Second Rollout for IPA validations (#574)

Author: yelizhenden-mdb

.github/workflows/spectral-lint.yml

@@ -14,6 +14,9 @@ on:
       - 'tools/spectral/**'
       - 'openapi/**.yaml'
       - 'package.json'
+permissions:
+  issues: write
+  contents: write
 
 jobs:
   spectral-lint:
@@ -34,6 +37,9 @@ jobs:
           cache: 'npm'
       - name: Install npm dependencies
         run: npm install
+      - name: Fetch OAS file from Dev Branch
+        run: curl -O "https://raw.githubusercontent.com/mongodb/openapi/refs/heads/dev/openapi/.raw/v2.yaml"
+        working-directory: ${{ github.workspace }}
       - name: Spectral action
         uses: stoplightio/spectral-action@2ad0b9302e32a77c1caccf474a9b2191a8060d83
         with:
@@ -43,5 +49,5 @@ jobs:
       - name: IPA validation action
         uses: stoplightio/spectral-action@2ad0b9302e32a77c1caccf474a9b2191a8060d83
         with:
-          file_glob: openapi/.raw/v2.yaml
+          file_glob: ${{ github.workspace }}//v2.yaml
           spectral_ruleset: tools/spectral/ipa/ipa-spectral.yaml

tools/spectral/ipa/__tests__/metrics/data/expected-metric-results.json

@@ -20,7 +20,7 @@ rules:
         - For singleton resources, verifies the resource has a GET method
         - For regular resources, verifies there is a single resource path with a GET method
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-104-resource-has-GET'
-    severity: warn
+    severity: error
     given: '$.paths'
     then:
       field: '@key'
@@ -35,7 +35,7 @@ rules:
         - Verifies the response is not an array or paginated result
         - Different error messages are provided for standard vs singleton resources
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-104-get-method-returns-single-resource'
-    severity: warn
+    severity: error
     given: '$.paths[*].get.responses[*].content'
     then:
       field: '@key'
@@ -49,7 +49,7 @@ rules:
         - Verifies the 200 OK response code is present
         - Fails if the method lacks a 200 OK response or defines a different 2xx status code
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-104-get-method-response-code-is-200'
-    severity: warn
+    severity: error
     given: '$.paths[*].get'
     then:
       function: 'IPA104GetResponseCodeShouldBe200OK'
@@ -62,7 +62,7 @@ rules:
         - Verifies the schema references a predefined schema (not inline)
         - Confirms the referenced schema name ends with "Response" suffix
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-104-get-method-returns-response-suffixed-object'
-    severity: warn
+    severity: error
     given: '$.paths[*].get.responses[*].content'
     then:
       field: '@key'
@@ -76,7 +76,7 @@ rules:
         - Searches through the schema to find any properties marked with writeOnly attribute
         - Fails if any writeOnly properties are found in the response schema
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-104-get-method-response-has-no-input-fields'
-    severity: warn
+    severity: error
     given: '$.paths[*].get.responses[*].content'
     then:
       field: '@key'
@@ -89,7 +89,7 @@ rules:
         - Applies only to GET methods on single resources or singleton resources
         - Verifies that the operation object does not contain a requestBody property
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-104-get-method-no-request-body'
-    severity: warn
+    severity: error
     given: '$.paths[*].get'
     then:
       function: 'IPA104GetMethodHasNoRequestBody'

tools/spectral/ipa/rulesets/IPA-104.yaml

@@ -19,7 +19,7 @@ rules:
         - Verifies the 200 OK response code is present
         - Fails if the method lacks a 200 OK response or defines a different 2xx status code
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-105-list-method-response-code-is-200'
-    severity: warn
+    severity: error
     given: '$.paths[*].get'
     then:
       function: 'IPA105ListResponseCodeShouldBe200OK'
@@ -33,7 +33,7 @@ rules:
         - Ignores singleton resources
         - Verifies that the operation object does not contain a requestBody property
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-105-list-method-no-request-body'
-    severity: warn
+    severity: error
     given: '$.paths[*].get'
     then:
       function: 'IPA105ListMethodHasNoRequestBody'
@@ -48,7 +48,7 @@ rules:
         - Verifies the resource path has a GET method
         - Fails if the resource path does not have a GET method
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-105-resource-has-list'
-    severity: warn
+    severity: error
     given: '$.paths'
     then:
       field: '@key'
@@ -68,7 +68,7 @@ rules:
         - Validation ignores resources without a Get method
         - Paths with `x-xgen-IPA-exception` for this rule are excluded from validation
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-105-list-method-response-is-get-method-response'
-    severity: warn
+    severity: error
     given: '$.paths[*].get.responses.200.content'
     then:
       field: '@key'

