From 2b13b13001564fdb0e06056f5fe9b5110dfa1eba Mon Sep 17 00:00:00 2001
From: Reuven Harrison
Date: Tue, 16 Jun 2026 15:35:12 +0300
Subject: [PATCH 1/3] Default github-token to ${{ github.token }} so the PR comment posts without setup Most repos got the encrypted free review by tracking a moving action ref, not by a proactive upgrade, so they never added github-token + permissions. Result: the review link goes only to the job summary (a page almost nobody opens). Day-2 production: ~476 reviews created, 3 opened. Defaulting github-token to the built-in github.token means the comment is posted automatically wherever the job's GITHUB_TOKEN already has write permission, with no workflow edit. Repos whose default token is read-only still fall back to the summary (the permissions line genuinely needs a workflow edit); fork PRs are unchanged. Also makes the comment the honest first-touch notice it now is: - precise privacy wording (key lives in the URL fragment, never sent to a server, so oasdiff cannot read the specs) instead of "specs stay private"; - "anyone with the link can open" (the capability-by-URL model) instead of "anyone can open"; - an explicit opt-out line ("set review: false") since the comment is now posted by default. Co-Authored-By: Claude Opus 4.8
---
 breaking/action.yml | 4 ++--
 breaking/entrypoint.sh | 6 ++++--
 changelog/action.yml | 4 ++--
 changelog/entrypoint.sh | 6 ++++--
 4 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/breaking/action.yml b/breaking/action.yml
index 178b1a8..16e0ddb 100644
--- a/breaking/action.yml
+++ b/breaking/action.yml
@@ -61,9 +61,9 @@ inputs:
 required: false
 default: 'true'
 github-token:
- description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Pass the built-in github.token and grant the job permissions: pull-requests: write. Optional; when omitted the link is written only to the job summary. On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
+ description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Defaults to the built-in github.token, so the comment is posted automatically when the job grants permissions: pull-requests: write. Set to an empty string to disable the comment (the link then appears only in the job summary). On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
 required: false
- default: ''
+ default: ${{ github.token }}
 outputs:
 breaking:
 description: 'Output summary of API breaking changes, encompassing both warnings and errors'
diff --git a/breaking/entrypoint.sh b/breaking/entrypoint.sh
index 1a63510..58f0efe 100755
--- a/breaking/entrypoint.sh
+++ b/breaking/entrypoint.sh
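Review bot: The new description promises that an empty `github-token` disables the comment, but once a non-empty default is in place that depends on the runner delivering an explicit `with: github-token: ''` as an empty string rather than substituting the default, which is worth confirming against the runner versions you support before the sentence ships. On style, `default: ${{ github.token }}` is the only unquoted default in this block (`default: 'true'` two lines above and the removed `default: ''` are both quoted); `default: '${{ github.token }}'` yields the identical string to the Actions runner and matches the file. The sentence 'On fork pull requests the token is read-only' holds for the `pull_request` trigger, whereas a workflow running on `pull_request_target` hands the action a write-capable default token for fork PRs as well, so the description should name the trigger it is describing. The same points apply to the changelog/action.yml hunk below.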
@@ -66,9 +66,11 @@ post_review_comment () {
 body="${marker}
 ### 📋 [View the side-by-side API change review](${review_url})
-See exactly what changed, in context. Share this link with your team: anyone can open the review, no install and no account needed. It expires in 7 days.
+See exactly what changed, in context. Share this link with your team: anyone with the link can open the review, no install or account needed. It expires in 7 days.
-🔒 Your specs stay private. They're encrypted before upload, and only this link can unlock them. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)"
+🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
+
+Posted automatically by the oasdiff GitHub Action. To stop posting this comment, set \`review: false\` on the action."
 elif [ -n "$existing_id" ]; then
 body="${marker}
 ### ✅ No breaking changes in the latest revision."
diff --git a/changelog/action.yml b/changelog/action.yml
index e915a6e..4d47dc9 100644
--- a/changelog/action.yml
+++ b/changelog/action.yml
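Review bot: The new privacy line over-promises in two places: the URL fragment is left out of the HTTP request, but the review page's own script can read it, so "oasdiff cannot read your specs" rests on that page keeping decryption client-side rather than on browser behaviour alone, and the comment never says that the posted link itself carries the key — on a public repository every reader of this PR can open the review for the 7-day window. A wording that states both: `🔒 Your API specs are encrypted in CI before upload. The decryption key travels only in this link's URL fragment (after the #), which the browser keeps out of the request, so decryption happens in your browser; anyone who can read this pull request can open the review. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)`. The string is built inside `post_review_comment`, which begins and ends outside this hunk. The same wording applies to the changelog/entrypoint.sh hunk below.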
@@ -64,9 +64,9 @@ inputs:
 required: false
 default: 'true'
 github-token:
- description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Pass the built-in github.token and grant the job permissions: pull-requests: write. Optional; when omitted the link is written only to the job summary. On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
+ description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Defaults to the built-in github.token, so the comment is posted automatically when the job grants permissions: pull-requests: write. Set to an empty string to disable the comment (the link then appears only in the job summary). On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
 required: false
- default: ''
+ default: ${{ github.token }}
 outputs:
 changelog:
 description: 'Output summary of API changelog'
diff --git a/changelog/entrypoint.sh b/changelog/entrypoint.sh
index ba41f09..de20760 100755
--- a/changelog/entrypoint.sh
+++ b/changelog/entrypoint.sh
@@ -85,9 +85,11 @@ post_review_comment () {
 body="${marker}
 ### 📋 [View the side-by-side API change review](${review_url})
-See exactly what changed, in context. Share this link with your team: anyone can open the review, no install and no account needed. It expires in 7 days.
+See exactly what changed, in context. Share this link with your team: anyone with the link can open the review, no install or account needed. It expires in 7 days.
-🔒 Your specs stay private. They're encrypted before upload, and only this link can unlock them. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)"
+🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
+
+Posted automatically by the oasdiff GitHub Action. To stop posting this comment, set \`review: false\` on the action."
 elif [ -n "$existing_id" ]; then
 body="${marker}
 ### ✅ No API changes in the latest revision."
From f60eb2921a3a86cc902ffd00091aa6df0624876d Mon Sep 17 00:00:00 2001
From: Reuven Harrison
Date: Tue, 16 Jun 2026 15:51:51 +0300
Subject: [PATCH 2/3] Trim the review comment to essentials Drop product-jargon ('in context'), the share prompt (the review page has a per-change 'Copy link'), the 'anyone with the link' line (covered by the docs 'How it works' link), and 'no install or account needed' (self-evident on click). Keep the title (the value), the 7-day TTL, the privacy explanation, and the opt-out footer. Co-Authored-By: Claude Opus 4.8
---
 breaking/entrypoint.sh | 2 +-
 changelog/entrypoint.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/breaking/entrypoint.sh b/breaking/entrypoint.sh
index 58f0efe..d2509ef 100755
--- a/breaking/entrypoint.sh
+++ b/breaking/entrypoint.sh
@@ -66,7 +66,7 @@ post_review_comment () {
 body="${marker}
 ### 📋 [View the side-by-side API change review](${review_url})
-See exactly what changed, in context. Share this link with your team: anyone with the link can open the review, no install or account needed. It expires in 7 days.
+The link expires in 7 days.
 🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
diff --git a/changelog/entrypoint.sh b/changelog/entrypoint.sh
index de20760..b170261 100755
--- a/changelog/entrypoint.sh
+++ b/changelog/entrypoint.sh
@@ -85,7 +85,7 @@ post_review_comment () {
 body="${marker}
 ### 📋 [View the side-by-side API change review](${review_url})
-See exactly what changed, in context. Share this link with your team: anyone with the link can open the review, no install or account needed. It expires in 7 days.
+The link expires in 7 days.
 🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
From 24c0b8a51218e34094b77930fc00166fdd02f199 Mon Sep 17 00:00:00 2001
From: Reuven Harrison
Date: Tue, 16 Jun 2026 16:06:15 +0300
Subject: [PATCH 3/3] Make the comment's opt-out findable: link to the docs Action section, name the upload A user who got the comment via a moving action ref (not a deliberate opt-in) is the one most likely to want to turn it off. Two changes so they find how: - link 'oasdiff GitHub Action' to /docs/free-review#github-action, the section that explains what posted the comment and how to disable it; - reframe the off-switch from 'stop posting this comment' to 'turn this off (no spec upload, no comment)', since review: false stops the upload too, which is what a privacy-minded first-time reader actually wants. Co-Authored-By: Claude Opus 4.8
---
 breaking/entrypoint.sh | 2 +-
 changelog/entrypoint.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/breaking/entrypoint.sh b/breaking/entrypoint.sh
index d2509ef..d0031b8 100755
--- a/breaking/entrypoint.sh
+++ b/breaking/entrypoint.sh
@@ -70,7 +70,7 @@ The link expires in 7 days.
 🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
-Posted automatically by the oasdiff GitHub Action. To stop posting this comment, set \`review: false\` on the action."
+Posted automatically by the [oasdiff GitHub Action](https://www.oasdiff.com/docs/free-review#github-action). To turn this off (no spec upload, no comment), set \`review: false\` on the action."
 elif [ -n "$existing_id" ]; then
 body="${marker}
 ### ✅ No breaking changes in the latest revision."
diff --git a/changelog/entrypoint.sh b/changelog/entrypoint.sh
index b170261..94da126 100755
--- a/changelog/entrypoint.sh
+++ b/changelog/entrypoint.sh
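Review bot: The footer now offers only `review: false`, which the new text itself says also stops the upload, while the comment-only opt-out advertised in action.yml's `github-token` description (an empty token keeps the review link in the job summary) is not mentioned, so a reader who wants the review but not the PR comment is steered to disable the whole feature. One appended sentence covers that reader, 'To keep the review but not this comment, set github-token to an empty string instead.', since `github-token: ''` is the opt-out action.yml documents (provided the runner delivers an explicitly empty input as empty). The string is built inside `post_review_comment`, which starts and ends outside this hunk. The same applies to the changelog/entrypoint.sh hunk below.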
@@ -89,7 +89,7 @@ The link expires in 7 days.
 🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
-Posted automatically by the oasdiff GitHub Action. To stop posting this comment, set \`review: false\` on the action."
+Posted automatically by the [oasdiff GitHub Action](https://www.oasdiff.com/docs/free-review#github-action). To turn this off (no spec upload, no comment), set \`review: false\` on the action."
 elif [ -n "$existing_id" ]; then
 body="${marker}
 ### ✅ No API changes in the latest revision."