagName' 2>/dev/null | sed 's/^v//' || echo "")
	if [ -z "$LATEST" ]; then
	echo "No previous releases found — version check skipped"
	exit 0
	CURRENT=$(grep -oP '(?<=version: ")[^"]+' main.tsp)
	if [ -z "$CURRENT" ]; then
	echo "Could not extract version from main.tsp — check the \`@info\` decorator format."
	exit 1
	fi
	if ! RAW_LATEST=$(gh release list --limit 1 --json tagName --jq '.[0].tagName' 2>/dev/null); then
	echo "::error::Failed to query latest GitHub release tag via gh."
	exit 1
	fi
	LATEST=$(printf '%s' "$RAW_LATEST" | sed 's/^v//')
	if [ -z "$RAW_LATEST" ]; then
	echo "No previous releases found — version check skipped"
	exit 0
	fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 55 - 58, The current command collapses
real gh failures into an empty LATEST and silently skips version checks; change
the logic around the gh release list call so you capture its output and exit
status separately: run gh release list --limit 1 --json tagName --jq
'.[0].tagName' and store its stdout into a temp var, check the command's exit
code and if non-zero fail the CI with a clear error (do not fall back to empty),
only treat an empty stdout as "no previous releases" (then echo "No previous
releases found — version check skipped" and exit 0), and when stdout is
non-empty set LATEST by stripping a leading v (current LATEST variable) before
doing the version comparison.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use local/pinned Spectral in contributor instructions, not a global install

Line 84 correctly calls out pinned CI behavior, but Lines 85-94 switch to a global install and unpinned binary invocation. That can produce lint results different from CI and hurts reproducibility for contributors.

Suggested doc fix

-CI automatically lints OpenAPI schemas using a pinned version of [Spectral](https://github.com/stoplightio/spectral) installed locally in the workflow. For local linting during development, install Spectral globally:
+CI automatically lints OpenAPI schemas using a pinned version of [Spectral](https://github.com/stoplightio/spectral) installed locally in the workflow. For local linting during development, use the project-local dependency:

 ```bash
-npm install -g `@stoplight/spectral-cli`
+npm ci

Then lint the generated schemas:

-spectral lint schemas/core/openapi.yaml schemas/gcp/openapi.yaml
+node_modules/.bin/spectral lint schemas/core/openapi.yaml schemas/gcp/openapi.yaml

</details>

As per coding guidelines, “Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity. Validate changes against HyperFleet architecture standards from the linked architecture repository.”

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @CONTRIBUTING.md around lines 84 - 94, Update the CONTRIBUTING.md local
linting instructions to use the repository's pinned Spectral instead of a global
install: replace the global install command "npm install -g
@stoplight/spectral-cli" with "npm ci" (or a command that installs pinned
devDependencies) and replace the invocation "spectral lint
schemas/core/openapi.yaml schemas/gcp/openapi.yaml" with the local binary path
"node_modules/.bin/spectral lint schemas/core/openapi.yaml
schemas/gcp/openapi.yaml" so contributors run the exact Spectral version used by
CI.

</details>

<!-- fingerprinting:phantom:triton:hawk -->

<!-- d98c2f50 -->

<!-- This is an auto-generated comment by CodeRabbit -->

[rh-amarin]

/lgtm

[rh-amarin]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rh-amarin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rh-amarin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment