ci: add cloudflare to nightly regenerate-models workflow #102
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "ci/add-cloudflare-to-regenerate-models"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
regenerate-models.ymlworkflow so its models are regenerated from upstream schemas alongside AWS, GCP, Hetzner, and DigitalOceancloudflareto theworkflow_dispatchprovider dropdown for manual runsTest plan
workflow_dispatchrun with provider set tocloudflareand confirm it fetches the schema and generates modelsalland confirm Cloudflare is includedmodel/cloudflare/diffs🤖 Generated with Claude Code
CI Security Review
Summary
This PR adds Cloudflare as a new provider to the
regenerate-models.ymlworkflow. The changes are purely additive — a new choice option, a new fetch-and-generate step, inclusion in the summary loop, and a line in the PR body template — all following the exact same patterns as the existing providers (AWS, GCP, Hetzner, DigitalOcean).Checklist Results
deno taskcommands in itsrun:blockscheduleandworkflow_dispatch(choice-constrained input), both safeactions/checkout@v6anddenoland/setup-deno@v2are tag-pinned to trusted publishers; no new actions or remote script execution introducedcontents: writeandpull-requests: writescoped at job level, appropriate for branch creation and PR managementBOT_TOKENusage unchanged; passed viaenv:block (line 172) and used inAuthorizationheaders, not loggedPre-existing Observations (NOT blocking — out of scope for this PR)
The following are pre-existing patterns in the unchanged portions of the workflow. They are not findings for this review, but noted for awareness:
inputs.providerandgithub.event_nameare interpolated directly inrun:blocks via${{ }}syntax rather than passed throughenv:. This is safe here becauseinputs.provideris atype: choiceconstrained to a fixed enum, andgithub.event_nameis runtime-controlled, but theenv:pattern would be more defensive.steps.label.outputs.suffixandsteps.label.outputs.titleare interpolated inrun:blocks. These are derived from the constrained choice input, so not exploitable, but usingenv:would follow best practices.Verdict
PASS — The changes are security-neutral. The new Cloudflare provider step is structurally identical to the four existing providers, introduces no new expression interpolations, no new actions, no new secret usage, and no new triggers. No security concerns.
Code Review
This PR adds Cloudflare to the nightly
regenerate-modelsworkflow. The change is straightforward and correct.Blocking Issues
None.
Suggestions
CHANGE_SUMMARYenv var is computed but never surfaces in the PR body.CHANGE_SUMMARY: ${{ steps.changes.outputs.summary }}is declared as an env var for the "Create or update pull request" step (line 173), but theBODYheredoc uses single-quoting (<<'BODY_EOF'), which prevents variable expansion entirely. Even if it were double-quoted,$CHANGE_SUMMARYdoesn't appear anywhere in the body text. The per-provider file counts are computed in the "Check for changes" step but silently dropped. Consider either removing the env var declaration or including$CHANGE_SUMMARYin the PR body so reviewers can see which providers changed and by how many files.Existing PR title is not updated on re-runs.
When an existing open PR is found (lines 194–196), the workflow only logs its number — no PATCH request is made to update the PR title or body. If the workflow runs once with
inputs.provider = aws(creating a provider-specific title) and later runs withinputs.provider = all, the existing PR title will be stale. Consider adding acurl -X PATCHcall to keep the title in sync, or document that this is intentionally left to manual cleanup.