remove sprintf for prefixing scopes

[smarcet]

ref: https://app.clickup.com/t/86b8x25q0

Summary by CodeRabbit

• New Features

  • Swagger UI PR previews: generated interactive API docs with per-PR preview URLs.

• Chores

  • Standardized all security scopes to use a centralized base-realm prefix.
  • Added Team scopes and numerous new/updated summit-related scopes.
  • Updated seed and test data to use the centralized scope constants.

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaces sprintf-based realm scope strings with a global SCOPE_BASE_REALM constant across security scope classes, seeders, tests, and consumers; adds a new TeamScopes class; ensures SCOPE_BASE_REALM is defined in AppServiceProvider; and adds a Swagger UI build + PR-preview GitHub Actions workflow.

Changes

Cohort / File(s)	Summary
Scope Constants Refactor app/Security/CompanyScopes.php, app/Security/GroupsScopes.php, app/Security/MemberScopes.php, app/Security/OrganizationScopes.php, app/Security/SponsoredProjectScope.php, app/Security/SummitScopes.php, app/Security/TeamScopes.php	Replaced '%s/...' placeholders with SCOPE_BASE_REALM.'/...' in public constants. SummitScopes exposes many constants (migrated and new). Added TeamScopes with Read/Write constants.
Scope Consumers app/Http/Utils/FilterAvailableSummitsStrategy.php, app/ModelSerializers/Summit/SummitSerializer.php	Removed dynamic sprintf-based scope construction; now use fixed scope constants (e.g., SummitScopes::ReadAllSummitData) and drop per-request realm interpolation.
Bootstrap / Provider app/Providers/AppServiceProvider.php	Added guard logic in boot() and register() to define global SCOPE_BASE_REALM from config('app.scope_base_realm') (trim/validate) if not defined.
Seeders & Data database/seeders/ApiScopesSeeder.php	Replaced sprintf-generated scope names with scope constants across many seed entries; added imports (including TeamScopes), switched to short array syntax, and adjusted descriptions.
Tests tests/ProtectedApiTestCase.php	Updated access-token stubs to use scope constants (added imports for TeamScopes); updated token metadata in the second stub (null user ids, SERVICE app type, empty user_groups).
CI / Docs Workflow .github/workflows/l5-swagger-generate.yml	Added steps to build a Swagger UI preview artifact, upload it, and a PR-preview workflow that downloads the artifact, publishes to GitHub Pages under openapi/pr-<PR_NUMBER>, and comments on the PR with the preview URL.

Sequence Diagram(s)

sequenceDiagram
    participant GH-Actions as GitHub Actions
    participant BuildJob as openapi-generate (job)
    participant ArtifactStorage as Actions Artifact
    participant PagesJob as pages-preview (job)
    participant GH-Pages as GitHub Pages
    participant PR as Pull Request

    rect rgba(120,180,240,0.5)
      PR->>GH-Actions: open PR triggers workflows
      GH-Actions->>BuildJob: run openapi-generate
      BuildJob->>ArtifactStorage: upload `swagger-ui` artifact
    end

    rect rgba(120,220,140,0.5)
      GH-Actions->>PagesJob: pages-preview runs on PR (downloads artifact)
      PagesJob->>ArtifactStorage: download `swagger-ui`
      PagesJob->>GH-Pages: publish under `public/openapi/pr-<PR_NUMBER>`
      PagesJob->>PR: post comment with preview URL
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Hotfix/unit test fixes #517 — modifies test access-token stubs in tests/ProtectedApiTestCase.php, overlapping with scope/token changes here.

Suggested reviewers

• romanetar

Poem

🐰
From sprintf burrows to one steady stream,
SCOPE_BASE_REALM lights the scope-team dream.
TeamScopes pops up, tidy and spry,
Swagger previews wave hello from the sky.
A happy rabbit hops — changes deployed with a sigh!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 27.78% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'remove sprintf for prefixing scopes' accurately describes the main change: replacing dynamic sprintf-based scope construction with static SCOPE_BASE_REALM constants throughout the codebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/prefixed-const-scopes

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

tests/ProtectedApiTestCase.php (2)

30-31: GroupsScopes is imported but never used.

The import for GroupsScopes is added but no GroupsScopes constants are used in either AccessTokenServiceStub or AccessTokenServiceStub2.

