Skip to content

Keep main updated with commits on master#1337

Merged
yashvardhannanavati merged 12 commits into
mainfrom
master
Jun 4, 2026
Merged

Keep main updated with commits on master#1337
yashvardhannanavati merged 12 commits into
mainfrom
master

Conversation

@yashvardhannanavati

@yashvardhannanavati yashvardhannanavati commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator

No description provided.

Ashwini Kumar and others added 12 commits May 5, 2026 06:34
@yashvardhannanavati
CLOUDDST-32368 : Fix FBC remove: call opm registry rm only for packag…
9150274 
…es in the index.db

Only pass operators which are present in db, for removal from db while performing rm operation on fbc operators.
@yashvardhannanavati
Release IIB v9.5.1
28cec98 
Refers to CLOUDDST-32544

Signed-off-by: Yashvardhan Nanavati <yashn@bu.edu>
@renovate @JAVGan
Update dependency urllib3 to v2.7.0 [SECURITY]
05fae7f
@renovate @JAVGan
Update dependency mako to v1.3.12 [SECURITY]
e7656da
@renovate @JAVGan
Update dependency python-qpid-proton to v0.40.0
cc09423
@renovate @JAVGan
Update python Docker tag to v3.14.5
8198fd4
@renovate @JAVGan
Update dependency coverage to v7.14.0
173c86d
@renovate @JAVGan
Update dependency googleapis-common-protos to v1.75.0
fe4293e
@renovate @JAVGan
Update dependency requests to v2.34.1
8212e2f
@renovate @JAVGan
Update dependency idna to v3.15
cb93862
@JAVGan
Release v9.5.2
f52a0e1 
Changes:

* Update dependency urllib3 to v2.7.0 [SECURITY] by @renovate[bot] in #1324
* Update dependency mako to v1.3.12 [SECURITY] by @renovate[bot] in #1323
* Update dependency python-qpid-proton to v0.40.0 by @renovate[bot] in #1318
* Update python Docker tag to v3.14.5 by @renovate[bot] in #1271
* Update dependency coverage to v7.14.0 by @renovate[bot] in #1326
* Update dependency googleapis-common-protos to v1.75.0 by @renovate[bot] in #1327
* Update dependency requests to v2.34.1 by @renovate[bot] in #1329
* Update dependency idna to v3.15 by @renovate[bot] in #1328

Refers to CLOUDDST-32605

Signed-off-by: Jonathan Gangi <jgangi@redhat.com>
@yashvardhannanavati
chore: initialize fullsend per-repo installation
12aeba8
@qodo-for-release-engineering

qodo-for-release-engineering Bot commented Jun 4, 2026

Copy link
Copy Markdown

Review Summary by Qodo

Release v9.5.2 with FBC remove fix and security dependency updates

🐞 Bug fix ✨ Enhancement

Grey Divider

Walkthroughs

Description 
• Fix FBC remove operation to only pass DB-backed operators to opm registry rm
• Update multiple security and non-security dependencies to latest versions
• Release version 9.5.2 with dependency updates and bug fixes
• Add fullsend AI workflow configuration for per-repo installation mode
Diagram 
flowchart LR
  A["FBC Remove Bug"] -->|Fix operators param| B["Pass only DB-backed operators"]
  C["Security Updates"] -->|urllib3, mako| D["Updated Dependencies"]
  E["Non-Security Updates"] -->|coverage, requests, idna, etc| D
  D -->|All updates| F["Version 9.5.2"]
  G["Fullsend Config"] -->|New workflow| H["Per-repo AI mode"]
  F --> I["Release"]
  H --> I
Loading

Grey Divider

File Changes

1. iib/workers/tasks/build.py 🐞 Bug fix +1/-1

Fix FBC remove to use only DB-backed operators

iib/workers/tasks/build.py

2. tests/test_workers/test_tasks/test_build.py 🧪 Tests +14/-3

Update FBC remove test with DB operators validation

tests/test_workers/test_tasks/test_build.py

3. setup.py ⚙️ Configuration changes +1/-1

Bump version to 9.5.2

setup.py

View more (14)
4. CHANGELOG.md 📝 Documentation +17/-0

Document v9.5.2 and v9.5.1 release notes

CHANGELOG.md

5. requirements.txt Dependencies +19/-17

Update dependencies including security patches

requirements.txt

6. requirements-test.txt Dependencies +126/-124

Update test dependencies including security patches

requirements-test.txt

7. .python-version ⚙️ Configuration changes +1/-1

Update Python Docker tag to v3.14.5

.python-version

8. .fullsend/config.yaml ⚙️ Configuration changes +13/-0

Add fullsend per-repo configuration file

.fullsend/config.yaml

9. .github/workflows/fullsend.yaml ⚙️ Configuration changes +85/-0

Add fullsend AI workflow for per-repo mode

.github/workflows/fullsend.yaml

10. .fullsend/customized/agents/.gitkeep Additional files +0/-0

...

