Skip to content

Commit 557c374

Browse files
docs: align architecture and comments with ADR 41 dispatch
Update stale references to thin callers and per-org OIDC minting in dispatch.yml; align retro-analysis skill and layer comments with the synchronous workflow_call pattern. Signed-off-by: Barak Korren <bkorren@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 408fe44 commit 557c374

4 files changed

Lines changed: 15 additions & 36 deletions

File tree

.github/workflows/reusable-dispatch.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
# Reusable dispatch workflow for per-repo installation mode.
22
# Routes events to the appropriate stage reusable workflow via conditional
3-
# workflow_call jobs. This is the per-repo equivalent of the per-org
4-
# dispatch.yml + thin caller pair.
3+
# workflow_call jobs. Same direct-dispatch pattern as per-org dispatch.yml
4+
# (ADR 0041).
55
#
66
# Flow: shim (per-repo) → reusable-dispatch.yml → reusable-{stage}.yml
77
# Nesting: 3 levels of workflow_call (within GitHub's 4-level limit)

docs/architecture.md

Lines changed: 6 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -39,12 +39,11 @@ Infrastructure platform choice and configuration are specified in the adopting o
3939

4040
- Forge abstraction: all forge operations go through the `forge.Client` interface, keeping the rest of the codebase forge-agnostic ([ADR 0005](ADRs/0005-forge-abstraction-layer.md)).
4141
- Installation model: ordered layer stack (install forward, uninstall reverse, analyze for status reporting) with idempotent operations. Current stack: config-repo → workflows → secrets → inference → dispatch → enrollment ([ADR 0006](ADRs/0006-ordered-layer-model.md)).
42-
- Cross-repo dispatch: enrolled repos call `.fullsend` via `workflow_call`; a dispatch workflow mints OIDC tokens exchanged at a central token mint (GCP Cloud Function) for scoped GitHub App installation tokens per agent role. App PEM secrets are stored in Secret Manager, not the config repo ([ADR 0008](ADRs/0008-workflow-dispatch-for-cross-repo-dispatch.md)).
42+
- Cross-repo dispatch: enrolled repos call `.fullsend` via `workflow_call`; dispatch routes events to upstream reusable workflows via synchronous `workflow_call` jobs. Each reusable workflow mints OIDC tokens exchanged at a central token mint (GCP Cloud Function) for scoped GitHub App installation tokens per agent role. App PEM secrets are stored in Secret Manager, not the config repo ([ADR 0008](ADRs/0008-workflow-dispatch-for-cross-repo-dispatch.md), [ADR 0041](ADRs/0041-synchronous-workflow-call-event-dispatch.md)).
4343
- Shim workflow security: `pull_request_target` prevents PR authors from modifying the shim workflow. No long-lived secrets flow through the shim — OIDC tokens are issued by the GitHub runtime and scoped to the workflow run ([ADR 0009](ADRs/0009-pull-request-target-in-shim-workflows.md)).
4444
- Repo maintenance: a workflow in `.fullsend` (`.github/workflows/repo-maintenance.yml`) reconciles enrollment shims in target repos when `config.yaml` changes or on manual dispatch. The CLI's `EnrollmentLayer.Install()` dispatches this workflow via `workflow_dispatch` and monitors it for completion, then reports any enrollment PRs created in target repos.
4545
- Installer scaffold: the `WorkflowsLayer` deploys content from an embedded scaffold (`internal/scaffold/`), keeping deployable files as real files under version control rather than Go string constants.
46-
- Reusable workflows: agent workflows in `.fullsend` are thin callers (~40-70 lines) that delegate infrastructure logic to upstream reusable workflows (`fullsend-ai/fullsend/.github/workflows/reusable-*.yml`) via `workflow_call`. Infrastructure patches ship once upstream and propagate to all orgs without re-install ([ADR 0031](ADRs/0031-reusable-workflows-for-action-installed-distribution.md)).
47-
- Event-driven stage dispatch: eliminate `workflow_dispatch` + `gh workflow run` fan-out from `dispatch.yml` in favor of synchronous `workflow_call` so the dispatched run stays linked to the caller ([ADR 0041](ADRs/0041-synchronous-workflow-call-event-dispatch.md)).
46+
- Reusable workflows: `dispatch.yml` in `.fullsend` calls upstream reusable workflows (`fullsend-ai/fullsend/.github/workflows/reusable-*.yml`) directly via `workflow_call` jobs (no per-stage thin callers). Infrastructure patches ship once upstream and propagate to all orgs without re-install ([ADR 0031](ADRs/0031-reusable-workflows-for-action-installed-distribution.md), [ADR 0041](ADRs/0041-synchronous-workflow-call-event-dispatch.md)).
4847