🧹 Suggested fix: Either remove the unused import or add the scope

If the scope should be included in test tokens:

             SummitScopes::ReadBadgeScanValidate,
+            GroupsScopes::ReadData,
             RSVPInvitationsScopes::Write,

Or remove the unused import:

 use App\Security\SponsoredProjectScope;
-use App\Security\GroupsScopes;
 use App\Security\TeamScopes;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/ProtectedApiTestCase.php` around lines 30 - 31, The import for
GroupsScopes is unused; either remove the unused import line "use
App\Security\GroupsScopes;" or add the appropriate GroupsScopes constant(s) to
the test token scopes in the stub classes. Locate AccessTokenServiceStub and
AccessTokenServiceStub2 in this file and either append the relevant
GroupsScopes::<CONSTANT> value(s) to their scopes arrays used when building
tokens, or simply delete the GroupsScopes import if those stubs should not
include group scopes.

---

82-85: Consider creating scope constants to complete the migration.

The following scopes in ProtectedApiTestCase.php still use $url . '/...' concatenation instead of constants (lines 83-85, 99-100):

• public-clouds/read
• private-clouds/read
• consultants/read
• members/invitations/read
• members/invitations/write

No scope constants currently exist for these. Creating dedicated scope classes (e.g., PublicCloudsScopes, PrivateCloudsScopes, ConsultantsScopes) would provide better consistency and maintainability alongside the existing SummitScopes, MemberScopes, and TeamScopes classes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/ProtectedApiTestCase.php` around lines 82 - 85, Replace the ad-hoc
"$url . '/...'" scope concatenations in ProtectedApiTestCase.php by introducing
and using dedicated scope constant classes for the missing domains: add
PublicCloudsScopes, PrivateCloudsScopes and ConsultantsScopes (each exposing
named constants such as READ) and add MembersInvitations or extend MembersScopes
to provide INVITATIONS_READ and INVITATIONS_WRITE constants; then update the
$scopes array and any other places currently using "$url .
'/public-clouds/read'", "$url . '/private-clouds/read'", "$url .
'/consultants/read'", "$url . '/members/invitations/read'", and "$url .
'/members/invitations/write'" to reference the new constants (e.g.,
PublicCloudsScopes::READ) instead of string concatenation.

app/Http/Utils/FilterAvailableSummitsStrategy.php (1)

15-15: Remove unused import.

The Config facade is no longer used in this file after the refactor.

🧹 Suggested fix

 use App\Security\SummitScopes;
-use Illuminate\Support\Facades\Config;
 use models\oauth2\IResourceServerContext;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/Http/Utils/FilterAvailableSummitsStrategy.php` at line 15, Remove the
now-unused Config facade import from the top of
FilterAvailableSummitsStrategy.php: locate the use
Illuminate\Support\Facades\Config; statement in the file (used alongside the
FilterAvailableSummitsStrategy class) and delete that import line so the file
only retains necessary use statements.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/Providers/AppServiceProvider.php`:
- Around line 721-723: Normalize and validate the config value before defining
SCOPE_BASE_REALM: read config('app.scope_base_realm'), trim whitespace and
remove any trailing slashes, then ensure the resulting string is non-empty (or
fail loudly/log an error) before calling define('SCOPE_BASE_REALM', ...). Update
the code around the SCOPE_BASE_REALM definition in AppServiceProvider (where you
currently call define with the raw config value) to perform the trim/rtrim and
non-empty check first so generated scopes won't contain empty segments or
trailing slashes.

In `@tests/ProtectedApiTestCase.php`:
- Around line 194-195: The array of scopes contains a duplicate entry of
SummitScopes::WriteVideoData; remove the redundant SummitScopes::WriteVideoData
occurrence so the list only includes that scope once (locate the scope list
where SummitScopes::WriteVideoData appears twice and delete the duplicate
entry).

---

Nitpick comments:
In `@app/Http/Utils/FilterAvailableSummitsStrategy.php`:
- Line 15: Remove the now-unused Config facade import from the top of
FilterAvailableSummitsStrategy.php: locate the use
Illuminate\Support\Facades\Config; statement in the file (used alongside the
FilterAvailableSummitsStrategy class) and delete that import line so the file
only retains necessary use statements.

