Skip to content

fix(workflows): refresh org per execution and gate metadata OrgID#22311

Open
prashantkumar1982 wants to merge 2 commits intodevelopfrom
fix/workflow-v2-org-resolve-and-metadata-gate
Open

fix(workflows): refresh org per execution and gate metadata OrgID#22311
prashantkumar1982 wants to merge 2 commits intodevelopfrom
fix/workflow-v2-org-resolve-and-metadata-gate

Conversation

@prashantkumar1982
Copy link
Copy Markdown
Contributor

@prashantkumar1982 prashantkumar1982 commented May 5, 2026
edited
Loading

Resolve workflow org at subscribe and at each execution start, thread it into SecretsFetcher and ExecutionHelper, and re-bind CRE for tracing and confidential execution. Add enrichRequestMetadataOrg for trigger register/unregister and capability calls; confidential-workflows sets OrgId and metadata OrgID only when VaultOrgIdAsSecretOwnerEnabled is on. Close gate limiters in tests via t.Cleanup.

This is fixing a regression caused by a previous PR here: https://github.com/smartcontractkit/chainlink/pull/21715/changes#diff-d217f82a818cadc25ef1cfd01b67b55b5ce2b86a5256af94d3472de4d4a24f56L619-L632
Then, we only resolved OrgID during engine startup.

@prashantkumar1982 @cursoragent
fix(workflows): refresh org per execution and gate metadata OrgID
bd4ccc7 
Resolve workflow org at subscribe and at each execution start, thread it into
SecretsFetcher and ExecutionHelper, and re-bind CRE for tracing and confidential
execution. Add enrichRequestMetadataOrg for trigger register/unregister and
capability calls; confidential-workflows sets OrgId and metadata OrgID only when
VaultOrgIdAsSecretOwnerEnabled is on. Close gate limiters in tests via t.Cleanup.

Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 5, 2026

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 5, 2026
edited
Loading

✅ No conflicts with other open PRs targeting develop

@prashantkumar1982 @cursoragent
fix(workflows): avoid err shadow in enrich metadata paths (govet)
16ee018 
Co-authored-by: Cursor <cursoragent@cursor.com>
@prashantkumar1982 prashantkumar1982 marked this pull request as ready for review May 5, 2026 21:47
@prashantkumar1982 prashantkumar1982 requested a review from a team as a code owner May 5, 2026 21:47
@chatgpt-codex-connector
Copy link
Copy Markdown

chatgpt-codex-connector Bot commented May 5, 2026

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@trunk-io
Copy link
Copy Markdown

trunk-io Bot commented May 5, 2026
edited
Loading

Static BadgeStatic BadgeStatic BadgeStatic Badge

View Full Report ↗︎Docs

bolekk
bolekk reviewed May 5, 2026
View reviewed changes
Comment thread core/services/workflows/v2/capability_executor.go
Config: values.EmptyMap(),
}

if err = c.enrichRequestMetadataOrg(ctx, &capReq.Metadata, c.ExecutionOrgID); err != nil {
Copy link
Copy Markdown
Contributor

@bolekk bolekk May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need to resolve it on every execution? I was just discussing with @ibrajer that we could do the opposite - resolve the org once and store it in the DB for all future executions and other workflows.

Copy link
Copy Markdown
Contributor Author

@prashantkumar1982 prashantkumar1982 May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The question is how tolerant are we for stale orgIDs.
Since we can re-link a workflow owner with a different orgID, it means orgIDs can go stale.

@cl-sonarqube-production
Copy link
Copy Markdown

cl-sonarqube-production Bot commented May 5, 2026

Quality Gate passed Quality Gate passed

Issues
2 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@jmank88 jmank88 requested review from jmank88 and patrickhuie19 May 5, 2026 22:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bolekk bolekk bolekk left review comments

@fernandofederico1984 fernandofederico1984 Awaiting requested review from fernandofederico1984

@jmank88 jmank88 Awaiting requested review from jmank88

@patrickhuie19 patrickhuie19 Awaiting requested review from patrickhuie19

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@prashantkumar1982 @bolekk