Partial revert of #400: restore the issue-triggered helpers PR #400 said it would retain #419
sebryu wants to merge 2 commits into warpdotdev:main from
PR warpdotdev#400 ("feat: migrate control plane to vercel webhook and consolidate agents on cloud runs") removed five reusable workflows from `.github/workflows/`, but its description states those issue-triggered helpers were intended to be retained during the cutover so both delivery paths could be exercised in parallel.

These five reusable workflows are still referenced as `uses:` targets by adapter workflows in `warpdotdev/warp`. Because the targets are gone, those runs now fail at workflow-resolution time before any job runs (GitHub: "This run likely failed because of a workflow file issue."), including `respond-to-triaged-issue-comment-local.yml` on every `@oz-agent` comment to a triaged issue.

Files restored verbatim from the pre-deletion commit (6ffca63 — the parent of 6a5ac7c):
- .github/workflows/respond-to-triaged-issue-comment.yml
- .github/workflows/comment-on-unready-assigned-issue.yml
- .github/workflows/update-dedupe.yml
- .github/workflows/update-pr-review.yml
- .github/workflows/update-triage.yml

This is one of two valid resolutions to warpdotdev#418. Maintainers should choose:
1. Merge this PR (matches PR warpdotdev#400's stated intent of keeping legacy helpers in place during cutover).
2. Close this PR and instead complete the cutover — confirm the new Vercel webhook handles all five paths (note: `core/workflows/` currently has no handler for `@oz-agent` mentions on already-triaged issues), then open a follow-up in `warpdotdev/warp` to delete the five adapter workflows.

Refs: warpdotdev#418
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and posted feedback on this pull request.
Overview
This PR restores five reusable GitHub Actions workflows that were removed during the control-plane migration.
Concerns
- The restored workflows still call composite actions under `.github/actions/...@main`, but those action directories and the `.github/scripts` entrypoints were deleted from `main` by the same migration. Restoring only the workflow files will leave callers failing before the Python workflow code can run.
Verdict
Found: 0 critical, 2 important, 0 suggestions
Request changes
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
| - name: Checkout repo | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
| - name: Run unready-assignment workflow | ||
| uses: warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main # main |
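Review bot: The composite action on the last line is referenced as `run-oz-python-script@main`, a branch ref that can move, while `actions/checkout` two lines above is pinned to a full commit SHA. Pin this `uses:` to a commit SHA in the same way (keeping the trailing comment for the human-readable ref), so that a reusable workflow called from other repositories always resolves to reviewed action code.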
warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main, but .github/actions/run-oz-python-script/action.yml and the .github/scripts entrypoints are absent from main. Restore those dependencies too or rewrite this workflow to call the new control-plane path; otherwise callers will still fail with action.yml not found.
| with: | ||
| fetch-depth: 0 | ||
| - name: Build triage agent container | ||
| uses: warpdotdev/oz-for-oss/.github/actions/build-triage-image@main # main |
warpdotdev/oz-for-oss/.github/actions/build-triage-image@main is also missing from main, so this restored job will fail before it reaches the inline response script. Restore the composite action and Docker assets or replace the step with the current implementation.
…rkflows

Addresses Oz's CHANGES_REQUESTED on this PR: the five workflow files restored in the previous commit reference composite actions (`build-triage-image`, `run-oz-python-script`) and Python entrypoints that were also deleted by PR warpdotdev#400. Without these, the workflows would still fail at action resolution before any script could run.

This commit restores the dependency closure for those five workflows, all from commit 6ffca63 (the parent of the deletion commit 6a5ac7c), scoped to what the legacy issue-triggered helpers actually need:

Composite actions:
- .github/actions/build-triage-image/action.yml
- .github/actions/run-oz-python-script/action.yml

Python entrypoints (one per restored workflow):
- .github/scripts/respond_to_triaged_issue_comment.py
- .github/scripts/comment_on_unready_assigned_issue.py
- .github/scripts/update_dedupe.py
- .github/scripts/update_pr_review.py
- .github/scripts/update_triage.py

Shared library used by the entrypoints:
- .github/scripts/oz_workflows/{__init__,actions,artifacts,docker_agent,env,helpers,oz_client,repo_local,triage,verification,workflow_config,workflow_paths}.py
- .github/scripts/requirements.txt

Triage container (built by `build-triage-image`, run by docker_agent.py):
- docker/triage/{Dockerfile,README.md,entrypoint.sh}
- uv.toml

Intentionally left deleted, because PR warpdotdev#400 explicitly migrated them to the Vercel webhook control plane:
- review-pull-request workflow + review_pr.py + build-review-image action + docker/review/
- enforce-pr-issue-state + enforce_pr_issue_state.py
- respond-to-pr-comment + respond_to_pr_comment.py
- verify-pr-comment + verify_pr_comment.py
- triage-new-issues + triage_new_issues.py
- resolve_review_context.py
- All test files (not strictly needed for runtime)

Verification:
- Grepped all restored Python files for imports; every `oz_workflows.*` module referenced is included in this restore.
- Grepped all restored YAML for `uses: warpdotdev/oz-for-oss/...`; only `build-triage-image` and `run-oz-python-script` are referenced and both are restored.

Refs: warpdotdev#418
Thanks for the review — you correctly flagged that restoring just the workflow files would leave the composite actions and Python entrypoints unresolved. I've pushed a follow-up commit (d6135fc) that closes the dependency graph for the five restored workflows:
Intentionally left deleted: anything PR #400 explicitly migrated to the Vercel webhook ( Verified via grep that every /oz-review |
I'm re-reviewing this pull request in response to a review request. You can view the conversation on Warp. I completed the review and posted feedback on this pull request.
Overview
This PR restores the legacy issue-triggered reusable workflows, composite actions, Python workflow helpers, and the triage container that were removed during the webhook cutover.
Concerns
- The restored triaged-issue response workflow forwards `OSS_WARP_API_KEY` into the same agent/container that processes untrusted issue bodies and comments, then posts the agent's returned Markdown without a secret-redaction boundary.
- The restored triage container builds from `warpdotdev/warp-agent:latest`, so future runs with workflow secrets can execute a mutable base image that did not go through this repository's review.
Security
- Prompt-injection content from issue comments can attempt to make the agent read and echo secrets inherited by its tool environment.
- The mutable base image is a supply-chain risk for a workflow that receives secrets.
Verdict
Found: 0 critical, 2 important, 0 suggestions
Request changes
| env: | ||
| GH_TOKEN: ${{ steps.app_token.outputs.token }} | ||
| GH_APP_SLUG: ${{ steps.app_token.outputs.app-slug }} | ||
| WARP_API_KEY: ${{ secrets.OSS_WARP_API_KEY }} |
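Review bot: `GH_TOKEN` (the app token from `steps.app_token`) sits in the same `env:` block as `WARP_API_KEY`, so whatever process this environment is attached to receives both credentials. Scope each variable to the step that actually needs it, and document next to this block which of them the agent process is expected to see.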
OSS_WARP_API_KEY into the same agent environment that receives untrusted issue bodies/comments, so prompt-injection content can ask the agent to read and echo the secret and the workflow posts analysis_comment without redaction. Keep the API key out of the agent/tool environment or use a narrowly scoped ephemeral token plus output secret scanning before enabling this path.
| # --output-format json \ | ||
| # --share | ||
|
|
||
| FROM warpdotdev/warp-agent:latest |
latest is mutable, so this workflow can execute a changed base image with WARP_API_KEY access without any repository review. Pin the base image to an immutable digest or reviewed version tag.
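A check for the two mutable-reference patterns raised in this review (`uses: ...@main` and `FROM ...:latest`), written as an added example; it is not code from this pull request or from the oz-for-oss repository. The function names and the sample inputs are constructed for illustration, modelled on the lines quoted above.

```python
import re

# Constructed samples modelled on the lines quoted in this review thread.
WORKFLOW = """\
steps:
  - name: Checkout repo
    uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
  - name: Run unready-assignment workflow
    uses: warpdotdev/oz-for-oss/.github/actions/run-oz-python-script@main # main
  - name: Local action (hypothetical path)
    uses: ./.github/actions/example
"""
DOCKERFILE = """\
FROM warpdotdev/warp-agent:latest AS base
FROM base
"""

USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*([^\s#]+)", re.M)
FROM_RE = re.compile(
    r"^[ \t]*FROM[ \t]+(?:--\S+[ \t]+)*(\S+)(?:[ \t]+AS[ \t]+(\S+))?", re.M | re.I)
SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_uses(yaml_text):
    """Return `uses:` targets whose ref is not a full 40-hex commit SHA."""
    findings = []
    for target in USES_RE.findall(yaml_text):
        target = target.strip("'\"")
        if target.startswith("./"):
            continue  # local path: resolved from the caller's own checkout
        if target.startswith("docker://"):
            pinned = bool(DIGEST_RE.search(target))
        else:
            pinned = bool(SHA_RE.fullmatch(target.partition("@")[2]))
        if not pinned:
            findings.append(target)
    return findings

def unpinned_from(dockerfile_text):
    """Return base images that are not pinned to an immutable sha256 digest."""
    findings, stages = [], {"scratch"}
    for image, alias in FROM_RE.findall(dockerfile_text):
        if image.lower() not in stages and not DIGEST_RE.search(image):
            findings.append(image)
        if alias:
            stages.add(alias.lower())  # later `FROM <alias>` is a build stage
    return findings
```

Both functions return the offending references, so a CI job can fail when either list is non-empty for any file under `.github/workflows/` or any Dockerfile in the tree.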
Both concerns are accurate, but both are pre-existing properties of the legacy code I restored at I don't think it's right for me to redesign the secret-handling boundary or pin the base image as part of a revert PR. Those are architectural decisions for the maintainers, and they're arguably the kind of thing the migration to the Vercel webhook + cloud agents is intended to address (sandboxed environments, ephemeral credentials, stricter boundaries on agent runtime). That is, this review is indirectly an argument for completing the cutover rather than restoring the legacy path. So flagging this for human judgment:
Either direction is fine; just want to surface the question rather than autonomously redesign legacy code that's about to be retired anyway. |
Closing this in favor of removing the warp-side adapters instead, per @captainsafia's response on #418:
The cleanup is happening at warpdotdev/warp#9843 (initial scope: the two event-driven adapters that are actively failing — Thanks for the review feedback — the security observations were accurate and the right read of the architecture direction. Leaving the branch ( |
Summary
Partial revert of PR #400, scoped to the legacy issue-triggered helpers its description said it would retain during cutover. Brings the actual repository state in line with that description and unblocks the Warp adapter workflows that depend on these reusable workflows.
- `respond-to-triaged-issue-comment.yml`, `comment-on-unready-assigned-issue.yml`, `update-dedupe.yml`, `update-pr-review.yml`, `update-triage.yml`
- `.github/actions/build-triage-image/`, `.github/actions/run-oz-python-script/`
- `respond_to_triaged_issue_comment.py`, `comment_on_unready_assigned_issue.py`, `update_dedupe.py`, `update_pr_review.py`, `update_triage.py`
- `.github/scripts/oz_workflows/` (full package) + `requirements.txt`
- `docker/triage/{Dockerfile,README.md,entrypoint.sh}` + `uv.toml`

All content is restored byte-for-byte from commit `6ffca63`, the parent of the deletion commit `6a5ac7c`.
Why
PR #400's description states (emphasis added):
The diff for the same PR removed the workflow files, the composite actions they call, and the Python entrypoints those actions execute. As a result, every `@oz-agent` mention on a triaged Warp issue now fails the corresponding GitHub Actions run before any job can start (e.g., run 25207261218). Full impact in #418.
What is intentionally left deleted
To keep the diff scoped to "what PR #400 promised to retain," I did not restore anything that PR #400 explicitly migrated to the Vercel webhook control plane:
- `review-pull-request.yml` + `review_pr.py` + `build-review-image` action + `docker/review/`
- `enforce-pr-issue-state.yml` + `enforce_pr_issue_state.py`
- `respond-to-pr-comment.yml` + `respond_to_pr_comment.py`
- `verify-pr-comment.yml` + `verify_pr_comment.py`
- `triage-new-issues.yml` + `triage_new_issues.py`
- `resolve_review_context.py` (review-path helper)
- `.github/scripts/tests/test_*` (not strictly needed for runtime; happy to add back if you'd like)

If any of those should also come back per PR #400's description (e.g., `create-spec-from-issue`, `create-implementation-from-issue`, plan-approval workflows are mentioned in the kept list but were also deleted), I can extend this PR — just say the word.
Assumptions
Verification
- `oz_workflows.*` module referenced is in this restore (full package included).
- `uses: warpdotdev/oz-for-oss/...` — only `build-triage-image` and `run-oz-python-script` are referenced, both restored.
Caveats — please decide
This PR is a proposal, not the only correct fix. Either is reasonable:
`@oz-agent` mentions on already-triaged issues in `core/workflows/` on `main`, and PR feat: migrate control plane to vercel webhook and consolidate agents on cloud runs #400 explicitly excludes that path), then open a follow-up in `warpdotdev/warp` to delete the five `*-local.yml` adapter workflows.
I don't have visibility into whether the Vercel control plane is deployed and whether the GitHub App webhook URL has been flipped, so I can't pick between (1) and (2) from outside.
Refs
warpdotdev/warp#4186a5ac7c7)6ffca63cc @captainsafia