In `@tests/ProtectedApiTestCase.php`:
- Around line 30-31: The import for GroupsScopes is unused; either remove the
unused import line "use App\Security\GroupsScopes;" or add the appropriate
GroupsScopes constant(s) to the test token scopes in the stub classes. Locate
AccessTokenServiceStub and AccessTokenServiceStub2 in this file and either
append the relevant GroupsScopes::<CONSTANT> value(s) to their scopes arrays
used when building tokens, or simply delete the GroupsScopes import if those
stubs should not include group scopes.
- Around line 82-85: Replace the ad-hoc "$url . '/...'" scope concatenations in
ProtectedApiTestCase.php by introducing and using dedicated scope constant
classes for the missing domains: add PublicCloudsScopes, PrivateCloudsScopes and
ConsultantsScopes (each exposing named constants such as READ) and add
MembersInvitations or extend MembersScopes to provide INVITATIONS_READ and
INVITATIONS_WRITE constants; then update the $scopes array and any other places
currently using "$url . '/public-clouds/read'", "$url . '/private-clouds/read'",
"$url . '/consultants/read'", "$url . '/members/invitations/read'", and "$url .
'/members/invitations/write'" to reference the new constants (e.g.,
PublicCloudsScopes::READ) instead of string concatenation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2c6942ce-858e-4b11-87a4-6779f87ac002

📥 Commits

Reviewing files that changed from the base of the PR and between 8102c7a and 0c5d732.

📒 Files selected for processing (14)

• .github/workflows/l5-swagger-generate.yml
• app/Http/Utils/FilterAvailableSummitsStrategy.php
• app/ModelSerializers/Summit/SummitSerializer.php
• app/Providers/AppServiceProvider.php
• app/Security/CompanyScopes.php
• app/Security/GroupsScopes.php
• app/Security/MemberScopes.php
• app/Security/OrganizationScopes.php
• app/Security/SponsoredProjectScope.php
• app/Security/SummitScopes.php
• app/Security/TeamScopes.php
• database/seeders/ApiEndpointsSeeder.php
• database/seeders/ApiScopesSeeder.php
• tests/ProtectedApiTestCase.php

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/summit-api/openapi/pr-519/

This page is automatically updated on each push to this PR.

[Copilot]

Pull request overview

This PR standardizes OAuth scope strings across the app by removing sprintf-based realm prefixing and centralizing scope construction around a shared base realm constant. It also extends CI to generate and publish a Swagger UI preview for pull requests.

Changes:

• Replaced sprintf($scope, $realm) patterns with scope constants that include the base realm (SCOPE_BASE_REALM).
• Updated seed/test data to use the new centralized scope constants (and added Teams/Groups scope constants).
• Added a GitHub Actions workflow job to publish Swagger UI previews to GitHub Pages and comment the preview URL on PRs.

Reviewed changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
tests/ProtectedApiTestCase.php	Switched hardcoded/sprintf scopes to centralized scope constants in protected API test stubs.
database/seeders/ApiScopesSeeder.php	Seeds scopes using the new scope constants (no more realm sprintf).
app/Security/TeamScopes.php	Introduces centralized Teams scope constants.
app/Security/SummitScopes.php	Converts Summit scopes from format strings to realm-prefixed constants.
app/Security/SponsoredProjectScope.php	Converts sponsored project scopes to realm-prefixed constants.
app/Security/OrganizationScopes.php	Converts organization scopes to realm-prefixed constants.
app/Security/MemberScopes.php	Converts member scopes to realm-prefixed constants.
app/Security/GroupsScopes.php	Converts groups scope to realm-prefixed constant.
app/Security/CompanyScopes.php	Converts company scopes to realm-prefixed constants.
app/Providers/AppServiceProvider.php	Defines SCOPE_BASE_REALM from config('app.scope_base_realm') during registration.
app/ModelSerializers/Summit/SummitSerializer.php	Uses centralized SummitScopes::ReadAllSummitData for access checks.
app/Http/Utils/FilterAvailableSummitsStrategy.php	Uses centralized SummitScopes::ReadAllSummitData for access checks.
.github/workflows/l5-swagger-generate.yml	Generates Swagger UI artifact and publishes a per-PR preview to GitHub Pages with PR comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

tests/ProtectedApiTestCase.php (1)

194-195: ⚠️ Potential issue | 🟡 Minor

SummitScopes::WriteVideoData is still duplicated here.

The fixture grants the same scope twice, so the test token no longer reflects a clean scope set.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/ProtectedApiTestCase.php` around lines 194 - 195, The fixture
duplicates SummitScopes::WriteVideoData in the granted scopes array, producing a
non-unique scope set; update the fixture used in ProtectedApiTestCase by
removing the duplicate SummitScopes::WriteVideoData entry (or replace it with
the intended missing scope) so the test token reflects a clean, unique set of
scopes—look for the array that lists SummitScopes::WriteVideoData twice and
ensure each scope appears only once.

🧹 Nitpick comments (2)

.github/workflows/l5-swagger-generate.yml (2)

125-129: Pin the Swagger UI assets.

