Skip to content

ci: add daily auto-PR cron to refresh CQL catalogs#518

Open
mattmillerai wants to merge 2 commits into
mainfrom
matt/be-2992-refresh-cql-catalogs
Open

ci: add daily auto-PR cron to refresh CQL catalogs#518
mattmillerai wants to merge 2 commits into
mainfrom
matt/be-2992-refresh-cql-catalogs

Conversation

@mattmillerai

Copy link
Copy Markdown
Collaborator

ELI-5

The CQL engine ships three little data files (supported_nodes.yaml, cloud_disable_config.yaml, no_gpu_nodes.json) that it reads at runtime. They were hand-committed once and have been drifting — and no_gpu_nodes.json is still an empty placeholder ({"no_gpu_nodes": []}, count 0), which quietly makes the CLI's "no-GPU" CQL predicates dead. This adds a nightly GitHub Actions cron that re-fetches all three from their canonical sources and opens a single auto-PR whenever any of them changes, so a human just reviews and merges instead of hand-editing.

What this does

Adds .github/workflows/refresh-cql-catalogs.yml — structurally the sibling of the MCP repo's refresh-object-info workflow, but it writes raw files into comfy_cli/cql/data/ (no gzip step; the files are loaded via importlib.resources.files("comfy_cli.cql.data") and packaged automatically, so committing the raw files is the whole refresh).

  • Trigger: daily schedule cron (06:30 UTC) + workflow_dispatch.
  • Sources:
    • supported_nodes.yaml, cloud_disable_config.yamlComfy-Org/comfy-complete@main raw URLs (public, tokenless).
    • no_gpu_nodes.jsonComfy-Org/cloud@main (private; fetched via gh api blobs with a read token).
  • Sanity guards (BE-2966 lesson — fail loudly, never skip):
    • the run fails if the cloud read token is unset (secret-present check);
    • it asserts the fetched no_gpu_nodes count is > 0 before anything is committed, so the current empty-placeholder state can never be silently re-committed;
    • each YAML is asserted to parse.
  • PR flow: git diff per file; if anything changed, force-push a single bot branch auto/refresh-cql-catalogs (reset onto origin/main) and open/update one PR, filtered to --state open, with a per-file delta summary (e.g. no_gpu node count 0 → ~1203).

⚠️ Human prerequisites (must be provisioned before this cron can run — flagged so they aren't silently unprovisioned like BE-2966)

This repo has no GitHub-App or cross-repo token wiring today, yet it runs detect-unreviewed-merge.yml (SOC 2), so the auto-PR must be authored by a non-human app. A human must provision, on Comfy-Org/comfy-cli:

  1. The CLOUD_CODE_BOT GitHub App installed with Pull-requests: write, exposing the APP_ID variable and the CLOUD_CODE_BOT_PRIVATE_KEY secret (mirror the MCP repo).
  2. A fine-grained PAT (or app token) with Contents: Read on Comfy-Org/cloud as the CLOUD_REPO_READ_TOKEN secret (used only to fetch no_gpu_nodes.json).

The workflow is built to fail loudly (not skip) when either is missing. Fallback: if provisioning the private-cloud token is blocked, the two tokenless comfy-complete files can be shipped alone and no_gpu left as a follow-up — but that would mean explicitly deferring the 0→~1203 fix, not shipping a cron that silently never updates no_gpu.

Verification done

  • Workflow YAML parses; the "detect changes" delta logic exercised under bash (yaml +N/-N lines, no_gpu count 0 → N, unchanged files skipped, multiline $GITHUB_OUTPUT heredoc well-formed).
  • The count > 0 guard fires on the current empty placeholder (count 0 → exit 1), and both public comfy-complete raw URLs fetch + parse.
  • git checkout -B <branch> origin/main with locally-modified staged files carries the changes over (plus a cp-restore backstop), so the branch-reset step is safe.
  • importlib.resources.files("comfy_cli.cql.data") still resolves all three files — no path/packaging change.

Judgment calls

  • Action pinning: used bare @v6/@v3 tags for actions/* to match this repo's existing workflows (they all use bare tags), rather than the MCP repo's SHA-pinned style.
  • Cloud path in a public repo: the workflow necessarily names the private Comfy-Org/cloud source path for no_gpu_nodes.json. This is inherent to the ticket's design and low-sensitivity (a file path guarded by a private-repo token), so it's referenced factually and minimally.
  • CI-on-branch-update: like the MCP refresh-object-info sibling, the branch is pushed with the default token and the PR is authored by the app token; CI fires on the app-authored PR creation. Matches the proven reference.

@mattmillerai mattmillerai added the agent-coded PR authored by the agent-work loop label Jul 14, 2026
@mattmillerai mattmillerai marked this pull request as ready for review July 14, 2026 20:16
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 14 seconds

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 7a8d4790-065e-4e81-ad16-a613629f0cda

📥 Commits

Reviewing files that changed from the base of the PR and between a732f5c and 55d57a0.

📒 Files selected for processing (1)
  • .github/workflows/refresh-cql-catalogs.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch matt/be-2992-refresh-cql-catalogs
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch matt/be-2992-refresh-cql-catalogs

Comment @coderabbitai help to get the list of available commands.

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jul 14, 2026
@mattmillerai mattmillerai added the cursor-review Request Cursor bot review label Jul 14, 2026
@dosubot dosubot Bot added the enhancement New feature or request label Jul 14, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔍 Cursor Review — Consolidated panel

Triggered by @mattmillerai.

Found 9 finding(s).

Severity Count
🟠 High 2
🟡 Medium 4
🟢 Low 3

Panel: 6/8 reviewers contributed findings.

Reviewers that did not contribute: kimi-k2.5:adversarial (empty), kimi-k2.5:edge-case (empty)

Comment thread .github/workflows/refresh-cql-catalogs.yml
Comment thread .github/workflows/refresh-cql-catalogs.yml
Comment thread .github/workflows/refresh-cql-catalogs.yml Outdated
Comment thread .github/workflows/refresh-cql-catalogs.yml Outdated
Comment thread .github/workflows/refresh-cql-catalogs.yml Outdated
Comment thread .github/workflows/refresh-cql-catalogs.yml Outdated
Comment thread .github/workflows/refresh-cql-catalogs.yml Outdated
Comment thread .github/workflows/refresh-cql-catalogs.yml Outdated
Comment thread .github/workflows/refresh-cql-catalogs.yml Outdated
- Push/checkout with the app token (not GITHUB_TOKEN) so the auto-PR push
  fires the synchronize event and CI actually runs (requires Contents:
  write on the app; documented in the header).
- Detect drift against origin/main, not the checked-out HEAD, so a
  workflow_dispatch from a stale branch can't mask real drift.
- Assert no_gpu_nodes is a list (not just count >= 1) before committing,
  so a str/dict schema regression can't slip past the guard.
- Pin the Contents API read to @main and pyyaml to 6.0.2 (supply-chain).
- git checkout -f so the branch reset can't abort on local changes.
- Route the delta summary through an env var (script-injection sink) and
  select only OPEN, same-repo PRs (isCrossRepository == false).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

agent-coded PR authored by the agent-work loop cursor-review Request Cursor bot review enhancement New feature or request size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant