chore: osv-worker deployment #4175
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title.
Pull request overview
This PR introduces a dedicated Temporal worker service (osv-worker) for OSV advisory sync within the packages_worker app, moving OSV scheduled workflow executions off the shared packages-worker queue.
Changes:
- Route the OSV sync schedule to the osv-worker Temporal task queue.
- Add a new osv-worker entrypoint plus start/dev scripts to run it.
- Add Docker Compose service definitions and include osv-worker in the packages build service list.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| services/apps/packages_worker/src/osv/schedule.ts | Updates the OSV schedule’s taskQueue to osv-worker. |
| services/apps/packages_worker/src/bin/osv-worker.ts | Adds a dedicated worker entrypoint that initializes the service, registers the OSV schedule, then starts the worker. |
| services/apps/packages_worker/package.json | Adds start:osv-worker, dev:osv-worker, and dev:osv-worker:local scripts. |
| scripts/services/osv-worker.yaml | Adds compose definitions for osv-worker and osv-worker-dev. |
| scripts/builders/packages.env | Adds osv-worker to the packages services build list. |
| action: { | ||
| type: 'startWorkflow', | ||
| workflowType: osvSync, | ||
| taskQueue: 'packages-worker', | ||
| taskQueue: 'osv-worker', | ||
| // Headroom for npm (~1 hour today) + Maven (~5 minutes) + derive |
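Review bot: The queue name on the added taskQueue: 'osv-worker' line is a bare string literal, so whatever queue the new osv-worker entrypoint polls has to match it character for character, and a typo on either side leaves scheduled osvSync runs waiting with no worker to claim them. Consider exporting a single constant for the queue name from the OSV module and referencing it both here and where the worker is created. The old literal 'packages-worker' had the same shape, so the shared packages worker's queue name would benefit from the same treatment.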
…oyment Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit ec0769a. Configure here.
| type: 'startWorkflow', | ||
| workflowType: osvSync, | ||
| taskQueue: 'packages-worker', | ||
| taskQueue: 'osv-worker', |
Existing schedule keeps old queue
Medium Severity
This change routes new osv-advisories-sync schedules to osv-worker, but scheduleOsvSync only calls create and treats ScheduleAlreadyRunning as success without updating the action. Environments that already registered the schedule still start workflows on packages-worker, so the new osv-worker deployment may never receive scheduled OSV sync runs until the Temporal schedule is recreated or updated manually.
Reviewed by Cursor Bugbot for commit ec0769a. Configure here.
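The drift described in the comment above, as an added example that is not part of the review or of the project's code: create-only registration next to a variant that reconciles the stored action. ScheduleStore, registerCreateOnly and registerReconciling are hypothetical names, and the store is an in-memory, synchronous stand-in rather than the Temporal client, whose calls are asynchronous.

```typescript
// Added example: ScheduleStore is a hypothetical in-memory stand-in, not the Temporal client API.
type Action = { workflowType: string; taskQueue: string };

class ScheduleStore {
  private byId: Record<string, Action> = {};
  create(id: string, action: Action): void {
    if (this.byId[id]) {
      const err = new Error(`schedule ${id} already exists`);
      err.name = 'AlreadyExists';
      throw err;
    }
    this.byId[id] = { ...action };
  }
  describe(id: string): Action {
    const found = this.byId[id];
    if (!found) throw new Error(`no schedule ${id}`);
    return { ...found };
  }
  update(id: string, action: Action): void { this.byId[id] = { ...action }; }
}

function isAlreadyExists(e: unknown): boolean {
  return e instanceof Error && e.name === 'AlreadyExists';
}

// Create-only: "already exists" counts as success, so the stored action is never touched.
function registerCreateOnly(store: ScheduleStore, id: string, desired: Action): string {
  try {
    store.create(id, desired);
    return 'created';
  } catch (e) {
    if (isAlreadyExists(e)) return 'exists';
    throw e;
  }
}

// Reconciling: on "already exists", compare the stored action and update it on drift.
function registerReconciling(store: ScheduleStore, id: string, desired: Action): string {
  try {
    store.create(id, desired);
    return 'created';
  } catch (e) {
    if (!isAlreadyExists(e)) throw e;
  }
  const current = store.describe(id);
  if (current.workflowType === desired.workflowType && current.taskQueue === desired.taskQueue) return 'unchanged';
  store.update(id, desired);
  return 'updated';
}
```

Logging the 'updated' result at worker startup gives operators a visible record that an environment was still pointing at the old queue.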


This pull request introduces support for a new osv-worker service in the packages infrastructure. The main changes include adding Docker and service configuration for the new worker, updating build scripts, and integrating new start and development scripts. Additionally, the OSV sync workflow is updated to use its dedicated task queue.

New osv-worker service integration:
- osv-worker.yaml) to define the osv-worker and osv-worker-dev services, including environment variables, build context, and volume mounts for development.
- packages.env to include osv-worker for Docker builds.

Script and workflow updates:
- package.json for starting and developing the osv-worker, including local development variants.
- taskQueue in scheduleOsvSync from packages-worker to osv-worker to route OSV sync jobs to the new worker.

Note

Medium Risk
Changing the scheduled workflow task queue requires deploying osv-worker before or with this change; otherwise daily OSV sync jobs will not be picked up until the new worker is running.

Overview
Splits OSV advisory sync onto a dedicated Temporal worker (osv-worker) instead of the shared packages-worker queue.

Adds deployment plumbing: osv-worker in packages.env image builds, a new osv-worker.yaml Compose stack (prod + dev with lib volume mounts), and start/dev/local npm scripts. A new osv-worker.ts entrypoint registers the daily OSV schedule on startup then runs the worker.

scheduleOsvSync now targets task queue osv-worker, so scheduled osvSync workflows only run when this service is deployed and listening on that queue.

Reviewed by Cursor Bugbot for commit ec0769a. Bugbot is set up for automated code reviews on this repo. Configure here.