Line 125 and Line 129 pull swagger-ui-dist from floating unpkg URLs, so an upstream release can break this preview without any change in this repo. Pin an explicit version or publish the assets with the artifact.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/l5-swagger-generate.yml around lines 125 - 129, The
workflow currently loads Swagger UI assets from floating unpkg URLs in the HTML
snippet (the <link rel="stylesheet"
href="https://unpkg.com/swagger-ui-dist/swagger-ui.css" /> and <script
src="https://unpkg.com/swagger-ui-dist/swagger-ui-bundle.js"></script>), which
risks breakage; update these references to pin a specific version (e.g., replace
"unpkg.com/swagger-ui-dist/..." with "unpkg.com/swagger-ui-dist@<version>/...")
or serve the CSS/JS from a repository artifact or CDN with an immutable URL so
the preview cannot be broken by upstream releases.

---

184-209: Upsert the preview comment instead of creating a new one.

Line 204 calls createComment on every run, so active PRs will accumulate duplicate preview messages. Prefer updating one sticky bot comment.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/l5-swagger-generate.yml around lines 184 - 209, Replace
the unconditional github.rest.issues.createComment call with logic that first
lists existing comments for the PR (use github.rest.issues.listComments with
context.repo and context.payload.pull_request.number), search for a bot comment
that starts with the preview header text (e.g. '📘 **OpenAPI / Swagger
preview**'), and if found call github.rest.issues.update to replace that
comment’s body; only fall back to github.rest.issues.createComment when no
matching comment exists. Ensure you preserve the assembled body string and
reference the existing comment id (comment.id) when calling issues.update.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/l5-swagger-generate.yml:
- Around line 149-183: The pages-preview job runs on pull_request events but
will fail for forked PRs because the read-only GITHUB_TOKEN prevents
peaceiris/actions-gh-pages@v4 from pushing; update the job's if condition (job
name: pages-preview) to only run for same-repo PRs by adding a fork check, e.g.
change the existing if: github.event_name == 'pull_request' to include
github.event.pull_request.head.repo.fork == false (or equivalent comparison such
as github.event.pull_request.head.repo.full_name == github.repository) so the
peaceiris/actions-gh-pages@v4 step only executes for non-fork PRs.

In `@database/seeders/ApiScopesSeeder.php`:
- Around line 55-396: The seedSummitScopes() seeder is missing several new
SummitScopes constants so fresh DBs won't get corresponding ApiScope rows;
update the $scopes array in ApiScopesSeeder::seedSummitScopes() to include
entries for SummitScopes::WriteSubmissionInvitations,
SummitScopes::ReadSubmissionInvitations, SummitScopes::ReadBookableRoomsData,
SummitScopes::BookableRoomsReservation, SummitScopes::WriteBookableRoomsData,
SummitScopes::WriteNotifications, SummitScopes::WriteEventTypeData,
SummitScopes::WriteTracksData, SummitScopes::WriteTrackGroupsData,
SummitScopes::WriteRSVPTemplateData,
SummitScopes::WriteSummitSpeakerAssistanceData, and
SummitScopes::WriteTicketTypeData (use consistent short_description/description
patterns used by other entries and reference SummitScopes.php for exact constant
names).
- Around line 510-523: The organization scopes are being attached to the wrong
API because seedOrganizationScopes() resolves the API with ['name' =>
'companies']; update the lookup so $api =
EntityManager::getRepository(\App\Models\ResourceServer\Api::class)->findOneBy(['name'
=> 'organizations']) (or the exact resource-server name used for organizations)
so OrganizationScopes::ReadOrganizationData and
OrganizationScopes::WriteOrganizationData are persisted against the correct API;
verify subsequent use of $api in this method still assigns scopes to that $api.

---

Duplicate comments:
In `@tests/ProtectedApiTestCase.php`:
- Around line 194-195: The fixture duplicates SummitScopes::WriteVideoData in
the granted scopes array, producing a non-unique scope set; update the fixture
used in ProtectedApiTestCase by removing the duplicate
SummitScopes::WriteVideoData entry (or replace it with the intended missing
scope) so the test token reflects a clean, unique set of scopes—look for the
array that lists SummitScopes::WriteVideoData twice and ensure each scope
appears only once.

