fix(scripts): bound outbound fetches in unattended release/observability scripts (#7014)#7044
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #7044 +/- ##
==========================================
+ Coverage 89.37% 93.74% +4.37%
==========================================
Files 692 692
Lines 68748 68706 -42
Branches 18769 18760 -9
==========================================
+ Hits 61442 64409 +2967
+ Misses 5545 3302 -2243
+ Partials 1761 995 -766
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Tip ✅ LoopOver review result - approve/merge recommendedReview updated: 2026-07-17 19:42:53 UTC
Review summary Nits — 5 non-blocking
Decision drivers
Context & advisory signals — never blocks the verdict
Linked issue satisfactionPartially addressed Review context
Contributor next steps
Signal definitions
🧪 Chat with LoopOverAsk LoopOver a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://loopover.ai/docs/loopover-commands 🧪 Experimental — new and may change. 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.
|
Summary
Three unattended, CI-workflow-driven scripts made outbound fetches with no per-request timeout, so a single hung connection could block the job past its intended deadline (or indefinitely) — unlike sibling scripts in the same release/observability-automation family (e.g.
smoke-production.mjs'sfetchWithTimeout) that already guard against exactly this.scripts/check-mcp-release-due.mjs'sgithubRequest()(runs via.github/workflows/mcp-release-watch.yml) — added anAbortSignal.timeoutto itsapi.github.comfetch.scripts/smoke-observability-traces.mjs— both the trace-push fetch and each polling fetch in the generated smoke script now carry a per-callAbortSignal.timeout(OBSERVABILITY_SMOKE_TIMEOUT_MS). Previously only the between-iterations deadline was checked, so a single hung request could still block past it.scripts/smoke-observability-metrics.mjs— the same fix for all three of its fetches (collector push, collector poll, and the app's own/metricsprobe).Why
These jobs run without a human watching. A dead/slow endpoint on any of these fetches would hang the CI job rather than fail fast, which is the exact failure mode the per-request timeout in the sibling scripts already prevents.
Validation
node --checkclean.mcp-release,mcp-release-candidate,selfhost-observability-config,observability-ci,smoke-production-versions,smoke-selfhost-script) pass unchanged.test/unit/observability-release-fetch-timeout.test.tsasserts everyfetch(in these scripts is now paired with anAbortSignal.timeout(— one guard per outbound call, so an un-bounded fetch can't silently regress back in.Closes #7014