Skip to content

feat(#2096): add two-pass review strategy for large PRs#57

Closed
guyoron1 wants to merge 181 commits into
mainfrom
mirror/2303-2096-two-pass-review-strategy
Closed

feat(#2096): add two-pass review strategy for large PRs#57
guyoron1 wants to merge 181 commits into
mainfrom
mirror/2303-2096-two-pass-review-strategy

Conversation

@guyoron1

Copy link
Copy Markdown
Owner

Mirror of upstream fullsend-ai#2303

For PRs with 30+ files, the review orchestrator now runs a lightweight security-triage pre-pass before dispatching dimension sub-agents. Security-critical files get prioritized context in sub-agent packages.

Benkapner and others added 30 commits June 7, 2026 09:54
Add a new subsection under "CI pipeline for agent configurations"
elaborating on Step 1 (static analysis). Covers component-level
checks (structural integrity, security patterns, token budget),
setup-level analysis (redundancy detection, dependency validation,
token budget distribution, trigger overlap, dimension scoring),
and optional LLM-based rubric scoring. Presents similarity
techniques as options (TF-IDF, embeddings, LLM-based) rather
than prescribing a single approach. Adds three open questions
on thresholds, lint rule universality, and token budgets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Benjamin Kapner <bkapner@redhat.com>
Introduce --vendor to install vendored binaries, reusable workflows,
actions, and agent content. Vendored upstream mirror content is committed
under .defaults/ (same layout as runtime sparse checkout); layered installs
fetch fullsend-ai/fullsend@v0 into .defaults when the marker file is absent.

Reusable workflows use inline workspace preparation and reference infra
from ./.defaults/, matching the pre-vendor layered design. Thin callers
render local reusable paths when --vendor is set.

--fullsend-source pins the source tree for both content and binary
cross-compile; --fullsend-binary remains an explicit ELF override.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Write vendor-manifest.yaml on --vendor installs so cleanup and analyze work
without a local fullsend checkout. Workflows analyze stays embed-only;
vendor layer reports presence, manifest alignment, and optional source
alignment via admin analyze --fullsend-source.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Consolidate thin-stage caller registry, reuse resolved source root for
binary vendoring, reject oversized tar members during extraction, restore
workflows scope comment, fix testing-workflows prose, and introduce
InstallFiles as the canonical collector return type.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Re-add the full download_test.go suite and append extractSourceTree size
limit coverage.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Delete vendored paths atomically via forge.DeleteFiles, reuse resolved
source root for cross-compile, preserve extracted file modes, and tighten
WouldFix deduplication to exact path matches.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Document intentional breaking change: old flag callers should use --vendor;
only known usage was e2e, already updated in this branch.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Document VendorBinaryLayer legacy naming, restore Uninstall/Analyze
comments, and use Title Case for stale-cleanup progress messages.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Batch binary, content, and manifest in one CommitFiles call; validate
manifest version on read; trim leading slash in extractSourceTree; wrap
DeleteFiles ref PATCH in retryOnTransient.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Use the existing blob mode from the recursive tree and set type blob
so deletion entries match GitHub Trees API expectations.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Guard against regressions in delete-entry construction per review.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

# Conflicts:
#	internal/forge/fake.go
#	internal/forge/forge.go

Signed-off-by: Barak Korren <bkorren@redhat.com>
Encode CommitFiles tree entries as base64 to preserve ELF binaries,
add tar extract containment check, consolidate stale cleanup with a
manifest/binary quick-check, and deduplicate cleanup between CLI and layer.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

# Conflicts:
#	action.yml
#	docs/guides/dev/testing-workflows.md

Signed-off-by: Barak Korren <bkorren@redhat.com>
Clarify removed distribution-mode artifacts, drop e2e vendor line, and
document action.yml source-build fallback.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Empty commit to re-dispatch review; prior synchronize dispatch was cancelled.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Keep enumerateVendoredPaths aligned with CollectVendoredAssets after
main added the composite action (fullsend-ai#2106); fixes CI parity test.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
…t dispatch

GitHub Actions may return 422 when repo-maintenance is dispatched immediately
after a separate vendor CommitFiles on a fresh .fullsend repo. Merge scaffold
and vendored assets into one atomic commit and retry dispatch on indexing lag.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
…nance

