Medic #1520

5 changes: 5 additions & 0 deletions .github/CODEOWNERS
@@ -9,3 +9,8 @@

# data-analytics - temporarily add devex-cicd for dependency bumps
/actions/pr-quality-check/ @smartcontractkit/data-analytics @smartcontractkit/devex-cicd

# Medic (auto workflow retry only)
/actions/medic-workflow-retry-auto/** @smartcontractkit/foundations

Check failure on line 14 in .github/CODEOWNERS (GitHub Actions / Enforce): Unknown owner. make sure the team @smartcontractkit/foundations exists, is publicly visible, and has write access to the repository
Collaborator:
Let's make sure this team has write access to the repo.

/libs/medic/** @smartcontractkit/foundations

Check failure on line 15 in .github/CODEOWNERS (GitHub Actions / Enforce): Unknown owner. make sure the team @smartcontractkit/foundations exists, is publicly visible, and has write access to the repository
/.github/workflows/medic-*.yml @smartcontractkit/foundations
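Review bot: all three new owner lines fail the Enforce check with "Unknown owner" for @smartcontractkit/foundations, and GitHub ignores a CODEOWNERS rule whose owner it cannot resolve, so until that team exists and has write access nothing under /actions/medic-workflow-retry-auto/**, /libs/medic/** or the medic-*.yml workflows gets a required reviewer, which is the wrong default for code that re-runs workflows with `actions: write`. Also note that `/.github/workflows/medic-*.yml` does not match a `reusable-medic-*.yml` file; if the reusable-workflow prefix suggested in the comments is adopted, widen the pattern (for example `/.github/workflows/*medic-*.yml`) or list both forms.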

Check failure on line 16 in .github/CODEOWNERS (GitHub Actions / Enforce): Unknown owner. make sure the team @smartcontractkit/foundations exists, is publicly visible, and has write access to the repository
Collaborator:
We should use a reusable workflow with .github/workflows/reusable-medic-* prefix.

18 changes: 18 additions & 0 deletions .github/medic.yml
@@ -0,0 +1,18 @@
# Medic — auto workflow retry (`workflow_run`). Override in consuming repositories.
# https://github.com/smartcontractkit/.github

# Used for PR author allowlist when deciding whether to auto-retry a failed workflow.
merge_conflict:
allowed_authors:
- patrickhuie19
Collaborator:
Can we specify teams instead of individuals?

Contributor:
The default CI token doesn't have read access to org teams/members. The workaround is what CORA does: https://github.com/smartcontractkit/.github/blob/main/.github/workflows/reusable-codeowners-review-analysis.yml#L62-L68 which uses the org-wide members GATI to get a GH token with that access.

But then you have to juggle the 2 tokens, because the org-level token has access to nothing else.

max_attempts: 3
activity_threshold_hours: 48
skip_labels:
- medic-skip
- do not merge
- do-not-merge
- wip

workflow_retry:
max_attempts: 3
retryable: []
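Review bot: `workflow_retry.retryable: []` matches nothing, so a consuming repository that takes this default gets a no-op, and the file gives no example of what an entry looks like; add one to the header comment. The author allowlist that the comment on line 4 describes as the gate for auto-retry lives under `merge_conflict`, while the `workflow_retry` block has no allowlist of its own, so it is unclear from the file which block the retry path actually reads; since that allowlist is the control deciding whose failed runs get re-run with a privileged token, name the governing key explicitly. Finally, `workflow_retry.max_attempts: 3` duplicates the `run_attempt < 3` condition hardcoded in medic-workflow-retry-auto.yml, so raising it here alone has no effect.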
45 changes: 45 additions & 0 deletions .github/workflows/medic-workflow-retry-auto.yml
@@ -0,0 +1,45 @@
name: Medic - Auto Workflow Retry

on:
workflow_call:
secrets:
GCP_SERVICE_ACCOUNT_KEY:
required: true
GCP_PROJECT_ID:
required: true

permissions:
actions: write
checks: read
pull-requests: write
contents: read

concurrency:
group: medic-auto-retry-${{ github.event.workflow_run.id }}
cancel-in-progress: false

jobs:
auto-retry:
name: Auto retry failed workflow
if: >
github.event.workflow_run.conclusion == 'failure' &&
github.event.workflow_run.run_attempt < 3
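Review bot: the `if:` gates only on `conclusion == 'failure'` and `run_attempt < 3`, yet a `workflow_run`-triggered job executes in the base repository with this job's `actions: write` and `pull-requests: write` token no matter where the triggering PR came from, so the `allowed_authors` list in .github/medic.yml, enforced inside the action rather than here, is the sole check before a re-run is issued. Add a guard on `github.event.workflow_run.event` (for example only `pull_request`) and on the triggering workflow's name, so failed scheduled runs or pushes to main are never re-run by this path, and keep that guard in the workflow where reviewers can see it rather than only in the action's dist bundle.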
Contributor:
This is hardcoded to 3 but the medic config allows for configuring max attempts.

runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Check warning on line 30 in .github/workflows/medic-workflow-retry-auto.yml (GitHub Actions / Validate Workflow Changes):
1. Trusted actions should use a major version tag, if available. (trusted-tag-ref / warning)
2. Action is using node20. Versions older than node24 are being deprecated. Use a newer version of the action if possible. (node-version / warning)
Collaborator:
Suggested change:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@v6

This solves the node20 issue and for official GH actions, we generally are OK with pinning to a major tag.


- name: Authenticate to GCP
uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2.1.13

Check warning on line 33 in .github/workflows/medic-workflow-retry-auto.yml (GitHub Actions / Validate Workflow Changes):
1. Action is using node20. Versions older than node24 are being deprecated. Use a newer version of the action if possible. (node-version / warning)
Contributor:
Bump to v3

Suggested change:
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0

with:
credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
Collaborator @chainchad (Apr 17, 2026):
Can we use federated access with OIDC for GCP instead of hardcoded key similar to how we use AWS IAM roles?

See: workload_identity_provider via https://github.com/google-github-actions/auth

Collaborator:
Also, would this be an org-wide secret? That's the only way this would work as-is. Otherwise, for each repo that we want to use this workflow with, we'd have to set the repo-level secret. If we used OIDC, we could perhaps set it to allow any repo in the org smartcontractkit to auth.

create_credentials_file: true
export_environment_variables: true

- name: Auto retry failed workflow
uses: ./actions/medic-workflow-retry-auto
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
env:
ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
CLOUD_ML_REGION: us-east5
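Review bot: `uses: ./actions/medic-workflow-retry-auto` resolves against the checked-out workspace, and the Checkout step uses its default of the calling repository, so when this `workflow_call` workflow is invoked from another repo that path does not exist and the job fails. Either pass `repository: smartcontractkit/.github` with a pinned `ref` to actions/checkout, or reference the action as `smartcontractkit/.github/actions/medic-workflow-retry-auto@<ref>`; the second form also avoids checking out a whole repository into the same workspace where `create_credentials_file: true` writes the service-account JSON, which any later step or artifact upload could pick up. The `secrets.GCP_SERVICE_ACCOUNT_KEY` long-lived key and OIDC alternative are already raised above; whichever is chosen, the credential should be scoped to the Vertex AI project named by `ANTHROPIC_VERTEX_PROJECT_ID` and nothing else.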
12 changes: 12 additions & 0 deletions actions/medic-workflow-retry-auto/action.yml
@@ -0,0 +1,12 @@
name: Medic – Auto Workflow Retry
description:
Automatically retries failed workflow runs triggered by workflow_run events

inputs:
github-token:
description: GitHub token for API access and workflow re-run
required: true

runs:
using: node24
main: dist/index.js
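Review bot: `inputs` declares only `github-token`, but the calling workflow also feeds the action `ANTHROPIC_VERTEX_PROJECT_ID`, `CLOUD_ML_REGION` and the GCP credentials exported by the auth step through the environment; declare or at least describe those in action.yml so a consumer can see that this action calls Vertex AI with a service-account credential, and add a max-attempts or config-path input so the limit read from .github/medic.yml is not hardcoded in the workflow. `dist/index.js` is not among the files in this view; since that bundle is what runs with `actions: write`, make sure it is committed and that CI rebuilds it and fails on a diff, so the executed code matches the reviewed source under /libs/medic/**.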