ci: add cloudflare to nightly regenerate-models workflow #102

Merged
stack72 merged 1 commit from ci/add-cloudflare-to-regenerate-models into main 2026-07-13 18:54:12 +00:00
Owner

Summary

  • Adds Cloudflare to the nightly regenerate-models.yml workflow so its models are regenerated from upstream schemas alongside AWS, GCP, Hetzner, and DigitalOcean
  • Adds cloudflare to the workflow_dispatch provider dropdown for manual runs
  • Includes Cloudflare in the change summary and PR body schema sources list

Test plan

  • Trigger a manual workflow_dispatch run with provider set to cloudflare and confirm it fetches the schema and generates models
  • Trigger a manual run with provider set to all and confirm Cloudflare is included
  • Verify the change summary correctly counts model/cloudflare/ diffs

🤖 Generated with Claude Code

## Summary - Adds Cloudflare to the nightly `regenerate-models.yml` workflow so its models are regenerated from upstream schemas alongside AWS, GCP, Hetzner, and DigitalOcean - Adds `cloudflare` to the `workflow_dispatch` provider dropdown for manual runs - Includes Cloudflare in the change summary and PR body schema sources list ## Test plan - [ ] Trigger a manual `workflow_dispatch` run with provider set to `cloudflare` and confirm it fetches the schema and generates models - [ ] Trigger a manual run with provider set to `all` and confirm Cloudflare is included - [ ] Verify the change summary correctly counts `model/cloudflare/` diffs 🤖 Generated with [Claude Code](https://claude.com/claude-code)
ci: add cloudflare to nightly regenerate-models workflow
All checks were successful
CI / workflows/gcs-bootstrap - lint (pull_request) Has been skipped
CI / workflows/s3-bootstrap - lint (pull_request) Has been skipped
CI / workflows/gcs-bootstrap - test (pull_request) Has been skipped
CI / workflows/gcs-bootstrap - lockfile up to date (pull_request) Has been skipped
CI / workflows/s3-bootstrap - test (pull_request) Has been skipped
CI / cve/dirtyfrag - fmt (pull_request) Has been skipped
CI / workflows/s3-bootstrap - lockfile up to date (pull_request) Has been skipped
CI / cve/dirtyfrag - check (pull_request) Has been skipped
CI / cve/dirtyfrag - lint (pull_request) Has been skipped
CI / cve/dirtyfrag - test (pull_request) Has been skipped
CI / cve/mini-shai-hulud - check (pull_request) Has been skipped
CI / cve/mini-shai-hulud - fmt (pull_request) Has been skipped
CI / cve/mini-shai-hulud - lint (pull_request) Has been skipped
CI / cve/researcher - check (pull_request) Has been skipped
CI / cve/mini-shai-hulud - test (pull_request) Has been skipped
CI / cve/researcher - fmt (pull_request) Has been skipped
CI / cve/researcher - lint (pull_request) Has been skipped
CI / cve/researcher - test (pull_request) Has been skipped
CI / software-factory - check (pull_request) Has been skipped
CI / model/hetzner-cloud - check (pull_request) Has been skipped
CI / software-factory - fmt (pull_request) Has been skipped
CI / software-factory - lint (pull_request) Has been skipped
CI / software-factory - lockfile up to date (pull_request) Has been skipped
CI / software-factory - test (pull_request) Has been skipped
CI / model/digitalocean - lockfile up to date (pull_request) Has been skipped
CI / model/hetzner-cloud - lockfile up to date (pull_request) Has been skipped
CI / Adversarial Code Review (pull_request) Has been skipped
CI / CI Security Review (pull_request) Successful in 2m10s
CI / Claude Code Review (pull_request) Successful in 2m2s
CI / Merge Gate (pull_request) Successful in 31s
7ae323cda0
Cloudflare models were missing from the nightly schema regeneration
pipeline. Adds fetch-schema + generate steps, the workflow_dispatch
dropdown option, change summary tracking, and PR body documentation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author
Owner

CI Security Review

Summary

This PR adds Cloudflare as a new provider to the regenerate-models.yml workflow. The changes are purely additive — a new choice option, a new fetch-and-generate step, inclusion in the summary loop, and a line in the PR body template — all following the exact same patterns as the existing providers (AWS, GCP, Hetzner, DigitalOcean).

Checklist Results

Check Result
Prompt Injection N/A — no LLM invocations in this workflow
Expression Injection Pass — no new expression interpolations introduced; the new Cloudflare step uses only hardcoded deno task commands in its run: block
Dangerous Triggers Pass — triggers remain schedule and workflow_dispatch (choice-constrained input), both safe
Supply Chain Passactions/checkout@v6 and denoland/setup-deno@v2 are tag-pinned to trusted publishers; no new actions or remote script execution introduced
Permissions Passcontents: write and pull-requests: write scoped at job level, appropriate for branch creation and PR management
Secret Exposure PassBOT_TOKEN usage unchanged; passed via env: block (line 172) and used in Authorization headers, not logged
Auto-merge Pass — workflow creates/updates PRs but does not auto-merge; human review required

Pre-existing Observations (NOT blocking — out of scope for this PR)

The following are pre-existing patterns in the unchanged portions of the workflow. They are not findings for this review, but noted for awareness:

  • Lines 160-161: inputs.provider and github.event_name are interpolated directly in run: blocks via ${{ }} syntax rather than passed through env:. This is safe here because inputs.provider is a type: choice constrained to a fixed enum, and github.event_name is runtime-controlled, but the env: pattern would be more defensive.
  • Lines 175, 178: steps.label.outputs.suffix and steps.label.outputs.title are interpolated in run: blocks. These are derived from the constrained choice input, so not exploitable, but using env: would follow best practices.