Poll GitHub until repo-maintenance.yml is active before dispatch, re-touch
config.yaml after scaffold so the push trigger can run enrollment when
dispatch is still rejected, and fall back to awaiting a push-triggered run.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
…nary

Tree entries with encoding:base64 stored base64 text literally on GitHub,
corrupting YAML workflows and vendor-manifest.yaml. Restore UTF-8 inline
content for text and upload binary via the Git Blob API instead.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Design for a new `prerequisites` triage action that replaces `blocked`.
The agent can now express both existing blockers and new issues that need
to be created upstream before progress can happen. Includes allowlist
configuration for cross-repo issue creation and a degraded path when
targets are not authorized.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
…nd-ai#401)

Seven-task plan covering config structs, JSON schema, agent prompt,
post-script, user docs, and caller updates. TDD approach with exact
file paths and code blocks.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
Add CreateIssuesConfig and AllowTargets types to both OrgConfig and
PerRepoConfig. NewOrgConfig populates defaults with the org and
fullsend-ai/fullsend. NewPerRepoConfig populates with the target repo
and fullsend-ai/fullsend.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
…ues (fullsend-ai#401)

Pass org name and target repo to config constructors so create_issues
defaults are populated at install time.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
)

Replace the blocked action and blocked_by field with a prerequisites
action containing existing[] and create[] arrays. At least one array
must be non-empty.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
…pt (fullsend-ai#401)

The triage agent can now recommend creating upstream issues via the
prerequisites action's create array, in addition to referencing existing
blockers. Adds hard constraint against emitting sufficient when
prerequisites exist.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
…d-ai#401)

Update triage agent docs to explain the new prerequisites action and the
create_issues.allow_targets configuration surface.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
…#401)

Replace the blocked handler with prerequisites. The post-script reads
the create_issues allowlist from config.yaml, creates permitted upstream
issues via gh, and includes collapsed draft bodies for disallowed or
failed creates so humans can file them manually.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
…ullsend-ai#401)

The agent prompt referenced a nonexistent `prerequisites` label when
checking for prior blockers — the post-script actually applies the
`blocked` label. Also removed unused SOURCE_ORG variable from
post-triage.sh.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
ralphbean and others added 11 commits June 18, 2026 11:31
…script-diagnostic-errors

fix(fullsend-ai#2393): add diagnostic stderr output to post-script failure paths
…-await-and-enqueue

feat(merge-queue): add await-and-enqueue script
Two call sites in commitFilesTo were missed during the rename, causing
build failures.

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
…pdate

The mergeEnrollmentPR function in the e2e test calls
MergeChangeProposal once without handling GitHub's 409 "Head branch
is out of date" response. When the reconcile workflow pushes to the
default branch between PR creation and the merge attempt, the
enrollment PR's base falls behind and the merge is rejected.

Add an UpdatePullRequestBranch method to the forge.Client interface
(wrapping GitHub's PUT /repos/{owner}/{repo}/pulls/{number}/update-branch)
and implement it in the GitHub LiveClient and FakeClient. In
mergeEnrollmentPR, wrap the merge call in a retry loop (up to 3
attempts) that detects 409 errors via the APIError status code,
calls UpdatePullRequestBranch to bring the PR branch up to date,
waits 5 seconds for GitHub to process, and retries the merge.

Note: pre-commit could not run in sandbox (shellcheck install
failed due to network restrictions). The post-script runs it
authoritatively.

Closes fullsend-ai#2432
fix(forge): retry 5xx server errors at the HTTP client level
docs(problems): add static analysis layer to testing-agents
…-merge-409

fix(fullsend-ai#2432): retry enrollment PR merge on 409 with branch update
For PRs with 30+ files, the review orchestrator now runs a
lightweight security-triage pre-pass before dispatching dimension
sub-agents. The triage pass uses a haiku-model sub-agent to classify
changed files as security-critical or standard based on path
patterns (e.g., **/mint/**, **/auth/**, **/oidc/**) and diff content
heuristics (auth logic, token handling, permission changes).

Security-critical files identified by the triage pass receive
prioritized context in the security and correctness sub-agent
context packages — their full diffs appear first with explicit
classification headers, ensuring they get dedicated reasoning budget
rather than competing with boilerplate changes.

