# The pipeline nobody in 1,005 repos fully built.
API Evangelist read 1,005 real public GitHub pipelines running Spectral in CI. The maturity ceiling was six out of eight; two repos reached it; nobody assembled the whole blueprint — even though every piece of it already ships somewhere in the data. This repo bolts the pieces together so you fork a good fragment instead of the bad one you'd find first.
```shell
npx @stoplight/spectral-cli@latest lint -r ruleset/.spectral.yaml examples/openapi.yaml
```

## The blueprint, decision by decision
| Piece | The finding it fixes | Real exemplar |
|---|---|---|
| Gate on the pull request | A third of repos lint on push-to-main, i.e. after the merge has already landed | vtex/openapi-schemas |
| Path-filter to spec/ruleset | Only 22% restrict the run to changes in the spec | mongodb/openapi |
| Spectral pinned by commit SHA | Only 14 of 215 pin by commit | mongodb/openapi |
| An owned, grounded ruleset | 63% run the defaults | teamdigitale (national ruleset) |
| A separate OWASP security job | Security rules in just 14% | geobeyond/fastgeoapi |
| A human-readable report | Readable report ~7%, SARIF ~3% | geobeyond/fastgeoapi |
| Sparse blocking severity | Untuned defaults or toothless continue-on-error | — |
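As an added example that is not the repo's own starter/api-governance.yml, one way to wire the rows of the table above into a single GitHub Actions workflow. `<COMMIT-SHA>` and `<PINNED-VERSION>` are placeholders you resolve yourself, the `openapi/**` spec path and the `ruleset/.spectral-owasp.yaml` file are assumptions, and the security job relies on the @stoplight/spectral-owasp-ruleset npm package.

```yaml
name: api-governance

on:
  pull_request:                      # gate the PR, not the post-merge push to main
    paths:                           # and only when the spec, rules or this file changed
      - "openapi/**"
      - "ruleset/**"
      - ".github/workflows/api-governance.yml"

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Pin actions by commit SHA; the trailing tag is a comment for humans, not the pin.
      - uses: actions/checkout@<COMMIT-SHA>     # v4
      - uses: actions/setup-node@<COMMIT-SHA>   # v4
        with:
          node-version: 20
      - name: Lint against the owned ruleset
        # Only 'error' fails the job; warnings and hints still print in the stylish
        # report below. No continue-on-error here, that would make the gate toothless.
        run: |
          npx --yes @stoplight/spectral-cli@<PINNED-VERSION> lint "openapi/**/*.yaml" \
            --ruleset ruleset/.spectral.yaml \
            --fail-severity error \
            --format stylish

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<COMMIT-SHA>     # v4
      - uses: actions/setup-node@<COMMIT-SHA>   # v4
        with:
          node-version: 20
      # Separate job: OWASP findings get their own check line on the PR.
      # Assumes ruleset/.spectral-owasp.yaml contains
      #   extends: ["@stoplight/spectral-owasp-ruleset"]
      - run: npm install --no-save @stoplight/spectral-owasp-ruleset@<PINNED-VERSION>
      - run: |
          npx --yes @stoplight/spectral-cli@<PINNED-VERSION> lint "openapi/**/*.yaml" \
            --ruleset ruleset/.spectral-owasp.yaml \
            --fail-severity error \
            --format stylish
```

The stylish output in the job log is the readable report; the job's exit status is the gate, and only rules you set to `error` in your own ruleset trip it.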
## What you fork
- `starter/api-governance.yml`: a copy-paste workflow, every decision commented with the finding it fixes and the real team that proved it.
- `action.yml`: a one-step composite action bundling the whole blueprint: spec glob, ruleset path, fail-severity, security on/off.
- `ruleset/`: an owned, grounded example ruleset of 11 rules, only 3 of them blocking, each with a why and a docs link, plus positive twins for progress reporting.
- `examples/`: a clean spec and a half-complying one that teaches, so you can watch the pipeline gate and report before you touch your own.
```shell
# In your repo
cp starter/api-governance.yml .github/workflows/
cp -r ruleset/ .   # then rewrite the rules against YOUR operations
```