chore(swagger): preview openapi doc at gh-pages

[smarcet]

Summary by CodeRabbit

• Chores

  • Automated generation and publishing of OpenAPI/Swagger docs for pull requests, producing a browsable preview site and PR preview links.

• Documentation

  • Updated API documentation for an OAuth2 user endpoint: clarified description, added a V2 tag, and documented a 403 Forbidden response.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6ac849b0-f642-47e5-a238-ccd0a1c734c3

📥 Commits

Reviewing files that changed from the base of the PR and between 777f6bd and f445be5.

📒 Files selected for processing (1)

• app/Http/Controllers/Api/OAuth2/OAuth2UserApiController.php

---

📝 Walkthrough

Walkthrough

Adds a GitHub Actions workflow to generate L5-swagger OpenAPI docs, build and publish per-PR Swagger UI previews to GitHub Pages with a PR comment; and updates an OAuth2 user API OpenAPI annotation (tags, description, x-required-client-type, and a 403 response).

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow .github/workflows/l5-swagger-generate.yml	Adds a CI workflow with two jobs: openapi-generate (sets up PHP 8.3, MySQL, Redis; installs Composer deps; runs php artisan l5-swagger:generate; builds and uploads Swagger UI artifact) and pages-preview (downloads artifact for PRs, publishes to public/openapi/pr-{PR_NUMBER} on GitHub Pages, posts PR comment with preview URL).
API Controller OpenAPI Annotations app/Http/Controllers/Api/OAuth2/OAuth2UserApiController.php	Updates OpenAPI metadata for getV2: changes description, adds V2 tag, adds x-required-client-type: SERVICE, and documents a 403 Forbidden response. No runtime signature or control-flow changes.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer (push/PR)
    participant GH as GitHub Actions
    participant Runner as Actions Runner
    participant Services as MySQL/Redis (containers)
    participant PHP as PHP/Composer/artisan
    participant Artifact as Actions Artifact
    participant Pages as GitHub Pages
    participant API as GitHub API (PR comment)

    Dev->>GH: push / open PR
    GH->>Runner: run openapi-generate job
    Runner->>Services: start MySQL & Redis
    Runner->>PHP: setup PHP 8.3 + extensions, install Composer deps
    PHP->>PHP: run php artisan l5-swagger:generate
    PHP->>Runner: build Swagger UI artifact
    Runner->>Artifact: upload artifact
    alt Pull Request
        GH->>Runner: run pages-preview job
        Runner->>Artifact: download artifact
        Runner->>Pages: publish to public/openapi/pr-{PR_NUMBER}
        Runner->>API: post PR comment with preview URL
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 I hopped through workflows, docs in tow,
A preview garden ready to show,
Tags and responses all neat and spry,
A swaggering cheer from this rabbit nearby! 🎈

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the main changes: adding a GitHub Actions workflow to generate and preview OpenAPI/Swagger documentation at GitHub Pages, plus updating OpenAPI annotations.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/preview-swagger-doc-at-gh-pages

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-119/

This page is automatically updated on each push to this PR.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

.github/workflows/l5-swagger-generate.yml (1)

138-163: Avoid posting duplicate PR comments on every push.

Current logic always creates a new comment, which will spam long-running PRs. Prefer upsert behavior (find existing bot comment marker, then update).

