From a3b155b276a7e52d0025303084ca642841952a01 Mon Sep 17 00:00:00 2001
From: "fullsend-ai-fullsend[bot]" <278716232+fullsend-ai-fullsend[bot]@users.noreply.github.com>
Date: Mon, 1 Jun 2026 15:57:40 +0000
Subject: [PATCH 1/2] chore: update fullsend shim workflow
---
 .github/workflows/fullsend.yaml | 79 +++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 .github/workflows/fullsend.yaml
diff --git a/.github/workflows/fullsend.yaml b/.github/workflows/fullsend.yaml
new file mode 100644
index 000000000..5735a1d76
--- /dev/null
+++ b/.github/workflows/fullsend.yaml
@@ -0,0 +1,79 @@
+# lint-workflow-size: max-lines=280
+# fullsend shim workflow (workflow_call mode)
+# Routes events to agent workflows in .fullsend via workflow_call.
+# No secrets are needed in the enrolled repo — agents fetch scoped tokens
+# from the centralized token mint using GitHub OIDC.
+#
+# Security: pull_request_target runs the BASE branch version of this workflow,
+# preventing PRs from modifying it to exfiltrate credentials.
+# This shim never checks out PR code, so it is not vulnerable to "pwn request"
+# attacks.
+#
+# conforma is replaced by reconcile-repos.sh at deploy time.
+#
+# Routing: this shim forwards the raw event context to dispatch.yml, which
+# determines the stage from event_type + event_action + payload fields.
+# Adding a new stage requires only a case branch in dispatch.yml — zero
+# changes to enrolled repos.
+name: fullsend
+
+permissions:
+ actions: write
+ id-token: write
+ contents: read
+ pull-requests: read
+
+on:
+ issues:
+ types: [opened, edited, labeled]
+ issue_comment:
+ types: [created]
+ pull_request_target:
+ types: [opened, synchronize, ready_for_review, closed]
+ pull_request_review:
+ types: [submitted]
+
+jobs:
+ dispatch:
+ concurrency:
+ group: fullsend-dispatch-${{ github.event.issue.number || github.event.pull_request.number }}
+ cancel-in-progress: false
+ if: >-
+ github.event_name != 'issue_comment'
+ || github.event.comment.user.type != 'Bot'
+ uses: conforma/.fullsend/.github/workflows/dispatch.yml@main
+ with:
+ event_action: ${{ github.event.action }}
+
+ stop-fix:
+ if: >-
+ github.event_name == 'issue_comment'
+ && github.event.issue.pull_request
+ && github.event.comment.user.type != 'Bot'
+ && github.event.comment.body == '/fs-fix-stop'
+ && (
+ github.event.comment.author_association == 'OWNER'
+ || github.event.comment.author_association == 'MEMBER'
+ || github.event.comment.author_association == 'COLLABORATOR'
+ || github.event.comment.author_association == 'CONTRIBUTOR'
+ || github.event.comment.user.login == github.event.issue.user.login
+ )
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+ steps:
+ - name: Add fullsend-no-fix label and notify
+ env:
+ GH_TOKEN: ${{ github.token }}
+ PR_NUMBER: ${{ github.event.issue.number }}
+ REPO: ${{ github.repository }}
+ run: |
+ gh label create "fullsend-no-fix" --repo "$REPO" \
+ --description "Skip bot-triggered fix agent runs" --color "FBCA04" \
+ --force 2>/dev/null || true
+ gh pr edit "$PR_NUMBER" --repo "$REPO" \
+ --add-label "fullsend-no-fix"
+ gh pr comment "$PR_NUMBER" --repo "$REPO" \
+ --body "Fix agent disabled for this PR. Remove the \`fullsend-no-fix\` label or use \`/fs-fix\` to re-engage."
From 03148287253214fc714661788a5fec3c528c641c Mon Sep 17 00:00:00 2001
From: Stefano Pentassuglia
Date: Wed, 3 Jun 2026 12:04:06 +0200
Subject: [PATCH 2/2] Update fullsend.yaml
---
 .github/workflows/fullsend.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.github/workflows/fullsend.yaml b/.github/workflows/fullsend.yaml
index 5735a1d76..7820e5474 100644
--- a/.github/workflows/fullsend.yaml
+++ b/.github/workflows/fullsend.yaml
@@ -1,3 +1,19 @@
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
 # lint-workflow-size: max-lines=280
 # fullsend shim workflow (workflow_call mode)
 # Routes events to agent workflows in .fullsend via workflow_call.
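Review bot: The `dispatch` job's `uses: conforma/.fullsend/.github/workflows/dispatch.yml@main` tracks a mutable branch while the job inherits the workflow-level `actions: write` and `id-token: write` grants on `pull_request_target` and `issue_comment` runs, so whatever lands on that branch executes with OIDC token-minting rights in every enrolled repo. If tracking `@main` is the intended deployment contract (the header says the `conforma` owner is substituted by reconcile-repos.sh), record that decision next to the `uses:` line, e.g. `# dispatch.yml is intentionally tracked at @main: the .fullsend repo's branch is the deployment contract`; otherwise pin to a tag or commit SHA. Separately, the bot filter in the `dispatch` job's `if:` only covers `issue_comment`, so `pull_request_target` and `issues` events raised by the agent's own PRs, labels or edits would still dispatch — presumably dispatch.yml breaks any loop, which the Routing comment could state. The `stop-fix` job looks sound: `PR_NUMBER` and `REPO` reach the shell through `env` rather than being interpolated into `run:`, and the posted comment body is a constant. As rendered on this page the hunk's indentation is collapsed, so the YAML nesting itself could not be checked.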