feat(workflow): implement SDK parity dispatch logic #26
salihdev0
commented
Apr 9, 2026
- Added preflight checks to skip dispatch for fork pull requests due to lack of parity secrets.
- Enhanced skip summary output for better visibility on skipped dispatches.
- Integrated steps for creating a GitHub App token and checking out the main parity repository.
- Ensured dispatch only occurs if preflight checks pass, maintaining security and integrity.
Pull request overview
This PR replaces a reusable SDK parity dispatch workflow call with an in-repo implementation that performs preflight gating, generates a GitHub App token, checks out the parity “main” repository, and runs a private composite action to dispatch parity checks.
Changes:
- Replaced uses: ...reusable-sdk-parity-dispatch.yml with explicit job steps for dispatch.
- Added a fork-PR preflight gate and a step-summary output when dispatch is skipped.
- Added GitHub App token creation + checkout of the parity main repo, then dispatch via a local composite action path.
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | ||
| if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then | ||
| should_skip=true | ||
| skip_reason="Fork pull requests do not receive parity secrets, so dispatch is skipped safely." | ||
| fi |
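Review bot: the two `${{ github.event_name }}` and `${{ github.event.pull_request.head.repo.fork }}` expressions are expanded straight into the shell script text before bash runs. For these two values (an event name and a boolean) that is harmless, but the same pattern becomes a script-injection hole the moment someone extends the gate with an attacker-controlled field such as a PR title or branch name. Suggest mapping the values through `env:` on the step (e.g. `HEAD_IS_FORK: ${{ github.event.pull_request.head.repo.fork }}`) and testing `"$HEAD_IS_FORK" == "true"` in the script, so the safe shape is the one that gets copied later.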
Preflight only skips fork PRs, but Dependabot PRs also do not receive repository secrets by default. This job will likely fail on Dependabot updates when PARITY_APP_ID/PARITY_APP_PRIVATE_KEY are unavailable. Consider extending preflight to skip when github.actor == 'dependabot[bot]' (or more generally when required secrets evaluate to empty) and write the same skip summary.
| PARITY_MAIN_REPO: ${{ secrets.PARITY_MAIN_REPO }} | ||
| # Replace with an immutable parity release tag once the private composite action is published. | ||
| PARITY_MAIN_REF: main |
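Review bot: the comment on this line plans to replace `main` with a "release tag", but a tag is a movable ref too and gives no reproducibility guarantee; the pin should be a full commit SHA (a tag can be kept alongside it in a comment for readability). Separately, `PARITY_MAIN_REPO` is sourced from `secrets`, which means the repository slug is masked in every log line, so a failed checkout will print `***` instead of the repo name and be hard to diagnose; a repository slug is not sensitive, so a `vars.` repository variable is the better home for it.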
PARITY_MAIN_REF is set to main, which is mutable and makes the workflow non-reproducible (and increases supply-chain risk if the parity repo changes unexpectedly). Prefer pinning to an immutable tag or commit SHA once available, and/or require an explicit version input/secret.
| if: steps.preflight.outputs.should_skip != 'true' | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ steps.app_token.outputs.token }} | ||
| repository: ${{ env.PARITY_MAIN_REPO }} | ||
| ref: ${{ env.PARITY_MAIN_REF }} | ||
| path: parity-main |
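Review bot: the guard `steps.preflight.outputs.should_skip != 'true'` fails open: if the preflight step's output is ever empty (the output line not written, the step skipped or its script exiting early), the comparison is true and the checkout and dispatch run anyway with whatever credentials exist. Prefer the positive form `steps.preflight.outputs.should_skip == 'false'` and have preflight always write an explicit `should_skip=false` in the non-skip path. Also, `actions/checkout@v4` is a mutable major tag; given that the same review asks for an immutable ref on the parity repo, pin the action to a full commit SHA as well.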
actions/checkout persists the provided token in the git config by default. Since this uses an App token, set persist-credentials: false (or otherwise ensure credentials are removed) to reduce the chance of the token being reused/exposed by subsequent steps or composite actions.
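The three review comments above (the Dependabot and empty-secrets gap in preflight, the mutable `main` ref, and the persisted checkout token) all describe the same job, so here is one hardened shape of it as an added example. This is not the PR's workflow and not the parity project's code. It reuses the secret names visible in the diff (`PARITY_APP_ID`, `PARITY_APP_PRIVATE_KEY`, `PARITY_MAIN_REPO`); the commit SHA, the composite action path and its inputs are placeholders, and it assumes the GitHub App used by `actions/create-github-app-token` is installed with access to the parity repository.

```yaml
# Added example, not the PR's own workflow. Secret names come from the diff;
# the SHA placeholder, the composite action path and its inputs are assumptions.
jobs:
  dispatch-parity:
    runs-on: ubuntu-latest
    env:
      PARITY_MAIN_REPO: ${{ secrets.PARITY_MAIN_REPO }}
      # Placeholder: replace with the full commit SHA of the parity repo you validated.
      PARITY_MAIN_REF: 0000000000000000000000000000000000000000
    steps:
      - name: Preflight
        id: preflight
        # Expression values are passed via env, not expanded into the script text,
        # so the pattern stays injection-safe if more fields are added later.
        env:
          EVENT_NAME: ${{ github.event_name }}
          HEAD_IS_FORK: ${{ github.event.pull_request.head.repo.fork }}
          ACTOR: ${{ github.actor }}
          APP_ID: ${{ secrets.PARITY_APP_ID }}
          APP_KEY: ${{ secrets.PARITY_APP_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          should_skip=false
          skip_reason=""
          if [[ "$EVENT_NAME" == "pull_request" && "$HEAD_IS_FORK" == "true" ]]; then
            should_skip=true
            skip_reason="Fork pull requests do not receive parity secrets, so dispatch is skipped."
          elif [[ "$ACTOR" == "dependabot[bot]" ]]; then
            should_skip=true
            skip_reason="Dependabot runs do not receive repository secrets, so dispatch is skipped."
          elif [[ -z "$APP_ID" || -z "$APP_KEY" ]]; then
            # Catch-all: any context where the App secrets are not present.
            should_skip=true
            skip_reason="Parity App secrets are not available in this context, so dispatch is skipped."
          fi
          # Always emit an explicit value so downstream `== 'false'` guards fail closed.
          echo "should_skip=$should_skip" >> "$GITHUB_OUTPUT"
          if [[ "$should_skip" == "true" ]]; then
            printf '### SDK parity dispatch skipped\n\n%s\n' "$skip_reason" >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Create GitHub App token
        id: app_token
        if: steps.preflight.outputs.should_skip == 'false'
        # Pin to a full commit SHA in practice; the major tag is shown for readability.
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PARITY_APP_ID }}
          private-key: ${{ secrets.PARITY_APP_PRIVATE_KEY }}
          # Scope the installation token to the parity repo with the action's
          # owner/repositories inputs rather than accepting the default scope.

      - name: Check out parity main repo
        if: steps.preflight.outputs.should_skip == 'false'
        uses: actions/checkout@v4   # likewise pin to a commit SHA
        with:
          token: ${{ steps.app_token.outputs.token }}
          repository: ${{ env.PARITY_MAIN_REPO }}
          ref: ${{ env.PARITY_MAIN_REF }}
          path: parity-main
          # Do not leave the App token in .git/config for later steps to read.
          persist-credentials: false

      - name: Dispatch parity checks
        if: steps.preflight.outputs.should_skip == 'false'
        # Placeholder path and input name for the private composite action.
        uses: ./parity-main/.github/actions/parity-dispatch
        with:
          token: ${{ steps.app_token.outputs.token }}
```

The ordering matters: the secret-emptiness check runs last in the `if` chain only so that the summary names the most specific reason; on a fork PR or a Dependabot run the secrets are empty anyway, so the final branch is the safety net that keeps the job from reaching the token step with nothing to sign with.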