Fix agentic ingest dispatch authorization / 修复 Agentic 摄取分发授权#2237
Conversation
Switch every agentic ingest trigger to the repository_dispatch contract exposed by InferenceX-app, avoiding the Actions-write permission required by workflow_dispatch. 中文:将所有 Agentic 摄取触发器切换到 InferenceX-app 提供的 repository_dispatch 契约,避免 workflow_dispatch 所需的 Actions 写入权限。
There was a problem hiding this comment.
LGTM — straightforward fix to a broken CI dispatch call.
Extended reasoning...
Overview
Changes 3 GitHub Actions workflows (e2e-tests.yml, recover-reused-ingest.yml, run-sweep.yml) to fix the agentic-results ingest trigger, switching from the workflow-dispatch REST endpoint (which was returning 403 due to insufficient Actions-write scope on the PAT) to the repository-dispatch endpoint (POST /repos/{owner}/{repo}/dispatches with event_type+client_payload), which the target workflow already listens for.
Security risks
None. This only changes which GitHub REST endpoint an existing PAT (INFX_FRONTEND_PAT) calls to fire a repository_dispatch event; the payload fields (run-id, run-attempt, database-target) are unchanged and the PAT's scope is unchanged. No new secrets or permissions are introduced.
Level of scrutiny
Low. This is a config-shaped fix (URL + payload shape) applied identically across three call sites, and the same event_type/client_payload pattern is already used elsewhere in the same run-sweep.yml file (the non-agentic trigger-ingest job), confirming the new pattern is correct and already working in production for a sibling call.
Other factors
The PR description includes root cause, a completed manual recovery of the one production run that failed, and validation via actionlint/YAML parsing/pytest. The bug hunting system found no issues, and my own review of the diff and file context found nothing to add.
Summary
workflow_dispatchto therepository_dispatchcontract exposed byInferenceX-app.Root cause
The source workflows called the target workflow-dispatch endpoint with
INFX_FRONTEND_PAT. GitHub rejected that endpoint with HTTP 403 because it requires Actions write authorization. The target workflow already documents and listens for theingest-agentic-resultsrepository-dispatch event, and the same PAT successfully dispatches repository events.Recovery
The failed production ingest for source run
29470515957was manually re-dispatched through the supported repository-dispatch contract and is tracked by target run29470850852.Validation
actionlinton all three changed workflows, excluding unrelated pre-existing baseline warningspython -m pytest utils/changelog_gate_tests/test_run_sweep_gating.py -q(27 passed)event_type: ingest-agentic-results中文说明
摘要
workflow_dispatch切换为InferenceX-app已提供的repository_dispatch契约。根因
源工作流使用
INFX_FRONTEND_PAT调用目标仓库的 workflow-dispatch 端点。该端点需要 Actions 写入权限,因此 GitHub 返回 HTTP 403。目标工作流本身已记录并监听ingest-agentic-resultsrepository-dispatch 事件,同一 PAT 也能成功发送 repository dispatch。恢复
源运行
29470515957的失败生产摄取已通过受支持的 repository-dispatch 契约重新触发,对应目标运行是29470850852。验证
actionlint,仅排除与本次修改无关的既有基线告警python -m pytest utils/changelog_gate_tests/test_run_sweep_gating.py -q(27 项通过)event_type: ingest-agentic-results