Verdict

PASS — The changes are security-neutral. The new Cloudflare provider step is structurally identical to the four existing providers, introduces no new expression interpolations, no new actions, no new secret usage, and no new triggers. No security concerns.

## CI Security Review ### Summary This PR adds Cloudflare as a new provider to the `regenerate-models.yml` workflow. The changes are purely additive — a new choice option, a new fetch-and-generate step, inclusion in the summary loop, and a line in the PR body template — all following the exact same patterns as the existing providers (AWS, GCP, Hetzner, DigitalOcean). ### Checklist Results | Check | Result | |---|---| | Prompt Injection | **N/A** — no LLM invocations in this workflow | | Expression Injection | **Pass** — no new expression interpolations introduced; the new Cloudflare step uses only hardcoded `deno task` commands in its `run:` block | | Dangerous Triggers | **Pass** — triggers remain `schedule` and `workflow_dispatch` (choice-constrained input), both safe | | Supply Chain | **Pass** — `actions/checkout@v6` and `denoland/setup-deno@v2` are tag-pinned to trusted publishers; no new actions or remote script execution introduced | | Permissions | **Pass** — `contents: write` and `pull-requests: write` scoped at job level, appropriate for branch creation and PR management | | Secret Exposure | **Pass** — `BOT_TOKEN` usage unchanged; passed via `env:` block (line 172) and used in `Authorization` headers, not logged | | Auto-merge | **Pass** — workflow creates/updates PRs but does not auto-merge; human review required | ### Pre-existing Observations (NOT blocking — out of scope for this PR) The following are pre-existing patterns in the unchanged portions of the workflow. They are **not findings** for this review, but noted for awareness: - Lines 160-161: `inputs.provider` and `github.event_name` are interpolated directly in `run:` blocks via `${{ }}` syntax rather than passed through `env:`. This is safe here because `inputs.provider` is a `type: choice` constrained to a fixed enum, and `github.event_name` is runtime-controlled, but the `env:` pattern would be more defensive. - Lines 175, 178: `steps.label.outputs.suffix` and `steps.label.outputs.title` are interpolated in `run:` blocks. These are derived from the constrained choice input, so not exploitable, but using `env:` would follow best practices. ### Verdict **PASS** — The changes are security-neutral. The new Cloudflare provider step is structurally identical to the four existing providers, introduces no new expression interpolations, no new actions, no new secret usage, and no new triggers. No security concerns.
Author
Owner

Code Review

This PR adds Cloudflare to the nightly regenerate-models workflow. The change is straightforward and correct.

Blocking Issues

None.

Suggestions

  1. CHANGE_SUMMARY env var is computed but never surfaces in the PR body.
    CHANGE_SUMMARY: ${{ steps.changes.outputs.summary }} is declared as an env var for the "Create or update pull request" step (line 173), but the BODY heredoc uses single-quoting (<<'BODY_EOF'), which prevents variable expansion entirely. Even if it were double-quoted, $CHANGE_SUMMARY doesn't appear anywhere in the body text. The per-provider file counts are computed in the "Check for changes" step but silently dropped. Consider either removing the env var declaration or including $CHANGE_SUMMARY in the PR body so reviewers can see which providers changed and by how many files.

  2. Existing PR title is not updated on re-runs.
    When an existing open PR is found (lines 194–196), the workflow only logs its number — no PATCH request is made to update the PR title or body. If the workflow runs once with inputs.provider = aws (creating a provider-specific title) and later runs with inputs.provider = all, the existing PR title will be stale. Consider adding a curl -X PATCH call to keep the title in sync, or document that this is intentionally left to manual cleanup.

## Code Review This PR adds Cloudflare to the nightly `regenerate-models` workflow. The change is straightforward and correct. ### Blocking Issues None. ### Suggestions 1. **`CHANGE_SUMMARY` env var is computed but never surfaces in the PR body.** `CHANGE_SUMMARY: ${{ steps.changes.outputs.summary }}` is declared as an env var for the "Create or update pull request" step (line 173), but the `BODY` heredoc uses single-quoting (`<<'BODY_EOF'`), which prevents variable expansion entirely. Even if it were double-quoted, `$CHANGE_SUMMARY` doesn't appear anywhere in the body text. The per-provider file counts are computed in the "Check for changes" step but silently dropped. Consider either removing the env var declaration or including `$CHANGE_SUMMARY` in the PR body so reviewers can see which providers changed and by how many files. 2. **Existing PR title is not updated on re-runs.** When an existing open PR is found (lines 194–196), the workflow only logs its number — no PATCH request is made to update the PR title or body. If the workflow runs once with `inputs.provider = aws` (creating a provider-specific title) and later runs with `inputs.provider = all`, the existing PR title will be stale. Consider adding a `curl -X PATCH` call to keep the title in sync, or document that this is intentionally left to manual cleanup.
stack72 deleted branch ci/add-cloudflare-to-regenerate-models 2026-07-13 18:54:12 +00:00
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
swamp-club/swamp-extensions!102
No description provided.