chore: include workflow inputs in job get endpoint

[adityachoudhari26]

Summary by CodeRabbit

• New Features
  • Resolved input values are now accessible for workflow runs through the API dispatch context and GitHub Action outputs. This allows you to retrieve and inspect all input parameters provided to a workflow execution.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR adds an inputs field to the DispatchContext schema to expose resolved workflow run inputs. The schema change propagates through the OpenAPI definition and generated TypeScript types. Two job-object implementations (JavaScript and TypeScript) then wire the new field into their output structures.

Changes

Expose Resolved Workflow Inputs

Layer / File(s)	Summary
DispatchContext schema and types apps/api/openapi/schemas/jobs.jsonnet, apps/api/openapi/openapi.json, apps/api/src/types/openapi.ts	DispatchContext schema gains an optional inputs field (object with arbitrary properties) representing resolved input values for a workflow run. The OpenAPI JSON and generated TypeScript types reflect this addition.
Job object construction github/get-job-inputs/index.js, integrations/github-get-job-inputs/src/index.ts	Both implementations add an input property to the job object, populated from dispatchContext?.inputs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• ctrlplanedev/ctrlplane#865: Modifies the same get-job-inputs implementations to source fields from dispatchContext; this PR extends that pattern by adding the input field.

Suggested reviewers

• zacharyblasczyk
• jsbroks

Poem

🐰 A workflow's inputs now exposed with care,
Through schemas and types flowing everywhere,
Job objects enriched with each value and key,
Dispatch context whispers what inputs shall be! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: adding workflow inputs (the inputs field) to the job get endpoint response through updates to the DispatchContext schema and related job object construction.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch include-inputs-get-job-response

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.43.0)

github/get-job-inputs/index.js

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR extends the job “dispatch context” surface area to include resolved workflow-run input values, and wires those inputs into the Get Job Inputs GitHub Action so they can be exposed as flattened GitHub Actions outputs.

Changes:

• Add dispatchContext.inputs to the OpenAPI schema (jsonnet source, generated openapi.json, and generated TypeScript types).
• Include dispatchContext.inputs in the GitHub Action’s flattened output object (and in the bundled index.js).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
integrations/github-get-job-inputs/src/index.ts	Adds workflow-run inputs into the flattened GitHub Actions output payload.
github/get-job-inputs/index.js	Updates the bundled GitHub Action output to match the source change.
apps/api/src/types/openapi.ts	Updates generated OpenAPI TS types to include DispatchContext.inputs.
apps/api/openapi/schemas/jobs.jsonnet	Adds inputs field to the DispatchContext schema source.
apps/api/openapi/openapi.json	Updates generated OpenAPI JSON to include DispatchContext.inputs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

integrations/github-get-job-inputs/src/index.ts (1)

86-86: 💤 Low value

Consider aligning field name with source property.

The field is named input (singular) while the source is dispatchContext?.inputs (plural). Other fields like variable, resource, and version follow a singular naming pattern, but maintaining consistency with the source property name (inputs) might improve clarity.

♻️ Proposed naming alignment

If inputs is the canonical name in the API schema:

-    input: dispatchContext?.inputs,
+    inputs: dispatchContext?.inputs,

This would result in flattened outputs like inputs_* instead of input_*, which is a breaking change for workflow compatibility, so only apply if this is intentional.

Based on learnings: "Sanitize flattened output keys consistently; changing key format is a breaking workflow compatibility change" applies to this file.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@integrations/github-get-job-inputs/src/index.ts` at line 86, The field
mapping uses a singular key `input` while sourcing from
`dispatchContext?.inputs`, causing a naming mismatch; update the object property
from `input` to `inputs` in the code that constructs the output (the mapping
where `input: dispatchContext?.inputs` is set in
integrations/github-get-job-inputs/src/index.ts) so the output key aligns with
the source property, and verify downstream consumers and flattened key
generation (e.g., the code that produces `input_*` vs `inputs_*`) to ensure you
intentionally accept the breaking change or update those consumers accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@integrations/github-get-job-inputs/src/index.ts`:
- Line 86: dispatchContext?.inputs is being passed directly into
setOutputsRecursively (via the property input) which flattens and writes every
nested value to core.setOutput/core.info and can leak secrets; change the code
so that index.ts does not pass raw dispatchContext?.inputs into
setOutputsRecursively—either (a) only pass a vetted whitelist of allowed keys,
(b) redact sensitive-looking values (e.g., keys containing
"token"/"password"/"secret"/"key") before passing, or (c) avoid recursive output
logging entirely and instead expose only specific safe fields; also confirm
whether the singular property name input is intentional and, if kept, ensure its
contents are sanitized before any calls to setOutputsRecursively or core.info to
prevent secret exposure.

---

Nitpick comments:
In `@integrations/github-get-job-inputs/src/index.ts`:
- Line 86: The field mapping uses a singular key `input` while sourcing from
`dispatchContext?.inputs`, causing a naming mismatch; update the object property
from `input` to `inputs` in the code that constructs the output (the mapping
where `input: dispatchContext?.inputs` is set in
integrations/github-get-job-inputs/src/index.ts) so the output key aligns with
the source property, and verify downstream consumers and flattened key
generation (e.g., the code that produces `input_*` vs `inputs_*`) to ensure you
intentionally accept the breaking change or update those consumers accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: df0c9bae-1ce7-446f-a745-3b9fd0f86016

📥 Commits

Reviewing files that changed from the base of the PR and between 5e617b8 and 03741b1.

