ci: make agent PR exploration trusted checkout lightweight (#3071)

The "Checkout trusted base scripts" step did a full actions/checkout of
this large repo on the self-hosted runner. On a recent run it stalled in
the initial `git fetch --depth=1 origin <sha>` for many minutes before
the agent script ever started, and the run had to be cancelled.

The trusted host side only needs the self-contained
`.github/scripts/agent-pr-explore-sandbox.sh`; PR code is checked out
inside Docker and PR context is gathered via the API. Replace the full
checkout with a single-file fetch via `gh api` (raw), pinned to the same
trusted base/dispatch commit, which avoids the git-protocol fetch of the
whole repo entirely.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
lefarcen 2026-05-27 12:18:19 +08:00 committed by GitHub
parent 324d56a74b
commit 80639d4da4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
@ -28,11 +28,25 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
steps: steps:
- name: Checkout trusted base scripts - name: Fetch trusted base script
uses: actions/checkout@v6.0.2 # Only the self-contained sandbox script is needed on the trusted host;
with: # PR code is checked out inside Docker. A full actions/checkout of this
ref: ${{ github.event.pull_request.base.sha || github.sha }} # large repo stalled on the self-hosted runner before the agent ever
persist-credentials: false # ran, so fetch just the one trusted file via the API instead. The ref
# is pinned to the trusted base/dispatch commit, never PR head.
shell: bash
env:
GH_TOKEN: ${{ github.token }}
TRUSTED_REF: ${{ github.event.pull_request.base.sha || github.sha }}
run: |
set -euo pipefail
mkdir -p .github/scripts
gh api \
-H 'Accept: application/vnd.github.raw' \
"repos/$GITHUB_REPOSITORY/contents/.github/scripts/agent-pr-explore-sandbox.sh?ref=$TRUSTED_REF" \
> .github/scripts/agent-pr-explore-sandbox.sh
chmod +x .github/scripts/agent-pr-explore-sandbox.sh
echo "Fetched trusted agent-pr-explore-sandbox.sh at $TRUSTED_REF"
- name: Resolve PR metadata - name: Resolve PR metadata
id: pr id: pr
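Review bot: dropping `actions/checkout` also drops the workspace clean it performed at the start of every run, so on this self-hosted runner nothing now resets the working directory before `mkdir -p .github/scripts` and the `> .github/scripts/agent-pr-explore-sandbox.sh` redirect; whatever a previous job left in that workspace stays in place alongside the freshly fetched trusted script. Suggest writing the script to `$RUNNER_TEMP` (or adding an explicit cleanup step before the fetch) and running it from there, so the trusted file never shares a directory with leftover state. The `set -euo pipefail` guard is a good pairing with the redirect: a failing `gh api` aborts the step instead of leaving a partial file to be `chmod +x`'d and executed.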