From 4bc1b4b3e2482c2b9ddba42b79c0b82a036be98c Mon Sep 17 00:00:00 2001 From: Security Auditor Date: Mon, 6 Apr 2026 12:01:18 +0100 Subject: [PATCH 1/3] ci: add Swagger freshness check on proto changes Add a GitHub Actions workflow that runs 'make proto-swagger-gen' and fails if the generated swagger.yaml or swagger.json differ from the committed versions. Triggers on PRs touching proto/, client/docs/, or query/tx handler files, and on pushes to main. Closes #66 --- .github/workflows/swagger-check.yml | 47 +++++++++++++++++++++++++++++ CHANGELOG.md | 4 +++ 2 files changed, 51 insertions(+) create mode 100644 .github/workflows/swagger-check.yml diff --git a/.github/workflows/swagger-check.yml b/.github/workflows/swagger-check.yml new file mode 100644 index 00000000..a913d663 --- /dev/null +++ b/.github/workflows/swagger-check.yml @@ -0,0 +1,47 @@ +name: Swagger Check + +on: + pull_request: + paths: + - "proto/**" + - "client/docs/**" + - "x/**/query.go" + - "x/**/tx.go" + - ".github/workflows/swagger-check.yml" + push: + branches: + - main + paths: + - "proto/**" + - "client/docs/**" + +permissions: + contents: read + +jobs: + swagger-diff: + name: Check Swagger is up to date + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version: "1.24" + + - name: Regenerate Swagger + run: make proto-swagger-gen + + - name: Check for uncommitted changes + run: | + if ! git diff --quiet --exit-code client/docs/swagger-ui/swagger.yaml client/docs/swagger-ui/swagger.json; then + echo "::error::Swagger files are out of date. Please run 'make proto-swagger-gen' and commit the changes." + echo "" + echo "Changed files:" + git diff --stat client/docs/swagger-ui/swagger.yaml client/docs/swagger-ui/swagger.json + echo "" + echo "Diff:" + git diff client/docs/swagger-ui/swagger.yaml client/docs/swagger-ui/swagger.json + exit 1 + fi + echo "Swagger files are up to date." 
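Review bot: The two actions in the `steps` list, `actions/checkout@v4` and `actions/setup-go@v5`, are pinned to mutable tags, so what this job executes depends on whoever can move those tags; pin each to a full commit SHA with the version kept in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4` (placeholder — take the SHA from the action's release). The `Check for uncommitted changes` step only diffs the two tracked files, so a generator run that creates a new untracked file under `client/docs/swagger-ui/` still passes; running `git add --intent-to-add client/docs/swagger-ui` before the `git diff` (or checking `git status --porcelain client/docs/swagger-ui` as well) closes that gap. `permissions: contents: read` and triggering on `pull_request` rather than `pull_request_target` are the right choices for a job that runs `make` on contributor code, and that should stay as is if the workflow is later extended to comment on PRs.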
diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d80040c..09138578 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ ## Unreleased +### Added + +- Add CI workflow to verify Swagger files are up to date after `make proto-swagger-gen`; fails PR if generated files differ from committed ones ([#66](https://github.com/KiiChain/kiichain/issues/66)) + ### Fixed - Fix division-by-zero chain halt in `CalculateReward` caused by sub-second schedule durations; replace `Seconds()` truncation with `Nanoseconds()` precision and release full remaining reward when `EndTime <= LastReleaseTime` ([#267](https://github.com/KiiChain/kiichain/issues/267)) From 42332b4239708c4cfb2f45523ff3f07e85daa797 Mon Sep 17 00:00:00 2001 From: Security Auditor Date: Mon, 6 Apr 2026 12:24:55 +0100 Subject: [PATCH 2/3] fix: run proto-builder container as runner user to fix permission denied The Docker proto-builder container cannot write to the mounted workspace volume on GitHub Actions because it runs as a non-root user different from the runner. Override protoImage to pass --user flag matching the host uid/gid. --- .github/workflows/swagger-check.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/swagger-check.yml b/.github/workflows/swagger-check.yml index a913d663..8afbe164 100644 --- a/.github/workflows/swagger-check.yml +++ b/.github/workflows/swagger-check.yml @@ -30,7 +30,12 @@ jobs: go-version: "1.24" - name: Regenerate Swagger - run: make proto-swagger-gen + run: | + # Override protoImage so the Docker container runs as the runner user, + # avoiding "permission denied" on the mounted workspace volume. + PROTO_VER=$(grep '^protoVer=' Makefile | cut -d= -f2) + make proto-swagger-gen \ + "protoImage=docker run --rm --user $(id -u):$(id -g) -v $(pwd):/workspace --workdir /workspace ghcr.io/cosmos/proto-builder:${PROTO_VER}" - name: Check for uncommitted changes run: | From 2bb76b3a1ef4cbf626d3afaeec780c5b0d6b238d Mon Sep 17 00:00:00 2001 
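Review bot: `PROTO_VER=$(grep '^protoVer=' Makefile | cut -d= -f2)` fails open: if the `protoVer=` line is ever renamed or moved, the pipeline's status is `cut`'s, so even under the runner's default `bash -e` the variable is silently empty and `make` is invoked with the invalid reference `ghcr.io/cosmos/proto-builder:`; add `: "${PROTO_VER:?protoVer not found in Makefile}"` directly after the assignment. The image is also selected by mutable tag while its output becomes the source of truth this job enforces, so pinning `ghcr.io/cosmos/proto-builder:${PROTO_VER}@sha256:<digest placeholder>` (or a digest recorded next to `protoVer` in the Makefile) would make the check reproducible and protect against a replaced tag. The `protoImage=` override presumably duplicates the Makefile's own `docker run` invocation (not visible here), so a later change to the image, mounts or workdir in the Makefile will silently diverge from this workflow; a Makefile variable for extra docker arguments would avoid the copy. The `Regenerate Swagger` step is complete in this hunk, but the enclosing job definition starts outside it.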
From: Security Auditor Date: Mon, 6 Apr 2026 12:36:39 +0100 Subject: [PATCH 3/3] fix: set HOME=/tmp in proto-builder container for buf cache buf tries to create /.cache for its module cache, which fails when running as a non-root user. Setting HOME=/tmp lets buf write its cache to /tmp/.cache instead. --- .github/workflows/swagger-check.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/swagger-check.yml b/.github/workflows/swagger-check.yml index 8afbe164..bc2a22da 100644 --- a/.github/workflows/swagger-check.yml +++ b/.github/workflows/swagger-check.yml @@ -33,9 +33,10 @@ jobs: run: | # Override protoImage so the Docker container runs as the runner user, # avoiding "permission denied" on the mounted workspace volume. + # Set HOME to /tmp so buf can write its cache (default /.cache is root-only). PROTO_VER=$(grep '^protoVer=' Makefile | cut -d= -f2) make proto-swagger-gen \ - "protoImage=docker run --rm --user $(id -u):$(id -g) -v $(pwd):/workspace --workdir /workspace ghcr.io/cosmos/proto-builder:${PROTO_VER}" + "protoImage=docker run --rm --user $(id -u):$(id -g) -e HOME=/tmp -v $(pwd):/workspace --workdir /workspace ghcr.io/cosmos/proto-builder:${PROTO_VER}" - name: Check for uncommitted changes run: |
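Review bot: `-e HOME=/tmp` is broader than the problem it fixes: it redirects every tool in the container that reads `$HOME` (git's config lookup, any protoc plugin that keeps per-user state), not just buf's cache. buf honours `BUF_CACHE_DIR`, so `-e BUF_CACHE_DIR=/tmp/buf-cache` would resolve the `/.cache` write failure without changing the home directory; if other tools in the image also need a writable home, keep `HOME=/tmp` but say so in the comment. The new comment's `(default /.cache is root-only)` states a cause the hunk does not show — presumably `$HOME` resolves to `/` for the overridden uid, which has no passwd entry in the image, so `$HOME/.cache` becomes `/.cache`; `# the overridden uid has no home in the image, so buf's cache path resolves to /.cache` describes what is actually known. The cache lives only inside the ephemeral container, so nothing is reused between runs; that is fine for correctness but worth a note if this step's duration matters.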