Use basic auth for OpenAPI sync

Anonymous Committer · Anonymous Committer · commit b5e4beb594a3 · 2026-04-14T14:57:51.000+08:00
diff --git a/.github/workflows/sync-openapi.yml b/.github/workflows/sync-openapi.yml
@@ -28,18 +28,11 @@ jobs:
           ruby-version: "3.2"
           bundler-cache: true
 
-      - name: Validate sync secret
-        env:
-          JUSTSERPAPI_OPENAPI_API_KEY: ${{ secrets.JUSTSERPAPI_OPENAPI_API_KEY }}
-        run: |
-          if [ -z "${JUSTSERPAPI_OPENAPI_API_KEY}" ]; then
-            echo "Missing JUSTSERPAPI_OPENAPI_API_KEY secret" >&2
-            exit 1
-          fi
-
       - name: Refresh OpenAPI and generated runtime
         env:
-          JUSTSERPAPI_OPENAPI_API_KEY: ${{ secrets.JUSTSERPAPI_OPENAPI_API_KEY }}
+          JUSTSERPAPI_OPENAPI_USERNAME: ${{ secrets.JUSTSERPAPI_OPENAPI_USERNAME }}
+          JUSTSERPAPI_OPENAPI_PASSWORD: ${{ secrets.JUSTSERPAPI_OPENAPI_PASSWORD }}
+          JUSTSERPAPI_OPENAPI_URL: ${{ secrets.JUSTSERPAPI_OPENAPI_URL }}
         run: python3 scripts/sdkctl.py sync
 
       - name: Run control-plane unit tests
@@ -66,4 +59,3 @@ jobs:
           labels: |
             automation
             openapi
-
diff --git a/README.md b/README.md
@@ -65,9 +65,11 @@ client = JustSerpApi::Client.new(
 Fetch the live OpenAPI document, normalize it, regenerate the SDK, and sync the committed generated runtime:
 
 ```bash
-JUSTSERPAPI_OPENAPI_API_KEY=... python3 scripts/sdkctl.py sync
+JUSTSERPAPI_OPENAPI_USERNAME=... JUSTSERPAPI_OPENAPI_PASSWORD=... python3 scripts/sdkctl.py sync
 ```
 