📒 Files selected for processing (5)

• apps/api/openapi/openapi.json
• apps/api/openapi/schemas/jobs.jsonnet
• apps/api/src/types/openapi.ts
• github/get-job-inputs/index.js
• integrations/github-get-job-inputs/src/index.ts

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check the DispatchContext schema to understand if inputs can contain sensitive data

# Look for the DispatchContext type definition and inputs field
ast-grep --pattern $'interface DispatchContext {
  $$$
  inputs$_
  $$$
}'

# Also search for any documentation or comments about inputs
rg -nP -C5 'inputs.*:.*\{' --type=ts --glob '**/schemas/**' --glob '**/types/**'

# Check if there are any sanitization or filtering patterns for inputs
rg -nP '(secret|password|token|key|credential)' --type=ts --iglob '*dispatch*' --iglob '*input*' -C3

Repository: ctrlplanedev/ctrlplane

Length of output: 22669

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate and print the relevant section of the action entrypoint
echo "### integrations/github-get-job-inputs/src/index.ts (around line 60-120)"
nl -ba integrations/github-get-job-inputs/src/index.ts | sed -n '60,130p'

# Find where setOutputsRecursively is defined/used
echo "### Search for setOutputsRecursively definition"
rg -n "setOutputsRecursively" integrations/github-get-job-inputs/src -S

# Print the file(s) containing setOutputsRecursively
echo "### Print setOutputsRecursively implementation (if in-repo)"
FILES=$(rg -l "setOutputsRecursively" integrations/github-get-job-inputs/src -S || true)
if [ -n "${FILES:-}" ]; then
  for f in $FILES; do
    echo "---- $f ----"
    nl -ba "$f" | sed -n '1,220p'
  done
fi

# Determine where dispatchContext comes from and its type import/definition
echo "### Search for dispatchContext usage and its type/source"
rg -n "dispatchContext" integrations/github-get-job-inputs/src -S

# Also locate the typed DispatchContext import (if any) and show its type shape
echo "### Search for DispatchContext type references in this integration"
rg -n "DispatchContext" integrations/github-get-job-inputs/src -S

Repository: ctrlplanedev/ctrlplane

Length of output: 200

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "### integrations/github-get-job-inputs/src/index.ts (around line 60-130)"
sed -n '60,130p' integrations/github-get-job-inputs/src/index.ts | cat -n

echo "### Search for setOutputsRecursively definition/usage"
rg -n "setOutputsRecursively" integrations/github-get-job-inputs/src -S || true

echo "### Print candidate files that define setOutputsRecursively (if in-repo)"
FILES=$(rg -l "setOutputsRecursively" integrations/github-get-job-inputs/src -S || true)
if [ -n "${FILES:-}" ]; then
  for f in $FILES; do
    echo "---- $f ----"
    # show enough lines around the definition
    sed -n '1,220p' "$f" | cat -n
  done
fi

echo "### Search for dispatchContext usage"
rg -n "dispatchContext" integrations/github-get-job-inputs/src -S || true

echo "### Search for DispatchContext type references"
rg -n "DispatchContext" integrations/github-get-job-inputs/src -S || true

Repository: ctrlplanedev/ctrlplane

Length of output: 6394

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "### Search for sanitization/redaction in the integration"
rg -n "(sanitize|redact|mask|secret|token|password|key|credential)" integrations/github-get-job-inputs/src -S || true

echo "### Inspect OpenAPI DispatchContext type shape around inputs"
# show the exact lines from openapi generated types
sed -n '1560,1620p' apps/api/src/types/openapi.ts | cat -n

echo "### Search for setOutputAndLog usage / any overrides"
rg -n "setOutputAndLog|core\.info\(" integrations/github-get-job-inputs/src -S

Repository: ctrlplanedev/ctrlplane

Length of output: 4906

---

Prevent potential secret leakage by not recursively logging/setting outputs from dispatchContext?.inputs

• integrations/github-get-job-inputs/src/index.ts sets input: dispatchContext?.inputs and passes it to setOutputsRecursively, which flattens every nested leaf and writes it to both core.setOutput(...) and core.info(...).
• DispatchContext.inputs is typed as { [key: string]: unknown }, and there’s no value redaction/sanitization (only key name normalization), so any workflow input that contains a token/password/API key would be exposed in action logs and as outputs.
• Minor: input (singular) is populated from inputs (plural); check if the naming is intentional for workflow compatibility.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@integrations/github-get-job-inputs/src/index.ts` at line 86,
dispatchContext?.inputs is being passed directly into setOutputsRecursively (via
the property input) which flattens and writes every nested value to
core.setOutput/core.info and can leak secrets; change the code so that index.ts
does not pass raw dispatchContext?.inputs into setOutputsRecursively—either (a)
only pass a vetted whitelist of allowed keys, (b) redact sensitive-looking
values (e.g., keys containing "token"/"password"/"secret"/"key") before passing,
or (c) avoid recursive output logging entirely and instead expose only specific
safe fields; also confirm whether the singular property name input is
intentional and, if kept, ensure its contents are sanitized before any calls to
setOutputsRecursively or core.info to prevent secret exposure.