
Commit d5a1551

authored
Merge pull request #3328 from conforma/fullsend/onboard
chore: update fullsend shim workflow
2 parents 495602e + 0314828 commit d5a1551

1 file changed

Lines changed: 95 additions & 0 deletions


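--- a/.github/workflows/fullsend.yaml
+++ b/.github/workflows/fullsend.yaml
@@ -0,0 +1,95 @@
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# lint-workflow-size: max-lines=280
+# fullsend shim workflow (workflow_call mode)
+# Routes events to agent workflows in .fullsend via workflow_call.
+# No secrets are needed in the enrolled repo — agents fetch scoped tokens
+# from the centralized token mint using GitHub OIDC.
+#
+# Security: pull_request_target runs the BASE branch version of this workflow,
+# preventing PRs from modifying it to exfiltrate credentials.
+# This shim never checks out PR code, so it is not vulnerable to "pwn request"
+# attacks.
+#
+# conforma is replaced by reconcile-repos.sh at deploy time.
+#
+# Routing: this shim forwards the raw event context to dispatch.yml, which
+# determines the stage from event_type + event_action + payload fields.
+# Adding a new stage requires only a case branch in dispatch.yml — zero
+# changes to enrolled repos.
+name: fullsend
+
+permissions:
+actions: write
+id-token: write
+contents: read
+pull-requests: read
+
+on:
+issues:
+types: [opened, edited, labeled]
+issue_comment:
+types: [created]
+pull_request_target:
+types: [opened, synchronize, ready_for_review, closed]
+pull_request_review:
+types: [submitted]
+
+jobs:
+dispatch:
+concurrency:
+group: fullsend-dispatch-${{ github.event.issue.number || github.event.pull_request.number }}
+cancel-in-progress: false
+if: >-
+github.event_name != 'issue_comment'
+|| github.event.comment.user.type != 'Bot'
+uses: conforma/.fullsend/.github/workflows/dispatch.yml@main
+with:
+event_action: ${{ github.event.action }}
+
+stop-fix:
+if: >-
+github.event_name == 'issue_comment'
+&& github.event.issue.pull_request
+&& github.event.comment.user.type != 'Bot'
+&& github.event.comment.body == '/fs-fix-stop'
+&& (
+github.event.comment.author_association == 'OWNER'
+|| github.event.comment.author_association == 'MEMBER'
+|| github.event.comment.author_association == 'COLLABORATOR'
+|| github.event.comment.author_association == 'CONTRIBUTOR'
+|| github.event.comment.user.login == github.event.issue.user.login
+)
+runs-on: ubuntu-latest
+permissions:
+contents: read
+issues: write
+pull-requests: write
+steps:
+- name: Add fullsend-no-fix label and notify
+env:
+GH_TOKEN: ${{ github.token }}
+PR_NUMBER: ${{ github.event.issue.number }}
+REPO: ${{ github.repository }}
+run: |
+gh label create "fullsend-no-fix" --repo "$REPO" \
+--description "Skip bot-triggered fix agent runs" --color "FBCA04" \
+--force 2>/dev/null || true
+gh pr edit "$PR_NUMBER" --repo "$REPO" \
+--add-label "fullsend-no-fix"
+gh pr comment "$PR_NUMBER" --repo "$REPO" \
+--body "Fix agent disabled for this PR. Remove the \`fullsend-no-fix\` label or use \`/fs-fix\` to re-engage."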
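Review bot: The workflow-level `permissions:` block under `name: fullsend` grants `actions: write` and `id-token: write` to the `dispatch` job on every `pull_request_target` event, fork PRs included, and that job's `if` only filters bot comments, so an untrusted fork PR reaches `dispatch.yml` carrying those grants and the repository's OIDC identity; whether that is safe depends on what the reusable workflow does with the event payload, which is not visible here. Because `stop-fix` already overrides its own `permissions:`, the top-level block effectively serves only `dispatch` — moving it under `dispatch:` (a job-level `permissions:` on a `uses:` job caps what the called workflow can request) prevents the grant from silently applying to any job added later. `uses: conforma/.fullsend/.github/workflows/dispatch.yml@main` is a mutable ref, so the header's "never checks out PR code" guarantee covers only this shim, while what actually runs with `id-token: write` is whatever is on `main` at trigger time; pinning to a commit (`dispatch.yml@<commit-sha>`) and having reconcile-repos.sh bump it would make that invariant auditable, if the deploy flow can carry it. The `stop-fix` gate also accepts `CONTRIBUTOR`, which GitHub assigns to anyone with a merged commit; that is reasonable for a stop-only action limited to label/comment writes, but deserves a comment such as `# CONTRIBUTOR is intentionally allowed: stopping the fix agent only adds a label and a comment`.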
