Commit 21e5e0f

docs: align architecture and comments with ADR 41 dispatch
Update stale references to thin callers and per-org OIDC minting in dispatch.yml; address review feedback on PR fullsend-ai#1611.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 5b1aeed commit 21e5e0f

3 files changed

Lines changed: 7 additions & 7 deletions

.github/workflows/reusable-dispatch.yml

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
# Reusable dispatch workflow for per-repo installation mode.
22
# Routes events to the appropriate stage reusable workflow via conditional
3-
# workflow_call jobs. This is the per-repo equivalent of the per-org
4-
# dispatch.yml + thin caller pair.
3+
# workflow_call jobs. Same direct-dispatch pattern as per-org dispatch.yml
4+
# (ADR 0041).
55
#
66
# Flow: shim (per-repo) → reusable-dispatch.yml → reusable-{stage}.yml
77
# Nesting: 3 levels of workflow_call (within GitHub's 4-level limit)
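
Review bot: The new header comment on lines 3-4 cites "(ADR 0041)" by number only, so a reader of this workflow file has to go looking for the document. Consider giving the path that docs/architecture.md links to in this same commit (`ADRs/0041-synchronous-workflow-call-event-dispatch.md` under `docs/`) and stating in one clause what "direct-dispatch" means here, for example conditional `workflow_call` jobs with no per-stage thin callers, since the removed wording about the thin caller pair was the only description of how the two modes relate.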

docs/architecture.md

Lines changed: 2 additions & 2 deletions
@@ -39,11 +39,11 @@ Infrastructure platform choice and configuration are specified in the adopting o
3939

4040
- Forge abstraction: all forge operations go through the `forge.Client` interface, keeping the rest of the codebase forge-agnostic ([ADR 0005](ADRs/0005-forge-abstraction-layer.md)).
4141
- Installation model: ordered layer stack (install forward, uninstall reverse, analyze for status reporting) with idempotent operations. Current stack: config-repo → workflows → secrets → inference → dispatch → enrollment ([ADR 0006](ADRs/0006-ordered-layer-model.md)).
42-
- Cross-repo dispatch: enrolled repos call `.fullsend` via `workflow_call`; a dispatch workflow mints OIDC tokens exchanged at a central token mint (GCP Cloud Function) for scoped GitHub App installation tokens per agent role. App PEM secrets are stored in Secret Manager, not the config repo ([ADR 0008](ADRs/0008-workflow-dispatch-for-cross-repo-dispatch.md)).
42+
- Cross-repo dispatch: enrolled repos call `.fullsend` via `workflow_call`; dispatch routes events to upstream reusable workflows via synchronous `workflow_call` jobs. Each reusable workflow mints OIDC tokens exchanged at a central token mint (GCP Cloud Function) for scoped GitHub App installation tokens per agent role. App PEM secrets are stored in Secret Manager, not the config repo ([ADR 0008](ADRs/0008-workflow-dispatch-for-cross-repo-dispatch.md), [ADR 0041](ADRs/0041-synchronous-workflow-call-event-dispatch.md)).
4343
- Shim workflow security: `pull_request_target` prevents PR authors from modifying the shim workflow. No long-lived secrets flow through the shim — OIDC tokens are issued by the GitHub runtime and scoped to the workflow run ([ADR 0009](ADRs/0009-pull-request-target-in-shim-workflows.md)).
4444
- Repo maintenance: a workflow in `.fullsend` (`.github/workflows/repo-maintenance.yml`) reconciles enrollment shims in target repos when `config.yaml` changes or on manual dispatch. The CLI's `EnrollmentLayer.Install()` dispatches this workflow via `workflow_dispatch` and monitors it for completion, then reports any enrollment PRs created in target repos.
4545
- Installer scaffold: the `WorkflowsLayer` deploys content from an embedded scaffold (`internal/scaffold/`), keeping deployable files as real files under version control rather than Go string constants.
46-
- Reusable workflows: agent workflows in `.fullsend` are thin callers (~40-70 lines) that delegate infrastructure logic to upstream reusable workflows (`fullsend-ai/fullsend/.github/workflows/reusable-*.yml`) via `workflow_call`. Infrastructure patches ship once upstream and propagate to all orgs without re-install ([ADR 0031](ADRs/0031-reusable-workflows-for-action-installed-distribution.md)).
46+
- Reusable workflows: `dispatch.yml` in `.fullsend` calls upstream reusable workflows (`fullsend-ai/fullsend/.github/workflows/reusable-*.yml`) directly via `workflow_call` jobs (no per-stage thin callers). Infrastructure patches ship once upstream and propagate to all orgs without re-install ([ADR 0031](ADRs/0031-reusable-workflows-for-action-installed-distribution.md), [ADR 0041](ADRs/0041-synchronous-workflow-call-event-dispatch.md)).
4747

4848
**Open questions:**
4949

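Review bot: New line 42 moves OIDC minting from "a dispatch workflow" to "Each reusable workflow" but leaves unstated which workflow identity the central token mint now expects when it exchanges the token for a per-role installation token. This bullet is the architecture summary of that trust boundary, so add a clause saying what the mint validates (for example the calling repository and the reusable workflow reference) or point to the part of ADR 0041 that covers it. The bullet also keeps the ADR 0008 link, whose filename says workflow-dispatch, next to text that now describes synchronous `workflow_call`; a short note on whether ADR 0041 supersedes or amends ADR 0008 would stop readers from following the older design.
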
internal/layers/workflows.go

Lines changed: 3 additions & 3 deletions
@@ -29,9 +29,9 @@ func init() {
2929
}
3030

3131
// WorkflowsLayer manages workflow files and CODEOWNERS in the .fullsend
32-
// config repo. It writes the thin caller workflows, composite actions,
33-
// and a CODEOWNERS file that grants the installing user ownership of all
34-
// config-repo contents.
32+
// config repo. It writes dispatch.yml, prioritize.yml, repo-maintenance.yml,
33+
// composite actions, and a CODEOWNERS file that grants the installing user
34+
// ownership of all config-repo contents.
3535
type WorkflowsLayer struct {
3636
org string
3737
client forge.Client
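
Review bot: The rewritten doc comment on lines 32-34 hard-codes three filenames (dispatch.yml, prioritize.yml, repo-maintenance.yml), which is the same kind of detail that went stale and prompted this commit. docs/architecture.md in this commit says the `WorkflowsLayer` deploys content from the embedded scaffold in `internal/scaffold/`; consider describing the output as the scaffold's workflow files and naming that directory, so the comment stays correct when a workflow is added or removed.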