---

Nitpick comments:
In @.github/workflows/l5-swagger-generate.yml:
- Around line 125-129: The workflow currently loads Swagger UI assets from
floating unpkg URLs in the HTML snippet (the <link rel="stylesheet"
href="https://unpkg.com/swagger-ui-dist/swagger-ui.css" /> and <script
src="https://unpkg.com/swagger-ui-dist/swagger-ui-bundle.js"></script>), which
risks breakage; update these references to pin a specific version (e.g., replace
"unpkg.com/swagger-ui-dist/..." with "unpkg.com/swagger-ui-dist@<version>/...")
or serve the CSS/JS from a repository artifact or CDN with an immutable URL so
the preview cannot be broken by upstream releases.
- Around line 184-209: Replace the unconditional
github.rest.issues.createComment call with logic that first lists existing
comments for the PR (use github.rest.issues.listComments with context.repo and
context.payload.pull_request.number), search for a bot comment that starts with
the preview header text (e.g. '📘 **OpenAPI / Swagger preview**'), and if found
call github.rest.issues.update to replace that comment’s body; only fall back to
github.rest.issues.createComment when no matching comment exists. Ensure you
preserve the assembled body string and reference the existing comment id
(comment.id) when calling issues.update.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ad32f831-4cf6-4bb1-9c02-0be36d2c5a9e

📥 Commits

Reviewing files that changed from the base of the PR and between 0c5d732 and dfbf1ab.

📒 Files selected for processing (14)

• .github/workflows/l5-swagger-generate.yml
• app/Http/Utils/FilterAvailableSummitsStrategy.php
• app/ModelSerializers/Summit/SummitSerializer.php
• app/Providers/AppServiceProvider.php
• app/Security/CompanyScopes.php
• app/Security/GroupsScopes.php
• app/Security/MemberScopes.php
• app/Security/OrganizationScopes.php
• app/Security/SponsoredProjectScope.php
• app/Security/SummitScopes.php
• app/Security/TeamScopes.php
• database/seeders/ApiEndpointsSeeder.php
• database/seeders/ApiScopesSeeder.php
• tests/ProtectedApiTestCase.php

🚧 Files skipped from review as they are similar to previous changes (5)

• app/ModelSerializers/Summit/SummitSerializer.php
• app/Security/SponsoredProjectScope.php
• app/Providers/AppServiceProvider.php
• app/Security/TeamScopes.php
• app/Security/MemberScopes.php

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GitHub Actions GITHUB_TOKEN fork pull request read-only permissions

💡 Result:

For workflows triggered by pull_request events from a fork, GitHub deliberately downgrades GITHUB_TOKEN to read-only and does not pass repository secrets (this is not overrideable via permissions: in the workflow). [1][2]

Key implications / options:

• You can’t “grant write” to GITHUB_TOKEN for fork PR runs on pull_request; GitHub caps it at read-only for safety. [1][2]
• If you need privileged automation on PRs (labeling, commenting, etc.), many repos use pull_request_target, which runs in the base repo context and therefore can have read/write GITHUB_TOKEN and access to secrets unless you restrict it—but this is security-sensitive (don’t run untrusted fork code in that context). [1]
• For private/internal repos, there are repository/enterprise settings to allow fork PR workflows and (optionally) “send write tokens” and/or “send secrets” to fork PR workflows. [3]

Sources: GitHub Actions docs on fork PR restrictions and pull_request_target behavior [1], GitHub changelog noting fork PR tokens are always read-only [2], and GitHub settings/policy docs for fork PR workflows in private repos (including “send write tokens”) [3].

References:
[1] (docs.github.com)
[2] (github.blog)
[3] (docs.github.com)

Citations:

• 1: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows?azure-portal=true&utm_source=openai
• 2: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/?utm_source=openai
• 3: https://docs.github.com/en/enterprise-server%403.17/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise?utm_source=openai

---

🌐 Web query:

peaceiris/actions-gh-pages write permissions requirements

💡 Result:

To use peaceiris/actions-gh-pages with GITHUB_TOKEN, your workflow/job must grant the token write access to repository contents (so it can push commits/tags to the publishing branch, usually gh-pages). The README explicitly calls out fixing 403 Write access to repository not granted by adding: permissions: contents: write. (github.com)

Example:

jobs:
  deploy:
    permissions:
      contents: write
    steps:
      - uses: peaceiris/actions-gh-pages@v4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./public

(github.com)

If you still get “permission denied” errors, also check the repository setting Settings → Actions → General → Workflow permissions and ensure it’s not restricted to read-only (many repos/orgs default to read-only). (stackoverflow.com)

If you deploy to an external repository (external_repository:), GITHUB_TOKEN won’t work; you must use a deploy key or a personal access token instead. (github.com)

Citations:

