Skip to content

Fix agentic ingest dispatch authorization / 修复 Agentic 摄取分发授权#2237

Merged
cquil11 merged 1 commit into
mainfrom
agent/fix-agentic-ingest-dispatch
Jul 16, 2026
Merged

Fix agentic ingest dispatch authorization / 修复 Agentic 摄取分发授权#2237
cquil11 merged 1 commit into
mainfrom
agent/fix-agentic-ingest-dispatch

Conversation

@cquil11

@cquil11 cquil11 commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Switch all agentic ingest triggers from workflow_dispatch to the repository_dispatch contract exposed by InferenceX-app.
  • Cover main sweeps, E2E runs, and reused-ingest recovery runs.
  • Preserve the existing production run ID and attempt payload.

Root cause

The source workflows called the target workflow-dispatch endpoint with INFX_FRONTEND_PAT. GitHub rejected that endpoint with HTTP 403 because it requires Actions write authorization. The target workflow already documents and listens for the ingest-agentic-results repository-dispatch event, and the same PAT successfully dispatches repository events.

Recovery

The failed production ingest for source run 29470515957 was manually re-dispatched through the supported repository-dispatch contract and is tracked by target run 29470850852.

Validation

  • actionlint on all three changed workflows, excluding unrelated pre-existing baseline warnings
  • YAML parsing for all three changed workflows
  • python -m pytest utils/changelog_gate_tests/test_run_sweep_gating.py -q (27 passed)
  • Verified all three agentic call sites use event_type: ingest-agentic-results

中文说明

摘要

  • 将所有 Agentic 摄取触发器从 workflow_dispatch 切换为 InferenceX-app 已提供的 repository_dispatch 契约。
  • 覆盖主分支扫描、E2E 运行以及复用产物摄取恢复流程。
  • 保持现有的生产环境运行 ID 和尝试次数载荷不变。

根因

源工作流使用 INFX_FRONTEND_PAT 调用目标仓库的 workflow-dispatch 端点。该端点需要 Actions 写入权限,因此 GitHub 返回 HTTP 403。目标工作流本身已记录并监听 ingest-agentic-results repository-dispatch 事件,同一 PAT 也能成功发送 repository dispatch。

恢复

源运行 29470515957 的失败生产摄取已通过受支持的 repository-dispatch 契约重新触发,对应目标运行是 29470850852

验证

  • 对三个修改后的工作流运行 actionlint,仅排除与本次修改无关的既有基线告警
  • 验证三个修改后的工作流均可正常解析 YAML
  • python -m pytest utils/changelog_gate_tests/test_run_sweep_gating.py -q(27 项通过)
  • 验证三个 Agentic 调用点均使用 event_type: ingest-agentic-results

Switch every agentic ingest trigger to the repository_dispatch contract exposed by InferenceX-app, avoiding the Actions-write permission required by workflow_dispatch.

中文:将所有 Agentic 摄取触发器切换到 InferenceX-app 提供的 repository_dispatch 契约,避免 workflow_dispatch 所需的 Actions 写入权限。
@cquil11 cquil11 requested a review from a team July 16, 2026 04:17
@cquil11 cquil11 merged commit 3e513b3 into main Jul 16, 2026
4 checks passed
@cquil11 cquil11 deleted the agent/fix-agentic-ingest-dispatch branch July 16, 2026 04:17

@claude claude Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — straightforward fix to a broken CI dispatch call.

Extended reasoning...

Overview

Changes 3 GitHub Actions workflows (e2e-tests.yml, recover-reused-ingest.yml, run-sweep.yml) to fix the agentic-results ingest trigger, switching from the workflow-dispatch REST endpoint (which was returning 403 due to insufficient Actions-write scope on the PAT) to the repository-dispatch endpoint (POST /repos/{owner}/{repo}/dispatches with event_type+client_payload), which the target workflow already listens for.

Security risks

None. This only changes which GitHub REST endpoint an existing PAT (INFX_FRONTEND_PAT) calls to fire a repository_dispatch event; the payload fields (run-id, run-attempt, database-target) are unchanged and the PAT's scope is unchanged. No new secrets or permissions are introduced.

Level of scrutiny

Low. This is a config-shaped fix (URL + payload shape) applied identically across three call sites, and the same event_type/client_payload pattern is already used elsewhere in the same run-sweep.yml file (the non-agentic trigger-ingest job), confirming the new pattern is correct and already working in production for a sibling call.

Other factors

The PR description includes root cause, a completed manual recovery of the one production run that failed, and validation via actionlint/YAML parsing/pytest. The bug hunting system found no issues, and my own review of the diff and file context found nothing to add.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

1 participant