
feat: add fullsend AI agents for scorecard workspace #3256

Merged: durandom merged 6 commits into redhat-developer:main from durandom:fullsend-review-pilot on Jun 1, 2026

Conversation

durandom (Member) commented Jun 1, 2026

Summary

  • Enables fullsend agents (triage, coder, review, fix) on workspaces/scorecard/
  • Review auto-triggers on PRs touching workspaces/scorecard/**; all other agents are available via /fs-* slash commands
  • Slash commands are auth-gated — only org members/collaborators can trigger them (rhdh-plugins is public; without this gate external users could burn Vertex AI tokens)
  • Adds CODEOWNERS protection for .fullsend/ and .github/workflows/fullsend.yaml
  • Includes operational documentation at docs/fullsend.md

What this PR does NOT do

  • Does not run fullsend admin install — the customized shim (with auth gate) would be overwritten by the installer's default template
  • Does not set GitHub secrets/variables — that's a post-merge step (see below)
  • Does not modify .pr_agent.toml — PR Agent continues running as-is; both agents will run in parallel for comparison

Files

File                               Purpose
.fullsend/config.yaml              Declares enabled roles: triage, coder, review, fix
.github/workflows/fullsend.yaml    Event shim with auth-gated slash commands, paths filter for workspaces/scorecard/**, stop-fix job
.fullsend/customized/              Scaffold directories (agents, harness, policies, schemas, env, scripts, skills) with .gitkeep
docs/fullsend.md                   Operational docs — agent table, slash commands, auth model, PR Agent coexistence, expansion guide, debugging
.github/CODEOWNERS                 Added /.fullsend/ and /.github/workflows/fullsend.yaml with owner @redhat-developer/rhdh-plugins-maintainers

Post-merge steps

  1. Set GitHub repo variables:
     • FULLSEND_MINT_URL — shared token mint URL (get from fullsend team or rhdh-agentic's settings)
     • FULLSEND_GCP_REGION — GCP region for Vertex AI inference
  2. Set GitHub repo secrets:
     • FULLSEND_GCP_WIF_PROVIDER — WIF provider for this repo in the inference GCP project
     • FULLSEND_GCP_PROJECT_ID — GCP project for Vertex AI inference
  3. Add rhdh-plugins to fullsend GitHub Apps access:
     The fullsend-ai GitHub Apps are already installed in the redhat-developer org with selected repos. Add rhdh-plugins to the repository access for: fullsend-ai-triage, fullsend-ai-coder, fullsend-ai-review.
  4. Test: Open a PR touching files in workspaces/scorecard/ and verify the review agent triggers. Post /fs-triage on an issue to test the slash command auth gate.

Test plan

  • Verify workflow YAML parses correctly (CI validate-codeowners.yml will check CODEOWNERS)
  • After merge + secrets setup: open a test PR in workspaces/scorecard/ and confirm review agent triggers
  • Open a test PR in a non-scorecard workspace and confirm the review workflow does NOT trigger
  • Post /fs-triage as an org member — should trigger triage agent
  • Verify PR Agent continues working normally on all PRs

🤖 Generated with Claude Code
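The dispatch rules the description lays out (review auto-triggers on PRs touching workspaces/scorecard/**, /fs-* slash commands accepted only from org members and collaborators, /fs-fix-stop routed to a separate stop-fix job) are small enough to model as one decision function and unit-test before anything runs under pull_request_target on a public repo. The block below is an added example written for this page; it is not the PR's .github/workflows/fullsend.yaml and not fullsend's code. The payload field names follow GitHub's issue_comment webhook (action, comment.body, comment.author_association), the sample events are constructed by the make_comment_event helper, and the command names other than /fs-triage and /fs-fix-stop are assumed from the /fs-* naming.

```python
"""Decision model for the fullsend event shim described in this PR.

Added example for this page, not the PR's fullsend.yaml and not fullsend's
code. Field names follow GitHub's issue_comment webhook payload; command
names other than /fs-triage and /fs-fix-stop are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# comment.author_association values that count as "org member or
# collaborator". Everything else (CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR,
# FIRST_TIMER, NONE) is an outsider on a public repo and must not be able
# to spend Vertex AI tokens through a slash command.
TRUSTED_ASSOCIATIONS = frozenset({"OWNER", "MEMBER", "COLLABORATOR"})

# Slash command -> job. /fs-fix-stop is the separate stop-fix job.
# /fs-coder, /fs-review and /fs-fix are assumed names.
SLASH_COMMANDS: Dict[str, str] = {
    "/fs-triage": "triage",
    "/fs-coder": "coder",
    "/fs-review": "review",
    "/fs-fix": "fix",
    "/fs-fix-stop": "stop-fix",
}

# Equivalent of the workflow's `paths:` filter for the review trigger.
REVIEW_PATHS = ("workspaces/scorecard/**",)


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Actions-style path glob: ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def matches_paths_filter(changed_files: Iterable[str],
                         patterns: Iterable[str] = REVIEW_PATHS) -> bool:
    """True if any changed file matches any pattern."""
    regexes = [_glob_to_regex(p) for p in patterns]
    return any(r.match(f) for f in changed_files for r in regexes)


@dataclass(frozen=True)
class Decision:
    job: Optional[str]  # "review", "triage", ..., "stop-fix", or None
    reason: str


def decide(event_name: str, payload: dict,
           changed_files: Iterable[str] = ()) -> Decision:
    """Return which job (if any) the shim should dispatch for one event."""
    if event_name == "pull_request_target":
        # Runs the base-branch shim with secrets, including for fork PRs,
        # so the only gate here is the paths filter; the shim must never
        # check out or execute head-ref code.
        if matches_paths_filter(changed_files):
            return Decision("review", "PR touches workspaces/scorecard/**")
        return Decision(None, "PR does not touch pilot paths")

    if event_name == "issue_comment":
        # Only newly created comments count; edits or deletions of an old
        # comment must not re-trigger an agent.
        if payload.get("action") != "created":
            return Decision(None, f"ignored comment action {payload.get('action')!r}")
        comment = payload["comment"]
        body = comment.get("body", "").strip()
        first_token = body.split(maxsplit=1)[0] if body else ""
        job = SLASH_COMMANDS.get(first_token)  # exact match: /fs-fix != /fs-fix-stop
        if job is None:
            return Decision(None, "not a /fs-* command")
        assoc = comment.get("author_association", "NONE")
        if assoc not in TRUSTED_ASSOCIATIONS:
            return Decision(None, f"auth gate: {assoc} is not an org member or collaborator")
        return Decision(job, f"{first_token} accepted from {assoc}")

    return Decision(None, f"unhandled event {event_name}")


def make_comment_event(body: str, association: str,
                       action: str = "created") -> dict:
    """Constructed minimal issue_comment payload (not a captured webhook)."""
    return {"action": action,
            "comment": {"body": body, "author_association": association}}


if __name__ == "__main__":
    samples = [
        ("pull_request_target", {}, ["workspaces/scorecard/plugins/x.ts"]),
        ("pull_request_target", {}, ["workspaces/lightspeed/plugins/x.ts"]),
        ("issue_comment", make_comment_event("/fs-triage", "MEMBER"), ()),
        ("issue_comment", make_comment_event("/fs-triage", "NONE"), ()),
        ("issue_comment", make_comment_event("/fs-fix-stop", "COLLABORATOR"), ()),
        ("issue_comment", make_comment_event("/fs-triage", "MEMBER", "edited"), ()),
    ]
    for name, payload, files in samples:
        d = decide(name, payload, files)
        print(f"{name:21s} -> {d.job!s:9s} ({d.reason})")
```

In the workflow itself the same predicate is a job-level `if:` over `github.event.comment.author_association` and the comment body; the model above is useful because the three failure modes that matter on a public repo (an outsider's comment, an edited old comment, a command buried mid-sentence) can be asserted on without opening a test PR.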

Copilot AI review requested due to automatic review settings June 1, 2026 12:36
@durandom durandom requested review from a team as code owners June 1, 2026 12:36

Copilot AI left a comment

Pull request overview

Adds a review-only Fullsend pilot for selected AI-related workspaces in rhdh-plugins, using a dedicated GitHub Actions workflow shim plus guardrail documentation and CODEOWNERS protection.

Changes:

  • Introduces a pull_request_target-based Fullsend dispatch workflow scoped by paths to three pilot workspaces and configured for per-repo install mode.
  • Adds .fullsend/ configuration + scaffold directories for future customization.
  • Documents the pilot’s scope/operations and protects Fullsend config/workflow via CODEOWNERS.

Reviewed changes

Copilot reviewed 4 out of 11 changed files in this pull request and generated 9 comments.

File                              Description
docs/fullsend.md                  Operational documentation for the pilot, scope, and expansion/debug guidance.
.github/workflows/fullsend.yaml   Fullsend dispatch "shim" workflow for the review-only pilot, scoped by workspace paths.
.github/CODEOWNERS                Adds maintainer ownership for Fullsend config and workflow guardrails.
.fullsend/config.yaml             Enables review role for Fullsend.
.fullsend/customized/**/.gitkeep  Scaffolds customization directories for future Fullsend extensions.


Comment on lines +36 to +40
dispatch:
concurrency:
group: fullsend-dispatch-${{ github.event.pull_request.number }}
cancel-in-progress: false
uses: fullsend-ai/fullsend/.github/workflows/reusable-dispatch.yml@v0
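Review bot: `cancel-in-progress: false` on a per-PR concurrency group (lines 36-40) means each push to the same PR queues another dispatch instead of superseding the one in flight; since fork PRs reach this job, that queue is a token-spend path an outsider drives just by pushing commits, so either set `cancel-in-progress: true` for the review trigger or record in docs/fullsend.md why queuing is wanted. The `uses:` line is also the trust boundary of the whole design: the only thing that keeps fork-triggered runs away from this repository's secrets is that neither this shim nor reusable-dispatch.yml checks out the head ref, and that invariant deserves a comment directly above `uses:` so a future edit does not break it silently.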

durandom (Member, Author):

Intentional: fork PRs should be reviewed — that's the point of the review agent. pull_request_target runs the BASE branch version of this workflow, so fork PRs cannot modify the shim to exfiltrate secrets. The shim never checks out PR code; it only forwards event context to fullsend's reusable workflow, which runs in its own sandboxed environment.

Comment on lines +19 to +25
permissions:
actions: write
id-token: write
contents: write
issues: write
packages: read
pull-requests: write
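Review bot: the permissions block at lines 19-25 sits above the `dispatch` job (line 36), so it applies to every job in the file, including stop-fix, and every grant is handed to the GITHUB_TOKEN of fork-triggered pull_request_target runs. `contents: write` and `actions: write` are the two to justify: a token that can push to the repository and dispatch or cancel workflows is the worst case if anything downstream is ever fed untrusted PR content. Scope the block to the `dispatch` job, drop `actions: write` unless the reusable workflow is shown to call the Actions API, and list the remaining grants with their reason in docs/fullsend.md.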

durandom (Member, Author):

These permissions match the fullsend reference shim (used across multiple repos in the redhat-developer org). The reusable workflow needs contents: write for code suggestions, pull-requests: write for posting reviews, issues: write for triage labeling, id-token: write for WIF auth, and actions: write for workflow dispatch. Reducing them risks breaking the reusable workflow contract. The blast radius is mitigated by the shim never checking out or executing PR code.

concurrency:
group: fullsend-dispatch-${{ github.event.pull_request.number }}
cancel-in-progress: false
uses: fullsend-ai/fullsend/.github/workflows/reusable-dispatch.yml@v0
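Review bot: `@v0` is a moving tag, so anyone who can move tags in fullsend-ai/fullsend changes what runs here with this repository's secrets and write token, and nothing in this repo records which revision was reviewed. Pin to the full-length commit SHA of the current v0 release with the tag name in a trailing comment and bump it deliberately; if the floating tag is kept as a conscious tradeoff, say so in a comment on the `uses:` line and in docs/fullsend.md so the next reader does not mistake it for an oversight.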

durandom (Member, Author):

@v0 is the fullsend team's supported semver tag — it receives security patches and bug fixes without consumer repos needing to update. Pinning to a SHA would require manual tracking and risks missing fixes. This is a conscious tradeoff: we trust the fullsend team (internal Red Hat) to maintain the @v0 contract, same as all other consumer repos in the org.

@durandom durandom marked this pull request as draft June 1, 2026 12:52
@durandom durandom changed the title from "feat: add fullsend review-only pilot for AI workspaces" to "feat: add fullsend AI agents for augment workspace" Jun 1, 2026
rhdh-gh-app Bot commented Jun 1, 2026

⚠️ CODEOWNERS Validation Failed

The following users are listed in CODEOWNERS but are not members of the rhdh-plugins-codeowners team:

durandom

An org admin needs to add the missing members to the team before this PR can be merged.


schultzp2020 (Contributor) left a comment:

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Jun 1, 2026
@durandom durandom marked this pull request as ready for review June 1, 2026 15:02

durandom and others added 6 commits June 1, 2026 17:18
Enable fullsend Review agent on three AI-related workspaces
(ai-integrations, lightspeed, mcp-integrations) via a hardened
shim workflow. Slash commands are intentionally disabled because
rhdh-plugins is public and fullsend has no auth check on
issue_comment-triggered agents.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Expand from review-only to full agent set (triage, coder, review, fix).
Add auth gate on dispatch job to restrict slash commands to org
members/collaborators — prevents external users from burning Vertex AI
tokens on this public repo. Add stop-fix job for /fs-fix-stop command.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Document actual fullsend agent behavior — designed auto-triggers vs
what actually fires. Only Review reliably auto-triggers; the rest
require slash commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@durandom durandom force-pushed the fullsend-review-pilot branch from 5a246d9 to ea6951d June 1, 2026 15:18
@openshift-ci openshift-ci Bot removed the lgtm label Jun 1, 2026
openshift-ci Bot commented Jun 1, 2026

New changes are detected. LGTM label has been removed.

sonarqubecloud Bot commented Jun 1, 2026

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

@durandom durandom merged commit ac69555 into redhat-developer:main Jun 1, 2026
11 of 12 checks passed
@durandom durandom deleted the fullsend-review-pilot branch June 1, 2026 15:21
@durandom durandom changed the title from "feat: add fullsend AI agents for augment workspace" to "feat: add fullsend AI agents for scorecard workspace" Jun 2, 2026