
ci: Add CI jobs to detect proto/OpenAPI breaking changes #2229

Open

thossain-nv wants to merge 3 commits into NVIDIA:main from thossain-nv:chore/api-breaking-changes

Conversation

@thossain-nv
Contributor

Description

  • Currently there is no CI process that raises awareness of proto or OpenAPI breaking changes
  • We want to automate the checks so the burden on the submitter and reviewer is lessened
  • This PR adds two CI jobs, one to check for breaking changes in proto files and one to check for breaking changes in OpenAPI schema that the REST API follows

We want to initially run these jobs for informational purposes, and later decide which of them should block PR merging.

Note

The actions being used may not be NVIDIA approved. If we can't get them approved, I've added alternative commands.

Type of Change

  • Internal - Internal changes (refactoring, tests, docs, etc.)

Related Issues (Optional)

None

Breaking Changes

  • This PR contains breaking changes

Testing

  • No testing required (docs, internal refactor, etc.)

Additional Notes

None

@thossain-nv thossain-nv requested review from a team as code owners June 5, 2026 00:57

coderabbitai Bot commented Jun 5, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d88d52ee-27d1-4de1-855c-5808496d6348

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.



github-actions Bot commented Jun 5, 2026

🔐 TruffleHog Secret Scan

No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉


🕐 Last updated: 2026-06-05 01:00:49 UTC | Commit: 79ed891

uses: oasdiff/oasdiff-action/breaking@v0.0.51
with:
# Compare the exact base and head commits from this PR.
base: '${{ github.event.pull_request.base.sha }}:rest-api/openapi/spec.yaml'
Contributor

@lachen-nv lachen-nv Jun 5, 2026

Our pipeline uses copy-pr-bot when we create a pull request. The bot creates a push event on the pull request, so github.event.pull_request.base.sha is not populated. We can change to a push-safe ref, e.g. origin/main:rest-api/openapi/spec.yaml

Contributor Author

Thanks Larry, updated.


github-actions Bot commented Jun 5, 2026

🔍 Container Scan Summary

Service                  Total  Critical  High  Medium  Low  Other
nico-flow                  116        13    50      41    4      8
nico-nsm                   133        11    45      66   11      0
nico-psm                   118        13    52      41    4      8
nico-rest-api              182        16    84      67    7      8
nico-rest-cert-manager      95         5    47      32    3      8
nico-rest-db               116        13    50      41    4      8
nico-rest-site-agent       115        13    50      41    3      8
nico-rest-site-manager     102         6    48      37    3      8
nico-rest-workflow         118        13    52      41    4      8
TOTAL                     1095       103   478     407   43     64

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

Comment thread .github/workflows/ci.yaml Outdated
- name: Check for Breaking Changes
# If this action is not approved, the following command can be used instead:
# buf breaking crates/rpc/proto --against 'https://github.com/NVIDIA/infra-controller.git#branch=main,subdir=crates/rpc/proto'
uses: bufbuild/buf-breaking-action@v1
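Review bot: the commented fallback `buf breaking crates/rpc/proto --against 'https://github.com/NVIDIA/infra-controller.git#branch=main,subdir=crates/rpc/proto'` hard-codes `main` as the baseline, so a PR opened against any other branch (a release branch, for example) would be checked against the wrong history; either state in the comment that only PRs into `main` are covered, or derive the baseline branch from the event when it is available. Separately, `uses: bufbuild/buf-breaking-action@v1` is a floating major tag: if the action is kept, pin it to a full commit SHA and record the tag it was resolved from in a trailing comment so the pin can be audited and bumped deliberately.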
Contributor

The third-party GitHub Actions should pin to immutable commit SHAs instead of mutable tags like @v1 or @v0.0.51. This keeps CI reproducible and reduces supply-chain drift.
It looks like the action isn’t on the allow list yet. I can help file a request to get it approved.

Contributor Author

buf breaking supports the github-actions error format; I think we can skip the action.

- name: Check OpenAPI breaking changes
# If this action is not approved, the following command can be used instead:
# oasdiff breaking <(git show origin/main:rest-api/openapi/spec.yaml) rest-api/openapi/spec.yaml --fail-on ERR
uses: oasdiff/oasdiff-action/breaking@v0.0.51
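Review bot: the fallback `oasdiff breaking <(git show origin/main:rest-api/openapi/spec.yaml) rest-api/openapi/spec.yaml --fail-on ERR` only works if `origin/main` is present in the runner's clone; with a default shallow checkout of just the PR ref, `git show` fails before oasdiff runs, so the job needs a `git fetch origin main` step (or a full-history checkout) ahead of it. `<(...)` is bash process substitution, which is fine under the Linux runners' default shell but not under `sh` or Windows shells, so set `shell: bash` on the step if it is ever moved. `--fail-on ERR` ignores WARN-level findings, which matches the informational roll-out described in the PR but should be revisited when the job becomes blocking.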
Contributor

Same here: it would be better to pin this action by commit SHA instead of a mutable tag.
Just checked: this action is already on our allow list.

Collaborator

Is v0.0.51 a mutable tag though?

Collaborator

Ah, I see the guidance from GitHub here now says to use a SHA for 3rd-party tags: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions. We should mark in a comment above the version to know what the SHA pins to.

Contributor Author

Pinned to specific commit.

Collaborator

@nv-dmendoza nv-dmendoza left a comment

LGTM other than needing to adjust 3rd-party actions to use a SHA ref over a tag ref. See https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
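The pinning guidance discussed in the review above, as an added example that is not part of the PR or of the infra-controller repository: a small bash lint that walks the `uses:` lines of a workflow file and flags any action reference that is not a full 40-hex commit SHA, or a SHA pin that lacks the trailing version comment the reviewers asked for. A tag such as `v1` or `v0.0.51` can be moved, deleted and re-created by anyone with push access to the action's repository, which is why GitHub's guidance points at commit SHAs. The sample workflow below, including its all-zero placeholder SHA, is constructed for the demonstration; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not code from the PR): lint third-party action pins in a
# GitHub Actions workflow file.
#
# Rules enforced per `uses:` line:
#   1. the ref after '@' must be a full 40-hex commit SHA (tags/branches are mutable);
#   2. a SHA pin must carry a trailing "# vX.Y.Z" style comment so reviewers can
#      tell which release the SHA was taken from.
# Local actions (./path) and docker:// references are not GitHub refs and are skipped.

# Print one line per violation as "<line>: <reason>: <uses value>".
# Exit status 0 when the file is clean, 1 when any violation was found.
lint_action_pins() {
  local file="$1" violations=0 n=0 line ref rest comment
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *uses:*) ;;
      *) continue ;;
    esac
    rest="${line#*uses:}"
    comment=""
    case "$rest" in
      *'#'*) comment="${rest#*#}"; rest="${rest%%#*}" ;;
    esac
    # Drop whitespace and quoting around the action reference.
    rest="$(printf '%s' "$rest" | tr -d " \t'\"")"
    case "$rest" in
      ./*|docker://*) continue ;;
    esac
    ref="${rest##*@}"
    if [ "$ref" = "$rest" ]; then
      echo "$n: no @ref at all: $rest"
      violations=$((violations + 1)); continue
    fi
    if ! printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
      echo "$n: mutable ref (tag or branch), pin to a commit SHA: $rest"
      violations=$((violations + 1)); continue
    fi
    if ! printf '%s' "$comment" | grep -Eq '^[[:space:]]*v?[0-9]'; then
      echo "$n: SHA pin without a version comment: $rest"
      violations=$((violations + 1))
    fi
  done < "$file"
  [ "$violations" -eq 0 ]
}

# Number of violations in a file, as a plain integer on stdout.
count_violations() {
  lint_action_pins "$1" | wc -l | tr -d ' '
}

# Constructed sample workflow: one correctly pinned action (placeholder SHA,
# not a real pin), two actions on mutable tags, one local action.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Constructed sample: one job, three third-party actions in three pinning states.
jobs:
  api-compat:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2
      - name: Check for Breaking Changes
        uses: bufbuild/buf-breaking-action@v1
      - name: Check OpenAPI breaking changes
        uses: oasdiff/oasdiff-action/breaking@v0.0.51
      - uses: ./.github/actions/local-helper
EOF

if lint_action_pins "$SAMPLE"; then
  echo "all third-party actions are pinned to commit SHAs"
else
  echo "found $(count_violations "$SAMPLE") pinning issue(s)"
fi
```

Run it against a real workflow with `lint_action_pins .github/workflows/ci.yaml`; the non-zero exit status makes it usable as a pre-commit hook or as its own informational CI step, in the same spirit as the two checks this PR adds. The lint is line-based on purpose: it needs no YAML parser, and `uses:` keys are conventionally one per line in workflow files.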

@thossain-nv thossain-nv force-pushed the chore/api-breaking-changes branch 2 times, most recently from 69044a1 to 6d2641d Compare June 5, 2026 21:06
github-actions Bot commented Jun 5, 2026

Signed-off-by: Tareque Hossain <thossain@nvidia.com>
Signed-off-by: Tareque Hossain <thossain@nvidia.com>
Signed-off-by: Tareque Hossain <thossain@nvidia.com>
@thossain-nv thossain-nv force-pushed the chore/api-breaking-changes branch from 6d2641d to 3a43dd0 Compare June 5, 2026 21:41

Labels: None yet

Projects: None yet


3 participants