4948
**Open questions:**
5049

@@ -131,10 +130,6 @@ The mechanism that assigns work to agents and prevents conflicts. Responsible fo
131130

132131
The existing design principle is that [the repo is the coordinator](problems/agent-architecture.md#interaction-model-the-repo-as-coordinator) — branch protection, CODEOWNERS, status checks, and GitHub events provide coordination without a central orchestrator. The agent dispatch and coordination layer may be nothing more than the glue that connects GitHub webhooks to agent infrastructure. Or it may need to be more.
133132

134-
**Decided:**
135-
136-
- Event-driven stage dispatch runs synchronously via `workflow_call` to preserve run correlation in the GitHub Actions UI (see [ADR 0041](ADRs/0041-synchronous-workflow-call-event-dispatch.md)).
137-
138133
**Open questions:**
139134

140135
- Is GitHub's event system sufficient, or do we need additional coordination logic (e.g. to prevent two code agents from picking up the same issue)?
@@ -180,7 +175,6 @@ Observability is a cross-cutting concern that touches every other component. Eac
180175
**Decided:**
181176

182177
- JSONL reasoning trace exposure: raw JSONL conversation transcripts are extracted from sandboxes and stored with owner-scoped access. Credential scanning acts as an invariant check on [ADR 0017](ADRs/0017-credential-isolation-for-sandboxed-agents.md)'s isolation model. Agents handling data from protected sources beyond the target repo can opt in to JSONL suppression via configuration ([ADR 0021](ADRs/0021-jsonl-reasoning-trace-exposure.md)).
183-
- Event-driven stage dispatch remains traceable end-to-end in the GitHub Actions UI by using synchronous `workflow_call` dispatch (see [ADR 0041](ADRs/0041-synchronous-workflow-call-event-dispatch.md)).
184178

185179
**Open questions:**
186180

@@ -518,14 +512,13 @@ GitHub event ──► SHIM WORKFLOW (fullsend.yml in enrolled repo)
518512
╔═══════════════════════════════════════════════════════════════╗
519513
║ DISPATCH WORKFLOW (.fullsend repo, dispatch.yml) ║
520514
║ ║
521-
║ Mints OIDC token → Cloud Function (token mint) → scoped ║
522-
║ GitHub App installation token per agent role. ║
523-
║ Dispatches per-role agent workflows (code.yml, triage.yml). ║
515+
║ Routes to stage; synchronous workflow_call to upstream ║
516+
║ reusable-{stage}.yml (or prioritize.yml in .fullsend). ║
524517
╚═══════════════════════════════════════════════════════════════╝
525518
526519
527520
╔═══════════════════════════════════════════════════════════════╗
528-
║ AGENT WORKFLOW (.fullsend repo, e.g. code.yml)
521+
║ AGENT WORKFLOW (fullsend-ai/fullsend reusable-*.yml) ║
529522
║ ║
530523
║ Validates source repo is enrolled in config.yaml. ║
531524
║ Uses scoped GitHub App tokens: ║
@@ -607,7 +600,7 @@ GitHub event ──► SHIM WORKFLOW (fullsend.yml in enrolled repo)
607600

