fix: use GitHub App token in feature flag cleanup workflow to trigger CI #10642
The feature_flag_cleanup workflow used ${{ github.token }} when creating
PRs via peter-evans/create-pull-request. GitHub does not trigger workflows
from events generated by the default GITHUB_TOKEN, so the Warp CI workflow
never ran on these PRs — checks appeared stalled until a human pushed a
commit.
Switch to a GitHub App token minted from the Oz for OSS identity
(OZ_MGMT_GHA_APP_ID / OZ_MGMT_GHA_PRIVATE_KEY) so the pull_request.opened
event triggers downstream workflows including CI.
Co-Authored-By: Oz <oz-agent@warp.dev>
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request.
Powered by Oz
Overview
This PR switches the feature flag cleanup workflow from the default GITHUB_TOKEN to a GitHub App installation token so cleanup PR creation can trigger downstream pull_request workflows.
Concerns
- The newly added token-generation action is referenced by a mutable tag while it receives the GitHub App private key.
Security
- Pin actions/create-github-app-token to a full commit SHA before passing OZ_MGMT_GHA_PRIVATE_KEY to it.
Verdict
Found: 0 critical, 1 important, 0 suggestions
Request changes
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
@captainsafia I don't think I have enough context to review this. Feels like someone with more knowledge about this flow should review given how many different attempts we've made to fix it. Tagging in @bnavetta

@szgupta Yep, totally understand. I tagged you in because you originally reported the issue with feature flag cleanup PRs not having CI triggered. @bnavetta This is another version of the "commits from workflows don't trigger CI if you use the default token" problem we've run into elsewhere. I'm circumventing that here by using the identity provided by the Oz for OSS app. I know we've talked about moving this to a scheduled agent and avoiding GHA altogether. Maybe this issue is another motivation for us to just peel the bandaid on that.
bnavetta left a comment
> I know we've talked about moving this to a scheduled agent and avoiding GHA altogether. Maybe this issue is another motivation for us to just peel the bandaid on that.
Yeah maybe - I wonder if we want cloud->cloud orchestration + some of the integrations v2 automation work first. It'd be great if we could have one agent reliably produce structured data on stale feature flags, and then kick off N others to clean up a few. That was always kind of the intent with this workflow, which is why it has 2 separate agent steps.
It's a hack, but a human closing and reopening the PR also triggers CI - we could go with that assuming a person is reviewing the PRs anyways. The workflow is supposed to auto-assign to whoever initially enabled the flag, but that may have regressed.
… CI (warpdotdev#10642) Co-authored-by: Oz <oz-agent@warp.dev>
Description
The feature_flag_cleanup.yml workflow creates PRs using peter-evans/create-pull-request with token: ${{ github.token }}. GitHub does not trigger workflows from events generated by the default GITHUB_TOKEN; this is a built-in safeguard against recursive workflow runs. As a result, the Warp CI workflow never ran on feature flag cleanup PRs, making their checks appear stalled until a human manually pushed a commit to the branch.
This PR switches to a GitHub App token minted from the Oz for OSS identity (OZ_MGMT_GHA_APP_ID / OZ_MGMT_GHA_PRIVATE_KEY) using actions/create-github-app-token@v3, so the pull_request.opened event properly triggers downstream workflows including CI.
Affected PRs (examples):
Linked Issue
N/A — discovered during investigation of stalled CI on #10485.
Testing
OZ_MGMT_GHA_APP_ID and OZ_MGMT_GHA_PRIVATE_KEY secrets are already used by other workflows in this repo (update-pr-review-local.yml, update-triage-local.yml, update-dedupe-local.yml).
/script/run
N/A: this is a CI workflow change, not a code change. It will be validated when the next feature flag cleanup run creates a PR and CI triggers.
Agent Mode
Conversation: https://staging.warp.dev/conversation/159eafa2-0c0f-483c-99a9-a461b5bdb3a8
Run: https://oz.staging.warp.dev/runs/019e16ef-48f7-789c-9294-e926e5bff1e0
This PR was generated with Oz.
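The two points raised on this page (events created with the default GITHUB_TOKEN do not fan out to other workflows, and a GitHub App private key should only be handed to an action pinned to an immutable commit) can both be checked mechanically. The following is an added example written for this page; it is not code from the Warp repository, from this PR, or from the Oz agent. The embedded workflow snippets are constructed to mirror the before/after shape the PR description gives, not copies of feature_flag_cleanup.yml, and the 40-character all-zero / all-one SHAs are placeholders standing in for real pinned commits.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the step shape the PR description says existed BEFORE the fix.
BEFORE = """
steps:
  - name: Create cleanup PR
    uses: peter-evans/create-pull-request@v7
    with:
      token: ${{ github.token }}
      title: "chore: remove stale feature flags"
"""

# Constructed sample: the shape AFTER the fix, still referencing actions by mutable tags.
AFTER = """
steps:
  - name: Mint app token
    id: app-token
    uses: actions/create-github-app-token@v3
    with:
      app-id: ${{ secrets.OZ_MGMT_GHA_APP_ID }}
      private-key: ${{ secrets.OZ_MGMT_GHA_PRIVATE_KEY }}
  - name: Create cleanup PR
    uses: peter-evans/create-pull-request@v7
    with:
      token: ${{ steps.app-token.outputs.token }}
      title: "chore: remove stale feature flags"
"""

# Same as AFTER but with both secret-handling actions pinned to full commit SHAs.
# "0"*40 and "1"*40 are placeholders (assumption); a real pin uses the action's commit.
PINNED = (AFTER
          .replace("actions/create-github-app-token@v3",
                   "actions/create-github-app-token@" + "0" * 40)
          .replace("peter-evans/create-pull-request@v7",
                   "peter-evans/create-pull-request@" + "1" * 40))

STEP_RE = re.compile(r"^\s*-\s")                       # start of a list item under steps:
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")  # "uses: owner/repo@ref", no trailing comment
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # only a full commit SHA is immutable
# The default token in either spelling: events it creates will not trigger other workflows.
GH_TOKEN_RE = re.compile(r"\$\{\{\s*(?:github\.token|secrets\.GITHUB_TOKEN)\s*\}\}")
# Expressions that carry credentials into a step: repository secrets, or a token
# produced by an earlier step (e.g. the minted App installation token).
CRED_REF_RE = re.compile(r"\$\{\{\s*(secrets\.[A-Za-z0-9_]+|steps\.[\w-]+\.outputs\.token)\s*\}\}")


def split_steps(workflow: str) -> List[List[str]]:
    """Group the lines of a steps: list into one list of lines per step (line-based, no YAML parser)."""
    steps: List[List[str]] = []
    current: Optional[List[str]] = None
    for line in workflow.splitlines():
        if STEP_RE.match(line):
            if current:
                steps.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
    if current:
        steps.append(current)
    return steps


def step_action(step: List[str]) -> Optional[str]:
    for line in step:
        m = USES_RE.match(line)
        if m:
            return m.group(1)
    return None


def is_pinned(action_ref: str) -> bool:
    """True only for owner/repo@<40-hex-sha>; tags and branches can be moved by the action's owner."""
    _, _, version = action_ref.partition("@")
    return bool(SHA_RE.match(version))


def default_token_sinks(workflow: str) -> List[str]:
    """Actions that receive the default GITHUB_TOKEN: PRs/pushes they create will not start CI."""
    return [step_action(s) for s in split_steps(workflow)
            if step_action(s) and any(GH_TOKEN_RE.search(l) for l in s)]


def unpinned_secret_sinks(workflow: str) -> List[Dict[str, object]]:
    """Actions referenced by a mutable ref that are handed secrets or a minted token."""
    findings = []
    for step in split_steps(workflow):
        action = step_action(step)
        if action is None or is_pinned(action):
            continue
        creds = sorted({m for line in step for m in CRED_REF_RE.findall(line)})
        if creds:
            findings.append({"action": action, "credentials": creds})
    return findings


if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER), ("pinned", PINNED)):
        print(label, "default-token sinks:", default_token_sinks(wf))
        print(label, "unpinned credential sinks:", unpinned_secret_sinks(wf))
```

Run against the three samples, the checker shows the progression the thread describes: the BEFORE step is a default-token sink (so its pull_request.opened event is ignored), the AFTER workflow fixes that but hands the App private key to a tag-referenced create-github-app-token and the minted token to a tag-referenced create-pull-request, and only PINNED is clean. The second finding is the practical reason to pin both steps, not just the one the review names: a moved tag on either action can exfiltrate whatever credential flows into it. The checker is line-based on purpose so it runs without a YAML library; it will miss steps written in flow style or with unusual indentation.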