16 changes: 4 additions & 12 deletions .github/workflows/ci.yml
@@ -15,15 +15,7 @@ on:
push:
branches: [main]
tags: ["v*"]
paths:
- "src/**"
- "agent/**"
- "prisma/**"
- "docker/**"
- "package.json"
- "pnpm-lock.yaml"
- "tsconfig.json"
- ".github/workflows/ci.yml"
workflow_dispatch:

permissions:
contents: write
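Review bot: the `paths:` filter removed from `push:` in this hunk was never applied to `workflow_dispatch` (it is nested under `push:` and path filters only affect push/pull_request events), so dropping it is not needed to make the new `workflow_dispatch:` trigger work; as written, every commit to `main`, including docs-only changes, now runs the full pipeline and the downstream image-publish jobs. If the intent is only to allow manual re-publishing, keep the `paths:` list under `push:` and add `workflow_dispatch:` as a sibling key; if the filter is being dropped deliberately, the PR description should say why, since the workflow-level `permissions: contents: write` visible here makes every extra run a write to the repository's release and package surfaces.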
@@ -60,7 +52,7 @@ jobs:
server-image:
name: Server Image
needs: check
if: github.event_name == 'push'
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
`workflow_dispatch` from any branch overwrites dev artifacts

The updated conditions at lines 55, 100, and 145 allow `workflow_dispatch` to publish Docker images and recreate the rolling `dev` GitHub pre-release from *any* branch — not just `main`. A developer can run:

```bash
gh workflow run ci.yml --ref feature/my-branch
```

This would:

1. Push `dev`-tagged Docker images from the feature branch to ghcr.io (`server-image` at line 55, `agent-image` at line 100)
2. Delete and recreate the rolling `dev` pre-release with binaries from the feature branch (`agent-dev-binaries` at line 145)
3. Cancel any in-progress `main`-branch run via the `cancel-in-progress: true` concurrency setting on `agent-dev-binaries`

**Fix**: Restrict `workflow_dispatch` to `main` (and semver tags for the image jobs):

```yaml
# server-image (line 55) and agent-image (line 100):
if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')

# agent-dev-binaries (line 145):
if: (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')) && !startsWith(github.ref, 'refs/tags/v')
```

This ensures manual dispatch can only republish from `main`.


runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
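Review bot: the new `|| github.event_name == 'workflow_dispatch'` arm on `server-image` has no ref guard, so the job's `needs: check` is the only thing standing between a manual run on an arbitrary branch and a publish to ghcr.io; the inline comment's `github.ref == 'refs/heads/main'` guard is the right minimal fix. Two details to settle when applying it: the comment's wording mentions semver tags, but the proposed expression only admits `main` on dispatch (tags still publish via the unchanged `push` arm), so if a manual re-publish of a `v*` tag is ever wanted, the dispatch arm needs `|| startsWith(github.ref, 'refs/tags/v')` explicitly; and if the repository already uses deployment environments, a job-level `environment:` with a branch restriction enforces the same rule server-side rather than in an `if:` expression that a later edit can loosen.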
@@ -105,7 +97,7 @@ jobs:
agent-image:
name: Agent Image
needs: check
if: github.event_name == 'push'
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
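Review bot: `agent-image` gets the same unguarded `workflow_dispatch` arm as `server-image`, and the two `if:` lines are now identical strings maintained in two places. Rather than patching the guard into both, compute it once (for example as an output of the `check` job both image jobs already `needs`) and have both `if:` lines consume that single output, so the branch restriction cannot drift between the server and agent images the next time one of them is edited.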
@@ -150,7 +142,7 @@ jobs:
agent-dev-binaries:
name: Agent Dev Binaries
needs: check
if: github.event_name == 'push' && !startsWith(github.ref, 'refs/tags/v')
if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && !startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
concurrency:
group: dev-release
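Review bot: the rewritten condition keeps the `!startsWith(github.ref, 'refs/tags/v')` exclusion but lets a `workflow_dispatch` from any ref into the job, and the `concurrency: group: dev-release` shown at the end of the hunk is shared by every such run; a manual dispatch from a feature branch therefore contends with, and can displace, the `main` run that is producing the real rolling `dev` binaries. Add the `github.ref == 'refs/heads/main'` guard inside the dispatch arm, keeping the tag exclusion as the outer `&&`, so that only `main` ever enters the `dev-release` group.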