Changes:
- New sub-agent definition: sub-agents/security-triage.md (haiku
  model, read-only classifier)
- New orchestrator step 3c-1 in SKILL.md: security-critical file
  triage, runs synchronously before context package assembly
- Updated step 3d in SKILL.md: security-prioritized context package
  assembly for security and correctness sub-agents when triage
  results are available
- Updated sub-agent roster table with security-triage entry

The 30-file threshold is a starting point that may need tuning.
Triage failures fall back to uniform attention (all files treated as
security-critical) to preserve existing behavior as a safe default.

Closes fullsend-ai#2096
- Raise security triage threshold from 30 to 50 files to align with
  step 2's per-file diff boundary, resolving ambiguity in the 30-49
  file range where per-file diffs were not available [edge-case]
- Add clarifying note to roster table documenting that security-triage
  and challenger use non-standard dispatch and are excluded from step
  4's parallel loop [logic-error, design-direction]
- Clarify step 4 heading to explicitly scope dispatch to dimension
  sub-agents only [logic-error]
- Remove parenthetical from security-triage sub-agent title to match
  naming convention of other sub-agents [naming-convention]

Addresses review feedback on fullsend-ai#2303
@guyoron1

Copy link
Copy Markdown
Owner Author

/fs-qf

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 21, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:00 AM UTC · Completed 8:21 AM UTC
Commit: 53ee5b2 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 21, 2026

Copy link
Copy Markdown

Review

Findings

High

  • [protected-path] Multiple protected paths modified without linked issue — This PR modifies .github/ (12 files), .pre-commit-config.yaml, AGENTS.md, CLAUDE.md, and skills/ (5 files). No issue is linked in this repository to justify changes to governance and infrastructure files. Human approval is always required for protected-path changes.
    Remediation: Link or create an issue in guyoron1/fullsend explaining why each protected path is being changed.

  • [scope-exceeded] PR title claims "add two-pass review strategy for large PRs" but actual scope includes at least 8-10 distinct feature areas across 158 files: vendor flag implementation (ADR 0047), automatic updates (ADR 0048), env var convention (ADR 0049), triage terminology changes, review agent labels, mint role-keyed app ID migration, e2e workflow optimizations, OpenShell version bump, and more.
    Remediation: Split into separate feature-scoped PRs each with proper issue links.

  • [github-action-input-breaking-change] action.yml — The status-token input has been renamed to mint-url, breaking all downstream workflow calls that pass status-token. The failure mode is silent degradation of status comment functionality.
    Remediation: Keep both inputs with deprecation mapping (read mint-url with fallback to status-token), or document as a breaking change with a major version bump.

  • [cli-flag-breaking-change] action.yml — The CLI flag --status-token is replaced with --mint-url in the fullsend run invocation, and reconcilestatus changes from --token to --mint-url --role. External scripts or automation using these flags will break.
    Remediation: Implement flag aliasing to accept both old and new flags during a deprecation period.

  • [workflow-trigger-broadening] .github/workflows/e2e.yml:26 — Removed paths: filter from pull_request_target trigger. Every PR now triggers the e2e workflow. While the gate job still enforces authorization, removing the path filter widens the trigger surface for pull_request_target which runs with base-repo privileges and secret access.
    Remediation: Keep paths: filter as defense-in-depth. If removal is intentional (GitHub path filters unreliable for pull_request_target), document the trade-off.

  • [stale-doc] docs/guides/infrastructure/mint-administration.md — Missing documentation for new mint add-role and mint remove-role commands introduced in this PR. Platform operators will have no reference for these new subcommands.
    Remediation: Add documentation sections for add-role and remove-role including usage, flags, IAM requirements, and interaction with PEM secrets.

Medium

  • [missing-authorization] Non-trivial PR (158 files, ~18,500 lines) has no linked issue in this repository. The #2096 reference in the title appears to be for the upstream repo (fullsend-ai/fullsend), not this fork.
    Remediation: Link or create an issue in guyoron1/fullsend authorizing this scope.

  • [curl-pipe-to-shell] .github/scripts/install-openshell.sh:15 — New script downloads and executes code from GitHub via curl | sh, pinned to a commit SHA but without checksum verification of the downloaded content.
    Remediation: Add SHA-256 checksum verification of the downloaded install.sh before piping to sh.

