build(action): action.yml now compiles from source if not release#2053
Conversation
Site previewPreview: https://cc1630d5-site.fullsend-ai.workers.dev Commit: |
|
🤖 Finished Review · ✅ Success · Started 7:33 AM UTC · Completed 7:48 AM UTC |
ReviewFindingsMedium
Low
Info
Previous runReviewFindingsMedium
Low
Info
|
| fi | ||
|
|
||
| HTTP_STATUS="$(curl -sL -o /dev/null -w "%{http_code}" \ | ||
| -H "Accept: application/vnd.github+json" \ |
There was a problem hiding this comment.
[medium] error handling gap
The release existence check treats ANY non-200 HTTP status (including 403 rate-limit, 500 server error, or network timeout returning 000) as 'release not found' and falls through to a source build instead of surfacing the real error.
Suggested fix: Distinguish between 404 (genuinely no release) and other HTTP status codes. For 403/429/5xx/000, either retry or fail with a clear error message.
| if [[ -n "${VENDORED}" ]]; then | ||
| echo "Using vendored binary: ${VENDORED#"${GITHUB_WORKSPACE}/"}" | ||
| echo "install-method=vendored" >> "${GITHUB_OUTPUT}" | ||
| echo "vendored-path=${VENDORED}" >> "${GITHUB_OUTPUT}" |
There was a problem hiding this comment.
[medium] error handling gap
The 'Detect install method' step resolves the 'latest' tag and checks release existence using plain curl without retries. The original code used retry_curl (3 attempts with exponential backoff). The retry_curl function is only defined in the 'Download release binary' step. This is a resilience regression.
Suggested fix: Either define retry_curl in the detect step as well, or extract it into a shared function defined before both steps.
There was a problem hiding this comment.
+1 — I'm battling transient API flakes in e2e right now and retries everywhere help. This one's worth fixing before we merge.
| GH_TOKEN: ${{ inputs.github_token }} | ||
| run: | | ||
| set -euo pipefail | ||
| SRC="${RUNNER_TEMP}/fullsend-src" |
There was a problem hiding this comment.
[medium] edge case
The source build path uses 'git fetch --depth 1 origin "${SOURCE_REF}"'. If SOURCE_REF is a full commit SHA, this will fail because GitHub does not allow fetching arbitrary commit SHAs via shallow fetch. Branch names and tags work, but SHAs fail with a confusing 'unadvertised object' error.
Suggested fix: Document that SOURCE_REF must be a branch name or tag. Alternatively, fall back to a full clone or use the GitHub archive API for SHA-based refs.
There was a problem hiding this comment.
I think we'll need SHA support here — for e2e and CI, pinning to a specific commit is the main use case for source builds.
ralphbean
left a comment
There was a problem hiding this comment.
The three-tier fallback makes sense. A few things to sort out — mostly around making the detect step as resilient as the download step, and getting the version stamp right for source builds. See inline comments and the threads on the bot's review.
| run: | | ||
| set -euo pipefail | ||
| mkdir -p "${RUNNER_TEMP}/fullsend" | ||
| cd "${RUNNER_TEMP}/fullsend-src" |
There was a problem hiding this comment.
[important] The Makefile already handles version stamping — make go-build passes -ldflags with git describe --tags --always --dirty. Could we use make go-build here and then copy bin/fullsend into place? That keeps the version logic in one place, and fullsend --version would show the actual commit ref instead of dev.
Without ldflags, internal/cli.version defaults to "dev", and the CLI uses that string in binary.ResolveForRun and binary.ResolveForVendor — so it's not just cosmetic.
| env: | ||
| SOURCE_REF: ${{ steps.detect.outputs.source-ref }} | ||
| GH_TOKEN: ${{ inputs.github_token }} | ||
| run: | |
There was a problem hiding this comment.
[non-blocking] If git fetch fails, the token embedded in the remote URL could end up in stderr. The default GITHUB_TOKEN gets auto-masked by Actions, but a custom PAT might not. An ::add-mask::${GH_TOKEN} before the git commands would cover that edge.
action.yml now uses a detect-then-act pattern (vendored → release → source build). Signed-off-by: Hector Martinez <hemartin@redhat.com> Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Hector Martinez <hemartin@redhat.com>
48e69cc to
3ffbdb5
Compare
|
🤖 Finished Review · ✅ Success · Started 1:25 PM UTC · Completed 1:39 PM UTC |
| -H "Accept: application/vnd.github+json" \ | ||
| -H "Authorization: Bearer ${GH_TOKEN}" \ | ||
| "https://api.github.com/repos/fullsend-ai/fullsend/releases/tags/${VERSION_URL}")" | ||
|
|
There was a problem hiding this comment.
[medium] error handling gap
The release-existence check uses retry_curl -sL -o /dev/null -w "%{http_code}" without -f. Because curl returns exit code 0 for any completed HTTP response when -f is absent, retry_curl will never retry this call regardless of the HTTP status. If the GitHub API returns a transient error (429, 503), retry_curl does not retry, and the step falls into the else branch which exits with an error.
Suggested fix: Either add -f so that non-2xx responses trigger retry_curl retries, or add an inner retry loop for 429/5xx status codes.
| macos) os=darwin ;; | ||
| esac | ||
|
|
||
| arch="$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')" |
There was a problem hiding this comment.
[low] edge case
When shallow fetch fails, the fallback performs a full git clone. If SOURCE_REF is invalid, the clone succeeds but git checkout fails, wasting time and resources.
Suggested fix: After the full clone, validate SOURCE_REF exists before proceeding.
| chmod +x "${RUNNER_TEMP}/fullsend/fullsend" | ||
| echo "${RUNNER_TEMP}/fullsend" >> "${GITHUB_PATH}" | ||
|
|
||
| - name: Download release binary |
There was a problem hiding this comment.
[low] missing validation
If the detect step completes without setting install-method, all install steps are silently skipped. Defense-in-depth concern, not a current bug.
| shell: bash | ||
| env: | ||
| SOURCE_REF: ${{ steps.detect.outputs.source-ref }} | ||
| GH_TOKEN: ${{ inputs.github_token }} |
There was a problem hiding this comment.
[low] edge case
Source build uses make go-build which relies on git describe --tags. In a shallow clone, tags are not fetched, so the binary reports an inaccurate version string.
ralphbean
left a comment
There was a problem hiding this comment.
All four items from my previous review are addressed in the rebase. LGTM.
|
🤖 Finished Retro · ✅ Success · Started 6:56 AM UTC · Completed 7:01 AM UTC |
Retro: PR #2053 —
|
Summary
Now the action.yml tries to find a version that matches, if it does not it clones the repository at the ref and then compiles the binary.