Skip to content

fix: call fullsend postrun for pre-commit tools and fix summaries#41

Draft
waynesun09 wants to merge 1 commit into
mainfrom
postrun-command
Draft

fix: call fullsend postrun for pre-commit tools and fix summaries#41
waynesun09 wants to merge 1 commit into
mainfrom
postrun-command

Conversation

@waynesun09

Copy link
Copy Markdown
Member

⚠️ Depends on fullsend-ai/fullsend#3393 — do not merge before that PR merges and a fullsend release ships

This PR calls two new subcommands, fullsend postrun precommit-install and fullsend postrun fix-summary, which do not exist in any released version of fullsend yet. They are introduced by fullsend-ai/fullsend#3393. Merging this PR before that one merges (and before a fullsend release containing it is cut) will make every code/fix agent run in this org fail at the pre-commit/PR-summary step, since fullsend postrun will be an unknown subcommand.

Opened as a draft for this reason — please only mark ready for review / merge once fullsend-ai/fullsend#3393 has merged and shipped in a release, and the agents: SHA pin consuming repos use has been updated accordingly (or this repo's own dispatch is otherwise confirmed to run against a fullsend version that has postrun).

Summary

  • Fixes the same root cause as Post-script companion scripts not accessible when resolved from URL-based cache fullsend#3069 / #3070 as it manifests in this repo: post-code.sh, post-fix.sh, pre-code.sh, and pre-fix.sh locate companion scripts (resolve-precommit-tools.py, install-precommit-tools.sh, process-fix-result.py) via a SCRIPT_DIR-relative sibling lookup. Those companion scripts were never migrated into this repo during extraction, so the lookup has always silently failed here.
  • Effect: pre-commit tool auto-install is silently skipped (surfaces downstream as a confusing Executable X not found failure at the authoritative pre-commit gate), and fix-agent PR summary comments never post.
  • Replaces the sibling-script calls with fullsend postrun precommit-install / fullsend postrun fix-summary, which ship inside the fullsend binary itself — no sibling-file dependency, since fullsend is already present and running as the process orchestrating these scripts.

Related Issue

Fixes fullsend-ai/fullsend#3069
Fixes fullsend-ai/fullsend#3070

Changes

  • scripts/post-code.sh, scripts/post-fix.sh, scripts/pre-code.sh, scripts/pre-fix.sh: replace resolve-precommit-tools.py + install-precommit-tools.sh invocations with fullsend postrun precommit-install
  • scripts/post-fix.sh: replace process-fix-result.py invocation with fullsend postrun fix-summary, preserving the original exit-code distinction (bad input = fatal, post failure = warning-and-continue)

Testing

  • bash -n syntax check on all four modified scripts
  • shellcheck — no new findings
  • Existing scripts/post-code-test.sh and scripts/post-fix-test.sh suites pass unchanged

Companion scripts (resolve-precommit-tools.py, install-precommit-tools.sh,
process-fix-result.py) are located via SCRIPT_DIR-relative sibling
lookups. That works when scripts are resolved from a local scaffold
checkout, but silently fails here: this repo's post-code.sh/post-fix.sh/
pre-code.sh/pre-fix.sh are fetched by fullsend as single files from a
URL base, and the harness fetch pipeline has no sibling-file mechanism
for scripts (only for skills) — so those companion scripts were never
present next to the fetched pre/post scripts in this repo.

Effect: pre-commit tool auto-install silently skipped (surfaces
downstream as a confusing "Executable X not found" pre-commit failure),
and fix-agent PR summary comments never posted.

Requires fullsend-ai/fullsend#3393 to be merged and released first —
this PR calls `fullsend postrun precommit-install` / `fullsend postrun
fix-summary`, which do not exist in any fullsend release yet.

