feat(caretaker): egress cloud run service skeleton#28167
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request adds a new automated egress service to the caretaker agent suite. The service acts as a bridge between GCP Pub/Sub and GitHub, allowing the system to react to verified events by performing automated repository operations. It is built as a lightweight Express application optimized for deployment on Google Cloud Run, ensuring secure and reliable execution of GitHub tasks.
📊 PR Size: size/L
Code Review
This pull request introduces a new Node.js/TypeScript Express-based egress service designed to run on Cloud Run and handle GitHub actions via Pub/Sub push subscriptions. Feedback highlights a critical security vulnerability regarding missing authentication on the POST endpoint, and suggests centralizing environment variable parsing and improving string validation for comments.
Ready for review! @gundermanc
src/types.ts:

 * SPDX-License-Identifier: Apache-2.0
 */

export type EgressAction = 'COMMENT' | 'LABEL' | 'PATCH';
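Review bot: `EgressAction` is a type-only union, so it is erased at compile time and cannot by itself reject an unexpected `action` string arriving in a Pub/Sub message; the schema validation this PR describes should compare the decoded `action` against the three literals at runtime rather than casting the parsed JSON to `EgressAction`. One way to keep the type and the check from drifting is to declare a runtime constant, e.g. `const EGRESS_ACTIONS = ['COMMENT', 'LABEL', 'PATCH'] as const;` and `export type EgressAction = (typeof EGRESS_ACTIONS)[number];`, and have the validator test membership in `EGRESS_ACTIONS`.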
Are any of these contracts between the different jobs or service components? If so, can we make sure to not duplicate them? Ideally we put our contracts in a common place where all components can reference them.
That is a great point. This contract is shared between the Python Triage Worker (triage-worker/utils/egress.py) and the TypeScript Egress Service (egress-service/src/types.ts) over Pub/Sub JSON messages. But because each Cloud Run service is deployed as a standalone container scoped strictly to its own root directory (cloudrun/egress-service/ and cloudrun/triage-worker/), container build contexts cannot import files outside their service folder. This is something I'm actively thinking through; we can chat more about it, since there are a few other areas that I would want to share down the line (such as DB operations).
Summary

Implements the caretaker Egress Cloud Run Service skeleton into tools/caretaker-agent/cloudrun/egress-service/. This service provides a lightweight HTTP server to receive verified action event messages pushed via Cloud Pub/Sub (egress-actionstopic) from the Triage Worker, decode Base64 payloads, validate event schemas, and dispatch execution to an egress action handler.

Details

(src/app.ts, src/server.ts): Provides a lightweight Cloud Run HTTP endpoint to handle GCP Pub/Sub push message delivery, decode Base64 payloads, and return structured health status (GET /) for liveness/readiness probes.

How to Validate
Pre-Merge Checklist