fix(dispatch): per-role two-layer concurrency for per-repo (#981)#2465
Conversation
…ai#981) Remove the monolithic per-repo shim concurrency group and add matching cancel-in-progress groups on reusable-dispatch stage jobs plus all reusable-{stage}.yml workflows so roles dedupe independently. Signed-off-by: Barak Korren <bkorren@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
PR Summary by QodoPer-role concurrency for per-repo dispatch workflows Description
Diagram
High-Level Assessment
Files changed (10)
|
Site previewPreview: https://e828f5bf-site.fullsend-ai.workers.dev Commit: |
|
🤖 Finished Review · ✅ Success · Started 8:39 AM UTC · Completed 8:53 AM UTC |
Code Review by Qodo
Context used✅ Tickets:
🎫 Deduplicate review dispatches for the same HEAD SHA 🎫 Follow-up: document concurrency/cancel-in-progress & fan-out semantics under synchronous dispatch (post ADR 0041) 🎫 Concurrency group cancels code dispatch when triage applies multiple labels✅ Compliance rules (platform):
58 rules✅ Skills:
writing-user-docs, writing-adrs 1.
|
ReviewFindingsMedium
Previous runReviewFindingsMedium
Low
Previous run (2)ReviewFindingsMedium
Low
Previous run (3)ReviewFindingsMedium
Low
Previous run (4)ReviewFindingsMedium
Low
Labels: PR fixes dispatch concurrency groups across workflow files and scaffold templates. Previous run (5)ReviewFindingsMedium
Low
Previous run (6)ReviewFindingsMedium
Low
Labels: PR fixes dispatch concurrency groups across workflow files and scaffold templates. |
Signed-off-by: Barak Korren <bkorren@redhat.com>
Align ADR 0034/0041 consequences with per-role cancel-in-progress groups introduced for per-repo dispatch (fullsend-ai#981). Fixes gofmt CI failure. Signed-off-by: Barak Korren <bkorren@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
|
🤖 Review · ❌ Terminated · Started 9:56 AM UTC · Ended 10:11 AM UTC |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Babysit update
|
|
🤖 Finished Review · ✅ Success · Started 9:56 AM UTC · Completed 10:11 AM UTC |
Signed-off-by: Barak Korren <bkorren@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
|
🤖 Review · |
…ncel Per-role groups on workflow_call parents (thin callers and reusable-dispatch stage jobs) share keys with reusable stage workflows. Duplicate groups with cancel-in-progress cancel the parent immediately, breaking e2e triage (fullsend-ai#981). Signed-off-by: Barak Korren <bkorren@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
|
🤖 Finished Review · ✅ Success · Started 10:25 AM UTC · Completed 10:40 AM UTC |
Add individual finding logging (scanner name + detail) after the summary count line in sanitizeReviewResult, matching the established pattern in scan.go:194-196 and run.go:1831. Addresses review feedback on fullsend-ai#2444
…ize-post-review fix(fullsend-ai#1230): run OutputPipeline on post-review before posting to forge
docs(problems): add MCP configuration drift problem doc
The `fullsend github setup` command creates commits via the GitHub API without Signed-off-by trailers, causing DCO checks to reject the scaffold PR in orgs that enforce sign-off. This adds a `GetAuthenticatedUserIdentity` method to the forge Client interface that retrieves the authenticated user's display name and email. The WorkflowsLayer gains a `WithSignOff` builder method that appends a Signed-off-by trailer to all commit messages it produces (scaffold commit, activation commit). The CLI wiring calls GetAuthenticatedUserIdentity and configures the layer when the identity is available (PAT/OAuth tokens). For GitHub App installation tokens, the identity call fails gracefully and no trailer is appended — this is correct because autonomous agent commits are exempt from DCO per project policy. Note: pre-commit could not run in the sandbox (shellcheck_py network error during install). The post-script runs pre-commit authoritatively. Closes fullsend-ai#2591
Only wrap errors with forge.ErrNotFound for HTTP 403/404 responses (e.g., GitHub App installation tokens). Other errors (network failures, server errors) are returned without the ErrNotFound sentinel so callers can distinguish permanent from transient failures. Add test verifying non-permission errors are not wrapped as ErrNotFound. Addresses review feedback on fullsend-ai#2595
…old-signoff fix(fullsend-ai#2591): add Signed-off-by trailer to scaffold PR commits
fix(deps): restore toml-eslint-parser for CI deploy
Add a pre-commit hook that runs `pinact run --fix=false --no-api` to verify all GitHub Actions references use full-length commit SHAs. The --no-api flag ensures the check is offline-only (syntactic SHA presence) so it won't break when new action versions are released. Also install pinact in the CI lint workflow so the hook passes there. Depends-on: fullsend-ai#1055 (auto-detect pre-commit tool dependencies) Assisted-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Ralph Bean <rbean@redhat.com>
The new pinact pre-commit hook correctly caught these unpinned actions. Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Ralph Bean <rbean@redhat.com>
Add pinact installation to `make bootstrap` so local devs get the SHA-pin checker without manual setup. Expand the pre-commit hook's files regex to also match `.github/actions/`, aligning it with the paths configured in `.pinact.yaml`. Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com> Signed-off-by: Ralph Bean <rbean@redhat.com>
…commit-hook chore(ci): add pinact pre-commit hook to enforce SHA-pinned actions
Signed-off-by: Barak Korren <bkorren@redhat.com>
Defense-in-depth: dispatch and agent groups for triage, code, and prioritize now chain issue.number || pull_request.number like review/fix/retro. Tighten shim template test to match indented concurrency keys only (fullsend-ai#981). Signed-off-by: Barak Korren <bkorren@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
|
🤖 Finished Review · ✅ Success · Started 11:42 AM UTC · Completed 11:51 AM UTC |
82fc89b to
a3bbc22
Compare
Resolve conflicts: keep ADR 0054 dispatch authorization gates, mint-in-binary code workflow env, and agent-scoped concurrency groups from fullsend-ai#981. Signed-off-by: Barak Korren <bkorren@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
fullsend-dispatch-{issue|pr}concurrency group from the per-repo shim template — it serialized unrelated roles and could drop the wrong pending run when multiple label events arrived in quick succession (Concurrency group cancels code dispatch when triage applies multiple labels #2452).cancel-in-progress: trueconcurrency on all six stage jobs inreusable-dispatch.yml(triage, code, review, fix, retro, prioritize).reusable-{stage}.ymlworkflows (defense-in-depth for overlappingworkflow_callinvocations and manual re-triggers).Roles operate independently: a review dispatch does not cancel triage, code, fix, etc.
History (why this is messy)
dispatch-triage,dispatch-fix, etc., butdispatch-reviewanddispatch-codedid not → PR refactor: unify mint provisioning and harden URL validation #930 saw 23 review dispatches, only 8 useful.dispatchjob with a shared queue group; per-stage cancellation moved to per-org thin callers (review.yml, etc.).reusable-dispatch.ymlwas documented to get per-stage concurrency (PR feat: add per-repo installation mode (ADR 0033) #799) but never did.This PR implements the two-layer, per-role policy ADR 0033 intended for per-repo installs.
Issues
Closes #981
Closes #982
Closes #1357
Also addresses:
Not solved here (follow-ups):
Test plan
mise exec -- go test ./internal/scaffold/ -vMade with Cursor