Fixes fullsend-ai/fullsend#3069
Fixes fullsend-ai/fullsend#3070

Assisted-by: Claude
Signed-off-by: Wayne Sun <gsun@redhat.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 7, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 5:54 PM UTC · Completed 6:03 PM UTC
Commit: 7d82582 · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

Review — comment

PR: #41fix: call fullsend postrun for pre-commit tools and fix summaries
Author: waynesun09 · Draft: yes · Base: main · Files: 4 · Δ: +24 / −86

Clean simplification — replaces dead sibling-script lookups (resolve-precommit-tools.py, install-precommit-tools.sh, process-fix-result.py) with fullsend postrun subcommands that ship inside the already-present fullsend binary. Net deletion of 62 lines. Scope is tight — only the 4 pre/post scripts are touched, and the PR body clearly documents the dependency on fullsend-ai/fullsend#3393.

One medium finding worth addressing before this leaves draft:


Findings

1. fullsend postrun precommit-install runs unguarded under set -euo pipefail — soft-failure → hard-failure regression

Severity medium
Category error-handling
Files scripts/post-code.sh, scripts/post-fix.sh, scripts/pre-code.sh, scripts/pre-fix.sh

The old code wrapped the tool-resolution step in an explicit guard:

if python3 "${RESOLVE_SCRIPT}" ... > "${MANIFEST}"; then
  ...
else
  echo "::warning::Pre-commit tool resolution failed — continuing without auto-install"
fi

A failure emitted a GitHub Actions warning and the script continued to the authoritative pre-commit check, push, and PR-creation steps.

The new code runs the replacement bare:

fullsend postrun precommit-install "${PRECOMMIT_INSTALL_ARGS[@]}"

Under set -e, any non-zero exit from this command terminates the entire script. In the post-scripts this blocks branch push and PR creation; in the pre-scripts it prevents the agent from running at all. Pre-commit tool installation is a best-effort optimization — a transient failure (network timeout, binary version mismatch, unexpected input) should not be fatal.

Other fullsend CLI calls in this codebase follow the exit-code-capture pattern (e.g., fullsend post-review ... || POST_REVIEW_EXIT=$? in post-review.sh:314). The fullsend postrun fix-summary call in this same PR correctly preserves the pattern.

Remediation: Guard the call in all four scripts, e.g.:

fullsend postrun precommit-install "${PRECOMMIT_INSTALL_ARGS[@]}" \
  || echo "::warning::fullsend postrun precommit-install failed — continuing without auto-install"

Alternatively, if fullsend postrun precommit-install is designed to always exit 0 (handling errors internally), add a comment documenting that contract so future maintainers know the bare call is intentional.

2. Token passed as CLI argument (--token) — visible in process table

Severity low
Category secrets-handling
File scripts/post-fix.sh

The new fix-summary invocation passes the token on the command line:

fullsend postrun fix-summary --result "${RESULT_FILE}" --repo "${REPO_FULL_NAME}" \
  --pr "${PR_NUMBER}" --token "${GH_TOKEN}"

This exposes the token in /proc/<pid>/cmdline (readable by same-UID processes). The old python3 call inherited GH_TOKEN from the environment, keeping it out of the process argument list.

Mitigating factors: This is an established pattern in the codebase — post-review.sh, post-triage.sh, and post-prioritize.sh all pass tokens via --token. The token is already masked via ::add-mask:: (line 83). The practical risk on an ephemeral single-user CI runner is low. No action required unless the team decides to remediate all call sites together.


Dimensions reviewed

Dimension Result
Correctness 1 medium (error-handling regression)
Security 1 low (token on CLI — established pattern)
Intent & coherence ✅ Scope matches authorized work; architectural direction is sound
Style & conventions ✅ Consistent with existing patterns
Documentation ✅ No stale references found
Cross-repo contracts ✅ Internal scripts, not public API — temporal dependency on fullsend#3393 is acknowledged via draft status

📋 Review by fullsend — PR #41 · head 7d82582

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

requires-manual-review Review requires human judgment

Projects

None yet

1 participant