• 1: https://github.com/peaceiris/actions-gh-pages
• 2: https://github.com/peaceiris/actions-gh-pages
• 3: https://stackoverflow.com/questions/72851548/permission-denied-to-github-actionsbot?utm_source=openai
• 4: https://github.com/peaceiris/actions-gh-pages

---

Guard the deploy job for same-repo PRs.

pull_request runs from forks receive a read-only GITHUB_TOKEN, which peaceiris/actions-gh-pages@v4 cannot use to push to the repository. This job will fail for external contributors. Add a guard condition to prevent execution on fork PRs:

-        if: github.event_name == 'pull_request'
+        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository

If fork previews are required, use pull_request_target in a separate, trusted workflow instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/l5-swagger-generate.yml around lines 149 - 183, The
pages-preview job runs on pull_request events but will fail for forked PRs
because the read-only GITHUB_TOKEN prevents peaceiris/actions-gh-pages@v4 from
pushing; update the job's if condition (job name: pages-preview) to only run for
same-repo PRs by adding a fork check, e.g. change the existing if:
github.event_name == 'pull_request' to include
github.event.pull_request.head.repo.fork == false (or equivalent comparison such
as github.event.pull_request.head.repo.full_name == github.repository) so the
peaceiris/actions-gh-pages@v4 step only executes for non-fork PRs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Attach organization scopes to the organizations API.

Line 512 still resolves ['name' => 'companies'] inside seedOrganizationScopes(), so both organization scopes are persisted under the wrong resource server.

🛠️ Suggested fix

-        $api           = EntityManager::getRepository(\App\Models\ResourceServer\Api::class)->findOneBy(['name' => 'companies']);
+        $api           = EntityManager::getRepository(\App\Models\ResourceServer\Api::class)->findOneBy(['name' => 'organizations']);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@database/seeders/ApiScopesSeeder.php` around lines 510 - 523, The
organization scopes are being attached to the wrong API because
seedOrganizationScopes() resolves the API with ['name' => 'companies']; update
the lookup so $api =
EntityManager::getRepository(\App\Models\ResourceServer\Api::class)->findOneBy(['name'
=> 'organizations']) (or the exact resource-server name used for organizations)
so OrganizationScopes::ReadOrganizationData and
OrganizationScopes::WriteOrganizationData are persisted against the correct API;
verify subsequent use of $api in this method still assigns scopes to that $api.

[romanetar]

@smarcet aside from the observations raised by Rabbit and GitHub Copilot, everything else looks good to me. I don’t see any additional issues from my side.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/summit-api/openapi/pr-519/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/summit-api/openapi/pr-519/

This page is automatically updated on each push to this PR.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (2)

.github/workflows/l5-swagger-generate.yml (1)

149-183: ⚠️ Potential issue | 🟠 Major

Guard pages-preview for same-repo PRs only.

At Line 152, the job runs for all pull_request events. Fork PRs typically cannot push with GITHUB_TOKEN, so publish/comment steps can fail.

🔧 Suggested fix

-        if: github.event_name == 'pull_request'
+        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository

For GitHub Actions workflows triggered by pull_request from forks, is GITHUB_TOKEN write access restricted and are repository secrets withheld? Also confirm whether peaceiris/actions-gh-pages requires write permission to push to gh-pages.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/l5-swagger-generate.yml around lines 149 - 183, The
pages-preview job runs for all pull_request events which fails for forked PRs
because GITHUB_TOKEN/secrets and write permissions are restricted; update the
pages-preview job (job name pages-preview and the Publish to GitHub Pages step
using peaceiris/actions-gh-pages@v4) to run only for same-repo PRs by adding a
guard to the job-level if expression that checks both the event is a
pull_request and that github.event.pull_request.head.repo.full_name (or
equivalently head.repo.owner == github.repository_owner) equals
github.repository, so the publish/comment steps only run for PRs originating
from the same repository.

database/seeders/ApiScopesSeeder.php (1)

510-523: ⚠️ Potential issue | 🟠 Major

Organization scopes are attached to the wrong API.

Line 512 resolves the API with ['name' => 'companies'], but this method seeds organization scopes. The scopes should be attached to the organizations API resource server instead.