Upsert-style comment flow

-                      await github.rest.issues.createComment({
-                        owner,
-                        repo,
-                        issue_number: prNumber,
-                        body,
-                      });
+                      const marker = '<!-- openapi-preview-comment -->';
+                      const taggedBody = `${marker}\n${body}`;
+                      const { data: comments } = await github.rest.issues.listComments({
+                        owner, repo, issue_number: prNumber, per_page: 100
+                      });
+                      const existing = comments.find(c =>
+                        c.user?.type === 'Bot' && c.body?.includes(marker)
+                      );
+                      if (existing) {
+                        await github.rest.issues.updateComment({
+                          owner, repo, comment_id: existing.id, body: taggedBody
+                        });
+                      } else {
+                        await github.rest.issues.createComment({
+                          owner, repo, issue_number: prNumber, body: taggedBody
+                        });
+                      }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/l5-swagger-generate.yml around lines 138 - 163, Change the
logic that always calls github.rest.issues.createComment to an upsert: add a
unique HTML marker (e.g. "<!-- openapi-preview -->") into the generated body
(variables: body, url) and then call github.rest.issues.listComments (using
owner, repo, issue_number/prNumber) to find an existing comment authored by the
bot that contains that marker; if found call github.rest.issues.updateComment
with the comment id to update it, otherwise call
github.rest.issues.createComment to create it. Ensure you reference prNumber,
owner, repo, body and use github.rest.issues.updateComment/createComment
appropriately so repeated pushes update instead of creating duplicates.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/l5-swagger-generate.yml:
- Around line 12-25: Replace hardcoded credential-like and PII environment
values in the workflow by removing the literal values for APP_KEY, DB_PASSWORD,
REDIS_PASSWORD, and DEV_EMAIL_TO (and any other secret-like envs such as
DB_USERNAME if applicable) and instead load them from GitHub Actions secrets
(e.g., APP_KEY: ${{ secrets.APP_KEY }}, DB_PASSWORD: ${{ secrets.DB_PASSWORD }},
REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}, DEV_EMAIL_TO: ${{
secrets.DEV_EMAIL_TO }}). Ensure the workflow uses non-sensitive defaults or
placeholders for local-only settings (e.g., DB_HOST, DB_PORT) and do not commit
real secrets; after updating, rotate any credentials already committed.
- Around line 106-113: The pages-preview job should skip on forked PRs to avoid
failing operations that require full GITHUB_TOKEN permissions; add an extra
job-level if condition to only run when the PR's head repo matches the base
repository (e.g., compare github.event.pull_request.head.repo.full_name to
github.repository or compare github.event.pull_request.head.repo.owner to
github.repository_owner) so the job (pages-preview) is skipped for forked pull
requests.
- Around line 63-65: The workflow currently injects COMPOSER_AUTH using
secrets.PAT which is unavailable for forked PRs and breaks composer install for
the private VCS dependency referenced in composer.json
(github.com/smarcet/recaptcha); update the env setting for COMPOSER_AUTH to use
github.token instead (COMPOSER_AUTH -> '{"github-oauth": {"github.com": "${{
github.token }}"} }') if that scope suffices, or else gate this job to run only
for same-repo PRs (i.e., only allow runs where the PR originates from the same
repository) so the PAT from secrets.PAT is available for installing the private
dependency.

---

Nitpick comments:
In @.github/workflows/l5-swagger-generate.yml:
- Around line 138-163: Change the logic that always calls
github.rest.issues.createComment to an upsert: add a unique HTML marker (e.g.
"<!-- openapi-preview -->") into the generated body (variables: body, url) and
then call github.rest.issues.listComments (using owner, repo,
issue_number/prNumber) to find an existing comment authored by the bot that
contains that marker; if found call github.rest.issues.updateComment with the
comment id to update it, otherwise call github.rest.issues.createComment to
create it. Ensure you reference prNumber, owner, repo, body and use
github.rest.issues.updateComment/createComment appropriately so repeated pushes
update instead of creating duplicates.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f1459214-15b0-405b-8f0d-a5fb954eafc6

📥 Commits

Reviewing files that changed from the base of the PR and between ed5f869 and 448dd83.

📒 Files selected for processing (1)

• .github/workflows/l5-swagger-generate.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid committing credential-like and PII values in workflow env.

APP_KEY, DB_PASSWORD, REDIS_PASSWORD, and DEV_EMAIL_TO are committed directly in repo. Even for CI/test values, this weakens security posture and can trigger secret/PII leakage concerns.

Suggested hardening

-            APP_KEY: base64:4vh0op/S1dAsXKQ2bbdCfWRyCI9r8NNIdPXyZWt9PX4=
-            DEV_EMAIL_TO: smarcet@gmail.com
+            APP_KEY: ${{ secrets.CI_APP_KEY }}
+            DEV_EMAIL_TO: ${{ vars.DEV_EMAIL_TO }}
...
-            DB_PASSWORD: 1qaz2wsx
+            DB_PASSWORD: ${{ secrets.CI_DB_PASSWORD }}
...
-            REDIS_PASSWORD: 1qaz2wsx
+            REDIS_PASSWORD: ${{ secrets.CI_REDIS_PASSWORD }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	APP_KEY: base64:4vh0op/S1dAsXKQ2bbdCfWRyCI9r8NNIdPXyZWt9PX4=
	DEV_EMAIL_TO: smarcet@gmail.com
	APP_URL: http://localhost
	DB_CONNECTION: mysql
	DB_HOST: 127.0.0.1
	DB_PORT: 3306
	DB_DATABASE: idp_test
	DB_USERNAME: root
	DB_PASSWORD: 1qaz2wsx
	REDIS_HOST: 127.0.0.1
	REDIS_PORT: 6379
	REDIS_DB: 0
	REDIS_PASSWORD: 1qaz2wsx
	REDIS_DATABASES: 16
	APP_KEY: ${{ secrets.CI_APP_KEY }}
	DEV_EMAIL_TO: ${{ vars.DEV_EMAIL_TO }}
	APP_URL: http://localhost
	DB_CONNECTION: mysql
	DB_HOST: 127.0.0.1
	DB_PORT: 3306
	DB_DATABASE: idp_test
	DB_USERNAME: root
	DB_PASSWORD: ${{ secrets.CI_DB_PASSWORD }}
	REDIS_HOST: 127.0.0.1
	REDIS_PORT: 6379
	REDIS_DB: 0
	REDIS_PASSWORD: ${{ secrets.CI_REDIS_PASSWORD }}
	REDIS_DATABASES: 16

