fix(observability): surface publish/checks-perm/secret-scan failures to Sentry#1627
Merged
Conversation
…to Sentry Three review-pipeline failure classes in processors.ts were invisible to the self-host Sentry forwarder (which only forwards level:error/fatal): - Total public-surface publish failure (maybePublishPrPublicSurface): the advisory ran but NOTHING reached the PR (revoked token / perms removed / 5xx) was recorded only to the DB audit ledger. Escalate via captureReviewFailure (kind:publish), scoped to the total-failure branch (partial publish stays ledger-only to avoid noise). - Install-wide Checks:write gap (auditGateCheckPermissionMissing chokepoint + the context check-run branch): a misconfig that silently stops the required gate check-run from ever posting now logs at level:error. - Secret-leak scan crash: a crashed credential scanner degraded silently at level:warn -> flipped to level:error. Covered by existing pr_public_surface_failed / *_permission_missing tests; a captureReviewFailure spy pins the total-failure escalation.
Contributor
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1627 +/- ##
=======================================
Coverage 95.52% 95.52%
=======================================
Files 204 204
Lines 22056 22060 +4
Branches 7967 7967
=======================================
+ Hits 21069 21073 +4
Misses 412 412
Partials 575 575
🚀 New features to boost your workflow:
|
8 tasks
JSONbored
added a commit
that referenced
this pull request
Jun 28, 2026
…the event slug (#1636) forwardStructuredLogToSentry titled each issue with only obj.event and buried the real failure in a 'log' context blob — so operators had to open each issue to learn what broke. Now: - title leads with the failure: "<event>: <message ?? error>" (e.g. orb_broker_unavailable: The operation was aborted due to timeout) - index filterable tags for the dimensions operators search/group by (repo, installationId, pull, pr, project, kind, deliveryId), present values only - fingerprint by event so recurrences collapse into one issue instead of fragmenting on the variable detail now in the title Pairs with the source-side instrumentation (#1605/#1619/#1625/#1627/#1628): those make failures reach Sentry; this makes each issue legible at a glance.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Surfaces three review-pipeline failure classes in
processors.tsto Sentry. The self-host forwarder (src/selfhost/sentry.ts) only forwardslevel:"error"/"fatal"console lines, so these were invisible to operators:maybePublishPrPublicSurface, thepublishedOutputs.length === 0 && failedOutputs.length > 0branch): the advisory ran but nothing reached the PR (revoked token / perms removed / GitHub 5xx) — the worst failure for an advisory-only bot — was recorded only to the DB audit ledger. Now escalated viacaptureReviewFailure(..., { kind:"publish", owner, repo, pr, head_sha, failedOutputs })(already imported; no-op when Sentry is off). Scoped to the total-failure branch (a partial publish stays ledger-only to avoid noise).Checks:writegap (auditGateCheckPermissionMissingchokepoint + the context check-run branch): a common self-host misconfig silently prevents the required gate check-run from ever posting on any PR — now logged atlevel:"error"(gate_check_permission_missing/check_run_permission_missing). Volume bounded (once-per-install config fault).maybeAddSecretLeakFindingcatch): a crashed credential scanner degraded silently to "no finding" atlevel:"warn"— flipped tolevel:"error"(a security-observability event).Surfaced by the 2026-06-27 review-pipeline hardening audit (observability — high + medium).
Scope
site//CNAME/Pages; followsCONTRIBUTING.md.Validation
git diff --check·actionlint·typechecktest:coverage— all three branches are exercised by existing tests (pr_public_surface_failed,gate_check_permission_missing,check_run_permission_missing); the new log/capture lines add no branches. Added acaptureReviewFailurespy to the existing total-failure test pinning thekind:"publish"escalation. The secret-scan catch is/* v8 ignore */.test:workers·build:mcp·test:mcp-pack·ui:*·npm audit --audit-level=moderateIf any required check was skipped, explain why:
Safety
Notes
captureReviewFailureis a no-op on cloud/Workers and on self-host without a Sentry DSN.