fix(ci): eval canary must run as public-owner sentinel, not E2E user#383
Merged
Conversation
The nightly eval canary pinned the eval owner to the E2E user via
RAG_EVAL_OWNER_EMAIL. Since the corpus went all-public (owner_id = NULL),
that user owns 0 retrievable documents, so the golden retrieval eval
returns 0 candidates and fails --fail-on-threshold every run.
resolveEvalOwnerId (scripts/eval-utils.ts) already defaults to the
public-owner sentinel 00000000-0000-0000-0000-000000000000 when no owner
is set (the fix established in the eval-owner-default change). Drop the
owner pin so the canary inherits that sentinel and scopes to the public
corpus, and remove the now-unused E2E_USER_EMAIL from the required-secrets
preflight.
Note: this removes the *owner* failure only. The canary's current red is a
stale/unregistered OPENAI_API_KEY repo secret ("Unregistered API key" at
the embedding step); rotating that secret is an operator action. With both
addressed the canary should pass in one run.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01R5KT4sYGB8TGQ4jV888EPH
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
BigSimmo
marked this pull request as ready for review
July 8, 2026 07:57
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The nightly Eval Canary has failed every run since it was created (runs #1–#3: two scheduled, one
workflow_dispatch). This PR fixes one of the two reasons.Diagnosed from run #3's job log (
85793690941): secrets preflight ✅ →check:supabase-project✅ → golden retrieval eval fails in ~2s. Two independent problems:Owner mis-scoping (fixed here). The workflow pinned the eval owner via
RAG_EVAL_OWNER_EMAIL: ${{ secrets.E2E_USER_EMAIL }}. The live corpus went all-public (owner_id = NULL), so that user owns 0 retrievable documents → 0 candidates →--fail-on-thresholdtrips.resolveEvalOwnerId(scripts/eval-utils.ts) already defaults to the public-owner sentinel00000000-…-0000when no owner is set. This PR drops the owner pin so the canary inherits that sentinel, and removes the now-unusedE2E_USER_EMAILfrom the required-secrets preflight.Stale OpenAI secret (operator action — NOT in this PR). The actual current red is
Unregistered API keyat the embedding step, i.e. a stale/revokedOPENAI_API_KEYrepo secret (consistent with the documented Jul 5–6 key rotations that were never propagated to Actions secrets). Rotating that secret is an operator action I can't perform. Until it is rotated the canary stays red; with both addressed it should pass in one run.Why this matters: a guard that is red every night for an infra reason can't signal a real regression — it masks exactly the silent-degradation failure mode the canary exists to catch.
Verification
npx prettier --check .github/workflows/eval-canary.yml— passes.github/workflows/eval-canary.yml(env pin removed + preflight line removed; explanatory comment added)scripts/eval-utils.ts:ownerId ?? (ownerEmail → lookup) ?? DEFAULT_EVAL_OWNER_ID— removing the email override falls through to the public sentinelOPENAI_API_KEYrepo secret to the current valid key, then trigger oneworkflow_dispatchrun and confirm green before trusting the nightly cadenceOffline health snapshot of
main(Node 24.18.0, separate from this change):lint0 errors / 11 pre-existing warnings,typecheckclean,test1317 passed / 3 skipped / 0 failed.Clinical Governance Preflight
CI-only change to a scheduled eval workflow. No ingestion, answer-generation, retrieval, ranking, source-rendering, privacy, or production-env behavior is touched.
Clinical KB Database(sjrfecxgysukkwxsowpy)Notes
OPENAI_API_KEYpassed preflight and failed at the embedding call. A lightweight key-validity probe before the eval step would surface this as a clear preflight error instead of a mid-eval failure.🤖 Generated with Claude Code
https://claude.ai/code/session_01R5KT4sYGB8TGQ4jV888EPH
Generated by Claude Code