feat: rewrite dispatcher — poll for merged vault PRs, enforce admin approval #76

Closed
opened 2026-03-31 19:54:04 +00:00 by dev-bot (Collaborator) · 0 comments

Context

The edge dispatcher (docker/edge/dispatcher.sh) currently polls vault/actions/*.json and fires anything it finds — no approval gate. Rewrite it to use merged PRs as the trigger.

New flow

  1. Poll loop: git pull the ops repo every 60s
  2. Scan vault/actions/ for TOML files that do NOT have a corresponding .result.json
  3. For each new TOML file, verify it arrived via a merged PR where the merger has admin role (Forgejo API: check merge commit author or PR merger field)
  4. Validate the TOML using the validator from #74
  5. Extract the secrets array — only inject those specific env vars into the runner container (read from .env.vault.enc, decrypt with SOPS, filter to declared secrets only)
  6. Launch: docker compose run --rm runner <formula> <action-id>
  7. Write <action-id>.result.json with exit code, timestamp, runner logs summary

Admin enforcement

The dispatcher MUST verify that the TOML file entered main via a PR that was merged by a Forgejo admin. Use the Forgejo API to check the merge event. If the file appeared via direct push or non-admin merge, log a warning and skip it.

Secret filtering

Only secrets listed in the TOML secrets array get injected. The dispatcher decrypts .env.vault.enc, extracts only the named variables, and passes them via -e KEY=VALUE to the runner. Unknown secret names are rejected.

What to change

  • Rewrite docker/edge/dispatcher.sh (replace current content entirely)
  • The dispatcher still runs inside the edge container (Caddy sidecar with bash + jq + sops + git)

Verification

  • Create a vault PR on ops repo, merge as admin — dispatcher picks it up and launches runner
  • Create a vault PR, merge as non-admin bot — dispatcher skips it with warning
  • TOML requesting unknown secret — dispatcher rejects with error
  • Result file written after successful run

Dependencies

Depends on #73 (teardown), #74 (TOML schema).
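The flow described in this issue, as an added bash example that is not the project's docker/edge/dispatcher.sh. Steps 2, 3, 5 and 7 are plain functions that run offline; the git, sops, curl and docker wiring for step 1 is confined to poll_loop so the gating logic can be exercised without network access, keys or Docker. Assumptions not on the page: the #74 schema carries the formula as a `formula = "..."` key and the secrets as a one-line `secrets = [...]` array (the real validator is stood in for by a sed one-liner); the Forgejo PR object exposes `merged_by.is_admin` to the token used; `GET .../commits/{sha}/pull` returns the PR for a merge or squash commit and 404s for a direct push; and the file's first-parent commit on main is that merge commit.

```bash
#!/usr/bin/env bash
# Added example, not the project's docker/edge/dispatcher.sh. Steps 2, 3, 5
# and 7 are plain functions that run offline; the git/sops/curl/docker wiring
# for step 1 sits only in poll_loop, so the gating logic is testable on its own.
set -euo pipefail

# Step 2: ids in $1 (a vault/actions dir) with a .toml but no <id>.result.json.
pending_actions() {
  local dir=$1 f id
  for f in "$dir"/*.toml; do
    [ -e "$f" ] || continue
    id=$(basename "$f" .toml)
    [ -e "$dir/$id.result.json" ] || printf '%s\n' "$id"
  done
}

# Step 3: gate on a Forgejo PR object ($1, JSON from GET /repos/{o}/{r}/pulls/{n}).
# Assumption: the token used sees merged_by.is_admin. A direct push has no PR,
# so the caller passes "" and the gate fails closed.
merged_by_admin() {
  [ -n "${1:-}" ] || return 1
  [ "$(printf '%s' "$1" | jq -r '(.merged == true) and (.merged_by.is_admin // false)')" = true ]
}

# Stand-in for the #74 validator: names from a one-line `secrets = ["A", "B"]`.
declared_secrets() {
  sed -n 's/^secrets[[:space:]]*=[[:space:]]*\[\(.*\)\][[:space:]]*$/\1/p' "$1" \
    | tr ',' '\n' | sed 's/^[[:space:]]*"\(.*\)"[[:space:]]*$/\1/; /^$/d'
}

# Step 5: fill RUNNER_ENV_ARGS with `-e KEY=VALUE` pairs from decrypted env text
# ($1, KEY=VALUE lines as `sops -d` prints) for the declared names ($2..).
# A malformed or unknown name fails the action; undeclared keys never leak.
filter_secrets() {
  local env_text=$1 name line found; shift
  RUNNER_ENV_ARGS=()
  for name in "$@"; do
    case $name in
      ""|*[!A-Za-z0-9_]*) echo "error: invalid secret name '$name'" >&2; return 1 ;;
    esac
    found=0
    while IFS= read -r line; do
      case $line in
        "$name="*) RUNNER_ENV_ARGS+=(-e "$line"); found=1; break ;;
      esac
    done <<<"$env_text"
    [ "$found" -eq 1 ] || { echo "error: unknown secret '$name'" >&2; return 1; }
  done
}

# Step 7: record the outcome beside the TOML so the next poll skips this id.
write_result() {
  local dir=$1 id=$2 rc=$3 summary ts
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  summary=$(printf '%s' "$4" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"action":"%s","exit_code":%d,"finished_at":"%s","summary":"%s"}\n' \
    "$id" "$rc" "$ts" "$summary" > "$dir/$id.result.json"
}

# Steps 3-7 for one action: $1 dir, $2 id, $3 PR JSON ("" for a direct push),
# $4 decrypted env text, $5.. the runner command (in production
# `docker compose run --rm runner`), called as: runner -e K=V ... <formula> <id>.
# Assumption: the #74 schema carries the formula as `formula = "..."`.
dispatch_once() {
  local dir=$1 id=$2 pr_json=$3 env_text=$4 toml formula rc; shift 4
  local names=()
  toml=$dir/$id.toml
  if ! merged_by_admin "$pr_json"; then
    echo "warn: $id did not enter main via an admin-merged PR, skipping" >&2
    return 2
  fi
  formula=$(sed -n 's/^formula[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$toml")
  [ -n "$formula" ] || { echo "error: $id has no formula" >&2; return 1; }
  mapfile -t names < <(declared_secrets "$toml")
  filter_secrets "$env_text" ${names[@]+"${names[@]}"} || return 1
  rc=0
  "$@" ${RUNNER_ENV_ARGS[@]+"${RUNNER_ENV_ARGS[@]}"} "$formula" "$id" || rc=$?
  write_result "$dir" "$id" "$rc" "runner exited $rc"
  return "$rc"
}

# Step 1 (production wiring, not run offline): $1 ops checkout, $2 Forgejo API
# base like https://forge.example/api/v1/repos/owner/ops, $3 API token.
# Assumptions: the file's first-parent commit on main is the merge (or squash)
# commit and GET .../commits/{sha}/pull returns its PR; a 404 (direct push)
# leaves pr empty and dispatch_once skips the action.
poll_loop() {
  local repo=$1 api=$2 token=$3 dir=$1/vault/actions id sha pr envtext
  while :; do
    git -C "$repo" pull --ff-only --quiet
    envtext=$(sops -d --input-type dotenv --output-type dotenv "$repo/.env.vault.enc")
    pending_actions "$dir" | while read -r id; do
      sha=$(git -C "$repo" log -1 --first-parent --format=%H -- "vault/actions/$id.toml")
      pr=$(curl -fsS -H "Authorization: token $token" "$api/commits/$sha/pull" || true)
      dispatch_once "$dir" "$id" "$pr" "$envtext" docker compose run --rm runner || true
    done
    sleep 60
  done
}

if [ "${1:-}" = --loop ]; then poll_loop "$2" "$3" "$4"; fi
```

Run it in the edge container as `bash dispatcher_example.sh --loop /srv/ops https://forge.example/api/v1/repos/owner/ops "$FORGEJO_TOKEN"` (paths and URL are placeholders). Two design points worth noting: the secret filter fails the whole action on a name that is not in the decrypted env rather than passing an empty value, so a typo in the TOML cannot silently launch a runner without its credential; and a rejected action writes no result file, so it is retried and logged on every poll until the offending PR is fixed, which is deliberate here but could equally be recorded as a failure result if the noise is unwanted.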

dev-bot added the backlog label 2026-03-31 19:54:35 +00:00
dev-qwen self-assigned this 2026-04-01 06:20:17 +00:00
dev-qwen added the in-progress label and removed the backlog label 2026-04-01 06:20:17 +00:00
dev-qwen removed their assignment 2026-04-01 06:40:19 +00:00
dev-qwen removed the in-progress label 2026-04-01 06:40:19 +00:00

Reference: johba/disinto#76