608601
| Abstract layer | MVP technology | ADR |
609602
|---|---|---|
610-
| Dispatcher | Shim workflow (`fullsend.yml`) in enrolled repo → `workflow_call` to `.fullsend/dispatch.yml`OIDC mint → per-role agent workflows (thin callers → upstream reusable workflows) | [ADR 0008](ADRs/0008-workflow-dispatch-for-cross-repo-dispatch.md), [ADR 0031](ADRs/0031-reusable-workflows-for-action-installed-distribution.md) |
603+
| Dispatcher | Shim workflow (`fullsend.yml`) in enrolled repo → `workflow_call` to `.fullsend/dispatch.yml`synchronous `workflow_call` to upstream reusable workflows | [ADR 0008](ADRs/0008-workflow-dispatch-for-cross-repo-dispatch.md), [ADR 0031](ADRs/0031-reusable-workflows-for-action-installed-distribution.md), [ADR 0041](ADRs/0041-synchronous-workflow-call-event-dispatch.md) |
611604
| Agent runner | GitHub Actions job → `fullsend run` CLI (via `fullsend-ai/fullsend@v0` composite action) | |
612605
| Harness store | YAML files in `.fullsend/harness/` (e.g. `code.yaml`, `triage.yaml`) | |
613606
| Sandbox | OpenShell with per-agent L7 network policies (endpoint + binary restrictions) | |

internal/layers/workflows.go

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,9 +29,9 @@ func init() {
2929
}
3030

3131
// WorkflowsLayer manages workflow files and CODEOWNERS in the .fullsend
32-
// config repo. It writes the thin caller workflows, composite actions,
33-
// and a CODEOWNERS file that grants the installing user ownership of all
34-
// config-repo contents.
32+
// config repo. It writes dispatch.yml, prioritize.yml, repo-maintenance.yml,
33+
// composite actions, and a CODEOWNERS file that grants the installing user
34+
// ownership of all config-repo contents.
3535
type WorkflowsLayer struct {
3636
org string
3737
client forge.Client

internal/scaffold/fullsend-repo/skills/retro-analysis/SKILL.md

Lines changed: 4 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -29,35 +29,21 @@ gh run list --repo "$REPO_FULL_NAME" --workflow=fullsend.yaml \
2929
-q '.[] | select(.event == "issue_comment" or .event == "issues")'
3030
```
3131

32-
2. Find the corresponding agent runs in the dispatch repo:
32+
2. Find the corresponding dispatch runs in the config repo (triage/code/review/fix/retro run as jobs inside `dispatch.yml`):
3333

3434
```bash
35-
gh run list --repo "$DISPATCH_REPO" --workflow=triage.yml --limit 10 \
36-
--json databaseId,status,conclusion,createdAt
37-
```
38-
39-
3. If the issue reached `ready-to-code`, find code dispatches:
40-
41-
```bash
42-
gh run list --repo "$DISPATCH_REPO" --workflow=code.yml --limit 10 \
35+
gh run list --repo "$DISPATCH_REPO" --workflow=dispatch.yml --limit 10 \
4336
--json databaseId,status,conclusion,createdAt
4437
```
4538

4639
### From a PR
4740

4841
1. The PR branch follows `agent/{issue}-{slug}`. Extract the issue number to trace the full history.
4942

50-
2. Find review dispatches:
51-
52-
```bash
53-
gh run list --repo "$DISPATCH_REPO" --workflow=review.yml --limit 10 \
54-
--json databaseId,status,conclusion,createdAt
55-
```
56-
57-
3. Find fix dispatches (if review requested changes):
43+
2. Find dispatch runs for this PR (review/fix stages appear as jobs in the run):
5844

5945
```bash
60-
gh run list --repo "$DISPATCH_REPO" --workflow=fix.yml --limit 10 \
46+
gh run list --repo "$DISPATCH_REPO" --workflow=dispatch.yml --limit 10 \
6147
--json databaseId,status,conclusion,createdAt
6248
```
6349

0 commit comments

Comments
 (0)