Inherit from gov-codejson with tests

[sachin-panayil]

Problem

The Zod validation schema was manually maintained, requiring us to keep it in sync with the gov-codejson schema. This created drift between our logic and the upstream, and added ongoing maintenance burden whenever the schema changed.

Solution

Replaced the manual schema with an auto-generated one

• Added src/scripts/generate-schema.ts that fetches the official schema from gov-codejson and converts it to Zod using json-schema-to-zod
• Outputs formatted TypeScript to src/types/CodeJSONSchema.ts
• Created tests to make sure that generated schema is valid

Result

Schema validation now stays in sync with the gov-codejson, eliminating drift between codebase and upstream changes. This reduces the maintenance burden when schema updates occur since regenerating the types is now a single command

How to Test

1. Run the schema generator

   • npx ts-node src/scripts/generate-schema.ts
   • verify the generated schema at src/types/CodeJSONSchema.ts

2. Run the unit tests

   • npm test
   • check to see if tests pass

To fix the problem, add an explicit permissions block that limits the GITHUB_TOKEN to only what this workflow needs. This job only checks out code and runs tests, so it only needs read access to repository contents.

The best targeted fix is to add a permissions section to the test job, directly under runs-on: ubuntu-latest. This keeps the scope local to this job and does not affect any other workflows or jobs. The block should set contents: read, which is the minimal permission required for actions/checkout and read-only operations.

Concretely, in .github/workflows/test.yml, between lines 11 and 13, insert:

    permissions:
      contents: read

No imports or other definitions are required, as this is standard GitHub Actions YAML configuration.