From 39e3c07a6e7e3c1c75515287cec451835d9b7fd7 Mon Sep 17 00:00:00 2001
From: Mary Dickson
Date: Tue, 17 Mar 2026 16:16:07 -0700
Subject: [PATCH 1/2] chore(ci): add scheduled workflow to auto-update vendored OpenAPI specs

Runs daily at 01:42 UTC (+ manual dispatch). When upstream specs in opentdf/platform have changed, opens a PR on chore/update-vendored-specs (or updates the existing branch if a PR is already open).

Closes #247

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/update-vendored-specs.yaml | 86 ++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 .github/workflows/update-vendored-specs.yaml

diff --git a/.github/workflows/update-vendored-specs.yaml b/.github/workflows/update-vendored-specs.yaml
new file mode 100644
index 00000000..a640bee9
--- /dev/null
+++ b/.github/workflows/update-vendored-specs.yaml
@@ -0,0 +1,86 @@
+name: Update vendored OpenAPI specs
+
+on:
+ schedule:
+ - cron: "42 1 * * *" # Daily at 01:42 UTC
+ workflow_dispatch:
+
+jobs:
+ update-specs:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: true
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 22
+ cache: npm
+
+ - name: Set up git identity
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Update vendored specs
+ run: npm run update-vendored-yaml
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Check for changes
+ id: diff
+ run: |
+ if [ -z "$(git status --porcelain specs/)" ]; then
+ echo "changes=false" >> "$GITHUB_OUTPUT"
+ echo "No spec changes detected."
+ else
+ echo "changes=true" >> "$GITHUB_OUTPUT"
+ echo "Changed files:"
+ git status --porcelain specs/
+ fi
+
+ - name: Check for existing PR
+ if: steps.diff.outputs.changes == 'true'
+ id: existing-pr
+ run: |
+ PR_NUMBER=$(gh pr list --head chore/update-vendored-specs --json number --jq '.[0].number')
+ if [ -n "$PR_NUMBER" ]; then
+ echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
+ echo "Found existing PR #$PR_NUMBER"
+ fi
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Create or update branch
+ if: steps.diff.outputs.changes == 'true'
+ run: |
+ BRANCH=chore/update-vendored-specs
+ git fetch origin "$BRANCH" 2>/dev/null && git checkout "$BRANCH" && git merge origin/main --no-edit || git checkout -b "$BRANCH"
+ npm run update-vendored-yaml
+ git add specs/
+ if git diff --cached --quiet; then
+ echo "Branch already has latest specs, nothing to commit."
+ else
+ git commit -m "chore(deps): update vendored OpenAPI specs"
+ git push -u origin "$BRANCH" --force-with-lease
+ fi
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Create PR
+ if: steps.diff.outputs.changes == 'true' && steps.existing-pr.outputs.pr_number == ''
+ run: |
+ gh pr create \
+ --title "chore(deps): update vendored OpenAPI specs" \
+ --body "Automated update of vendored OpenAPI specs in \`specs/\` to match upstream \`opentdf/platform\`." \
+ --head chore/update-vendored-specs \
+ --base main
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 84ce513e0276c9c536046baaed2c5cc17cc86240 Mon Sep 17 00:00:00 2001
From: Mary Dickson
Date: Mon, 23 Mar 2026 11:27:19 -0700
Subject: [PATCH 2/2] fix(ci): deterministic branch handling and concurrency guard

- Replace fragile &&/|| chain with `git checkout -B` from origin/main to avoid merge-conflict fallback creating a new branch
- Add workflow concurrency group to prevent overlapping runs from racing

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/update-vendored-specs.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/update-vendored-specs.yaml b/.github/workflows/update-vendored-specs.yaml
index a640bee9..e40bf898 100644
--- a/.github/workflows/update-vendored-specs.yaml
+++ b/.github/workflows/update-vendored-specs.yaml
@@ -5,6 +5,10 @@ on:
 - cron: "42 1 * * *" # Daily at 01:42 UTC
 workflow_dispatch:

+concurrency:
+ group: update-vendored-specs
+ cancel-in-progress: true
+
 jobs:
 update-specs:
 runs-on: ubuntu-latest
@@ -62,7 +66,8 @@ jobs:
 if: steps.diff.outputs.changes == 'true'
 run: |
 BRANCH=chore/update-vendored-specs
-git fetch origin "$BRANCH" 2>/dev/null && git checkout "$BRANCH" && git merge origin/main --no-edit || git checkout -b "$BRANCH"
+git fetch origin main "$BRANCH" || true
+git checkout -B "$BRANCH" origin/main
 npm run update-vendored-yaml
 git add specs/
 if git diff --cached --quiet; then
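Review bot: The job's `contents: write` / `pull-requests: write` token is written into `.git/config` by `persist-credentials: true` on the checkout and is also exported to `npm run update-vendored-yaml`, so any lifecycle script executed by `npm ci` and the update script itself hold push and PR-creation capability on this repository, not only the final push step. Setting `persist-credentials: false` on the checkout, running `npm ci --ignore-scripts` if the package does not depend on install hooks, and supplying the token only to the `Create or update branch` (with `gh auth setup-git` there so `git push` can authenticate) and `Create PR` steps keeps the write credential out of the steps that execute third-party code. One functional caveat: a PR opened with the repository's `GITHUB_TOKEN` does not trigger `pull_request` workflows, so the automated PR will show no CI checks unless `gh pr create` runs with a GitHub App or PAT token. The update script presumably needs `GITHUB_TOKEN` for the upstream fetch; if it only reads public content, that `env` line on the `Update vendored specs` step can go as well.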
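Review bot: `cancel-in-progress: true` can abort a run after `git push --force-with-lease` has updated the branch but before `gh pr create` runs, leaving a pushed branch with no PR until the next run's existing-PR check comes back empty and creates one. Since each run is short and the group already serialises them, `cancel-in-progress: false` lets the in-flight write finish and simply queues the newer run; the group name stays as is. This is a robustness preference rather than a defect, because the next run does recover.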
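Review bot: With `git checkout -B "$BRANCH" origin/main` the branch is rebuilt from main on every run, so `git diff --cached --quiet` on the hunk's last line now compares the staged specs against `origin/main` instead of the existing remote branch; in the normal case where `origin/main` is the checked-out commit that diff is non-empty whenever this step runs at all, the `nothing to commit` path becomes effectively unreachable, and each daily run will commit and force-push the PR branch even when `origin/chore/update-vendored-specs` already holds identical specs. Comparing against the remote branch when it exists avoids the daily rewrite: `if git diff --cached --quiet || { git rev-parse -q --verify "origin/$BRANCH" >/dev/null && git diff --cached --quiet "origin/$BRANCH" -- specs/; }; then`. Separately, `git fetch origin main "$BRANCH" || true` hides failures for both refs, and if the branch does not exist yet the combined fetch may fail as a whole, leaving `origin/main` at whatever actions/checkout recorded; fetching `main` unguarded and only the branch with `|| true` makes the intent explicit. The step's `else` branch (commit and push) is outside this hunk.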