🛠️ Suggested fix

-        $api           = EntityManager::getRepository(\App\Models\ResourceServer\Api::class)->findOneBy(['name' => 'companies']);
+        $api           = EntityManager::getRepository(\App\Models\ResourceServer\Api::class)->findOneBy(['name' => 'organizations']);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@database/seeders/ApiScopesSeeder.php` around lines 510 - 523, The
seedOrganizationScopes function is resolving the wrong API ('companies') before
seeding organization scopes; update the EntityManager lookup in
seedOrganizationScopes (where it calls
EntityManager::getRepository(...)->findOneBy(['name' => 'companies'])) to
resolve the 'organizations' API instead so the scopes
(OrganizationScopes::ReadOrganizationData,
OrganizationScopes::WriteOrganizationData, etc.) are attached to the
organizations resource server.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@database/seeders/ApiScopesSeeder.php`:
- Around line 55-396: The seeder's $scopes array in ApiScopesSeeder is missing
several SummitScopes constants (e.g., WriteSubmissionInvitations,
ReadSubmissionInvitations, ReadBookableRoomsData, BookableRoomsReservation,
WriteBookableRoomsData, WriteNotifications, WriteEventTypeData, WriteTracksData,
WriteTrackGroupsData, WriteRSVPTemplateData, WriteSummitSpeakerAssistanceData,
WriteTicketTypeData); add entries for each missing SummitScopes::Constant into
the $scopes array with appropriate short_description and description values
(matching the style of existing entries) so ApiScope rows are created for those
constants when the seeder runs. Ensure each new array element uses the same key
names ('name', 'short_description', 'description') as the other entries in the
$scopes list.

In `@tests/ProtectedApiTestCase.php`:
- Around line 148-151: The scopes array contains a duplicate entry of
SummitScopes::UpdateRegistrationOrders; remove the redundant
SummitScopes::UpdateRegistrationOrders line so each scope is unique (or replace
with the intended missing scope if it was a copy/paste mistake). Locate the
scopes list in ProtectedApiTestCase (where SummitScopes entries are declared)
and delete the second occurrence to deduplicate the array.
- Around line 250-254: AccessTokenServiceStub2 contains a duplicated scope entry
(SummitScopes::UpdateRegistrationOrders) in its scopes list; locate the scopes
array in the AccessTokenServiceStub2 definition inside
tests/ProtectedApiTestCase.php and remove the redundant
SummitScopes::UpdateRegistrationOrders so each scope appears only once, ensuring
the list mirrors the corrected version used in AccessTokenServiceStub.

---

Duplicate comments:
In @.github/workflows/l5-swagger-generate.yml:
- Around line 149-183: The pages-preview job runs for all pull_request events
which fails for forked PRs because GITHUB_TOKEN/secrets and write permissions
are restricted; update the pages-preview job (job name pages-preview and the
Publish to GitHub Pages step using peaceiris/actions-gh-pages@v4) to run only
for same-repo PRs by adding a guard to the job-level if expression that checks
both the event is a pull_request and that
github.event.pull_request.head.repo.full_name (or equivalently head.repo.owner
== github.repository_owner) equals github.repository, so the publish/comment
steps only run for PRs originating from the same repository.

In `@database/seeders/ApiScopesSeeder.php`:
- Around line 510-523: The seedOrganizationScopes function is resolving the
wrong API ('companies') before seeding organization scopes; update the
EntityManager lookup in seedOrganizationScopes (where it calls
EntityManager::getRepository(...)->findOneBy(['name' => 'companies'])) to
resolve the 'organizations' API instead so the scopes
(OrganizationScopes::ReadOrganizationData,
OrganizationScopes::WriteOrganizationData, etc.) are attached to the
organizations resource server.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eb4a64ef-558b-40b1-b2a3-fae4941e5b32

📥 Commits

Reviewing files that changed from the base of the PR and between dfbf1ab and 68ead3c.

📒 Files selected for processing (14)

• .github/workflows/l5-swagger-generate.yml
• app/Http/Utils/FilterAvailableSummitsStrategy.php
• app/ModelSerializers/Summit/SummitSerializer.php
• app/Providers/AppServiceProvider.php
• app/Security/CompanyScopes.php
• app/Security/GroupsScopes.php
• app/Security/MemberScopes.php
• app/Security/OrganizationScopes.php
• app/Security/SponsoredProjectScope.php
• app/Security/SummitScopes.php
• app/Security/TeamScopes.php
• database/seeders/ApiEndpointsSeeder.php
• database/seeders/ApiScopesSeeder.php
• tests/ProtectedApiTestCase.php

🚧 Files skipped from review as they are similar to previous changes (6)

• app/ModelSerializers/Summit/SummitSerializer.php
• app/Security/GroupsScopes.php
• app/Security/MemberScopes.php
• app/Providers/AppServiceProvider.php
• app/Security/TeamScopes.php
• app/Security/CompanyScopes.php

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Several SummitScopes constants are missing from the seeder.