.fullsend/customized/agents/.gitkeep

11. .fullsend/customized/env/.gitkeep Additional files +0/-0

...

.fullsend/customized/env/.gitkeep

12. .fullsend/customized/harness/.gitkeep Additional files +0/-0

...

.fullsend/customized/harness/.gitkeep

13. .fullsend/customized/plugins/.gitkeep Additional files +0/-0

...

.fullsend/customized/plugins/.gitkeep

14. .fullsend/customized/policies/.gitkeep Additional files +0/-0

...

.fullsend/customized/policies/.gitkeep

15. .fullsend/customized/schemas/.gitkeep Additional files +0/-0

...

.fullsend/customized/schemas/.gitkeep

16. .fullsend/customized/scripts/.gitkeep Additional files +0/-0

...

.fullsend/customized/scripts/.gitkeep

17. .fullsend/customized/skills/.gitkeep Additional files +0/-0

...

.fullsend/customized/skills/.gitkeep

Grey Divider

Qodo Logo

@qodo-for-release-engineering

qodo-for-release-engineering Bot commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 🔗 Cross-repo conflicts (0)

Grey Divider


Action required

1. Unpinned reusable workflow ref 🐞 Bug ⛨ Security
Description 
The workflow calls an external reusable workflow pinned to the mutable ref @v0 while granting
broad write permissions and passing secrets, so if that tag is retargeted the called workflow can
run arbitrary steps with this repo's token/OIDC and exfiltrate secrets. This can lead to repository
compromise (contents/issues/PR writes) and cloud credential abuse (id-token: write).
Code

.github/workflows/fullsend.yaml[R17-52]

+permissions:
+  actions: write
+  id-token: write
+  contents: write
+  issues: write
+  packages: read
+  pull-requests: write
+
+on:
+  issues:
+    types: [opened, edited, labeled]
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, synchronize, ready_for_review, closed]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  dispatch:
+    concurrency:
+      group: fullsend-dispatch-${{ github.event.issue.number || github.event.pull_request.number }}
+      cancel-in-progress: false
+    if: >-
+      github.event_name != 'issue_comment'
+      || github.event.comment.user.type != 'Bot'
+    uses: fullsend-ai/fullsend/.github/workflows/reusable-dispatch.yml@v0
+    with:
+      event_action: ${{ github.event.action }}
+      install_mode: per-repo
+      mint_url: ${{ vars.FULLSEND_MINT_URL }}
+      gcp_region: ${{ vars.FULLSEND_GCP_REGION }}
+    secrets:
+      FULLSEND_GCP_WIF_PROVIDER: ${{ secrets.FULLSEND_GCP_WIF_PROVIDER }}
+      FULLSEND_GCP_PROJECT_ID: ${{ secrets.FULLSEND_GCP_PROJECT_ID }}
+
Evidence 
The workflow grants broad write permissions and passes secrets to a reusable workflow referenced by
a mutable external tag, which directly creates a supply-chain execution path with high privileges in
this repository’s context.

.github/workflows/fullsend.yaml[17-52]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`.github/workflows/fullsend.yaml` invokes a reusable workflow from `fullsend-ai/fullsend` using a mutable tag (`@v0`) while also granting broad write permissions and passing secrets. If the external tag is ever moved (malice/compromise), the new workflow content would execute in this repo context with these privileges and could exfiltrate secrets.

### Issue Context
- The called workflow is external (`fullsend-ai/fullsend`) and the ref is not immutable.
- The job inherits broad permissions (`contents: write`, `id-token: write`, etc.) and forwards GCP-related secrets.

