
ci(preview): dispatch preview-env create/teardown to infra on PR events#210

Merged
mastermanas805 merged 1 commit into
masterfrom
feat/preview-env-phase-1a-dispatch
May 30, 2026

Conversation

@mastermanas805

Member

Summary

Phase 1a companion to InstaNode-dev/infra#44 — adds the api-side trigger that fires repository_dispatch events on the infra repo when a PR opens/syncs (create) or closes (teardown).

  • Single new workflow .github/workflows/preview-dispatch.yml
  • Fires preview-create-from-api on opened/synchronize/reopened, preview-teardown-from-api on closed
  • Re-uses the existing REPO_ACCESS_TOKEN secret (same one used by auth-contract-e2e cross-repo dispatch in ci.yml)
  • Phase 1a is warn-only end-to-end — the infra workflow is dry-run; the check-run posted back uses conclusion: neutral so it surfaces preview-env state on the PR without blocking merge

Security posture

  • Every github.event.* value isolated via env: block; never interpolated into a shell run: directly
  • PR number shape-validated as positive integer 1-99999
  • SHA shape-validated as lowercase hex >= 7 chars
  • Only repo-controlled identifiers (github.sha, github.event.pull_request.number, github.event.action, github.event.pull_request.merged) are forwarded — no PR title/body/branch reaches the dispatch payload
  • Missing REPO_ACCESS_TOKEN soft-skips with ::warning:: (keeps the api PR green during rollout)

Rule 17 coverage block

Symptom:        no preview-env dispatch existed on api PRs
Enumeration:    ls .github/workflows/ ; grep -l 'preview' .github/workflows/*.yml
Sites found:    0
Sites touched:  1 new file
Coverage test:  python3 yaml.safe_load_all (OK; on=[pull_request], jobs=[dispatch])
Live verified:  Fires on next PR open against this branch; infra-side
                posts a `neutral` check observable in the PR Checks tab.

Test plan

  • CI on this PR triggers the new workflow (since this PR is opened against master, pull_request:opened fires)
  • Workflow logs Dispatching preview-create to InstaNode-dev/infra: pr=<N> sha=<sha> and dispatch response: HTTP 204
  • A neutral check labelled preview-env / status:planned appears in this PR's Checks tab (posted by InstaNode-dev/infra/preview-create.yml)
  • On close: preview-teardown-from-api dispatch fires and the infra workflow logs WOULD DELETE namespace preview-api-pr-<N>

🤖 Generated with Claude Code

Phase 1a of the Layer-3 per-PR ephemeral k8s preview environment.
Companion PR: InstaNode-dev/infra#<preview-env-phase-1a-scaffolding>.

Fires repository_dispatch on the infra repo:
- preview-create-from-api  on pull_request opened/synchronize/reopened
- preview-teardown-from-api on pull_request closed

Phase 1a is dry-run end-to-end — the infra workflow only echoes what it
would do and posts a `neutral` (warn-only) check-run back to the api PR.
No real namespace is created in Phase 1a; the wiring proves the dispatch
+ check-run + RBAC paths before Phase 1b enables real provisioning.

Security posture (per security-guidance):
- Every github.event.* value is assigned via env: (never interpolated
  into a shell block directly).
- PR number shape-validated as a positive integer 1-99999.
- SHA shape-validated as lowercase hex >= 7 chars.
- Only repo-controlled identifiers are forwarded — no PR title/body/
  branch-name reaches the dispatch payload.
- Re-uses the existing REPO_ACCESS_TOKEN secret (same one already used
  by the auth-contract-e2e cross-repo dispatch in ci.yml).
- If REPO_ACCESS_TOKEN is missing, soft-skips with ::warning::, keeping
  the api PR green (Phase 1a is warn-only end-to-end).

Rule 17 coverage:
  Symptom:        no preview-env dispatch existed on api PRs
  Enumeration:    ls .github/workflows/ + grep -l 'preview' .github/workflows/*.yml
  Sites found:    0
  Sites touched:  1 new file
  Coverage test:  python3 yaml.safe_load_all (OK; on=[pull_request], jobs=[dispatch])
  Live verified:  N/A — fires on next PR open against this branch;
                  infra-side posts a `neutral` check observable in the PR's Checks tab.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
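The shape checks and the soft-skip that the Security posture bullets describe, written out as POSIX shell functions a `run:` step could call. This is an added example, not the workflow file merged in this PR; the function names and the JSON body layout are assumptions, since the page does not show the dispatch payload itself.

```shell
#!/bin/sh
# Added example, not the PR's preview-dispatch.yml. Values are expected to
# arrive through environment variables set from an `env:` block, never via
# ${{ }} interpolation inside the shell text.

# 0 when $1 is a positive integer in 1..99999 (no sign, no leading zeros).
validate_pr_number() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac   # empty or non-digit chars
  case "$1" in 0*) return 1 ;; esac            # rejects "0" and "007"
  [ "$1" -ge 1 ] && [ "$1" -le 99999 ]
}

# 0 when $1 is lowercase hex of at least 7 characters.
validate_sha() {
  case "$1" in ''|*[!0-9a-f]*) return 1 ;; esac
  [ ${#1} -ge 7 ]
}

# Prints the repository_dispatch event type for a pull_request action;
# returns 1 for actions the workflow is not meant to handle.
event_type_for_action() {
  case "$1" in
    opened|synchronize|reopened) echo preview-create-from-api ;;
    closed)                      echo preview-teardown-from-api ;;
    *)                           return 1 ;;
  esac
}

# Phase-1a soft-skip: with no token, emit a ::warning:: and return 1 so the
# caller can `|| exit 0` and keep the PR green instead of failing the job.
require_token_or_skip() {
  if [ -z "$1" ]; then
    echo "::warning::REPO_ACCESS_TOKEN not set; skipping preview dispatch"
    return 1
  fi
}

# Builds the dispatch body from repo-controlled values only (pr, sha,
# action, merged). Refuses to build anything if a shape check fails.
# Assumed payload layout; the page does not show the real one.
build_dispatch_payload() {
  pr="$1"; sha="$2"; action="$3"; merged="$4"
  validate_pr_number "$pr" || { echo "::error::bad PR number" >&2; return 1; }
  validate_sha "$sha"      || { echo "::error::bad SHA" >&2; return 1; }
  event=$(event_type_for_action "$action") || return 1
  case "$merged" in true|false) ;; *) return 1 ;; esac
  printf '{"event_type":"%s","client_payload":{"pr":%s,"sha":"%s","merged":%s}}\n' \
    "$event" "$pr" "$sha" "$merged"
}
```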
@mastermanas805 mastermanas805 merged commit 7cefafb into master May 30, 2026
17 checks passed
@mastermanas805 mastermanas805 deleted the feat/preview-env-phase-1a-dispatch branch May 30, 2026 18:06
