authzed · Verolop · Oct 31, 2025 · Oct 30, 2025 · Oct 30, 2025 · Oct 30, 2025
diff --git a/.github/workflows/update-openapi-spec.yml b/.github/workflows/update-openapi-spec.yml
@@ -5,13 +5,6 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
-  # Run when PRs are opened or synchronized
-  pull_request:
-    types: [opened, synchronize]
-    paths:
-      - 'openapi-spec.yaml'
-      - '.github/workflows/update-openapi-spec.yml'
-
   # Allow manual triggering
   workflow_dispatch:
 
@@ -22,8 +15,6 @@ on:
 jobs:
   update-openapi-spec:
     name: Update OpenAPI Spec
-    # Don't run this job on PR events if the PR is from the update-openapi-spec branch (to avoid loops)
-    if: github.event_name != 'pull_request' || github.head_ref != 'update-openapi-spec'
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -48,6 +39,8 @@ jobs:
 
       - name: Update OpenAPI spec
         id: update-spec
+        env:
+          GITHUB_TOKEN: ${{ secrets.INTERNAL_REPO_TOKEN }}
         run: |
           mage openapi:update
           # Check if there are changes
@@ -57,9 +50,9 @@ jobs:
             echo "changes=false" >> $GITHUB_OUTPUT
           fi
 
-      # When not in a PR, create a new PR with changes
+      # Create a new PR with changes
       - name: Create Pull Request
-        if: steps.update-spec.outputs.changes == 'true' && github.event_name != 'pull_request'
+        if: steps.update-spec.outputs.changes == 'true'
         uses: peter-evans/create-pull-request@v7
         with:
           commit-message: 'chore: update OpenAPI spec'
@@ -70,27 +63,4 @@ jobs:
             This is an automated PR created by the GitHub Actions workflow.
           branch: update-openapi-spec
           base: main
-          labels: dependencies,automated
-
-      # When in a PR context, update the PR with the latest spec
-      - name: Commit changes to PR
-        if: steps.update-spec.outputs.changes == 'true' && github.event_name == 'pull_request'
-        run: |
-          git config --global user.name 'GitHub Actions'
-          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
-          git add openapi-spec.yaml
-          git commit -m "chore: update OpenAPI spec to latest version"
-          git push
-
-      # Also add a comment to the PR about the update
-      - name: Comment on PR
-        if: steps.update-spec.outputs.changes == 'true' && github.event_name == 'pull_request'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: '✅ The OpenAPI spec in this PR has been automatically updated to the latest version.'
-            }) 
+          labels: dependencies,automated 
diff --git a/magefiles/openapi.go b/magefiles/openapi.go
@@ -12,12 +12,18 @@ import (
 
 type OpenAPI mg.Namespace
 
-// Update fetches the latest OpenAPI specification from the API
+// Update fetches the latest OpenAPI specification from the private GitHub repository
 func (OpenAPI) Update() error {
-	apiURL := "https://api.admin.stage.aws.authzed.net/openapi-spec"
+	apiURL := "https://raw.githubusercontent.com/authzed/internal/main/cloud-api/internal/specs/25r1.yaml"
 	outputFile := "openapi-spec.yaml"
 
-	fmt.Printf("Fetching latest OpenAPI spec from %s...\n", apiURL)
+	// Get GitHub token from environment
+	githubToken := os.Getenv("GITHUB_TOKEN")
+	if githubToken == "" {
+		return fmt.Errorf("GITHUB_TOKEN environment variable is not set")
+	}
+
+	fmt.Printf("Fetching latest OpenAPI spec from GitHub repository...\n")
 
 	client := &http.Client{}
 
@@ -26,19 +32,29 @@ func (OpenAPI) Update() error {
 		return fmt.Errorf("failed to create request: %w", err)
 	}
 
-	// Set headers (User-Agent, Accept, etc.)
+	// Set headers (User-Agent, Accept, Authorization)
 	req.Header.Set("User-Agent", "AuthZed-Terraform-Provider-Builder")
 	req.Header.Set("Accept", "application/yaml, text/yaml, application/json")
+	req.Header.Set("Authorization", "token "+githubToken)
 
 	resp, err := client.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to fetch OpenAPI spec: %w", err)
 	}
 	defer resp.Body.Close()
 
-	// Check response status
+	// Check response status with detailed error messages
 	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("failed to fetch OpenAPI spec, status code: %d", resp.StatusCode)
+		switch resp.StatusCode {
+		case http.StatusUnauthorized:
+			return fmt.Errorf("authentication failed (status 401). Please check GITHUB_TOKEN")
+		case http.StatusForbidden:
+			return fmt.Errorf("access forbidden (status 403). Token may lack required permissions")
+		case http.StatusNotFound:
+			return fmt.Errorf("file not found (status 404). Check repository and file path")
+		default:
+			return fmt.Errorf("failed to fetch OpenAPI spec, status code: %d", resp.StatusCode)
+		}
 	}
 
 	file, err := os.Create(outputFile)