+The default source URL is `https://api.justserpapi.com/v3/api-docs/gateway`. Override it with `JUSTSERPAPI_OPENAPI_URL` if needed.
+
 Rebuild from the checked-in raw spec without hitting the network:
 
 ```bash
@@ -109,4 +111,3 @@ The upstream spec currently lacks rich per-endpoint response schemas, so the nor
 5. GitHub Actions publishes the gem to RubyGems.org and creates a GitHub Release.
 
 RubyGems Trusted Publishing setup is documented in `docs/publishing.md`.
-
diff --git a/docs/publishing.md b/docs/publishing.md
@@ -18,6 +18,10 @@ The release workflow publishes this SDK to RubyGems.org through Trusted Publishi
 - The release workflow uses the `release` GitHub Actions environment.
 - No long-lived RubyGems API key is required.
 - The workflow needs `contents: write` and `id-token: write`.
+- For the scheduled OpenAPI sync workflow, configure:
+  - `JUSTSERPAPI_OPENAPI_USERNAME`
+  - `JUSTSERPAPI_OPENAPI_PASSWORD`
+  - `JUSTSERPAPI_OPENAPI_URL` only if the docs URL itself changed
 
 ## Release Procedure
 
@@ -32,4 +36,3 @@ The release workflow publishes this SDK to RubyGems.org through Trusted Publishi
 
 4. Create and push a matching Git tag, for example `v0.1.0`.
 5. The `release.yml` workflow will build the gem, publish it to RubyGems.org, and create the GitHub Release.
-
diff --git a/scripts/sdkctl.py b/scripts/sdkctl.py
@@ -4,6 +4,7 @@
 from __future__ import annotations
 
 import argparse
+import base64
 import copy
 import filecmp
 import json
@@ -17,7 +18,6 @@
 from dataclasses import dataclass
 from typing import Any, Dict, Iterable, List, Optional, Sequence, Tuple
 from urllib.error import HTTPError, URLError
-from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse
 from urllib.request import Request, urlopen
 
 
@@ -102,27 +102,29 @@ def load_package_version(version_path: pathlib.Path) -> str:
 
 
 def resolve_source_url(manifest: Dict[str, Any], explicit_url: Optional[str]) -> str:
-    source_url = explicit_url or os.getenv("JUSTSERPAPI_OPENAPI_URL") or manifest["spec"]["source_url"]
-    parsed = urlparse(source_url)
-    query = parse_qsl(parsed.query, keep_blank_values=True)
-    has_api_key = any(key == "api_key" for key, _ in query)
-    env_api_key = os.getenv("JUSTSERPAPI_OPENAPI_API_KEY")
-    if env_api_key and not has_api_key:
-        query.append(("api_key", env_api_key))
-    return urlunparse(parsed._replace(query=urlencode(query)))
+    return explicit_url or os.getenv("JUSTSERPAPI_OPENAPI_URL") or manifest["spec"]["source_url"]
+
+
+def resolve_fetch_headers() -> Dict[str, str]:
+    headers = {
+        "Accept": "application/json",
+        "User-Agent": "justserpapi-ruby-sdkctl/0.1",
+    }
+
+    username = os.getenv("JUSTSERPAPI_OPENAPI_USERNAME")
+    password = os.getenv("JUSTSERPAPI_OPENAPI_PASSWORD")
+    if username is not None and password is not None:
+        encoded = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
+        headers["Authorization"] = "Basic %s" % encoded
+
+    return headers
 
 
 def fetch_spec_command(args: argparse.Namespace, manifest: Dict[str, Any]) -> None:
     source_url = resolve_source_url(manifest, args.source_url)
     output_path = resolve_path(args.output or manifest["spec"]["raw_path"])
 
-    request = Request(
-        source_url,
-        headers={
-            "Accept": "application/json",
-            "User-Agent": "justserpapi-ruby-sdkctl/0.1"
-        },
-    )
+    request = Request(source_url, headers=resolve_fetch_headers())
 
     log("Fetching spec from %s" % source_url)
     try:
@@ -131,7 +133,8 @@ def fetch_spec_command(args: argparse.Namespace, manifest: Dict[str, Any]) -> No
     except HTTPError as exc:
         if exc.code == 401:
             raise CLIError(
-                "Spec fetch returned HTTP 401. Set JUSTSERPAPI_OPENAPI_API_KEY or JUSTSERPAPI_OPENAPI_URL."
+                "Spec fetch returned HTTP 401. Set JUSTSERPAPI_OPENAPI_USERNAME and "
+                "JUSTSERPAPI_OPENAPI_PASSWORD, or JUSTSERPAPI_OPENAPI_URL if the docs URL changed."
             ) from exc
         raise CLIError("Unable to fetch spec from %s: HTTP %s" % (source_url, exc.code)) from exc
     except URLError as exc:
@@ -560,4 +563,3 @@ def main(argv: Optional[Sequence[str]] = None) -> int:
 
 if __name__ == "__main__":
     raise SystemExit(main())
-
diff --git a/scripts/tests/test_sdkctl.py b/scripts/tests/test_sdkctl.py
@@ -1,5 +1,7 @@
 import copy
+import os
 import unittest
+from unittest import mock
 
 from scripts import sdkctl
 
@@ -114,6 +116,26 @@ def test_detect_breaking_changes_reports_newly_required_param(self):
         )
 
 
+class FetchAuthResolutionTest(unittest.TestCase):
+    def test_resolve_fetch_headers_supports_basic_auth(self):
+        with mock.patch.dict(
+            os.environ,
+            {
+                "JUSTSERPAPI_OPENAPI_USERNAME": "demo-user",
+                "JUSTSERPAPI_OPENAPI_PASSWORD": "demo-pass",
+            },
+            clear=False,
+        ):
+            headers = sdkctl.resolve_fetch_headers()
+
+        self.assertEqual("Basic ZGVtby11c2VyOmRlbW8tcGFzcw==", headers["Authorization"])
+
+    def test_resolve_fetch_headers_omits_authorization_without_credentials(self):
+        with mock.patch.dict(os.environ, {}, clear=True):
+            headers = sdkctl.resolve_fetch_headers()
+
+        self.assertNotIn("Authorization", headers)
+
+
 if __name__ == "__main__":
     unittest.main()
-
