fix: Use shared contract-tests action to avoid GitHub API rate limiting#94

Closed
devin-ai-integration[bot] wants to merge 7 commits into main from devin/1772832423-fix-contract-test-version
Conversation

Contributor

@devin-ai-integration devin-ai-integration Bot commented Mar 6, 2026

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Related issues

Fixes intermittent CI failure in the macos-build job: https://github.com/launchdarkly/swift-eventsource/actions/runs/22674124370/job/66058304181

Describe the solution you've provided

The contract test step was failing with Unable to find a release matching 'v2'. The root cause is that the downloader script resolves partial version strings (like v2) by calling the GitHub releases API without authentication, which is subject to a 60 req/hour rate limit per IP. GitHub Actions shared runners frequently exhaust this limit.

This PR replaces the make contract-tests call in the CI action with the shared launchdarkly/gh-actions/actions/contract-tests action (@contract-tests-v1.3.0), which handles authenticated API calls via the token input. The contract test step is split into three separate steps:

  1. Build the contract test service (make build-contract-tests)
  2. Start it in the background (make start-contract-test-service-bg)
  3. Run the test harness via the shared action with token: ${{ inputs.token }}

The Makefile is left unchanged for local development use.

⚠️ Reviewer checklist

  • The shared action's enable_persistence_tests defaults to true — verify this is acceptable for SSE contract tests (the original make invocation did not pass this flag)
  • contract-tests-v1.3.0 is the appropriate version to pin to

Describe alternatives you've considered

  • Inline authenticated version resolution in the Makefile: Duplicates the downloader script's logic and adds complexity to the Makefile.
  • Pinning to a specific full version (e.g., v2.31.0): Simpler but requires manual updates whenever a new contract test version is released.

Additional context


Note

Low Risk
Low risk since changes are confined to CI wiring, but contract-test execution may break if the new shared action inputs/flags differ from the prior make contract-tests behavior or if the background service startup timing is off.

Overview
Switches the CI composite action from a single make contract-tests invocation to a 3-step flow: build the contract test service, start it in the background, then run the harness via launchdarkly/gh-actions/actions/contract-tests@contract-tests-v1.3.0 using the provided token for authenticated GitHub API calls.

Also passes explicit action parameters (repo/branch/port, debug logging, and skipped test patterns) to standardize contract-test runs in CI.

Written by Cursor Bugbot for commit 9240504. This will update automatically on new commits.

devin-ai-integration Bot and others added 2 commits March 6, 2026 21:27
The contract test downloader script resolves partial version strings
(like 'v2') by calling the GitHub API without authentication, which is
subject to a 60 req/hour rate limit per IP. GitHub Actions shared
runners frequently exhaust this limit, causing the version resolution
to fail with 'Unable to find a release matching v2'.

Using the full version string 'v2.31.0' makes the downloader skip the
API call entirely since it recognizes a complete version string.

Co-Authored-By: rlamb@launchdarkly.com <rlamb@launchdarkly.com>

When GITHUB_TOKEN is available (e.g. in CI), use it to authenticate
the GitHub API call that resolves the contract test version. This
avoids rate limiting on shared GitHub Actions runner IPs.

The version is resolved before invoking the downloader script, so
the script receives a full version string and skips its own
unauthenticated API call. Falls back to the existing behavior
(VERSION=v2) when no token is available.

Co-Authored-By: rlamb@launchdarkly.com <rlamb@launchdarkly.com>
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@devin-ai-integration devin-ai-integration Bot added the devin-pr PRs created by Devin label Mar 6, 2026
…download

Replace the inline 'make contract-tests' call with the shared
launchdarkly/gh-actions/actions/contract-tests action, which handles
authenticated GitHub API calls to avoid rate limiting on shared
CI runner IPs.

The Makefile is reverted to its original state for local dev use.

Co-Authored-By: rlamb@launchdarkly.com <rlamb@launchdarkly.com>
@devin-ai-integration devin-ai-integration Bot changed the title fix: Authenticate GitHub API call in contract test version resolution fix: Use shared contract-tests action to avoid GitHub API rate limiting Mar 6, 2026
run: make start-contract-test-service-bg

- name: Run contract tests
uses: launchdarkly/gh-actions/actions/contract-tests@contract-tests-v1.3.0
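Review bot: The harness step follows `run: make start-contract-test-service-bg` immediately, and nothing visible here waits for the background service to be listening before the shared action starts the run; the PR's own risk note calls out background service startup timing as the likely failure mode. Unless the shared action polls the configured port itself, a readiness wait between the two steps (a short loop against the service port before `- name: Run contract tests`) would close that window, and a `timeout-minutes` on the harness step would keep a stuck service from hanging the macos-build job.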

Semgrep identified an issue in your code:
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
uses: launchdarkly/gh-actions/actions/contract-tests@contract-tests-v1.3.0
uses: launchdarkly/gh-actions/actions/contract-tests@31bfa9142fd9d497eac1b1b9e179b2b1fda0d8d9 # contract-tests-v1.3.0
View step-by-step instructions
  1. Change the value after @ in uses: launchdarkly/gh-actions/actions/contract-tests@contract-tests-v1.3.0 to the full commit SHA for the contract-tests-v1.3.0 release, such as @a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0 (use the actual 40-character SHA from the release/tag).
  2. Optionally, add a comment after the SHA indicating which version it corresponds to, for example: # contract-tests-v1.3.0.

Pinning to a commit SHA ensures that your workflow uses exactly the same code every time and protects against malicious changes in third-party GitHub actions.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.

You can view more details about this finding in the Semgrep AppSec Platform.

Member


We own these github actions so I don't think this is a big concern.

Contributor Author


Agreed — since it's an internal action, pinning to the tag should be fine. I'll leave it as-is.

The shared contract-tests action defaults branch to 'v2', which works
for sdk-test-harness but not sse-contract-tests (which uses 'main').

Co-Authored-By: rlamb@launchdarkly.com <rlamb@launchdarkly.com>
Comment thread .github/actions/ci/action.yml
@kinyoklion kinyoklion marked this pull request as ready for review March 6, 2026 22:54
@kinyoklion kinyoklion requested a review from a team as a code owner March 6, 2026 22:54
@kinyoklion kinyoklion marked this pull request as draft March 6, 2026 22:54

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Comment thread .github/actions/ci/action.yml Outdated
with:
repo: sse-contract-tests
branch: main
branch: main


Duplicate YAML key branch in action config

Medium Severity

The branch key appears twice (lines 88 and 89) in the with block for the contract tests step. Duplicate keys in YAML have undefined behavior per the YAML spec — most parsers silently use the last value, but some may error. This was acknowledged in the PR discussion as a duplication that needs to be fixed; one of the two branch: main entries needs to be removed.

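The two automated findings in this thread (Semgrep's unpinned third-party `uses:` reference and Bugbot's duplicated `branch:` key) are both cheap to catch before a workflow file is pushed. The scanner below is an added example, not code from this PR or from any launchdarkly repository; the action text it scans is constructed to mirror the snippets quoted in the review threads, and a real check would read `.github/actions/ci/action.yml` from disk instead.

```python
import re

# Constructed sample mirroring the two review findings in this thread
# (a tag-pinned 'uses:' and the repeated 'branch' key); not the repo's real file.
SAMPLE_ACTION_YML = """\
    - name: Start contract test service
      run: make start-contract-test-service-bg
    - name: Run contract tests
      uses: launchdarkly/gh-actions/actions/contract-tests@contract-tests-v1.3.0
      with:
        repo: sse-contract-tests
        branch: main
        branch: main
"""
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
KEY_RE = re.compile(r"^(\s*)(-\s+)?([A-Za-z_][\w-]*):")  # optional '- ' list marker


def unpinned_actions(text: str) -> list[str]:
    """Return remote 'uses:' refs whose part after '@' is not a full commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):  # local path or image: no git ref
            continue
        _, _, version = ref.partition("@")
        if not SHA1_RE.match(version):
            findings.append(ref)
    return findings


def duplicate_keys(text: str) -> list[str]:
    """Return keys that repeat at the same indentation inside one mapping block."""
    findings = []
    seen: dict[int, set[str]] = {}  # indentation column -> keys seen in that block
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent = len(m.group(1)) + len(m.group(2) or "")
        # A dedent, or a new list item ('- key:'), starts a fresh mapping at that column.
        for col in [c for c in seen if c > indent or (m.group(2) and c == indent)]:
            del seen[col]
        block = seen.setdefault(indent, set())
        if m.group(3) in block:
            findings.append(m.group(3))
        block.add(m.group(3))
    return findings
```

A trailing `# contract-tests-v1.3.0` comment after a SHA, as in Semgrep's suggested change, is ignored by the `uses:` pattern, so a correctly pinned line passes clean.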

Contributor Author


This was already fixed in commit b63cae1 — the duplicate branch key was a transient issue from the previous commit that has been resolved. The latest commit has only one branch: main entry.

devin-ai-integration Bot and others added 2 commits March 6, 2026 22:59
GitHub's merge commit was duplicating the 'branch' key due to
incremental commits modifying the same lines. Reordering the inputs
ensures a clean merge diff.

Co-Authored-By: rlamb@launchdarkly.com <rlamb@launchdarkly.com>
Co-Authored-By: rlamb@launchdarkly.com <rlamb@launchdarkly.com>