chore: automate schemata version updates

[alltheseas]

Summary

• Adds .schemata-version as single source of truth for the upstream schemata tag
• Refactors classifier-gate.yml and compile-check.yml to read from this file instead of hardcoding versions
• Fixes compile-check.yml stale v0.3.0 pin (was already v0.3.1 in classifier-gate)
• Adds update-schemata.yml workflow that auto-creates PRs when upstream schemata releases

How it works

1. Upstream schemata publishes a release → notify-downstream.yml dispatches schema-update event
2. update-schemata.yml receives the event, updates .schemata-version, opens a PR
3. Existing CI (classifier-gate + compile-check) runs on the PR automatically
4. If CI passes → safe to merge. If it fails → PR stays open as notification

Setup required

• Add CODEGEN_PAT secret (PAT with repo scope) to this repo — see below
• Companion PR in schemata: chore: add schemata-codegen to downstream notifications schemata#134

How to add the CODEGEN_PAT secret

1. Go to https://github.com/settings/tokens and create a classic PAT with repo scope
2. Go to https://github.com/nostrability/schemata-codegen/settings/secrets/actions
3. Click New repository secret, name it CODEGEN_PAT, paste the token

Test plan

• Verify classifier-gate CI passes (reads version from .schemata-version)
• Verify compile-check CI passes (downloads correct release zip)
• After merging + setting up PAT: gh workflow run update-schemata.yml -f tag=v0.3.1

Closes #23

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@alltheseas has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 56 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 3 minutes and 56 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 479745a7-73f9-4054-9c9a-a3cfb4249e4f

📥 Commits

Reviewing files that changed from the base of the PR and between 001655f and 54690d7.

📒 Files selected for processing (1)

• .github/workflows/update-schemata.yml

📝 Walkthrough

Walkthrough

This PR automates schemata-codegen version management by introducing a .schemata-version file, updating existing workflows to read from this file for dynamic version references, and adding a new workflow that automatically creates pull requests when upstream schemata releases are published.

Changes

Cohort / File(s)	Summary
Version Reference .schemata-version	New file establishing v0.3.1 as the single source of truth for schemata version across workflows.
Workflow Version Pinning Updates .github/workflows/classifier-gate.yml, .github/workflows/compile-check.yml	Updated to read schemata version from .schemata-version file instead of hardcoded tags. classifier-gate.yml now uses dynamic ${{ env.SCHEMATA_VERSION }} for the schemata checkout ref; compile-check.yml similarly uses dynamic version for download and extracts with wildcard pattern matching.
New Automation Workflow .github/workflows/update-schemata.yml	New workflow triggered by repository_dispatch (schema-update event) or manual workflow_dispatch. Detects if repository is already on requested tag (skips if so), closes superseded bump PRs, creates a feature branch, updates .schemata-version, commits, pushes, and opens a PR to merge the version bump to main.

Sequence Diagram

sequenceDiagram
    actor External as Upstream Schemata
    participant GHA as GitHub Actions
    participant Repo as Repository
    participant API as GitHub API

    External->>GHA: Trigger repository_dispatch<br/>(schema-update event with tag)
    activate GHA
    GHA->>Repo: Read .schemata-version
    Repo-->>GHA: Current version
    alt Version matches requested tag
        GHA->>GHA: Set SKIP=true
        GHA->>GHA: Exit early (no changes needed)
    else Version differs
        GHA->>API: Query open PRs with<br/>chore/bump-schemata-* head
        API-->>GHA: List of superseded PRs
        GHA->>API: Close superseded PRs
        GHA->>Repo: Create branch<br/>chore/bump-schemata-${TAG}
        GHA->>Repo: Update .schemata-version<br/>with new TAG
        GHA->>Repo: Commit & push changes
        GHA->>API: Create PR targeting main
        API-->>GHA: PR created
    end
    deactivate GHA

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: cross-language compilation CI for generated validators #29 — Modifies .github/workflows/compile-check.yml and schemata release reference, directly related to the dynamic version pinning approach introduced in this PR.

Poem

🐰 Hops excitedly
Versions pinned in a single file,
Workflows dance in unified style! 🎯
Upstream bumps now automate,
PRs spring forth—what a rate!
Rabbit applauds this clean, bright gate! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main change: automating schemata version updates via new workflow and version file.
Linked Issues check	✅ Passed	All objectives from issue #23 are addressed: automation of upstream release detection, version pinning, automated PR creation, and CI validation before merge.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with automating schemata version updates: new version file, refactored workflows, and automated update workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/automate-schemata-updates

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/compile-check.yml (1)

31-38: Consider using consistent glob patterns or the version in the filename.