### Fix Focus Areas
- .github/workflows/fullsend.yaml[17-52]

### Suggested fix
1. Pin the reusable workflow to an immutable commit SHA (preferred) instead of `@v0`, e.g.:
  - `uses: fullsend-ai/fullsend/.github/workflows/reusable-dispatch.yml@<full_sha>`
2. Move permissions to the job level and reduce to the minimum required for dispatch (avoid `contents: write` / `id-token: write` unless strictly necessary).
3. Pass only the secrets that are required for the dispatch stage (and consider environment protection if OIDC is needed).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Advisory comments

2. Stop command still dispatches 🐞 Bug ☼ Reliability
Description 
For /fs-fix-stop comments, the dispatch job still runs because its condition allows any non-bot
issue_comment, causing an unnecessary external dispatch invocation for an event that is already
handled by stop-fix. This adds avoidable workflow activity and can create confusing duplicate
automation for the same comment.
Code

.github/workflows/fullsend.yaml[R40-65]

+    if: >-
+      github.event_name != 'issue_comment'
+      || github.event.comment.user.type != 'Bot'
+    uses: fullsend-ai/fullsend/.github/workflows/reusable-dispatch.yml@v0
+    with:
+      event_action: ${{ github.event.action }}
+      install_mode: per-repo
+      mint_url: ${{ vars.FULLSEND_MINT_URL }}
+      gcp_region: ${{ vars.FULLSEND_GCP_REGION }}
+    secrets:
+      FULLSEND_GCP_WIF_PROVIDER: ${{ secrets.FULLSEND_GCP_WIF_PROVIDER }}
+      FULLSEND_GCP_PROJECT_ID: ${{ secrets.FULLSEND_GCP_PROJECT_ID }}
+
+  stop-fix:
+    if: >-
+      github.event_name == 'issue_comment'
+        && github.event.issue.pull_request
+        && github.event.comment.user.type != 'Bot'
+        && github.event.comment.body == '/fs-fix-stop'
+        && (
+          github.event.comment.author_association == 'OWNER'
+          || github.event.comment.author_association == 'MEMBER'
+          || github.event.comment.author_association == 'COLLABORATOR'
+          || github.event.comment.author_association == 'CONTRIBUTOR'
+          || github.event.comment.user.login == github.event.issue.user.login
+        )
Evidence 
The dispatch job condition is satisfied for any non-bot issue comment, and /fs-fix-stop is a
non-bot issue comment that also satisfies the stop-fix condition, so both jobs will run for that
command.

.github/workflows/fullsend.yaml[40-65]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The `dispatch` job runs on all non-bot `issue_comment` events, including the `/fs-fix-stop` command comment that is specifically handled by the `stop-fix` job. This causes an unnecessary call to the external reusable dispatch workflow for the stop command.

### Issue Context
- `dispatch.if` allows any non-bot `issue_comment`.
- `stop-fix.if` is also true for the same `/fs-fix-stop` event.

### Fix Focus Areas
- .github/workflows/fullsend.yaml[40-65]

### Suggested fix
Refine the `dispatch` job `if:` to exclude `/fs-fix-stop` comments, e.g.:
```yaml
if: >-
 github.event_name != 'issue_comment'
 || (
   github.event.comment.user.type != 'Bot'
   && github.event.comment.body != '/fs-fix-stop'
 )
```
This keeps normal comment dispatching while ensuring the stop command only runs the `stop-fix` job.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Grey Divider

Qodo Logo

@qodo-for-release-engineering

qodo-for-release-engineering Bot commented Jun 4, 2026

Copy link
Copy Markdown

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: dispatch / Review / Review

Failed stage: Mint review token [❌]

Failed test name: ""

Failure summary:

The workflow failed in the fullsend-ai/fullsend/.github/actions/mint-token@v0 step while trying to
mint a token from the Fullsend mint service.
- The action calls ${MINT_URL}/v1/token via curl -sSf
... and the server repeatedly returns 403 Forbidden (lines 382-386, 399-404).
- Because curl is run
with -f, the HTTP 403 causes curl to exit with code 22, which fails the step and the job (line 405).

- This indicates an authorization/permission issue (e.g., the OIDC-derived authorization is not
accepted for role=review and/or repos=iib, or the caller is not allowed to mint tokens from that
mint endpoint).

Relevant error logs: 
1:  ##[group]Runner Image Provisioner
2:  Hosted Compute Agent
...

