Add Cloud Tasks lock to orchestrator to prevent duplicate execution #113
Open
victor-paunescu wants to merge 1 commit into
Still need readability approvals from:
christophervoelpel added a commit to christophervoelpel/scene-machine that referenced this pull request Jun 17, 2026

…oogle-marketing-solutions#113 Cloud Tasks lock

Pre-merge review and hardening:

- Split the build and runtime service accounts. The app and worker now run as a dedicated runtime service account that does not hold artifactregistry.writer, so a compromised app cannot push or overwrite container images.
- Enforce a content-type allow-list on the signed-upload endpoint.
- Remove the unnecessary storage target-apply from the firestore-only deploy phase so it cannot abort and leave the deny-all rules undeployed.
- Route the raw Cloud Run and service-account IAM grants through the retry wrapper, and give the worker a finite gunicorn timeout.
- Fix the generation flow in the UI: do not resume until the global config has loaded, keep the in-flight marker when only URL signing fails, make render-resume per-execution, guard a malformed signed-URL expiry, and tolerate a single missing URL in a batch sign request.
- Reject an empty template update and surface an expired status-viewer session.
- Update the storage-rules test to match the deny-all rules, remove README trailing whitespace, and add a diff-check CI step.
- Add regression tests for the above.

Keep the PR google-marketing-solutions#113 fix from regressing:

- Port the Cloud Tasks duplicate-execution lock. The worker acquires and releases a per-task Firestore lock and the deploy enables its TTL, so this rewrite of orch.py and deploy.sh does not drop the fix when it lands after PR google-marketing-solutions#113.
christophervoelpel added a commit to christophervoelpel/scene-machine that referenced this pull request Jun 17, 2026

…ions#113 Cloud Tasks lock

The lock added in PR google-marketing-solutions#113 reads executionId, nodeId, groupId and workflowDefinition from the task payload, so the older test that posted the pre-lock payload shape raised a KeyError and returned 500 (red Python CI).

- Update test_worker_url_overrides_host_for_trigger_action to send a valid Cloud Tasks payload and acquire the lock.
- Add tests for the lock behavior: a duplicate delivery is skipped with 'Already Triggered', a retryable failure releases the lock and returns 429, and a non-retryable failure keeps the lock.
- Validate the task payload in the handler so a malformed body returns a clean 400 instead of a 500, and add a test for it.

This keeps the PR google-marketing-solutions#113 duplicate-execution protection as the source of truth rather than weakening it to satisfy the stale test.
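The lock behaviour these two commit messages describe, sketched as an added example that is not code from the pull request or the project. An in-memory set stands in for the Firestore lock collection; `LockStore`, `RetryableError`, `handle_task`, the lock-key composition, and the 200 status for skipped and non-retryable deliveries are assumptions, and TTL expiry is not modelled.

```python
import threading

ID_FIELDS = ("executionId", "nodeId", "groupId")


class RetryableError(Exception):
    """Transient failure; the queue should redeliver the task."""


class LockStore:
    """In-memory stand-in for a create-if-absent lock document store."""

    def __init__(self):
        self._held = set()
        self._mu = threading.Lock()

    def acquire(self, key):
        with self._mu:  # check-and-insert must be one atomic step
            if key in self._held:
                return False
            self._held.add(key)
            return True

    def release(self, key):
        with self._mu:
            self._held.discard(key)

    def held(self, key):
        with self._mu:
            return key in self._held


def handle_task(payload, store, run_node):
    """Process one task delivery and return (body, http_status)."""
    # Validate before any key lookup so a malformed body is a 400, not a KeyError/500.
    if not isinstance(payload, dict) or "workflowDefinition" not in payload:
        return "Bad Request", 400
    if any(not isinstance(payload.get(f), str) or not payload[f] for f in ID_FIELDS):
        return "Bad Request", 400
    key = tuple(payload[f] for f in ID_FIELDS)  # assumed lock-key composition
    if not store.acquire(key):
        return "Already Triggered", 200  # duplicate delivery is skipped (200 assumed)
    try:
        run_node(payload)
    except RetryableError:
        store.release(key)  # free the lock so the redelivery can run
        return "Retry", 429
    except Exception:
        return "Failed", 200  # assumed status; lock is kept so a redelivery is skipped
    return "OK", 200
```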
No description provided.