📝 Walkthrough
Adds a GitHub Actions workflow to build and run the API with a
Sequence Diagram(s)
sequenceDiagram
autonumber
participant Runner as GitHub Actions Runner
participant APIRepo as API Repository
participant API as Local Spring Boot (swagger profile)
participant DocsRepo as amrit-docs Repository
participant GitHub as GitHub API
Runner->>APIRepo: checkout main
Runner->>Runner: setup Java 17 & Maven cache
Runner->>APIRepo: mvn -DskipTests package
Runner->>API: start app (spring.profiles=swagger) on :9090
Runner->>API: poll GET /v3/api-docs (retry)
API-->>Runner: 200 + swagger JSON
Runner->>Runner: pretty-print -> common-api.json
Runner->>API: stop process (kill PID)
Runner->>DocsRepo: checkout amrit-docs (token) & copy common-api.json -> docs/swagger/common-api.json
Runner->>DocsRepo: commit & push branch auto/swagger-update
Runner->>GitHub: create PR
GitHub-->>Runner: PR created
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In @.github/workflows/swagger-json.yml:
- Around line 29-35: Workflow starts the app with profile "ci" but services like
BeneficiaryOccupationServiceImpl are annotated `@Profile`("!swagger"), so the
intended exclusion of repository-backed services won't occur; change the Maven
profile invoked in the workflow (the -Dspring-boot.run.profiles value used in
the mvn spring-boot:run command) from "ci" to "swagger" so that
`@Profile`("!swagger")-annotated beans are excluded and the H2/in-memory-only
behavior is applied.
- Around line 74-92: The workflow creates and pushes a timestamped branch name
but the create-pull-request step uses a fixed branch; fix by defining a single
branch variable (e.g., BRANCH_NAME=auto/swagger-update-$(date +%Y%m%d%H%M%S))
and use that variable both when creating/checking out the branch and in the
create-pull-request `branch:` input, and also detect if `git commit` produced no
changes (check `git diff --staged --quiet` or test the exit status of `git
commit -m ... || true`) and skip the "Create Pull Request" step when there are
no commits to avoid creating empty/stale PRs; update the steps referencing `git
checkout -b auto/swagger-update-$(date +%Y%m%d%H%M%S)`, `git push --set-upstream
origin $(git rev-parse --abbrev-ref HEAD)`, and the `branch:
auto/swagger-update` input to use the single BRANCH_NAME variable, and add a
conditional that prevents the PR step when no commit occurred.
🧹 Nitpick comments (1)
src/main/java/com/iemr/common/config/quartz/ScheduleJobForNHMDashboardData.java (1)
34-38: Unused `Profile` import.
The `Profile` import was added but is not used in this class. Unlike other services in this PR (e.g., `BeneficiaryOccupationServiceImpl`), this class is not annotated with `@Profile("!swagger")`.
If this Quartz job should be excluded during Swagger documentation generation (to avoid NHM dashboard service initialization), add the annotation. Otherwise, remove the unused import.
Option 1: Remove unused import
import com.iemr.common.service.nhm_dashboard.NHM_DashboardService; -import org.springframework.context.annotation.Profile; `@Service`
Option 2: Add `@Profile` annotation if exclusion is needed
import org.springframework.context.annotation.Profile; `@Service` `@Transactional` +@Profile("!swagger") public class ScheduleJobForNHMDashboardData implements Job {
| # ---- Embedded DB for Swagger | ||
| spring.datasource.url=jdbc:h2:mem:swaggerdb | ||
| spring.datasource.driver-class-name=org.h2.Driver | ||
| spring.datasource.username=sa | ||
| spring.datasource.password= | ||
|
|
||
|
|
||
| spring.jpa.database-platform=org.hibernate.dialect.H2Dialect | ||
| spring.jpa.hibernate.ddl-auto=none | ||
| spring.jpa.show-sql=false | ||
|
|
||
|
|
||
| # Disable schema/data init if present | ||
| spring.sql.init.mode=never | ||
|
|
||
| # --- CORS --- | ||
| cors.allowed-origins=* | ||
|
|
||
| # --- JWT (dummy, but required) --- | ||
| jwt.secret=dummy-secret | ||
| jwt.expiration=3600000 | ||
|
|
||
| # SMS password for OTP handler (set actual value or use dummy for local/CI) | ||
| sms-password=dummypassword | ||
| # SMS username for OTP handler (set actual value or use dummy for local/CI) | ||
| sms-username=dummyuser | ||
| # Enable or disable grievance data sync scheduler | ||
| start-grievancedatasync-scheduler=true | ||
| # SMS consent source address for OTP handler (set actual value or use dummy for local/CI) | ||
| sms-consent-source-address=dummy-source-address | ||
| # SMS sending URL for OTP handler (set actual value or use dummy for local/CI) | ||
| send-message-url=http://localhost:8080/sms/sendMessage | ||
| # Secondary datasource configuration for local development | ||
| secondary.datasource.username=root | ||
| secondary.datasource.password=1234 | ||
| secondary.datasource.url=jdbc:mysql://localhost:3306/db_reporting | ||
| secondary.datasource.driver-class-name=com.mysql.jdbc.Driver No newline at end of file |
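Review bot: `cors.allowed-origins=*` accepts any origin, and nothing in this hunk limits it to the Swagger run; list the origins that actually need access, or keep the wildcard only in a profile-specific file. In the same block, `secondary.datasource.driver-class-name=com.mysql.jdbc.Driver` is the legacy Connector/J class name (`com.mysql.cj.jdbc.Driver` from Connector/J 8 on), so check it against the driver version the project ships, and the file should end with a newline.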
Hardcoded credentials and secrets in default profile pose security and configuration risks.
Several concerns with this configuration block:
- Hardcoded sensitive values: `jwt.secret=dummy-secret`, `sms-password=dummypassword`, `secondary.datasource.password=1234` should use placeholders per project conventions.
- Default profile conflict: This H2 configuration is in the main `application.properties`, which means it will be loaded for ALL profiles unless overridden. This could accidentally affect production if environment-specific properties don't override these values.
- Duplicate property: `spring.jpa.hibernate.ddl-auto=none` (Line 384) duplicates Line 14.
Consider moving this configuration to a profile-specific file like `application-swagger.properties`.
🔒 Recommended approach
Create a separate src/main/resources/application-swagger.properties:
# ---- Embedded DB for Swagger documentation generation
spring.datasource.url=jdbc:h2:mem:swaggerdb
spring.datasource.driver-class-name=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.show-sql=false
spring.sql.init.mode=never
cors.allowed-origins=*
# Use placeholders for sensitive values
jwt.secret=<Enter_Your_Secret_Key>
jwt.expiration=3600000
sms-password=<Enter_SMS_Password>
sms-username=<Enter_SMS_Username>
start-grievancedatasync-scheduler=false
sms-consent-source-address=<Enter_Source_Address>
send-message-url=http://localhost:8080/sms/sendMessage
secondary.datasource.username=<Enter_Username>
secondary.datasource.password=<Enter_Password>
secondary.datasource.url=jdbc:h2:mem:reportingdb
secondary.datasource.driver-class-name=org.h2.Driver
Then remove Lines 376-412 from the main application.properties.
Based on learnings: "In example/template properties files, sensitive values like JWT secrets should use placeholders (e.g. <Enter_Your_Secret_Key>) instead of actual values to avoid exposing secrets in version control."
🤖 Prompt for AI Agents
In `@src/main/resources/application.properties` around lines 376 - 412, Move the
Swagger/H2 and local-dev settings out of the main application.properties into a
profile-specific file (e.g. application-swagger.properties), remove the block
containing spring.datasource.url=jdbc:h2:mem:swaggerdb and related lines from
the main file, replace all hardcoded secrets (jwt.secret, sms-password,
sms-username, secondary.datasource.password) with placeholder tokens (e.g.
<Enter_Your_Secret_Key>) and set start-grievancedatasync-scheduler to an
appropriate default for non-prod (e.g. false) in the new file; also resolve the
duplicate spring.jpa.hibernate.ddl-auto property by keeping a single declaration
in the profile file and removing the duplicate from the main properties, and
adjust secondary.datasource.* to either use placeholders or an in-memory URL
(instead of production MySQL) in the swagger profile.
Actionable comments posted: 1
| springdoc.api-docs.enabled=${SWAGGER_DOC_ENABLED:true} | ||
| springdoc.swagger-ui.enabled=${SWAGGER_UI_ENABLED:true} |
Defaulting Swagger to enabled in the base profile risks unintended exposure.
With true defaults here, Swagger endpoints/UI turn on whenever env vars are missing, including production. Prefer default false in application.properties and explicitly enable in the swagger profile (or the workflow env).
🔧 Suggested change (base defaults)
-springdoc.api-docs.enabled=${SWAGGER_DOC_ENABLED:true}
-springdoc.swagger-ui.enabled=${SWAGGER_UI_ENABLED:true}
+springdoc.api-docs.enabled=${SWAGGER_DOC_ENABLED:false}
+springdoc.swagger-ui.enabled=${SWAGGER_UI_ENABLED:false}
✅ Explicit enablement for swagger profile
# src/main/resources/application-swagger.properties
springdoc.api-docs.enabled=true
springdoc.swagger-ui.enabled=true
📝 Committable suggestion
| springdoc.api-docs.enabled=${SWAGGER_DOC_ENABLED:true} | |
| springdoc.swagger-ui.enabled=${SWAGGER_UI_ENABLED:true} | |
| springdoc.api-docs.enabled=${SWAGGER_DOC_ENABLED:false} | |
| springdoc.swagger-ui.enabled=${SWAGGER_UI_ENABLED:false} |
🤖 Prompt for AI Agents
In `@src/main/resources/application.properties` around lines 356 - 357, Change the
base defaults for springdoc.api-docs.enabled and springdoc.swagger-ui.enabled
from true to false in the main properties so Swagger is off by default, then add
a profile-specific properties file (e.g., a "swagger" profile) that sets
springdoc.api-docs.enabled=true and springdoc.swagger-ui.enabled=true to
explicitly enable Swagger only when that profile or corresponding environment
variables are activated; update any deployment/configuration to activate that
profile when Swagger UI should be exposed.
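The two `application.properties` findings above (literal secrets in the base file, Swagger defaulting to enabled) can be caught before review with a small lint. This is an added example, not code from the PR or from CodeRabbit; the sensitive key-name fragments and the rule that a `${VAR}` reference without a default is acceptable are assumptions, and the sample input is constructed from property lines quoted in this thread.

```python
import re

# Key-name fragments treated as sensitive (assumption; extend per project).
SENSITIVE = re.compile(r"secret|password|passwd|token|api[-_.]?key", re.I)
PLACEHOLDER = re.compile(r"^<[^<>]+>$")  # e.g. <Enter_Your_Secret_Key>
ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)(?::(.*))?\}$")  # ${VAR[:default]}
SWAGGER_KEYS = {"springdoc.api-docs.enabled", "springdoc.swagger-ui.enabled"}

# Constructed sample built from property lines quoted in this thread.
SAMPLE = """\
spring.jpa.hibernate.ddl-auto=none
springdoc.api-docs.enabled=${SWAGGER_DOC_ENABLED:true}
springdoc.swagger-ui.enabled=${SWAGGER_UI_ENABLED:false}
# ---- Embedded DB for Swagger
spring.datasource.password=
spring.jpa.hibernate.ddl-auto=none
cors.allowed-origins=*
jwt.secret=dummy-secret
sms-password=<Enter_SMS_Password>
secondary.datasource.password=1234
"""


def parse_properties(text):
    """Yield (line_no, key, value) for key=value lines, skipping comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield no, key.strip(), value.strip()


def effective_default(value):
    """Value in effect when VAR is not set anywhere (None if ${VAR} has no default)."""
    m = ENV_REF.match(value)
    return m.group(2) if m else value


def lint(text):
    """Return (line_no, key, reason) findings for one properties file."""
    findings, seen = [], {}
    for no, key, value in parse_properties(text):
        if key in seen:
            findings.append((no, key, f"duplicate of line {seen[key]}"))
        seen.setdefault(key, no)
        default = effective_default(value)
        if SENSITIVE.search(key) and default and not PLACEHOLDER.match(default):
            findings.append((no, key, "literal secret value"))
        if key in SWAGGER_KEYS and (default or "").lower() == "true":
            findings.append((no, key, "Swagger enabled when env var is unset"))
        if key == "cors.allowed-origins" and default == "*":
            findings.append((no, key, "wildcard CORS origin"))
    return findings


if __name__ == "__main__":
    for no, key, why in lint(SAMPLE):
        print(f"line {no}: {key}: {why}")
```

Run against the base `application.properties` only; a profile-specific file such as `application-swagger.properties` is where `springdoc.*.enabled=true` is expected.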
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/swagger-json.yml (1)
39-46: Add curl timeouts to avoid hung jobs.
Without `--connect-timeout`/`--max-time`, a stalled connection can block the loop and delay or hang the job.
⏱️ Proposed fix
- CODE=$(curl -s -o swagger_raw.json -w "%{http_code}" http://localhost:9090/v3/api-docs || true) + CODE=$(curl -s --connect-timeout 2 --max-time 5 \ + -o swagger_raw.json -w "%{http_code}" \ + http://localhost:9090/v3/api-docs || true)
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Java 17 | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: temurin | ||
| java-version: 17 | ||
| cache: maven |
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/swagger-json.yml | head -80
Repository: PSMRI/Common-API
Length of output: 2770
🌐 Web query:
actions/checkout v4 latest release commit SHA github
💡 Result:
Latest actions/checkout v4 release tag is v4.3.1, which points to commit SHA 34e114876b0b11c390a56381ad16ebd13914f8d5. [1][2]
Major tag v4 currently also points to the same commit. [1]
Sources:
[1] https://github.com/actions/checkout/tags
[2] actions/checkout@34e1148
🌐 Web query:
actions/setup-java v4 latest release commit SHA github
💡 Result:
Latest actions/setup-java v4 release is v4.8.0, which points to commit c1e323688fd81a25caa38c78aa6df2d33d3e20d9. [1] [2]
🌐 Web query:
peter-evans/create-pull-request v6 latest release commit SHA github
💡 Result:
Latest v6 release for peter-evans/create-pull-request is v6.1.0 (tag v6.1.0 / major tag v6), pointing to commit:
- c5a7806660adbe173f04e3e038b0ccdcd758773c [1][2]
Pin GitHub Actions to full commit SHAs.
Unpinned actions are a supply-chain risk. Pin actions/checkout, actions/setup-java, and peter-evans/create-pull-request to their release commit SHAs:
Example pinning
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
- - uses: actions/setup-java@v4
+ - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9
- - uses: peter-evans/create-pull-request@v6
+ - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c
Also applies to: 57-62, 68-73
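Review bot: a bare 40-character SHA on each `+ - uses:` line no longer says which release it is; add the tag as a trailing comment (`# v4.3.1`, `# v4.8.0`, `# v6.1.0`, per the lookups quoted above) so a reviewer can read the version at a glance. Confirm each SHA against the action's own tags page before committing, since these values came from a web query rather than from the repository.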
🤖 Prompt for AI Agents
In @.github/workflows/swagger-json.yml around lines 14 - 21, Replace unpinned
action versions with full commit SHAs for supply-chain safety: change uses:
actions/checkout@v4, uses: actions/setup-java@v4, and uses:
peter-evans/create-pull-request@... to their respective release commit SHAs
(e.g., actions/checkout@<full-sha>, actions/setup-java@<full-sha>,
peter-evans/create-pull-request@<full-sha>), keeping the same inputs; update
every occurrence of those uses entries in the workflow so all references are
pinned to specific commit SHAs.
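The pinning rule in the comment above can be enforced mechanically rather than by review alone. The following is an added example, not part of the PR or of CodeRabbit's output: it scans workflow text for `uses:` entries that are not pinned to a full 40-character commit SHA. The sample workflow is constructed from the `uses:` lines quoted in this thread, and treating `./` local actions as exempt and `docker://` references as pinned only with an `@sha256:` digest are assumptions of this sketch.

```python
import re

# Matches "uses: owner/repo@ref" with or without a leading "- " and optional quotes.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample built from the uses: lines quoted in this thread.
SAMPLE = """\
jobs:
  swagger-sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
      - name: Set up Java 17
        uses: actions/setup-java@v4
        with:
          java-version: 17
      - name: Checkout AMRIT-Docs
        uses: actions/checkout@v4
      # - uses: actions/setup-java@v4
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v6
"""


def classify(ref):
    """Return 'local', 'pinned' or 'unpinned' for one uses: value."""
    if ref.startswith("./"):
        return "local"  # action stored in this repository
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "unpinned"
    _, _, version = ref.partition("@")
    # Tags, branches and abbreviated SHAs are all mutable or ambiguous.
    return "pinned" if FULL_SHA.match(version) else "unpinned"


def unpinned_actions(workflow_text):
    """List (line_no, ref) for every uses: entry not pinned to a full SHA."""
    hits = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES.match(line)
        if m and classify(m.group(1)) == "unpinned":
            hits.append((no, m.group(1)))
    return hits


if __name__ == "__main__":
    for no, ref in unpinned_actions(SAMPLE):
        print(f"line {no}: {ref} is not pinned to a commit SHA")
```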
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.github/workflows/swagger-json.yml:
- Around line 72-85: The workflow uses the Create Pull Request step (uses:
peter-evans/create-pull-request@v6) with an unsupported input key
`base-repository`; remove the `base-repository: PSMRI/AMRIT-Docs` line from that
step so only valid inputs remain, keep `base: main` and `path: amrit-docs` as-is
so the action operates on the checked-out repo directory.
| - name: Copy Swagger JSON | ||
| run: | | ||
| cp common-api.json amrit-docs/docs/swagger/common-api.json |
Ensure target directory exists before copy.
The copy will fail if docs/swagger/ directory doesn't exist in the AMRIT-Docs repository.
🔧 Proposed fix
- name: Copy Swagger JSON
run: |
+ mkdir -p amrit-docs/docs/swagger
cp common-api.json amrit-docs/docs/swagger/common-api.json
📝 Committable suggestion
| - name: Copy Swagger JSON | |
| run: | | |
| cp common-api.json amrit-docs/docs/swagger/common-api.json | |
| - name: Copy Swagger JSON | |
| run: | | |
| mkdir -p amrit-docs/docs/swagger | |
| cp common-api.json amrit-docs/docs/swagger/common-api.json |
🤖 Prompt for AI Agents
In @.github/workflows/swagger-json.yml around lines 68 - 70, The workflow step
"Copy Swagger JSON" may fail if the target directory amrit-docs/docs/swagger
does not exist; before running the cp command in that step, ensure the directory
is created (e.g., run a mkdir -p for amrit-docs/docs/swagger) so the copy
succeeds reliably, and keep the step name "Copy Swagger JSON" and the source
file common-api.json unchanged.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/swagger-json.yml (1)
9-10: Consider adding a job timeout.
Without `timeout-minutes`, the job could run indefinitely if Maven or the Spring Boot application hangs during startup. While the fetch loop is capped at 30 retries, other steps have no timeout.
🔧 Suggested fix
swagger-sync: runs-on: ubuntu-latest + timeout-minutes: 15
| - name: Checkout AMRIT-Docs | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: DurgaPrasad-54/AMRIT-Docs | ||
| token: ${{ secrets.DOCS_REPO_TOKEN }} | ||
| path: amrit-docs |
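Review bot: the `token: ${{ secrets.DOCS_REPO_TOKEN }}` line gives this job a cross-repository credential, and actions/checkout keeps it in the clone's git config by default (`persist-credentials: true`), so every later step that runs inside `amrit-docs` can use it. Make `DOCS_REPO_TOKEN` a fine-grained token limited to the docs repository with only contents and pull-request write access, and confirm the `repository:` value is the one that token was issued for.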
Workflow targets a personal fork instead of the organization repository.
The checkout targets DurgaPrasad-54/AMRIT-Docs (personal fork) rather than PSMRI/AMRIT-Docs (organization repo). If this is for testing, ensure it's updated to the organization repository before merging.
🔧 Suggested fix
- name: Checkout AMRIT-Docs
uses: actions/checkout@v4
with:
- repository: DurgaPrasad-54/AMRIT-Docs
+ repository: PSMRI/AMRIT-Docs
token: ${{ secrets.DOCS_REPO_TOKEN }}
path: amrit-docs
🤖 Prompt for AI Agents
In @.github/workflows/swagger-json.yml around lines 61 - 66, The workflow's
checkout step is pointing to a personal fork via the repository field in the
Checkout action (uses: actions/checkout@v4) — change the repository value from
"DurgaPrasad-54/AMRIT-Docs" to the organization repo "PSMRI/AMRIT-Docs" (or
parameterize via a secret/variable if testing) so the action checks out the
correct org repository; update the repository key in the Checkout AMRIT-Docs
step accordingly.