253:  changes and commit them, and you can discard any commits you make in this
254:  state without impacting any branches by switching back to a branch.
255:  If you want to create a new branch to retain commits you create, you may
256:  do so (now or later) by using -c with the switch command. Example:
257:  git switch -c <new-branch-name>
258:  Or undo this operation with:
259:  git switch -
260:  Turn off this advice by setting config variable advice.detachedHead to false
261:  HEAD is now at 3eb2b9f Merge pull request #1550 from ben-alkov/feat-review-agent-parallel-specialized-subagents
262:  ##[endgroup]
263:  [command]/usr/bin/git log -1 --format=%H
264:  3eb2b9f116ace74b63c7e9ad4914e780c51219a5
265:  ##[group]Run set -euo pipefail
266:  �[36;1mset -euo pipefail�[0m
267:  �[36;1mif [[ "${INSTALL_MODE}" != "per-org" && "${INSTALL_MODE}" != "per-repo" ]]; then�[0m
268:  �[36;1m  echo "::error::Invalid install_mode '${INSTALL_MODE}': must be 'per-org' or 'per-repo'"�[0m
269:  �[36;1m  exit 1�[0m
...

295:  �[36;1mrm -rf .defaults�[0m
296:  shell: /usr/bin/bash -e {0}
297:  env:
298:  INSTALL_MODE: per-repo
299:  ##[endgroup]
300:  ##[group]Run fullsend-ai/fullsend/.github/actions/validate-enrollment@v0
301:  with:
302:  source_repo: release-engineering/iib
303:  install_mode: per-repo
304:  ##[endgroup]
305:  ##[group]Run set -euo pipefail
306:  �[36;1mset -euo pipefail�[0m
307:  �[36;1m: "${SOURCE_REPO:?SOURCE_REPO is required}"�[0m
308:  �[36;1m: "${GITHUB_REPOSITORY_OWNER:?GITHUB_REPOSITORY_OWNER is required}"�[0m
309:  �[36;1mif [[ ! "$SOURCE_REPO" =~ ^[a-zA-Z0-9._-]+/[a-zA-Z0-9._-]+$ ]]; then�[0m
310:  �[36;1m  echo "::error::Invalid source_repo format: must be owner/repo"�[0m
311:  �[36;1m  exit 1�[0m
312:  �[36;1mfi�[0m
313:  �[36;1mREPO_OWNER="${SOURCE_REPO%%/*}"�[0m
314:  �[36;1mif [[ "$REPO_OWNER" != "$GITHUB_REPOSITORY_OWNER" ]]; then�[0m
315:  �[36;1m  echo "::error::source_repo owner does not match org"�[0m
316:  �[36;1m  exit 1�[0m
317:  �[36;1mfi�[0m
318:  �[36;1mif [[ "${INSTALL_MODE}" != "per-org" && "${INSTALL_MODE}" != "per-repo" ]]; then�[0m
319:  �[36;1m  echo "::error::Invalid install_mode '${INSTALL_MODE}': must be 'per-org' or 'per-repo'"�[0m
320:  �[36;1m  exit 1�[0m
321:  �[36;1mfi�[0m
322:  �[36;1mREPO_NAME="${SOURCE_REPO#*/}"�[0m
323:  �[36;1mif [[ "${INSTALL_MODE}" == "per-repo" ]]; then�[0m
324:  �[36;1m  echo "Per-repo mode — skipping config.yaml enrollment check (self-enrolled)"�[0m
325:  �[36;1melse�[0m
326:  �[36;1m  if [[ ! -f config.yaml ]]; then�[0m
327:  �[36;1m    echo "::error::config.yaml not found"�[0m
328:  �[36;1m    exit 1�[0m
329:  �[36;1m  fi�[0m
330:  �[36;1m  if ! command -v yq &> /dev/null; then�[0m
331:  �[36;1m    echo "::error::yq command not found"�[0m
332:  �[36;1m    exit 1�[0m
333:  �[36;1m  fi�[0m
334:  �[36;1m  ENABLED=$(REPO_NAME="${REPO_NAME}" yq 'env(REPO_NAME) as $name | .repos[$name].enabled' config.yaml)�[0m
335:  �[36;1m  if [[ "$ENABLED" != "true" ]]; then�[0m
336:  �[36;1m    echo "::error::repo is not enabled in config.yaml"�[0m
337:  �[36;1m    exit 1�[0m
...