tools/spectral/ipa/rulesets/IPA-105.yaml

@@ -21,7 +21,7 @@ rules:
         - Verifies the schema references a predefined schema (not inline)
         - Confirms the referenced schema name ends with "Request" suffix
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-106-create-method-request-body-is-request-suffixed-object'
-    severity: warn
+    severity: error
     given: '$.paths[*].post.requestBody.content'
     then:
       field: '@key'
@@ -36,7 +36,7 @@ rules:
         - Verifies the operation does not contain query parameters
         - Ignores specified parameters like 'pretty' and 'envelope' via configuration
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-106-create-method-should-not-have-query-parameters'
-    severity: warn
+    severity: error
     given: '$.paths[*].post'
     then:
       function: 'IPA106CreateMethodShouldNotHaveQueryParameters'
@@ -71,7 +71,7 @@ rules:
         - Searches through the request schema to find any properties marked with readOnly attribute
         - Fails if any readOnly properties are found in the request schema
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-106-create-method-request-has-no-readonly-fields'
-    severity: warn
+    severity: error
     given: '$.paths[*].post.requestBody.content'
     then:
       field: '@key'
@@ -86,7 +86,7 @@ rules:
         - Verifies the 201 Created response code is present
         - Fails if the method lacks a 201 Created response or defines a different 2xx status code
     message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-106-create-method-response-code-is-201'
-    severity: warn
+    severity: error
     given: '$.paths[*].post'
     then:
       function: 'IPA106CreateMethodResponseCodeIs201Created'

tools/spectral/ipa/rulesets/IPA-106.yaml

@@ -80,7 +80,7 @@ Rules are based on [http://go/ipa/IPA-104](http://go/ipa/IPA-104).
 
 #### xgen-IPA-104-resource-has-GET
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 APIs must provide a Get method for resources.
 
 ##### Implementation details
@@ -91,7 +91,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-104-get-method-returns-single-resource
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 The purpose of the Get method is to return data from a single resource.
 
 ##### Implementation details
@@ -102,7 +102,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-104-get-method-response-code-is-200
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 The Get method must return a 200 OK response.
 ##### Implementation details
 Rule checks for the following conditions:
@@ -112,7 +112,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-104-get-method-returns-response-suffixed-object
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 The Get method of a resource should return a "Response" suffixed object.
 ##### Implementation details
 Rule checks for the following conditions:
@@ -122,7 +122,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-104-get-method-response-has-no-input-fields
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 The Get method response object must not include writeOnly properties (fields that should be used only on creation or update, ie output fields).
 ##### Implementation details
 Rule checks for the following conditions:
@@ -132,7 +132,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-104-get-method-no-request-body
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 The Get method request must not include a body.
 ##### Implementation details
 Rule checks for the following conditions:
@@ -147,7 +147,7 @@ Rules are based on [http://go/ipa/IPA-105](http://go/ipa/IPA-105).
 
 #### xgen-IPA-105-list-method-response-code-is-200
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 The List method must return a 200 OK response.
 
 ##### Implementation details
@@ -159,7 +159,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-105-list-method-no-request-body
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 The List method request must not include a body.
 
 ##### Implementation details
@@ -170,7 +170,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-105-resource-has-list
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 APIs must provide a List method for resources.
 
 ##### Implementation details
@@ -182,7 +182,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-105-list-method-response-is-get-method-response
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 The response body of the List method should consist of the same resource object returned by the Get method.
 ##### Implementation details Rule checks for the following conditions:
   - Applies only to resource collection paths with JSON content types
@@ -201,7 +201,7 @@ Rules are based on [http://go/ipa/IPA-106](http://go/ipa/IPA-106).
 
 #### xgen-IPA-106-create-method-request-body-is-request-suffixed-object
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 The Create method request should be a Request suffixed object.
 
 ##### Implementation details
@@ -213,7 +213,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-106-create-method-should-not-have-query-parameters
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 Create operations should not use query parameters.
 
 ##### Implementation details
@@ -222,23 +222,9 @@ Rule checks for the following conditions:
   - Verifies the operation does not contain query parameters
   - Ignores specified parameters like 'pretty' and 'envelope' via configuration
 
-#### xgen-IPA-106-create-method-request-body-is-get-method-response
-
- ![warn](https://img.shields.io/badge/warning-yellow) 
-Request body content of the Create method and response content of the Get method should refer to the same resource.
-
-##### Implementation details
-
-Validation checks the POST method for resource collection paths.
-  - Validation ignores resources without a Get method.
-  - `readOnly:true` properties of Get method response will be ignored. 
-  - `writeOnly:true` properties of Create method request will be ignored.
-  - Property comparison is based on `type` and `name` matching.
-  - `oneOf` and `discriminator` definitions must match exactly.
-
 #### xgen-IPA-106-create-method-request-has-no-readonly-fields
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 Create method Request object must not include fields with readOnly:true.
 
 ##### Implementation details
@@ -250,7 +236,7 @@ Rule checks for the following conditions:
 
 #### xgen-IPA-106-create-method-response-code-is-201
 
- ![warn](https://img.shields.io/badge/warning-yellow) 
+ ![error](https://img.shields.io/badge/error-red) 
 Create methods must return a 201 Created response code.
 
 ##### Implementation details
@@ -259,6 +245,20 @@ Rule checks for the following conditions:
   - Verifies the 201 Created response code is present
   - Fails if the method lacks a 201 Created response or defines a different 2xx status code
 
+#### xgen-IPA-106-create-method-request-body-is-get-method-response
+
+ ![warn](https://img.shields.io/badge/warning-yellow) 
+Request body content of the Create method and response content of the Get method should refer to the same resource.
+
+##### Implementation details
+
+Validation checks the POST method for resource collection paths.
+  - Validation ignores resources without a Get method.
+  - `readOnly:true` properties of Get method response will be ignored. 
+  - `writeOnly:true` properties of Create method request will be ignored.
+  - Property comparison is based on `type` and `name` matching.
+  - `oneOf` and `discriminator` definitions must match exactly.
+
 #### xgen-IPA-106-create-method-response-is-get-method-response
 
  ![warn](https://img.shields.io/badge/warning-yellow)