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/l5-swagger-generate.yml around lines 12 - 25, Replace
hardcoded credential-like and PII environment values in the workflow by removing
the literal values for APP_KEY, DB_PASSWORD, REDIS_PASSWORD, and DEV_EMAIL_TO
(and any other secret-like envs such as DB_USERNAME if applicable) and instead
load them from GitHub Actions secrets (e.g., APP_KEY: ${{ secrets.APP_KEY }},
DB_PASSWORD: ${{ secrets.DB_PASSWORD }}, REDIS_PASSWORD: ${{
secrets.REDIS_PASSWORD }}, DEV_EMAIL_TO: ${{ secrets.DEV_EMAIL_TO }}). Ensure
the workflow uses non-sensitive defaults or placeholders for local-only settings
(e.g., DB_HOST, DB_PORT) and do not commit real secrets; after updating, rotate
any credentials already committed.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/l5-swagger-generate.yml

Repository: OpenStackweb/openstackid

Length of output: 6964

---

🏁 Script executed:

# Check if PAT secret is referenced elsewhere in workflows
rg 'secrets\.PAT' .github/workflows/

# Check for any repository secrets documentation or configuration
find .github -name "*.yml" -o -name "*.yaml" | head -20

Repository: OpenStackweb/openstackid

Length of output: 720

---

🏁 Script executed:

# Check pull_request_unit_tests.yml to see if it has guards against fork PRs
cat -n .github/workflows/pull_request_unit_tests.yml | head -40

Repository: OpenStackweb/openstackid

Length of output: 1503

---

🏁 Script executed:

# Search for composer-install and secrets.PAT in pull_request_unit_tests.yml
cat -n .github/workflows/pull_request_unit_tests.yml | grep -A 3 -B 3 "secrets.PAT"

Repository: OpenStackweb/openstackid

Length of output: 362

---

🏁 Script executed:

# Check if there are any conditional guards in the openapi-generate job
cat -n .github/workflows/l5-swagger-generate.yml | grep -A 10 "openapi-generate:"

Repository: OpenStackweb/openstackid

Length of output: 512

---

🏁 Script executed:

# Check for composer.json to see if there are private package dependencies
head -50 composer.json | grep -A 5 -B 5 '"repositories"'

Repository: OpenStackweb/openstackid

Length of output: 245

---

🏁 Script executed:

# Let's check what happens when secrets.PAT is undefined in GitHub Actions
# Also verify the behavior described in GitHub documentation by searching for any conditional patterns in the repo
rg 'github\.event\.pull_request\.head\.repo\.full_name' .github/workflows/

Repository: OpenStackweb/openstackid

Length of output: 50

---

secrets.PAT on fork PRs will cause dependency installation to fail.

Repository secrets are unavailable by default on forked pull requests. When secrets.PAT is undefined, Composer authentication fails and blocks the workflow, especially problematic since composer.json includes a private VCS dependency (github.com/smarcet/recaptcha).

To fix this, either:

• Replace secrets.PAT with github.token (note: may not access private packages with restricted scope)
• Or gate this workflow to same-repo PRs only if the PAT's broader scope is required

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/l5-swagger-generate.yml around lines 63 - 65, The workflow
currently injects COMPOSER_AUTH using secrets.PAT which is unavailable for
forked PRs and breaks composer install for the private VCS dependency referenced
in composer.json (github.com/smarcet/recaptcha); update the env setting for
COMPOSER_AUTH to use github.token instead (COMPOSER_AUTH -> '{"github-oauth":
{"github.com": "${{ github.token }}"} }') if that scope suffices, or else gate
this job to run only for same-repo PRs (i.e., only allow runs where the PR
originates from the same repository) so the PAT from secrets.PAT is available
for installing the private dependency.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat .github/workflows/l5-swagger-generate.yml

Repository: OpenStackweb/openstackid

Length of output: 5844

---

Guard pages-preview job from fork PRs to prevent permission failures.

The job writes to gh-pages and comments on PRs. On fork PRs, the GITHUB_TOKEN has restricted permissions, causing these operations to fail noisily. The job needs to skip execution for fork PRs.

Suggested condition

-        if: github.event_name == 'pull_request'
+        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if: github.event_name == 'pull_request'
	runs-on: ubuntu-latest
	permissions:
	contents: write
	issues: write
	pull-requests: write
	if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
	runs-on: ubuntu-latest
	permissions:
	contents: write
	issues: write
	pull-requests: write

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/l5-swagger-generate.yml around lines 106 - 113, The
pages-preview job should skip on forked PRs to avoid failing operations that
require full GITHUB_TOKEN permissions; add an extra job-level if condition to
only run when the PR's head repo matches the base repository (e.g., compare
github.event.pull_request.head.repo.full_name to github.repository or compare
github.event.pull_request.head.repo.owner to github.repository_owner) so the job
(pages-preview) is skipped for forked pull requests.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-119/

This page is automatically updated on each push to this PR.