Problem
Autoloop PRs often have no CI running because:
- Pushes via GITHUB_TOKEN don't trigger workflows (GitHub security measure)
- Even with GH_AW_CI_TRIGGER_TOKEN, the safe-outputs push may not always trigger CI reliably
- The PR can sit with no checks for hours, invisible to Evergreen's selector (which treats "no checks" as "healthy")
Desired behavior
When Evergreen encounters an autoloop PR (branch starts with autoloop/, has autoloop label) that has no check runs or only stale/queued checks, Evergreen should use its token to trigger CI directly.
This should ONLY apply to autoloop PRs — not to PRs from outside contributors, for security reasons (anyone can comment on public issues to steer autoloop, so we want to be careful about auto-triggering CI on arbitrary code).
Implementation
- Detection: In pr_needs_attention, add a new issue type missing_checks when:
  - The PR branch matches autoloop/*
  - The PR has no completed check runs, OR the latest check run is stale (older than the HEAD commit)
- Action: When Evergreen selects a PR with missing_checks:
  - Use GH_AW_CI_TRIGGER_TOKEN (or the workflow's GitHub token) to trigger CI via one of:
    - gh workflow run ci.yml --ref <branch> (workflow_dispatch — requires adding workflow_dispatch trigger to ci.yml)
    - Push an empty commit to the branch to trigger the push event
    - Use the GitHub API to re-request check runs
  - Post a comment noting that CI was triggered
  - Do NOT attempt any code fixes — just trigger CI and move on
- CI workflow change: Add workflow_dispatch trigger to ci.yml so Evergreen can trigger it directly:

    on:
      workflow_dispatch:
      push:
        branches: [main, "autoloop/**"]
      pull_request:
        branches: [main]
Security considerations
- Only trigger CI on PRs from branches matching autoloop/* — these are created by the autoloop workflow, not external contributors
- Do NOT auto-trigger CI on PRs from forks or unknown branches
- The autoloop label can be checked as an additional signal, but branch name is the primary gate since labels can be added by anyone on public repos
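A sketch of the missing_checks detection with the gating from the security considerations, added here as an example and not Evergreen's own code. The function names, the dict shapes (modelled on GitHub REST pull request and check run objects), the same-repository test used to exclude forks, and the reading of "stale" as "newest completed run belongs to an older commit" are assumptions.

```python
from datetime import datetime

AUTOLOOP_PREFIX = "autoloop/"

def is_trusted_autoloop_pr(pr):
    """Gate on same-repo head and branch prefix; the label is never sufficient."""
    head_repo = pr["head"].get("repo") or {}  # repo is null if the fork was deleted
    same_repo = head_repo.get("full_name") == pr["base"]["repo"]["full_name"]
    return same_repo and pr["head"]["ref"].startswith(AUTOLOOP_PREFIX)

def _when(run):
    # Accept the trailing "Z" form on Python versions before 3.11 as well.
    return datetime.fromisoformat(run["completed_at"].replace("Z", "+00:00"))

def detect_missing_checks(pr, check_runs):
    """Return the reason CI should be triggered, or None to leave the PR alone."""
    if not is_trusted_autoloop_pr(pr):
        return None  # forks and non-autoloop branches are never auto-triggered
    completed = [r for r in check_runs if r["status"] == "completed"]
    if not completed:
        return "no completed check runs"  # covers empty and queued-only lists
    latest = max(completed, key=_when)
    # Assumption: "stale" means the newest completed run was for an older commit.
    if latest["head_sha"] != pr["head"]["sha"]:
        return "latest check run is stale"
    return None

# Constructed sample data; "org/repo" and the SHAs are placeholders.
def sample_pr(ref, head_repo, labels=("autoloop",)):
    return {"head": {"ref": ref, "sha": "aaa111", "repo": {"full_name": head_repo}},
            "base": {"repo": {"full_name": "org/repo"}},
            "labels": [{"name": n} for n in labels]}

def sample_run(status, sha, completed_at=None):
    return {"status": status, "head_sha": sha, "completed_at": completed_at}

if __name__ == "__main__":
    own = sample_pr("autoloop/fix-1", "org/repo")
    fork = sample_pr("autoloop/fix-1", "outsider/repo")  # labelled, but a fork
    old = sample_run("completed", "000fff", "2024-05-01T10:00:00Z")
    print(detect_missing_checks(own, []))                # no completed check runs
    print(detect_missing_checks(own, [old]))             # latest check run is stale
    print(detect_missing_checks(fork, []))               # None
```

The fork case matters because a fork can name its head branch autoloop/anything, so the branch prefix only identifies autoloop's own branches once the head repository is known to be the base repository.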