feat(dispatch): synchronous workflow_call event dispatch (ADR 41) #1611
ifireball wants to merge 3 commits into
Site preview: https://5a45ee95-site.fullsend-ai.workers.dev
Update stale references to thin callers and per-org OIDC minting in dispatch.yml; address review feedback on PR fullsend-ai#1611.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
HIGH — Missing
`code) STAGE_ROLE="coder" ;;`
Compare with `code|fix) STAGE_ROLE="coder" ;;`
When a
(This line isn't in the PR diff — it's existing code that was carried forward without the fix that

HIGH — Same ternary kill-switch bug exists in `stage: ${{ steps.role-check.outputs.skipped == 'true' && '' || steps.route.outputs.stage }}`
Same
Suggestion: `stage: ${{ steps.role-check.outputs.skipped != 'true' && steps.route.outputs.stage || '' }}`
waynesun09 left a comment
Review Squad — 10-agent deep-dive on mint/OIDC impact
1 CRITICAL, 3 HIGH, 3 MEDIUM findings (see inline comments + PR comment for items on unchanged lines).
The central issue: permissions: {} at workflow level in the per-org dispatch.yml scaffold blocks id-token: write from propagating to stage jobs, which breaks OIDC token minting in all reusable workflows. The old flow worked because thin callers were independent workflow runs with their own permission grants — this PR inlines them as jobs under dispatch.yml's permissions: {} umbrella.
Additional issues: ternary expression bug defeats the role-check kill switch (both per-org and per-repo), fix role mapping is missing in per-org, and secrets: inherit on prioritize is inconsistent with other stages.
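The ternary kill-switch finding above is worth seeing executed. The following is an added example, not code from PR #1611 or the fullsend project: a small Python model of how GitHub Actions evaluates `&&` and `||` (per the public expression docs, both operators return one of their operand values rather than a boolean, and only `false`, `0`, `""` and `null` are falsy), applied to the two `stage:` expressions quoted in the review. The step names and the sample stage value `scan` are constructed for illustration; `skipped == 'true'` is modelled as a Python bool, which matches how the `==` operator behaves in Actions.

```python
"""Model of GitHub Actions `&&` / `||` semantics (added example, not PR code).

It reproduces the kill-switch bug called out in the review of PR #1611:
an expression of the form `cond && '' || fallback` can never yield '',
because '' is falsy and `||` falls through to the fallback.
"""


def truthy(value):
    """GitHub Actions truthiness: false, 0, '' and null are falsy.
    Everything else, including the *string* 'false', is truthy."""
    return value not in (False, 0, "", None)


def gha_and(left, right):
    """`left && right`: returns left when left is falsy, otherwise right.
    Short-circuit, value-returning, exactly like the Actions operator."""
    return left if not truthy(left) else right


def gha_or(left, right):
    """`left || right`: returns left when left is truthy, otherwise right."""
    return left if truthy(left) else right


def buggy_stage(skipped, stage):
    """stage: ${{ steps.role-check.outputs.skipped == 'true' && '' || steps.route.outputs.stage }}

    The intended 'true' branch is '', which is falsy, so `||` always
    falls through to `stage`. The role-check kill switch never fires.
    """
    return gha_or(gha_and(skipped == "true", ""), stage)


def fixed_stage(skipped, stage):
    """stage: ${{ steps.role-check.outputs.skipped != 'true' && steps.route.outputs.stage || '' }}

    Inverting the test puts the non-empty value in the `&&` branch, so
    the expression yields `stage` only when the role check did not skip
    and '' (fail-closed) when it did.
    """
    return gha_or(gha_and(skipped != "true", stage), "")


def compare(stage="scan"):
    """Evaluate both forms for skipped='true' and skipped='false'.
    Returns {(form, skipped): result} so the difference is visible in data."""
    results = {}
    for skipped in ("true", "false"):
        results[("buggy", skipped)] = buggy_stage(skipped, stage)
        results[("fixed", skipped)] = fixed_stage(skipped, stage)
    return results


if __name__ == "__main__":
    for (form, skipped), result in compare().items():
        print(f"{form:5s} skipped={skipped:5s} -> stage={result!r}")
```

The model makes the defender-relevant point explicit: a kill switch whose "on" branch evaluates to an empty string is not a kill switch, and the corrected form still fails closed (empty `stage`) when the routed stage itself is empty. The same check applies to any `cond && '' || value` pattern elsewhere in a workflow.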
Update stale references to thin callers and per-org OIDC minting in dispatch.yml; address review feedback on PR fullsend-ai#1611.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
(cherry picked from commit 21e5e0f)
034b8cb to 3df8b3d
Addressed review feedback from @waynesun09:
Update architecture.md and agent skills for synchronous workflow_call: finding-agent-runs and retro-analysis trace runs on the enrolled-repo shim (not separate .fullsend dispatch runs). Restore code-implementation API contract checklist dropped during rebase.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Barak Korren <bkorren@redhat.com>
Provision GCP secrets and region at org scope during install and refresh selected-repository access on admin enable/disable, matching FULLSEND_MINT_URL visibility for workflow_call dispatch from enrolled repos.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Barak Korren <bkorren@redhat.com>
bb09458 to e44b70f
Rebased onto current

@ralphbean — addressed the open skill threads (resolved with replies). @waynesun09 — prior CRITICAL/HIGH items remain in the workflow commit.
e44b70f to 6200a58
6200a58 to e44b70f
Ran into something on #1746 that I think is worth surfacing here. Greg filed that issue and it got labeled

Here's what happened: of the five runs, three were cancelled (queued runs get bumped when a newer one arrives — GitHub only keeps one pending per concurrency group). The two that survived and ran to completion had

Net result: the code agent never ran, even though the issue has

With the current async dispatch model, this is annoying but contained — only the ~2 second dispatch job is affected. In the synchronous

#1637 is asking exactly these questions — this is a concrete example of the problem it's pointing at.
The issue I opened is #1752.
Getting my old changes-requested review out of the way. I'm curious though what you think of the connection to #1752, @ifireball.
ralphbean left a comment
All the items from my May 29 review are addressed — the skills match the new run topology and the code-implementation checklist is back. LGTM.
I looked into this and found out two things:
With our current e2e coverage (or lack thereof) I cannot merge this in good faith. Moving to draft as I work toward having enough e2e coverage in place.
With the per-org going away, this can be closed as well?
Summary

- `dispatch.yml` → `reusable-*.yml@v0` (synchronous `workflow_call`), replacing `# fullsend-stage:` scanning and `gh workflow run`.
- `prioritize.yml` gains `workflow_call` with declared secrets.
- `fullsend.yaml` on the enrolled repo (caller run includes dispatch + stage jobs).

Commit structure

- (`finding-agent-runs`, `retro-analysis`)

Review feedback addressed

- `code|fix` → `coder` role mapping
- `secrets: inherit` into `dispatch.yml`; dispatch declares required GCP `workflow_call` secrets
- `reusable-dispatch`: `prioritize` job; fail-closed
- `reusable-fix` bot eligibility
- `fullsend.yaml` (not separate `.fullsend` `dispatch.yml` runs)
- `admin enable/disable` updates selected-repo access (same pattern as `FULLSEND_MINT_URL`)

Migration

- `fullsend admin install <org>` (or `admin enable repos` to refresh org secret visibility).
- `# fullsend-stage:` workflows `workflow_call` job in `dispatch.yml`; remove markers.

Test plan

- `make go-test` / scaffold + layers unit tests
- e2e note: Shim may still fail until reusable workflow changes are on `@v0` (post-merge release) or #1278 lands for PR-branch pinning.

Supersedes closed #1586.