If the asset naming is reliable (e.g., schemata-v0.3.1.zip), you could make the patterns more explicit:

♻️ Proposed refinement for explicit naming

       - name: Download schemata schemas
         run: |
-          gh release download "$SCHEMATA_VERSION" -R nostrability/schemata -p '*.zip' -D /tmp
+          gh release download "$SCHEMATA_VERSION" -R nostrability/schemata -p "schemata-${SCHEMATA_VERSION}.zip" -D /tmp
           mkdir -p /tmp/schemata-dist
-          unzip -q /tmp/schemata-*.zip -d /tmp/schemata-dist
+          unzip -q "/tmp/schemata-${SCHEMATA_VERSION}.zip" -d /tmp/schemata-dist
           echo "SCHEMAS_DIR=/tmp/schemata-dist" >> "$GITHUB_ENV"

Alternatively, if asset names vary, use the same glob for both download and unzip:

-          gh release download "$SCHEMATA_VERSION" -R nostrability/schemata -p '*.zip' -D /tmp
+          gh release download "$SCHEMATA_VERSION" -R nostrability/schemata -p 'schemata-*.zip' -D /tmp

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/compile-check.yml around lines 31 - 38, The download and
unzip patterns differ (gh release download uses '*.zip' while unzip expects
'schemata-*.zip'), which can fail if filenames don't match; update the workflow
to use a consistent asset name pattern—either make gh release download request
'schemata-*.zip' (or better: 'schemata-${SCHEMATA_VERSION}.zip' to pin the exact
release file) and ensure the unzip command and subsequent SCHEMAS_DIR export use
the same filename/glob so the downloaded file is found and extracted (refer to
SCHEMATA_VERSION, gh release download, unzip, and SCHEMAS_DIR).

.github/workflows/update-schemata.yml (1)

46-55: Consider handling pre-existing remote branches.

If a previous workflow run created the branch but failed before completing (e.g., during PR creation), subsequent runs will fail at git push. Using --force-with-lease ensures the push succeeds while protecting against unexpected concurrent changes.

♻️ Proposed fix

-          git push -u origin "$BRANCH"
+          git push --force-with-lease -u origin "$BRANCH"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/update-schemata.yml around lines 46 - 55, The Create
branch and update version step currently does a plain git push which will fail
if the remote branch already exists; change the push invocation that references
"$BRANCH" (the git push command) to use git push --force-with-lease -u origin
"$BRANCH" so the workflow can overwrite the branch created by a previous failed
run while still protecting against unexpected concurrent remote changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/update-schemata.yml:
- Around line 16-24: After computing TAG and BRANCH, validate TAG is non-empty
and well-formed before writing to $GITHUB_ENV: check if TAG is empty (e.g., if [
-z "$TAG" ]) and optionally validate against a pattern (e.g., semver or allowed
chars using shell pattern or grep/egrep), and if validation fails echo a clear
error like "Missing or invalid TAG: '$TAG'" to stderr and exit 1 so the workflow
fails early; only write TAG and BRANCH to $GITHUB_ENV when the TAG passes
validation.

---

Nitpick comments:
In @.github/workflows/compile-check.yml:
- Around line 31-38: The download and unzip patterns differ (gh release download
uses '*.zip' while unzip expects 'schemata-*.zip'), which can fail if filenames
don't match; update the workflow to use a consistent asset name pattern—either
make gh release download request 'schemata-*.zip' (or better:
'schemata-${SCHEMATA_VERSION}.zip' to pin the exact release file) and ensure the
unzip command and subsequent SCHEMAS_DIR export use the same filename/glob so
the downloaded file is found and extracted (refer to SCHEMATA_VERSION, gh
release download, unzip, and SCHEMAS_DIR).

In @.github/workflows/update-schemata.yml:
- Around line 46-55: The Create branch and update version step currently does a
plain git push which will fail if the remote branch already exists; change the
push invocation that references "$BRANCH" (the git push command) to use git push
--force-with-lease -u origin "$BRANCH" so the workflow can overwrite the branch
created by a previous failed run while still protecting against unexpected
concurrent remote changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f5d5ad8f-92a2-470a-8bb4-5d7cdda3e765

📥 Commits

Reviewing files that changed from the base of the PR and between 769f5f2 and 001655f.

📒 Files selected for processing (4)

• .github/workflows/classifier-gate.yml
• .github/workflows/compile-check.yml
• .github/workflows/update-schemata.yml
• .schemata-version