ci: get OpenAPI json export operating on nightly

[imnotjames]

Description

ensures that the action yaml for the openapi export task is available before trying to execute it

to make testing / building easier - does not wait for tests to finish as this is an artifact related to the build rather than part of any release & makes the exposed artifact name clearer

Linked Issue: Fixes #1021

Testing

Ran in https://github.com/imnotjames/grimmory/actions/runs/25195541750

Changes

• checks out the repo before running an action so the action is found
• drops the unnecessary needs from the job
• makes artifact name less redundant

Summary by CodeRabbit

• Chores
  • Streamlined the nightly workflow to eliminate unnecessary waits and run more efficiently.
  • Ensured the repository is checked out at the resolved commit before export steps for more reliable artifact generation.
  • Standardized artifact naming for clearer, consistent OpenAPI artifact names and simpler downstream handling.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0378edbe-f8c6-43bf-8ae2-3d2a6f31e063

📥 Commits

Reviewing files that changed from the base of the PR and between be6f49f and 8c5ab49.

📒 Files selected for processing (1)

• .github/workflows/publish-nightly.yml

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Test Suite / Frontend Tests
• GitHub Check: Test Suite / Backend Tests
• GitHub Check: Analyze (java-kotlin)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (actions)
• GitHub Check: Frontend Lint Threshold Check

🧰 Additional context used

📓 Path-based instructions (1)

**/.github/workflows/*.yml

⚙️ CodeRabbit configuration file

**/.github/workflows/*.yml: GitHub Actions review:

• Pin action versions to SHA hashes, not floating tags.
• Flag secrets referenced as env vars in run: steps; prefer secrets context.
• Flag missing permissions: blocks (principle of least privilege).
• Ensure Java 25 is configured in the workflow, and verify --enable-preview is passed where the JVM is actually launched (for example via Gradle/Maven args, JAVA_TOOL_OPTIONS, or the explicit java command).

Files:

• .github/workflows/publish-nightly.yml

🧠 Learnings (1)

📚 Learning: 2026-04-30T04:30:04.350Z

Learnt from: imnotjames
Repo: grimmory-tools/grimmory PR: 1002
File: .github/workflows/publish-nightly.yml:118-124
Timestamp: 2026-04-30T04:30:04.350Z
Learning: When using `docker/metadata-action` in GitHub Actions workflows with an `images: |` multiline YAML block, it’s acceptable for some `images` entries to be empty (e.g., because a registry/login var like `vars.DOCKERHUB_REGISTRY` is unset in forks). `docker/metadata-action` should skip the empty line and still produce valid metadata without downstream failures, so you generally don’t need an additional `enable`/conditional guard solely to prevent empty-image formatting issues—verify the action is still generating usable tags/labels in the workflow output.

Applied to files:

• .github/workflows/publish-nightly.yml

🔇 Additional comments (3)

.github/workflows/publish-nightly.yml (3)

147-147: export-openapi dependency reduction is appropriate.

Running this job after resolve_ref only is consistent with its independent export behavior.

---

154-159: Great fix: checkout is pinned to the resolved commit SHA.

This prevents ref drift before executing the local OpenAPI export action.

---

169-169: Artifact naming improvement looks good.

openapi-${{ needs.resolve_ref.outputs.nightly_tag }} is clearer while staying specific.

---

Walkthrough

Reduce export-openapi job's dependencies to only resolve_ref, add an explicit shallow repository checkout at the resolved commit before running the local ./.github/actions/export-openapi action, and rename the uploaded artifact from nightly-openapi-* to openapi-*.

Changes

Cohort / File(s)	Summary
Nightly OpenAPI Export Workflow /.github/workflows/publish-nightly.yml	export-openapi job needs reduced to resolve_ref; added actions/checkout@v6 with fetch-depth: 1 checking out the workflow repo at the resolved SHA before running ./.github/actions/export-openapi; artifact name changed from nightly-openapi-${{ ... }} to openapi-${{ ... }} (artifact path and retention unchanged).

