Releases: oasdiff/oasdiff-action
Release list
v0.1.4
What's Changed
This release updates the GitHub Action to oasdiff v1.21.0. See the oasdiff v1.21.0 release notes for the detection and output improvements it brings: response type widening vs narrowing, a crash fix for schema-less media types, more response-side checks, and clearer change messages.
Full Changelog: v0.1.3...v0.1.4
v0.1.3
Highlights
Pro review mode in the changelog action
Given an oasdiff-token, the changelog action now posts an encrypted Pro review on your pull requests. The specs are encrypted client-side in CI and only ciphertext is uploaded, so oasdiff cannot read them; the decryption key lives only in the review link's URL fragment. The action posts a PR comment linking to a side-by-side review where your team approves or rejects each change, and the oasdiff commit status gates merge until every breaking change is approved.
- uses: oasdiff/oasdiff-action/changelog@v0.1.3
with:
base: main:openapi.yaml
revision: openapi.yaml
oasdiff-token: ${{ secrets.OASDIFF_TOKEN }}
github-token: ${{ github.token }}(needs permissions: pull-requests: write and statuses: write)
Upgraded to oasdiff v1.20.0
The action images now run oasdiff v1.20.0.
Fixes
- Graceful message when a trial or subscription expires. When a plan lapses, the
pr-commentand Prochangelogactions now surface a clear "your plan has expired, renew here" message and keep the workflow green, instead of failing with an opaqueHTTP 402error.
Full Changelog: v0.1.2...v0.1.3
v0.1.2
Highlights
The PR comment now posts by default
The breaking and changelog actions now default github-token to ${{ github.token }}, so the review/changelog comment posts to the PR automatically on any repo whose job GITHUB_TOKEN already has write access, with no workflow edit (#167). Previously most repos only ever saw the review link in the job summary, which almost nobody opens. If your org forces a read-only default token you still need to add permissions: pull-requests: write, and fork PRs are unchanged (read-only token). The comment copy is also clearer about the capability-by-URL model and how specs stay encrypted in CI, plus an explicit opt-out: set review: false to stop posting.
New @v0 moving major tag
A v0 tag is now published and re-pointed on every stable release, so you can pin to @v0 and pick up later patches and minors (like the comment improvements above) automatically, with no workflow change (#168).
- uses: oasdiff/oasdiff-action/breaking@v0A new Versioning section in the README covers @v0 (recommended), exact pins like @v0.1.1 (reproducible CI), and @main (unreleased tip). README examples now use @v0.
Upgraded to oasdiff v1.19.1
Every action now runs on oasdiff v1.19.1.
Full Changelog: v0.1.1...v0.1.2
v0.1.1
Highlights
Upgraded to oasdiff v1.19.1
Every action now runs on oasdiff v1.19.1.
Fixes
The free side-by-side review that the breaking and changelog actions generate gets several reliability fixes in this release:
- Review links survive the v1.19.1 output change. v1.19.1 moved the
Opening <url>line from stdout to stderr so it can no longer corrupt piped JSON or YAML output. The action now captures the review URL from either stream, so on v1.19.1 your PRs keep getting the side-by-side review comment instead of a misleading "couldn't upload, re-run the job" warning and no comment at all (#165). - No more spurious review links on clean PRs. No-change detection no longer depends on the
formatyou set. An empty changelog renders differently per format ([]forjsonandyaml, a header plus "No changes detected" formarkup), and those slipped past the old text-only check, so every clean PR got a review link and an uploaded comparison. Detection now uses a format-independent JSON probe (#164). - Composed mode skips the review upload cleanly. In composed mode (
-c) the encrypted review can't represent a glob of many specs, so the action no longer attempts--open. Instead of the generic "couldn't upload, re-run" warning, it emits a single notice explaining the review isn't available in composed mode (#164). - A nudge when the PR comment isn't wired up. If a review link is produced on a pull request but no
github-tokenis set, the action now emits a notice (with a docs link) showing how to get the review posted as a PR comment, rather than leaving it silently on the job summary. It stays quiet on no-change runs and non-PR events (#163). - Aligned the
verifyaction onto the same oasdiff v1.19.0 release base image as the other five actions (#162).
Full Changelog: v0.1.0...v0.1.1
v0.1.0
Highlights
New: free side-by-side review link, now posted as a PR comment
The breaking and changelog actions can now find a review link on the PR itself instead of burying it in the job summary. When changes are detected, the action encrypts both specs in CI, uploads only the ciphertext, and posts (then auto-updates) a single PR comment with the side-by-side review link. The decryption key lives only in the URL fragment and never reaches a server.