348:  ##[group]Run echo "name=${SOURCE_REPO##*/}" >> "${GITHUB_OUTPUT}"
349:  �[36;1mecho "name=${SOURCE_REPO##*/}" >> "${GITHUB_OUTPUT}"�[0m
350:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
351:  env:
352:  SOURCE_REPO: release-engineering/iib
353:  ##[endgroup]
354:  ##[group]Run fullsend-ai/fullsend/.github/actions/mint-token@v0
355:  with:
356:  role: review
357:  repos: iib
358:  mint_url: https://fullsend-mint-gljhbkcloq-uc.a.run.app
359:  ##[endgroup]
360:  ##[group]Run set -euo pipefail
361:  �[36;1mset -euo pipefail�[0m
362:  �[36;1mif [[ -z "$MINT_URL" ]]; then�[0m
363:  �[36;1m  echo "::error::FULLSEND_MINT_URL is not set"�[0m
364:  �[36;1m  exit 1�[0m
365:  �[36;1mfi�[0m
366:  �[36;1mecho "::add-mask::$MINT_URL"�[0m
367:  �[36;1mif [[ -z "$REPOS" ]]; then�[0m
368:  �[36;1m  echo "::error::repos input is required"�[0m
369:  �[36;1m  exit 1�[0m
370:  �[36;1mfi�[0m
371:  �[36;1mOIDC_TOKEN=$(curl -sSf --retry 3 --retry-delay 2 --retry-all-errors \�[0m
372:  �[36;1m  -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \�[0m
373:  �[36;1m  "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=fullsend-mint" | jq -r '.value')�[0m
374:  �[36;1mif [[ -z "$OIDC_TOKEN" || "$OIDC_TOKEN" == "null" ]]; then�[0m
375:  �[36;1m  echo "::error::Failed to obtain OIDC token"�[0m
376:  �[36;1m  exit 1�[0m
377:  �[36;1mfi�[0m
378:  �[36;1mecho "::add-mask::$OIDC_TOKEN"�[0m
379:  �[36;1mREPOS_JSON=$(echo "$REPOS" | jq -Rc 'split(",") | map(select(length > 0))')�[0m
380:  �[36;1mBODY=$(jq -nc --arg role "$ROLE" --argjson repos "$REPOS_JSON" \�[0m
381:  �[36;1m  '{role: $role, repos: $repos}')�[0m
382:  �[36;1mTOKEN=$(curl -sSf --retry 5 --retry-delay 5 --retry-all-errors \�[0m
383:  �[36;1m  -H "Authorization: ***" \�[0m
384:  �[36;1m  -H "Content-Type: application/json" \�[0m
385:  �[36;1m  -d "$BODY" \�[0m
386:  �[36;1m  "${MINT_URL}/v1/token" | jq -r '.token')�[0m
387:  �[36;1mif [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then�[0m
388:  �[36;1m  echo "::error::Token mint returned no token for role=$ROLE"�[0m
389:  �[36;1m  exit 1�[0m
390:  �[36;1mfi�[0m
391:  �[36;1mecho "::add-mask::$TOKEN"�[0m
392:  �[36;1mecho "token=$TOKEN" >> "$GITHUB_OUTPUT"�[0m
393:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
394:  env:
395:  MINT_URL: https://fullsend-mint-gljhbkcloq-uc.a.run.app
396:  ROLE: review
397:  REPOS: iib
398:  ##[endgroup]
399:  curl: (22) The requested URL returned error: 403
400:  curl: (22) The requested URL returned error: 403
401:  curl: (22) The requested URL returned error: 403
402:  curl: (22) The requested URL returned error: 403
403:  curl: (22) The requested URL returned error: 403
404:  curl: (22) The requested URL returned error: 403
405:  ##[error]Process completed with exit code 22.
406:  Post job cleanup.

qodo-for-release-engineering[bot]
qodo-for-release-engineering Bot reviewed Jun 4, 2026
View reviewed changes
Comment thread .github/workflows/fullsend.yaml
@yashvardhannanavati

yashvardhannanavati commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator Author

/retest

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 4, 2026

Copy link
Copy Markdown

Review

Findings

Critical

  • [privilege-escalation] .github/workflows/fullsend.yaml:30 — The dispatch job uses pull_request_target trigger and inherits top-level permissions (contents: write, actions: write, id-token: write) which are all delegated to the external reusable workflow fullsend-ai/fullsend/.github/workflows/reusable-dispatch.yml@v0. The @v0 tag is a mutable reference — the external owner can change what code runs under these permissions at any time. This gives the third-party fullsend-ai organization the ability to write to repository contents, mint OIDC tokens for GCP workload identity federation, and trigger arbitrary workflow runs in this repository. Combined with the secrets FULLSEND_GCP_WIF_PROVIDER and FULLSEND_GCP_PROJECT_ID being passed, a compromise of the external repo would enable full repository takeover and cloud credential theft.
    Remediation: (1) Pin the reusable workflow to an immutable commit SHA instead of the mutable @v0 tag. (2) Move permissions into the dispatch job-level permissions block with only the minimum required. (3) Evaluate whether id-token: write, contents: write, and actions: write are truly needed. See also: [supply-chain] and [overly-broad-permissions] findings at this location.