The following constants defined in app/Security/SummitScopes.php are not seeded, which means fresh databases won't have ApiScope rows for them:

• WriteSubmissionInvitations
• ReadSubmissionInvitations
• ReadBookableRoomsData
• BookableRoomsReservation
• WriteBookableRoomsData
• WriteNotifications
• WriteEventTypeData
• WriteTracksData
• WriteTrackGroupsData
• WriteRSVPTemplateData
• WriteSummitSpeakerAssistanceData
• WriteTicketTypeData

Consider adding these to the $scopes array to ensure completeness.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@database/seeders/ApiScopesSeeder.php` around lines 55 - 396, The seeder's
$scopes array in ApiScopesSeeder is missing several SummitScopes constants
(e.g., WriteSubmissionInvitations, ReadSubmissionInvitations,
ReadBookableRoomsData, BookableRoomsReservation, WriteBookableRoomsData,
WriteNotifications, WriteEventTypeData, WriteTracksData, WriteTrackGroupsData,
WriteRSVPTemplateData, WriteSummitSpeakerAssistanceData, WriteTicketTypeData);
add entries for each missing SummitScopes::Constant into the $scopes array with
appropriate short_description and description values (matching the style of
existing entries) so ApiScope rows are created for those constants when the
seeder runs. Ensure each new array element uses the same key names ('name',
'short_description', 'description') as the other entries in the $scopes list.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Duplicate scope entry: SummitScopes::UpdateRegistrationOrders appears twice.

Lines 148 and 151 both contain SummitScopes::UpdateRegistrationOrders. This is likely a copy-paste error and should be deduplicated.

🐛 Proposed fix

             SummitScopes::UpdateRegistrationOrders,
             SummitScopes::CreateOfflineRegistrationOrders,
             SummitScopes::DeleteRegistrationOrders,
-            SummitScopes::UpdateRegistrationOrders,
             SummitScopes::UpdateMyRegistrationOrders,

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	SummitScopes::UpdateRegistrationOrders,
	SummitScopes::CreateOfflineRegistrationOrders,
	SummitScopes::DeleteRegistrationOrders,
	SummitScopes::UpdateRegistrationOrders,
	SummitScopes::UpdateRegistrationOrders,
	SummitScopes::CreateOfflineRegistrationOrders,
	SummitScopes::DeleteRegistrationOrders,
	SummitScopes::UpdateMyRegistrationOrders,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/ProtectedApiTestCase.php` around lines 148 - 151, The scopes array
contains a duplicate entry of SummitScopes::UpdateRegistrationOrders; remove the
redundant SummitScopes::UpdateRegistrationOrders line so each scope is unique
(or replace with the intended missing scope if it was a copy/paste mistake).
Locate the scopes list in ProtectedApiTestCase (where SummitScopes entries are
declared) and delete the second occurrence to deduplicate the array.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Duplicate scope entry: SummitScopes::UpdateRegistrationOrders appears twice in AccessTokenServiceStub2.

Lines 250 and 254 both contain SummitScopes::UpdateRegistrationOrders. Same issue as in AccessTokenServiceStub.

🐛 Proposed fix

             SummitScopes::UpdateRegistrationOrders,
             SummitScopes::UpdateMyRegistrationOrders,
             SummitScopes::CreateOfflineRegistrationOrders,
             SummitScopes::DeleteRegistrationOrders,
-            SummitScopes::UpdateRegistrationOrders,
             SummitScopes::WriteBadgeScan,

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	SummitScopes::UpdateRegistrationOrders,
	SummitScopes::UpdateMyRegistrationOrders,
	SummitScopes::CreateOfflineRegistrationOrders,
	SummitScopes::DeleteRegistrationOrders,
	SummitScopes::UpdateRegistrationOrders,
	SummitScopes::UpdateRegistrationOrders,
	SummitScopes::UpdateMyRegistrationOrders,
	SummitScopes::CreateOfflineRegistrationOrders,
	SummitScopes::DeleteRegistrationOrders,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/ProtectedApiTestCase.php` around lines 250 - 254,
AccessTokenServiceStub2 contains a duplicated scope entry
(SummitScopes::UpdateRegistrationOrders) in its scopes list; locate the scopes
array in the AccessTokenServiceStub2 definition inside
tests/ProtectedApiTestCase.php and remove the redundant
SummitScopes::UpdateRegistrationOrders so each scope appears only once, ensuring
the list mirrors the corrected version used in AccessTokenServiceStub.