- uses: oasdiff/oasdiff-action/breaking@v0.1.0
with:
base: 'main/openapi.yaml'
revision: 'openapi.yaml'
github-token: ${{ github.token }}
permissions:
pull-requests: writeTwo new inputs drive this (#152, #156):
review(defaulttrue): emit the encrypted review link when changes are found. Setreview: falseto opt out entirely, no spec leaves CI, and detection plus inline annotations are unaffected.github-token: pass${{ github.token }}(and grantpull-requests: write) to get the PR comment. Omit it to keep the previous behavior, link in the job summary only. No oasdiff account or token is required;github.tokenis GitHub's built-in token.
The comment is best-effort and never fatal: the action posts it before exiting non-zero, so it survives a fail-on gate, and on fork PRs (where GITHUB_TOKEN is read-only) it falls back to the always-written job summary. It updates one marker comment rather than spamming per push, and rewrites itself to a "no changes" note when a later push clears the changes.
Upgraded to oasdiff v1.19.0
All six actions (breaking, changelog, diff, validate, pr-comment, verify) now run on the oasdiff v1.19.0 base image (#161, #162).
Fixes
- The review link now actually posts from
breakingandchangelog. Both images now installcurl(andca-certificates), which the new PR-comment and review-link calls need. Without it the API call returned HTTP 000 and silently fell back to the job summary (#157). - Clearer free-action docs and PR-comment copy. The
breakingandchangelogdescriptions now mention the encrypted review link and correct where annotations land (the Files changed tab, not the summary). The PR comment itself was reworked to lead with opening and sharing the review with your team, with privacy collapsed to one line, and its "How it works" link now points straight at the privacy section (#155, #158, #159, #160).
Full Changelog: v0.0.57...v0.1.0
v0.0.57
Highlights
Upgraded to oasdiff v1.18.5
The breaking, changelog, diff, pr-comment, and validate actions now run oasdiff v1.18.5. For workflow authors this brings:
- No more crashes on certain spec changes. A change that dropped a single-valued sub-schema on one side (for example an array property removing its
items, or a removednot/if/then/else) previously crashed the action with a panic. The actions now handle these diffs cleanly. (oasdiff #998) notsub-schemas are now checked. Property changes nested inside anotschema (a removed property, a tightened constraint, a newly required field) are now reported by the breaking and changelog actions instead of being skipped. (oasdiff #994)
Full Changelog: v0.0.56...v0.0.57
v0.0.56
What's Changed
- Remove stale release.sh by @reuvenharrison in #146
- Pass the PR base branch in the review URL (editable workflow link) by @reuvenharrison in #147
Full Changelog: v0.0.55...v0.0.56
v0.0.55
What's changed
- The free
breaking/changelogstep summary is now a single link to the side-by-side review on oasdiff.com, instead of a baked CLI command. The command, install help, and any guidance now live on that page, so they can be improved without you needing to upgrade the action. Removed the duplicate (non-clickable)::notice::review link; the per-change::error::annotations are unchanged (#144). - Added a
workflowURL parameter (fromGITHUB_WORKFLOW_REF) so the review page can link back to the exact workflow file (#144). - Docs: examples bumped to
v0.0.55(#145).
Full Changelog: v0.0.54...v0.0.55
v0.0.54
What's changed
- The local-review command now self-recovers. The
breakingandchangelogstep summaries printgit fetch origin <base> <head> && oasdiff ..., and the base image is bumped to oasdiff v1.18.4, which prints an actionablegit fetch origin <sha>hint (instead of a terse git error) when a reviewer's clone is missing the commit. So a reviewer on a fresh or shallow clone reaches the review without manual fixups (#138, #143). - Action version is now recorded for diagnostics. Service-calling actions (
pr-comment,verify) sendUser-Agent: oasdiff-action/<ref>, and the free/reviewURL carriesaction_version=<ref>, so a run's version is visible in the logs (#142). - Base image bumped to oasdiff v1.18.4 across all actions, including
verify/(was v1.18.1) (#143). - Internal: removed an internal doc-path reference from step-summary comments (#137).
Full Changelog: v0.0.53...v0.0.54
v0.0.53
Highlights
Upgraded to oasdiff v1.18.2
Every action now runs on oasdiff v1.18.2, which completes and polishes the breaking-change rule catalog: all 474 rules now have a real description (29 were previously missing), the mitigation texts are clearer, and descriptions are localized across English, Spanish, Brazilian Portuguese, and Russian. See the oasdiff v1.18.2 release for details.
Full Changelog: v0.0.52...v0.0.53