High

  • [supply-chain] .github/workflows/fullsend.yaml:43 — The reusable workflow fullsend-ai/fullsend/.github/workflows/reusable-dispatch.yml@v0 is referenced by a mutable tag. The fullsend-ai organization controls this tag and can point it to arbitrary code at any time. Combined with the broad permissions and secrets granted, a compromise or malicious update of the external repository would allow secret exfiltration and repository takeover.
    Remediation: Pin the uses: reference to a full commit SHA (e.g., fullsend-ai/fullsend/.github/workflows/reusable-dispatch.yml@<commit-sha>). Use Dependabot or Renovate to track updates to the pinned SHA.

  • [protected-path] .github/workflows/fullsend.yaml — This PR adds a new file under the .github/ protected path. The PR has no linked issue, no description, and no explanation for why this governance/infrastructure file is being added. Protected-path changes always require human approval.
    Remediation: Link the PR to an issue that authorizes the introduction of fullsend CI tooling, and add a PR description explaining the rationale.

Medium

  • [overly-broad-permissions] .github/workflows/fullsend.yaml:17 — The top-level permissions block grants contents: write, actions: write, issues: write, pull-requests: write, and id-token: write to all jobs that do not override it. The dispatch job does not declare its own permissions, so it inherits all of these. Only the stop-fix job correctly narrows its permissions. The contents: write permission on a pull_request_target-triggered workflow is especially dangerous as it allows pushing commits to the base branch. See also: [privilege-escalation] finding at this location.
    Remediation: Move the top-level permissions block into each job that needs it, granting only the minimum required permissions per job.

Low

  • [type-mismatch] iib/workers/tasks/build.py:1169operators_in_db is a set (returned by verify_operators_exists) but opm_registry_rm_fbc declares its operators parameter as List[str]. This works at runtime because join accepts any iterable, but violates the declared type contract.

  • [contributor-auth-scope] .github/workflows/fullsend.yaml:63 — The stop-fix job allows users with CONTRIBUTOR author_association to trigger the /fs-fix-stop command. The CONTRIBUTOR association includes anyone who has had a merged commit, which may be broader than intended.

Info

  • [incomplete-fix-scope] iib/workers/tasks/build.py:1258_update_index_image_pull_spec still receives rm_operators=operators (the full user-supplied list) rather than operators_in_db. The FileNotFoundError is caught downstream, so this is not a crash, but it means the git-push path may attempt to remove directories for operators that were never in the DB. This may be intentional (remove from git regardless of DB presence).

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 not available on deployment.

  • [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model claude-sonnet-4-5@20250929 not available on deployment.

fullsend-ai-review[bot]
fullsend-ai-review Bot previously requested changes Jun 4, 2026
View reviewed changes

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.

Comment thread .github/workflows/fullsend.yaml
Comment thread .github/workflows/fullsend.yaml
Comment thread .github/workflows/fullsend.yaml
Comment thread .github/workflows/fullsend.yaml
Comment thread iib/workers/tasks/build.py
Comment thread .github/workflows/fullsend.yaml
@yashvardhannanavati yashvardhannanavati dismissed fullsend-ai-review[bot]’s stale review June 4, 2026 18:15

fullsend is commenting on files added by the bot itelf.

@yashvardhannanavati yashvardhannanavati merged commit 40c6e2c into main Jun 4, 2026
71 of 73 checks passed
@fullsend-ai-retro fullsend-ai-retro Bot mentioned this pull request Jun 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lipoja lipoja lipoja approved these changes

@MichalZelenak MichalZelenak MichalZelenak approved these changes

+2 more reviewers

@qodo-for-release-engineering qodo-for-release-engineering[bot] qodo-for-release-engineering[bot] left review comments

@fullsend-ai-review fullsend-ai-review[bot] fullsend-ai-review[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@yashvardhannanavati @lipoja @MichalZelenak @JAVGan