ci: add canary dispatcher for canary-tested PRs (PILOT-162)#179
Merged
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Collaborator
Author
|
🤖 Hank — CI status Classification: The build/test failure is a genuine code defect: @matthew-pilot — fix or comment. Auto-classified at 2026-05-30T00:12:11Z. Re-runs on next push or check completion. |
2 tasks
TeoSlayer
added a commit
that referenced
this pull request
May 30, 2026
PR #155 extracted pkg/registry to pilot-protocol/rendezvous and pkg/secure to pilot-protocol/common, but the architecture-gates workflow still ran 'go test ./pkg/registry/... ./pkg/secure', which now fails with 'no such file or directory' on every PR. Replace with ./pkg/daemon/... — the daemon-side lock graph (Store.mu, ReplayMu, SalvageMu, tm.mu) is what this gate is actually meant to cover. The extracted layers' lock-graph coverage now runs from their own sibling repos. Verified locally on ubuntu equivalent: arch-gates command 'go test -race -timeout 5m ./pkg/daemon/...' completes without the missing-directory errors. Unblocks PRs #177, #178, #179, #180. Co-authored-by: Teodor Calin <teodor@vulturelabs.io>
Copies the dispatcher template from pilot-protocol/pilot-canary. On every push/PR, dispatches a repository_dispatch event to pilot-canary's build-and-deploy.yml with component=web4. This closes the CI gap where web4 changes aren't canary-tested. Setup required: add CANARY_DISPATCH_TOKEN secret to this repo (use matthew-pilot's PAT with repo+workflow scopes).
The dispatch step calls 'gh api ...' with secrets.CANARY_DISPATCH_TOKEN as GH_TOKEN. When the secret isn't set on a repo (default state), the gh call returns HTTP 401 and the workflow step exits 4, marking the whole 'Notify canary of changes' check as FAILURE on every PR and push — including PRs that have nothing to do with canary. Setting the secret is an operator task documented in the file's header. Until that's done, treat absence as a clean skip via a ::notice:: log line, rather than gating every PR on a credential that's intentionally not in the repo. Adds an early 'Check token presence' step that probes the secret and sets a step output. The dispatch step then gates on that output via 'if:'. With the token present, behaviour is identical to before.
TeoSlayer
force-pushed
the
hank/PILOT-162-canary-dispatcher-web4
branch
from
4187185 to
ff0baae
Compare
Comment on lines
+29
to
+63
| runs-on: ubuntu-latest | ||
| steps: | ||
| # The dispatch step requires CANARY_DISPATCH_TOKEN to be set as a | ||
| # repo secret (see header). Until an operator runs the `gh secret set`, | ||
| # treat "secret absent" as a skip, not a failure — this workflow runs | ||
| # on every PR and push, so a hard fail here would gate the entire | ||
| # check rollup on a credential that's intentionally not committed. | ||
| - name: Check token presence | ||
| id: token_check | ||
| env: | ||
| TOKEN: ${{ secrets.CANARY_DISPATCH_TOKEN }} | ||
| run: | | ||
| if [ -z "${TOKEN}" ]; then | ||
| echo "::notice::CANARY_DISPATCH_TOKEN not set in repo secrets — skipping canary dispatch" | ||
| echo "have_token=false" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "have_token=true" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| - name: Dispatch repository_dispatch to pilot-canary | ||
| if: steps.token_check.outputs.have_token == 'true' | ||
| env: | ||
| GH_TOKEN: ${{ secrets.CANARY_DISPATCH_TOKEN }} | ||
| # CHANGE THIS to match your component name in pilot-canary's resolve step | ||
| COMPONENT: web4 | ||
| REF: ${{ github.head_ref || github.ref_name }} | ||
| run: | | ||
| set -euo pipefail | ||
| echo "Dispatching: component=$COMPONENT ref=$REF" | ||
| gh api -X POST /repos/pilot-protocol/pilot-canary/dispatches \ | ||
| -f event_type=component-changed \ | ||
| -f client_payload[component]="$COMPONENT" \ | ||
| -f client_payload[ref]="$REF" \ | ||
| -f client_payload[source_repo]="${{ github.repository }}" \ | ||
| -f client_payload[source_sha]="${{ github.sha }}" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PILOT-162 — Wire canary CI from web4
Copies the dispatcher template from
pilot-protocol/pilot-canary/.github/templates/dispatcher.yml.What it does
On every push/PR to any branch, dispatches a
repository_dispatchevent topilot-protocol/pilot-canarywith:event_type: component-changedcomponent: web4ref: <branch-name>The canary build resolves web4 to this branch, using latest-stable for other components (rendezvous, updater, common).
Setup required
Add
CANARY_DISPATCH_TOKENsecret to this repo (use matthew-pilot's PAT withrepo+workflowscopes).