feat(#2735): replace GitHub Contents API with git sparse checkout #2736
PR Summary by Qodo: Replace GitHub Contents API directory fetch with git sparse checkout
Files changed (15)
Site preview: https://3bec34ed-site.fullsend-ai.workers.dev
🤖 Finished Review · ✅ Success · Started 7:53 PM UTC · Completed 8:09 PM UTC
Code Review by Qodo
Context used
✅ Tickets:
🎫 mint: add loader role so the binary self-mints tokens for URL-based harness loading
🎫 refactor(forge): replace GitHub Contents API with git-based directory fetching
✅ Compliance rules (platform): 51 rules
✅ Skills: writing-user-docs, writing-adrs
1. Tempdir escape via path
Looks good to me
Labels: PR already has appropriate component labels (component/harness, component/skills). The requires-manual-review label is present.
Labels: PR already has appropriate component labels. The type/feature label matches the feat() prefix in the PR title.
Labels: PR modifies Go source code across harness, forge, and fetch service packages and introduces a new gitfetch package.
Labels: PR modifies harness composition, forge URL handling, and skill fetching infrastructure
c093313 to de25216
🤖 Finished Review · ✅ Success · Started 8:23 PM UTC · Completed 8:37 PM UTC
de25216 to 9895660
🤖 Finished Review · ✅ Success · Started 9:06 PM UTC · Completed 9:21 PM UTC
9895660 to 7213182
🤖 Finished Review · ✅ Success · Started 9:33 PM UTC · Completed 9:50 PM UTC
7213182 to a5c1e76
🤖 Finished Review · ❌ Failure · Started 9:56 PM UTC · Completed 10:11 PM UTC
a5c1e76 to cb9b8a7
🤖 Finished Review · ✅ Success · Started 10:20 PM UTC · Completed 10:35 PM UTC
007b58c to 1a59952
🤖 Finished Review · ✅ Success · Started 2:09 PM UTC · Completed 2:27 PM UTC
1a59952 to 9ae3926
🤖 Finished Review · ✅ Success · Started 10:09 PM UTC · Completed 10:23 PM UTC
Superseded by updated review
🤖 Finished Review · ✅ Success · Started 11:15 PM UTC · Completed 11:29 PM UTC
🤖 Finished Review · ✅ Success · Started 11:35 PM UTC · Completed 12:02 AM UTC
🤖 Finished Review · ❌ Failure · Started 12:29 AM UTC · Completed 12:42 AM UTC
…heckout
Replaces forge-specific GitHub Contents API calls with forge-agnostic git sparse-checkout for skill directory fetching. This eliminates the chicken-and-egg token problem (issue fullsend-ai#2722) and prepares for GitLab support by using git commands that work identically across forges.
New package internal/gitfetch provides FetchTree using shallow clone with blob filter and sparse-checkout. Auth uses GIT_CONFIG_COUNT env vars (never written to disk). Includes URL scheme validation, path traversal prevention, ref option injection prevention (-- separator), token redaction in errors, and typed TransientError for stale-cache fallback.
Migrates ComposeOpts, ResolveOpts, and ServiceConfig from ForgeClient forge.Client to TreeFetcher gitfetch.TreeFetchFunc + GitToken string. Adds CloneURL() to ForgeURLInfo for constructing clone URLs from parsed forge metadata.
Closes fullsend-ai#2735
Supersedes fullsend-ai#2722
Signed-off-by: Greg Allen <gallen@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Greg Allen <gallen@redhat.com>
🤖 Finished Review · ✅ Success · Started 12:52 AM UTC · Completed 1:04 AM UTC
🤖 Finished Retro · ✅ Success · Started 1:19 AM UTC · Completed 1:28 AM UTC
Retro: PR #2736 — Replace GitHub Contents API with git sparse checkout
Workflow overview
This was a human-authored PR by
Review quality: Excellent
The review bot delivered high-quality findings across 30 review rounds:
Human review comparison
Cost observation
25 force pushes triggered 30 review rounds (29 status comments + 1 sticky consolidated comment). The most-repeated finding (token resolution downgrade) appeared in ~20 of 29 rounds. This is expensive but was driven by the author's rapid iteration cycle.
Proposals: None (existing issues cover all improvement vectors)
All identified improvement areas are already tracked by open issues in this repo:
The workflow functioned well overall — the bot caught real security and correctness issues that the early human approval missed, and the author was responsive to all feedback.
Summary
- internal/gitfetch package that fetches directory trees via git sparse checkout (--filter=blob:none --depth 1), replacing GitHub Contents API calls (ListDirectoryContents + GetFileContentAtRef)
- CloneURL() method to ForgeURLInfo for forge-agnostic clone URL construction (maps forge names → hostnames)
- compose.go, resolve.go, fetchsvc/service.go, run.go, lock.go) from ForgeClient to TreeFetcher gitfetch.TreeFetchFunc + GitToken string
- GH_TOKEN injection from action.yml "Run fullsend" step — the ambient GITHUB_TOKEN is resolved by resolveToken() at runtime
Motivation
This eliminates the chicken-and-egg problem described in #2722:
LoadWithBase() needs a token to fetch skill directories via the GitHub Contents API, but the mint role needed to obtain that token is only known after loading the base. PR #2720 worked around this by injecting GH_TOKEN, but that's over-privileged.
With git sparse checkout:
- GITHUB_TOKEN (always available in Actions)
What stays unchanged
- forge.Client interface — ListDirectoryContents/GetFileContentAtRef remain (used by DiscoverRemoteAgents)
- FakeClient — stays for discover_remote_test.go
Test plan
- internal/gitfetch package: 86.1% coverage (>85% threshold)
- TreeFetchFunc instead of FakeClient
- go test ./internal/gitfetch/ ./internal/harness/ ./internal/resolve/ ./internal/fetchsvc/ ./internal/forge/ ./internal/cli/ — all pass
- go vet — clean on all changed packages
Closes #2735
Refs #2722, #2720
🤖 Generated with Claude Code
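The input checks the commit message lists for internal/gitfetch (URL scheme validation, path traversal prevention, option-injection prevention, environment-only auth via GIT_CONFIG_COUNT, token redaction) can be exercised without running git. The Go below is an added example, not the PR's code: Plan, BuildPlan, basic and Redact are hypothetical names, and the host-scoped http.<url>.extraHeader key with an x-access-token basic credential is an assumed auth mechanism that the page does not specify.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)
// Plan (hypothetical type): two git argv lists plus extra child environment.
type Plan struct{ Clone, Sparse, Env []string }
// basic builds a GitHub-style basic credential (assumed auth mechanism).
func basic(token string) string { return base64.StdEncoding.EncodeToString([]byte("x-access-token:" + token)) }
// BuildPlan validates untrusted inputs before any git process is started.
func BuildPlan(cloneURL, ref, dir, dest, token string) (*Plan, error) {
	u, err := url.Parse(cloneURL)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil {
		return nil, errors.New("clone URL must be https without embedded credentials")
	}
	if ref == "" || strings.HasPrefix(ref, "-") {
		return nil, errors.New("ref must not be empty or look like an option")
	}
	clean := path.Clean(dir)
	if path.IsAbs(dir) || clean == "." || clean == ".." ||
		strings.HasPrefix(clean, "../") || strings.HasPrefix(clean, "-") {
		return nil, errors.New("dir must be a relative path inside the repository")
	}
	p := &Plan{
		Clone: []string{"git", "clone", "--filter=blob:none", "--depth", "1",
			"--sparse", "--branch", ref, "--", cloneURL, dest}, // "--" ends option parsing
		Sparse: []string{"git", "-C", dest, "sparse-checkout", "set", clean},
	}
	if token != "" { // credential exists only in the child environment, scoped to one host
		p.Env = []string{"GIT_CONFIG_COUNT=1",
			"GIT_CONFIG_KEY_0=http.https://" + u.Host + "/.extraHeader",
			"GIT_CONFIG_VALUE_0=Authorization: Basic " + basic(token)}
	}
	return p, nil
}
// Redact strips the token and its encoded form from git error text.
func Redact(msg, token string) string {
	if token == "" {
		return msg
	}
	return strings.NewReplacer(token, "[REDACTED]", basic(token), "[REDACTED]").Replace(msg)
}
// Constructed sample inputs; the plan is only printed, git is never executed.
func main() { fmt.Println(BuildPlan("https://github.com/example/repo.git", "main", "skills/demo", "/tmp/demo", "constructed-token")) }
```

Appending Plan.Env to the child process environment (exec.Cmd.Env) keeps the credential out of .git/config and out of the git command line.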