Sequence Diagram(s)

sequenceDiagram
    participant Resolve as Resolve Ref job
    participant Checkout as actions/checkout@v6
    participant LocalAction as ./.github/actions/export-openapi
    participant Artifacts as actions/upload-artifact

    Resolve->>Checkout: provide resolved commit SHA
    Checkout->>LocalAction: checkout repo at SHA (fetch-depth:1)
    LocalAction->>Artifacts: generate OpenAPI bundle
    LocalAction->>Artifacts: upload artifact named "openapi-<sha>"

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• PR #999 — Previously added/managed the export-openapi job and local action; directly related to job ordering, checkout, and artifact naming.

Suggested reviewers

• imajes
• balazs-szucs

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title follows conventional commit format with 'ci:' prefix and clearly describes the change to make OpenAPI export operational in the nightly workflow.
Description check	✅ Passed	The PR description follows the template structure with clear sections explaining what the PR does, linked issue reference, testing evidence, and detailed changes.
Linked Issues check	✅ Passed	The PR addresses issue #1021 by ensuring the OpenAPI export action works in the nightly workflow through repository checkout, removing unnecessary dependencies, and clarifying artifact naming.
Out of Scope Changes check	✅ Passed	All changes are focused on fixing the nightly OpenAPI export workflow job and directly address the linked issue #1021 without introducing unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[imnotjames]

wut. why are tests failing

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish-nightly.yml:
- Around line 154-158: The "Checkout Workflow Repository" step currently uses
actions/checkout without a ref, causing potential ref drift versus the export
step that uses needs.resolve_ref.outputs.commit_sha; update the checkout step
(named "Checkout Workflow Repository" using actions/checkout@de0fac2e4...) to
explicitly pin ref to needs.resolve_ref.outputs.commit_sha so the workflow runs
the same commit as the exported OpenAPI artifact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2c2cfbbb-385c-45c2-b254-4d28fe03b6e3

📥 Commits

Reviewing files that changed from the base of the PR and between cf650ad and be6f49f.

📒 Files selected for processing (1)

• .github/workflows/publish-nightly.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Test Suite / Backend Tests
• GitHub Check: Test Suite / Frontend Tests
• GitHub Check: Analyze (java-kotlin)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (actions)
• GitHub Check: Frontend Lint Threshold Check

🧰 Additional context used

📓 Path-based instructions (1)

**/.github/workflows/*.yml

⚙️ CodeRabbit configuration file

**/.github/workflows/*.yml: GitHub Actions review:

• Pin action versions to SHA hashes, not floating tags.
• Flag secrets referenced as env vars in run: steps; prefer secrets context.
• Flag missing permissions: blocks (principle of least privilege).
• Ensure Java 25 is configured in the workflow, and verify --enable-preview is passed where the JVM is actually launched (for example via Gradle/Maven args, JAVA_TOOL_OPTIONS, or the explicit java command).

Files:

• .github/workflows/publish-nightly.yml

🧠 Learnings (1)

📚 Learning: 2026-04-30T04:30:04.350Z

Learnt from: imnotjames
Repo: grimmory-tools/grimmory PR: 1002
File: .github/workflows/publish-nightly.yml:118-124
Timestamp: 2026-04-30T04:30:04.350Z
Learning: When using `docker/metadata-action` in GitHub Actions workflows with an `images: |` multiline YAML block, it’s acceptable for some `images` entries to be empty (e.g., because a registry/login var like `vars.DOCKERHUB_REGISTRY` is unset in forks). `docker/metadata-action` should skip the empty line and still produce valid metadata without downstream failures, so you generally don’t need an additional `enable`/conditional guard solely to prevent empty-image formatting issues—verify the action is still generating usable tags/labels in the workflow output.

Applied to files:

• .github/workflows/publish-nightly.yml

🔇 Additional comments (3)

.github/workflows/publish-nightly.yml (3)

147-147: Dependency narrowing for export-openapi is correct.

This change is aligned with the job’s actual inputs and should reduce nightly latency without affecting artifact generation.

---

168-168: Artifact name cleanup improves clarity.

openapi-${{ needs.resolve_ref.outputs.nightly_tag }} is less redundant and still descriptive.

---

159-163: Preview flags are correctly applied in the OpenAPI export JVM launch path.

Java 25 is configured in the action, and --enable-preview is explicitly set in backend/scripts/export-openapi.sh (line 32) where the Java process is actually launched. The flag flows through: workflow → action (Java 25 setup) → just api openapi-export → Gradle buildOpenApiArtifacts → exportOpenApi task → export-openapi.sh script.