Commit 5b1aeed

fix(dispatch): address review — checkout .fullsend repo and prioritize secrets
- Checkout config.yaml from job.workflow_repository (not enrolled repo).
- Pass secrets: inherit into prioritize workflow_call job.
- Update architecture.md and retro-analysis skill for dispatch.yml flow.

Signed-off-by: Barak Korren <bkorren@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent bf2c1c9 commit 5b1aeed

4 files changed

Lines changed: 12 additions & 23 deletions

docs/architecture.md

Lines changed: 4 additions & 5 deletions
@@ -512,14 +512,13 @@ GitHub event ──► SHIM WORKFLOW (fullsend.yml in enrolled repo)
512512
╔═══════════════════════════════════════════════════════════════╗
513513
║ DISPATCH WORKFLOW (.fullsend repo, dispatch.yml) ║
514514
║ ║
515-
║ Mints OIDC token → Cloud Function (token mint) → scoped ║
516-
║ GitHub App installation token per agent role. ║
517-
║ Dispatches per-role agent workflows (code.yml, triage.yml). ║
515+
║ Routes to stage; synchronous workflow_call to upstream ║
516+
║ reusable-{stage}.yml (or prioritize.yml in .fullsend). ║
518517
╚═══════════════════════════════════════════════════════════════╝
519518
520519
521520
╔═══════════════════════════════════════════════════════════════╗
522-
║ AGENT WORKFLOW (.fullsend repo, e.g. code.yml)
521+
║ AGENT WORKFLOW (fullsend-ai/fullsend reusable-*.yml) ║
523522
║ ║
524523
║ Validates source repo is enrolled in config.yaml. ║
525524
║ Uses scoped GitHub App tokens: ║
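Review bot: The rewritten DISPATCH WORKFLOW box (new lines 515-516) drops the only statement of where credentials come from, while the AGENT WORKFLOW box just below still says "Uses scoped GitHub App tokens:". With the OIDC → token mint → installation token text removed, the diagram no longer shows which workflow mints those tokens. Add a line to whichever box now performs the mint so readers can still trace the credential path.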
@@ -601,7 +600,7 @@ GitHub event ──► SHIM WORKFLOW (fullsend.yml in enrolled repo)
601600

602601
| Abstract layer | MVP technology | ADR |
603602
|---|---|---|
604-
| Dispatcher | Shim workflow (`fullsend.yml`) in enrolled repo → `workflow_call` to `.fullsend/dispatch.yml`OIDC mint → per-role agent workflows (thin callers → upstream reusable workflows) | [ADR 0008](ADRs/0008-workflow-dispatch-for-cross-repo-dispatch.md), [ADR 0031](ADRs/0031-reusable-workflows-for-action-installed-distribution.md) |
603+
| Dispatcher | Shim workflow (`fullsend.yml`) in enrolled repo → `workflow_call` to `.fullsend/dispatch.yml`synchronous `workflow_call` to upstream reusable workflows | [ADR 0008](ADRs/0008-workflow-dispatch-for-cross-repo-dispatch.md), [ADR 0031](ADRs/0031-reusable-workflows-for-action-installed-distribution.md), [ADR 0041](ADRs/0041-synchronous-workflow-call-event-dispatch.md) |
605604
| Agent runner | GitHub Actions job → `fullsend run` CLI (via `fullsend-ai/fullsend@v0` composite action) | |
606605
| Harness store | YAML files in `.fullsend/harness/` (e.g. `code.yaml`, `triage.yaml`) | |
607606
| Sandbox | OpenShell with per-agent L7 network policies (endpoint + binary restrictions) | |
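Review bot: The Dispatcher row still cites ADR 0008 (`workflow-dispatch-for-cross-repo-dispatch`) next to the new ADR 0041 (`synchronous-workflow-call-event-dispatch`), but the row text now describes only the `workflow_call` path. State whether 0041 supersedes 0008, or drop the older link if it no longer applies. Also, as rendered here `.fullsend/dispatch.yml` runs straight into "synchronous" with no `→` between them; check the separator in the source.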

internal/scaffold/fullsend-repo/.github/workflows/dispatch.yml

Lines changed: 2 additions & 0 deletions
@@ -32,6 +32,7 @@ jobs:
3232
- name: Checkout config repository
3333
uses: actions/checkout@v6
3434
with:
35+
repository: ${{ job.workflow_repository }}
3536
persist-credentials: false
3637
sparse-checkout: config.yaml
3738
sparse-checkout-cone-mode: false
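Review bot: The checkout step sets `repository: ${{ job.workflow_repository }}` but no `ref:`, so `actions/checkout` takes `config.yaml` from that repository's default branch, which need not be the ref the running `dispatch.yml` came from. Since the architecture doc says enrollment is validated against `config.yaml`, pin the checkout to the same ref as the workflow or document that the default branch is authoritative. No `token:` is visible in this step either; the default token belongs to the calling repository, so confirm the checkout still works when the config repository is private.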
@@ -374,6 +375,7 @@ jobs:
374375
needs: route
375376
if: needs.route.outputs.stage == 'prioritize'
376377
uses: ./.github/workflows/prioritize.yml
378+
secrets: inherit
377379
with:
378380
event_type: ${{ github.event_name }}
379381
source_repo: ${{ github.repository }}
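Review bot: `secrets: inherit` on the `prioritize` job hands every secret available to `dispatch.yml` to `prioritize.yml`, not only the ones that stage uses. Prefer an explicit `secrets:` map naming the required secrets, so a later change to `prioritize.yml` cannot reach credentials meant for other stages, and add a comment listing what the stage needs.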

internal/scaffold/fullsend-repo/skills/retro-analysis/SKILL.md

Lines changed: 4 additions & 18 deletions
@@ -29,35 +29,21 @@ gh run list --repo "$REPO_FULL_NAME" --workflow=fullsend.yaml \
2929
-q '.[] | select(.event == "issue_comment" or .event == "issues")'
3030
```
3131

32-
2. Find the corresponding agent runs in the dispatch repo:
32+
2. Find the corresponding dispatch runs in the config repo (triage/code/review/fix/retro run as jobs inside `dispatch.yml`):
3333

3434
```bash
35-
gh run list --repo "$DISPATCH_REPO" --workflow=triage.yml --limit 10 \
36-
--json databaseId,status,conclusion,createdAt
37-
```
38-
39-
3. If the issue reached `ready-to-code`, find code dispatches:
40-
41-
```bash
42-
gh run list --repo "$DISPATCH_REPO" --workflow=code.yml --limit 10 \
35+
gh run list --repo "$DISPATCH_REPO" --workflow=dispatch.yml --limit 10 \
4336
--json databaseId,status,conclusion,createdAt
4437
```
4538

4639
### From a PR
4740

4841
1. The PR branch follows `agent/{issue}-{slug}`. Extract the issue number to trace the full history.
4942

50-
2. Find review dispatches:
51-
52-
```bash
53-
gh run list --repo "$DISPATCH_REPO" --workflow=review.yml --limit 10 \
54-
--json databaseId,status,conclusion,createdAt
55-
```
56-
57-
3. Find fix dispatches (if review requested changes):
43+
2. Find dispatch runs for this PR (review/fix stages appear as jobs in the run):
5844

5945
```bash
60-
gh run list --repo "$DISPATCH_REPO" --workflow=fix.yml --limit 10 \
46+
gh run list --repo "$DISPATCH_REPO" --workflow=dispatch.yml --limit 10 \
6147
--json databaseId,status,conclusion,createdAt
6248
```
6349
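Review bot: With every stage now under `--workflow=dispatch.yml`, both `gh run list` commands return the same mixed set of runs, and the selected fields (`databaseId,status,conclusion,createdAt`) do not identify the stage or the issue/PR a run belongs to. The step text says the stages appear as jobs inside the run, so add a follow-up such as `gh run view <id> --json jobs` to pick out the triage/code/review/fix job, and consider raising `--limit 10`, which now spans all stages rather than one workflow.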

internal/scaffold/scaffold_test.go

Lines changed: 2 additions & 0 deletions
@@ -231,6 +231,8 @@ func TestDispatchWorkflowContent(t *testing.T) {
231231
assert.Contains(t, s, "install_mode: per-org")
232232
assert.Contains(t, s, "permissions: {}")
233233
assert.Contains(t, s, "sparse-checkout: config.yaml")
234+
assert.Contains(t, s, "repository: ${{ job.workflow_repository }}")
235+
assert.Contains(t, s, "secrets: inherit")
234236
assert.Contains(t, s, "set -euo pipefail")
235237
assert.Contains(t, s, "Invalid stage name")
236238
assert.Contains(t, s, `^[a-z][a-z0-9_-]*$`)
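Review bot: Both new assertions are whole-file substring checks, so `assert.Contains(t, s, "secrets: inherit")` passes if any job in `dispatch.yml` carries that line, and it would keep passing if the line were removed from the `prioritize` job but present elsewhere. Parse the YAML and assert on the `prioritize` job's `secrets` key and on the checkout step's `with.repository`, so the test pins the behaviour this commit is fixing.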
