Skip to content

feat(workflow): restore repo variable gate with dedicated poller app#7780

Merged
BYK merged 7 commits into
mainfrom
feat/ci-poller-variable-gate
Apr 13, 2026
Merged

feat(workflow): restore repo variable gate with dedicated poller app#7780
BYK merged 7 commits into
mainfrom
feat/ci-poller-variable-gate

Conversation

@BYK

@BYK BYK commented Apr 13, 2026

Copy link
Copy Markdown
Member

Summary

Bring back the CI_POLLER_HAS_PENDING variable gate so the cron is truly zero-cost when idle — no runner provisioned at all.

Uses a dedicated GitHub App (CI_POLLER_APP_CLIENT_ID) for variable writes since neither GITHUB_TOKEN nor sentry-internal-app has the actions_variables:write permission. The app secret is in the production environment for branch protection.

How it works

Workflow Trigger What it does
ci-pending.yml issues: opened Adds ci-pending label (sentry-internal-app) + sets variable to true (poller app)
ci-poller.yml schedule: */5 if: vars.CI_POLLER_HAS_PENDING == 'true' — skips when false (no runner). Checks CI, flips labels, sets variable to false when done.

Cost

  • Idle: zero — job if is false, no runner provisioned
  • Active: ~30s per cron tick while there are pending releases
  • Previous (without variable): ~10-15s per tick 24/7 even when idle

Pre-requisites (already done)

  • Repo variable: CI_POLLER_HAS_PENDING = false
  • Repo variable: CI_POLLER_APP_CLIENT_ID
  • Production environment secret: CI_POLLER_APP_PRIVATE_KEY

Bring back the CI_POLLER_HAS_PENDING variable gate so the cron is
truly zero-cost when idle (no runner provisioned).

Use a dedicated GitHub App (CI_POLLER_APP_CLIENT_ID) for variable
access since neither GITHUB_TOKEN nor sentry-internal-app has the
actions_variables:write permission. The app secret is stored in the
production environment for branch protection.

Flow:
- ci-pending.yml: adds ci-pending label (sentry-internal-app) and
  sets CI_POLLER_HAS_PENDING=true (poller app)
- ci-poller.yml: gated by if: vars.CI_POLLER_HAS_PENDING == "true",
  resets to "false" when all issues resolved (poller app)
@BYK BYK marked this pull request as ready for review April 13, 2026 10:57
@BYK BYK requested a review from a team as a code owner April 13, 2026 10:57
Comment thread .github/workflows/ci-poller.yml
Comment thread .github/workflows/ci-poller.yml Outdated
Comment thread .github/workflows/ci-pending.yml Outdated
@BYK BYK force-pushed the feat/ci-poller-variable-gate branch from d07e8df to aede05e Compare April 13, 2026 11:06
- ci-poller.yml: split "disable poller" into two steps — GITHUB_TOKEN
  for gh issue list (read), poller token only for gh variable set (write).
  The poller app may only have actions_variables permission.

- ci-pending.yml: reorder so label addition (critical) runs before
  poller token generation (non-critical). If the poller token step
  fails, the label is already applied.
Comment thread .github/workflows/ci-poller.yml Outdated
Comment thread .github/workflows/ci-poller.yml Outdated
Comment thread .github/workflows/ci-poller.yml Outdated
Comment thread .github/workflows/ci-poller.yml
Comment thread .github/workflows/ci-poller.yml Outdated
- Poller token step moved after CI check step so a token failure
  cannot block CI status checking
- Cleanup steps (remaining check + disable) use if: always() so
  CI_POLLER_HAS_PENDING does not get stuck on "true" if the CI
  check step fails
- Poller token only generated when needed (count == 0)
Comment thread .github/workflows/ci-poller.yml Outdated
Comment thread .github/workflows/ci-pending.yml
…est-effort steps

- ci-poller.yml: disable step checks steps.poller-token.outcome == success
  so it does not run (and fail) when token generation failed
- ci-pending.yml: poller token + variable set steps use continue-on-error
  since they are best-effort optimizations that must not block the
  critical label addition
Comment thread .github/workflows/ci-pending.yml

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit c4f7d01. Configure here.

Comment thread .github/workflows/ci-poller.yml Outdated
When workflow_dispatch bypasses the variable gate (variable is "false")
and finds pending issues that CI has not finished yet, the variable
must be set back to "true" so subsequent cron ticks continue checking.

Previously only the count==0 path was handled (disable). Now both
paths are covered: enable when issues remain, disable when resolved.
@BYK BYK merged commit 463835d into main Apr 13, 2026
10 checks passed
@BYK BYK deleted the feat/ci-poller-variable-gate branch April 13, 2026 14:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant