
Trigger codegraph snapshot rebuild on main push#7778

Closed
JadeCara wants to merge 2 commits into main from trigger-codegraph-snapshot

Conversation

@JadeCara
Contributor

Summary

Sends a repository_dispatch event to ethyca/codegraph whenever fides main gets a new commit. This triggers a rebuild of the codegraph knowledge graph snapshot used by CI code-review workflows.

Uses the ethyca-cross-repo GitHub App token (same pattern as trigger_fidesplus_builds.yml).

Required setup

  • CROSS_REPO_APP_ID var and CROSS_REPO_APP_PRIVATE_KEY secret configured in fides repo settings

Test plan

  • Merge → next push to main triggers snapshot rebuild in codegraph repo

🤖 Generated with Claude Code

Sends a repository_dispatch to ethyca/codegraph to rebuild the
knowledge graph snapshot whenever fides main gets a new commit.
The snapshot is used by CI code-review workflows for structural analysis.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vercel
Contributor

vercel bot commented Mar 27, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
fides-plus-nightly Ignored Ignored Preview Mar 27, 2026 8:38pm
fides-privacy-center Ignored Ignored Mar 27, 2026 8:38pm


@claude claude bot left a comment


Clean, focused workflow that follows the existing trigger_fidesplus_builds.yml pattern well. A couple of minor notes:

Suggestions

  • peter-evans/repository-dispatch@v3 uses a mutable tag while actions/create-github-app-token is pinned to a full commit SHA — worth pinning both for supply chain consistency.

Nice to have

  • A concurrency group (cancel-in-progress) would avoid queuing redundant rebuilds when multiple commits land on main in quick succession.

Otherwise the logic is straightforward and correct — using ${{ github.sha }} directly avoids the need for a checkout step, the GitHub App token pattern is a good call, and the workflow_dispatch trigger is useful for manual resyncs.

      uses: peter-evans/repository-dispatch@v3
      with:
        token: ${{ steps.cross-repo-token.outputs.token }}
        repository: ethyca/codegraph

Suggestion: Pin peter-evans/repository-dispatch to a full commit SHA

actions/create-github-app-token is pinned to a specific commit hash (fee1f7d63c2ff003460e3d139729b119787bc349), but peter-evans/repository-dispatch@v3 uses a mutable tag. A mutable tag can be force-pushed by the upstream maintainer, which is a supply chain risk — a compromised tag could execute arbitrary code in this workflow.

Consider pinning to the commit SHA for v3, e.g.:

uses: peter-evans/repository-dispatch@ce57c68e63d0b9b4429076b60fa0f8f50de4cb40 # v3

You can find the SHA via git ls-remote https://github.com/peter-evans/repository-dispatch refs/tags/v3.

  push:
    branches: [main]
  workflow_dispatch:


Nice to have: Add a concurrency group to avoid redundant snapshot rebuilds

If several commits land on main in quick succession (e.g. a merge train or a batch of rebased commits), this workflow will queue a rebuild for each one. Since each new commit supersedes the previous snapshot, only the latest matters. A concurrency group that cancels in-progress runs would avoid wasted work in the codegraph repo:

concurrency:
  group: codegraph-snapshot
  cancel-in-progress: true

Low-priority — depends on how the codegraph rebuild handles concurrent triggers — but worth considering if rebuilds are expensive.
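A mechanical check for the pinning point raised in the review above, added here as an example and not part of the PR or the fides repository. It scans the `uses:` lines of a workflow and reports every action reference that is not a full 40-hex commit SHA; the embedded workflow text is a constructed excerpt in the shape this PR describes, not the PR's actual file.

```python
import re
from typing import List, Tuple

# Constructed excerpt (not the PR's file): one action pinned to a commit SHA,
# one referenced by the mutable tag "v3" that the review comment flags.
SAMPLE_WORKFLOW = """\
name: Trigger codegraph snapshot
on:
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - id: cross-repo-token
        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349
      - uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ steps.cross-repo-token.outputs.token }}
          repository: ethyca/codegraph
"""

# Matches "uses: owner/repo@ref" with or without a leading list dash,
# stopping at whitespace or an inline "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, ref) for each `uses:` ref not pinned to a full commit SHA.

    Local actions ("./path") and "docker://" images are skipped: they are not
    tag or branch references and need a different control (image digests).
    A ref with no "@" at all resolves to the default branch and is reported too.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, sep, version = ref.partition("@")
        if not sep or not SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run against the constructed excerpt it reports only the `repository-dispatch@v3` line; in CI the same function can be applied to every file under `.github/workflows/` to fail the build when a mutable tag slips in.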

@JadeCara
Contributor Author

JadeCara commented Mar 27, 2026

Updated blocker (simplified):
DISPATCH_ACCESS_TOKEN PAT needs ethyca/codegraph added to its repo scope. App secrets are already available at org level.

repository_dispatch requires write access. Reuse the existing
DISPATCH_ACCESS_TOKEN PAT (same as trigger_fidesplus_builds.yml)
so the GitHub App can stay read-only.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@JadeCara
Contributor Author

Closing — we're switching to a 4-hour snapshot schedule in codegraph instead of per-commit repository_dispatch triggers. Simpler and avoids cross-repo PAT scope requirements.

@JadeCara JadeCara closed this Mar 31, 2026