  • [interface-method-addition] internal/forge/forge.go:189forge.Client interface adds three new methods (DeleteFiles, GetWorkflow, UpdatePullRequestBranch). Any external implementations will fail to compile.
    Remediation: Coordinate rollout if external forge implementations exist.

  • [architectural-conflict] Three new ADRs (0047, 0048, 0049) bundled in a single PR. Independent architectural decisions cannot be reviewed on their individual merits.
    Remediation: Each ADR should be proposed in its own PR for independent review.

  • [scope-creep] internal/appsetup/appsetup.go — Mint enrollment system refactor (org/role keys to role-only keys) is unrelated to the claimed two-pass review strategy.

  • [misleading-label] PR title misrepresents the change scope. The security-triage sub-agent is one small piece among 158 changed files.

  • [design-smell] PR body claims "Mirror of upstream feat(#2096): add two-pass review strategy for large PRs fullsend-ai/fullsend#2303" but provides no context about the relationship between repos, what differs, or the issue number discrepancy (Review agent: two-pass strategy for large PRs — triage security-critical files, then deep-review fullsend-ai/fullsend#2096 vs feat(#2096): add two-pass review strategy for large PRs fullsend-ai/fullsend#2303).

  • [error-handling-gap] internal/dispatch/gcf/provisioner.go:398EnsureOrgInMint no longer validates ROLE_APP_IDS consistency. An org can be enrolled in ALLOWED_ORGS while ROLE_APP_IDS is empty, causing runtime token minting failures.
    Remediation: Add validation that ROLE_APP_IDS contains at least one role-only entry before enrolling.

  • [logic-error] internal/dispatch/gcf/provisioner.go:753 — Legacy org/role keys in ROLE_APP_IDS are never cleaned up during code deploys. Dead data accumulates indefinitely.

  • [logic-error] internal/cli/admin.go:759 — When resolveSharedRoleAppIDs finds no role-only keys but legacy org/role keys exist, the error message says "install the app first" which is misleading. The real issue is a migration to role-only keys is needed.
    Remediation: Include guidance about running migration to convert org/role keys.

  • [stale-doc] docs/guides/infrastructure/mint-administration.md:133 — Enrollment flags table includes removed flags (--app-set, --role-app-ids, --roles).
    Remediation: Remove stale flags and update enrollment documentation.

Low

  • [behavioral-change] internal/dispatch/gcf/mintsrc/mintcore/handler.go.embed:253/v1/status API now returns all roles instead of org-scoped roles. External consumers may observe different response shape.

  • [api-contract-violation] internal/forge/github/github.go:1653 — File-level comment fallback sets Line=0 relying on Go's omitempty behavior. Works correctly but is implicit and should be documented.

  • [comment-accuracy] internal/layers/vendorbinary.goVendorFunc type comment changed to be less accurate than the original "callback" terminology.

  • [scope-creep] Triage agent terminology change (blockedprerequisites) and review agent contextual labeling are independent of the two-pass security triage feature.

Info

  • [token-handling-improvement] action.yml — Positive security change: status-token replaced with mint-url for on-demand short-lived tokens, reducing token exposure window.

  • [container-path-hardening] images/code/Containerfile — PATH ordering now prevents sandbox binaries from shadowing system tools. Positive security change.

  • [workflow-template-change] Scaffold workflows switch to __REUSABLE_WORKFLOW__ placeholder and add install_mode input.

Previous run

Review

Reason: stale-head

The review agent reviewed commit 647da744e18bdd7f470f99b08e2bb66b610a6d7c but the PR HEAD is now 689db50ef6ea1ad58d440ad13da3b8c7962ba958. This review was discarded to avoid approving unreviewed code.

Previous run (2)

Review

Reason: stale-head

The review agent reviewed commit 9a7370e56e43ee3da92cedb7e81a8b33b7619a99 but the PR HEAD is now 647da744e18bdd7f470f99b08e2bb66b610a6d7c. This review was discarded to avoid approving unreviewed code.

@fullsend-ai-review

Copy link
Copy Markdown

/fs-review

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 21, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:24 AM UTC · Completed 9:05 AM UTC
Commit: 53ee5b2 · View workflow run →

QualityFlow and others added 5 commits June 21, 2026 08:27
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replaces intermediate pipeline artifacts with organized test files.

Total: 2 test files → qf-tests/GH-57/
Jira: GH-57
[skip ci]
@github-actions

Copy link
Copy Markdown

QualityFlow Pipeline Summary

Stage Agent Status
1 STP Builder
2 STP Reviewer
3 STP Refiner
4 STD Builder
5 STD Reviewer
6 STD Refiner
7 Test Generator

Test Output

Language Count Location
Go 2 files qf-tests/GH-57/go/

Issue: GH-57


Generated by QualityFlow

@fullsend-ai-review

Copy link
Copy Markdown

/fs-review

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 21, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 9:08 AM UTC · Completed 9:50 AM UTC
Commit: 53ee5b2 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.

Comment thread action.yml
default: ""
status-token:
description: Token for status comments (defaults to GH_TOKEN env var).
mint-url:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] github-action-input-breaking-change

The status-token input has been renamed to mint-url, breaking all downstream workflow calls that pass status-token. The failure mode is silent degradation of status comment functionality.

Suggested fix: Keep both inputs with deprecation mapping (read mint-url with fallback to status-token), or document as a breaking change with a major version bump.

Comment thread .github/workflows/e2e.yml
@@ -24,19 +25,6 @@ on:
- 'scripts/check-e2e-authorization.sh'
pull_request_target:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[high] workflow-trigger-broadening

Removed paths: filter from pull_request_target trigger. Every PR now triggers the e2e workflow. While the gate job enforces authorization, removing the path filter widens the trigger surface for pull_request_target which runs with base-repo privileges and secret access.

Suggested fix: Keep paths: filter as defense-in-depth, or document the intentional trade-off.

source "${SCRIPT_DIR}/openshell-version.sh"

echo "Installing OpenShell ${OPENSHELL_VERSION} (${OPENSHELL_SHA})"
curl -LsSf "https://raw.githubusercontent.com/NVIDIA/OpenShell/${OPENSHELL_SHA}/install.sh" \

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] curl-pipe-to-shell

New script downloads and executes code from GitHub via curl | sh, pinned to a commit SHA but without checksum verification of the downloaded content.

Suggested fix: Add SHA-256 checksum verification of the downloaded install.sh before piping to sh.

@@ -719,17 +753,8 @@ func (p *Provisioner) provisionSelfManaged(ctx context.Context) (map[string]stri
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] logic-error

Legacy org/role keys in ROLE_APP_IDS are never cleaned up during code deploys. Dead data accumulates indefinitely.

Suggested fix: Add a cleanup step during code deploy that strips legacy org/role keys.

Comment thread internal/cli/admin.go
@@ -760,7 +759,7 @@ func runPerRepoInstall(ctx context.Context, c perRepoInstallConfig) error {
agentAppIDs = make(map[string]string, len(roles))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] logic-error

When resolveSharedRoleAppIDs finds no role-only keys but legacy org/role keys exist, the error message says install the app first which is misleading.

Suggested fix: Include guidance about running migration to convert org/role keys to role-only keys.

The mint URL is stable across redeploys within the same project and region — updating the Cloud Function does not change its URL. Adding a new org to an existing mint only updates `ALLOWED_ORGS` (and WIF configuration) without redeploying the function. Shared `ROLE_APP_IDS` are managed at deploy/bootstrap time (`mint deploy --pem-dir`) or per-role via `mint add-role` / `remove-role` — not during enrollment. Existing enrolled repos continue working with no changes when orgs are added.

Deploying to a **different region** (e.g., changing `--region` from `us-central1` to `us-east5`) creates a new Cloud Run service with a different URL. All enrolled repos store the mint URL in a repo or org variable (`FULLSEND_MINT_URL`), so changing the region requires updating every enrolled repo's variable. Avoid changing `--region` after initial deployment unless you plan to update all consumers.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] stale-doc

Enrollment flags table includes removed flags (--app-set, --role-app-ids, --roles).

Suggested fix: Remove stale flags and update enrollment documentation.

@guyoron1 guyoron1 closed this Jun 21, 2026
@guyoron1 guyoron1 deleted the mirror/2303-2096-two-pass-review-strategy branch June 21, 2026 10:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants