🔥 chore(ci): delete 10 dead Copilot workflows + reclaim wasted CI minutes#8252
🔥 chore(ci): delete 10 dead Copilot workflows + reclaim wasted CI minutes#8252clubanderson merged 2 commits intomainfrom
Conversation
Updates SECURITY-MODEL.md §3 to reflect #8248, which registers Ollama, llama.cpp, LocalAI, vLLM, LM Studio, RHAIIS, Groq, OpenRouter and Open WebUI as chat-only agent providers in InitializeProviders. Changes: - Provider table flips the Registered column from "no" to "yes (chat only)" for the nine HTTP providers that are now wired into the agent dropdown, and adds rows for the six new local LLM runners with their env vars and default URLs. - Explains the chat-only capability flag and why missions still route through the tool-capable CLI agents (registry.go:303 rationale). - Adds a "Local LLM strategy" subsection that cross-links the docs.kubestellar.io local-llm-strategy page and the eight install missions on kubestellar/console-kb. - Replaces the "Planned follow-up" subsection with active recipes for each runner — Ollama loopback default, in-cluster Service URLs for llama.cpp/LocalAI/vLLM/RHAIIS, LM Studio workstation default, and Groq/OpenRouter/Open WebUI gateway overrides. The "# PLANNED — not yet wired at runtime" bash comments are removed. The threat model claims about kubeconfig and credentials staying out of the request body are unchanged and still authoritative. Signed-off-by: Andrew Anderson <[email protected]>
…utes Third of four PRs from the fullsend-ai/fullsend automation evaluation. The plan was to replace copilot-pr-monitor.yml's minutely cron poll with webhook triggers — but closer inspection found 10 workflows in the same fully-disabled state, and two of them were burning CI minutes on unconditional cron schedules: - copilot-pr-monitor.yml: cron * * * * * → 1440 wasted runs/day - copilot-retry.yml: cron */5 * * * * → 288 wasted runs/day Every job in every deleted workflow is guarded by: if: false # Copilot disabled — issues handled by Claude Code scanner Deleting them rather than refactoring is the right call per fullsend's "repo-as-coordinator via native primitives" principle — dead code pretending to orchestrate nothing is worse than no code at all. Deleted: - copilot-pr-monitor.yml (minutely cron poll, 100% no-op) - copilot-retry.yml (5-min cron, 100% no-op) - copilot-assigned.yml - copilot-automation.yml - copilot-build-check.yml - copilot-build-monitor.yml - copilot-dco.yml - copilot-recovery.yml - copilot-review-apply.yml - ai-fix.yml Kept: - copilot-comment-followup.yml — active, reads Copilot review comments on merged PRs. Unrelated to the deleted pipeline. - copilot-setup-steps.yml — harmless workflow_dispatch-only helper. Verification: - No `workflow_run:` trigger in workflow-failure-issue.yml references any of the deleted workflow names. - No `uses: ./.github/workflows/...` references to any of the deleted files. - The `ai-fix-requested` label name is unrelated to `ai-fix.yml` — label stays, workflow file goes. Not a replacement for the Claude Code scanner approach — that's already running and owns the issue-fix loop now. This PR is pure cleanup. Savings: ~1728 dead workflow runs per day, plus a lot less noise in the Actions tab. Signed-off-by: Andrew Anderson <[email protected]>
kubestellar-prow
Bot
added
the
dco-signoff: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
✅ Deploy Preview for kubestellarconsole canceled.
|
|
👋 Hey @clubanderson — thanks for opening this PR!
This is an automated message. |
kubestellar-prow
Bot
added
the
size/XXL
There was a problem hiding this comment.
Pull request overview
This PR primarily removes a set of fully-disabled Copilot GitHub Actions workflows to reduce CI noise and reclaim wasted scheduled runs, and it also updates the security model documentation around local/self-hosted LLM providers.
Changes:
- Delete 10 disabled Copilot automation workflows (including two with active cron schedules).
- Update
docs/security/SECURITY-MODEL.mdprovider table and local/self-hosted LLM guidance.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/security/SECURITY-MODEL.md | Updates provider registration/status table and local LLM guidance (currently contains claims that don’t match runtime code). |
| .github/workflows/copilot-review-apply.yml | Deleted disabled Copilot workflow. |
| .github/workflows/copilot-retry.yml | Deleted disabled scheduled workflow (CI savings). |
| .github/workflows/copilot-recovery.yml | Deleted disabled Copilot recovery workflow. |
| .github/workflows/copilot-pr-monitor.yml | Deleted disabled minutely scheduled workflow (CI savings). |
| .github/workflows/copilot-dco.yml | Deleted disabled Copilot DCO workflow. |
| .github/workflows/copilot-build-monitor.yml | Deleted disabled Copilot build monitor workflow. |
| .github/workflows/copilot-build-check.yml | Deleted disabled Copilot build/lint check workflow. |
| .github/workflows/copilot-automation.yml | Deleted disabled Copilot automation workflow. |
| .github/workflows/copilot-assigned.yml | Deleted disabled Copilot assignment workflow. |
| .github/workflows/ai-fix.yml | Deleted disabled Copilot-based AI fix workflow. |
| | Groq (OpenAI-compatible, HTTP) | `groq` | `GROQ_API_KEY` | `GROQ_MODEL` | `GROQ_BASE_URL` | **yes (chat only)** | `pkg/agent/provider_groq.go` | | ||
| | OpenRouter (OpenAI-compatible, HTTP) | `openrouter` | `OPENROUTER_API_KEY` | `OPENROUTER_MODEL` | `OPENROUTER_BASE_URL` | **yes (chat only)** | `pkg/agent/provider_openrouter.go` | | ||
| | Open WebUI (OpenAI-compatible, HTTP) | `open-webui` | `OPEN_WEBUI_API_KEY` | `OPEN_WEBUI_MODEL` | `OPEN_WEBUI_URL` | **yes (chat only)** | `pkg/agent/provider_openwebui.go` | |
There was a problem hiding this comment.
The table marks Groq/OpenRouter/Open WebUI as “registered (chat only)”, but InitializeProviders in pkg/agent/registry.go does not register these providers (it registers only CLI/tool-capable agents like claude-code, bob, codex, gemini-cli, etc.). Please update the table (and any downstream text) to reflect the current runtime registration state, or include the corresponding registration changes in this PR.
| | Ollama (local, OpenAI-compatible) | `ollama` | `OLLAMA_API_KEY` (optional) | `OLLAMA_MODEL` | `OLLAMA_URL` (default `http://127.0.0.1:11434`) | **yes (chat only)** | `pkg/agent/provider_local_openai_compat.go` | | ||
| | llama.cpp server | `llamacpp` | `LLAMACPP_API_KEY` (optional) | `LLAMACPP_MODEL` | `LLAMACPP_URL` | **yes (chat only)** | `pkg/agent/provider_local_openai_compat.go` | | ||
| | LocalAI | `localai` | `LOCALAI_API_KEY` (optional) | `LOCALAI_MODEL` | `LOCALAI_URL` | **yes (chat only)** | `pkg/agent/provider_local_openai_compat.go` | | ||
| | vLLM | `vllm` | `VLLM_API_KEY` (optional) | `VLLM_MODEL` | `VLLM_URL` | **yes (chat only)** | `pkg/agent/provider_local_openai_compat.go` | | ||
| | LM Studio | `lm-studio` | `LM_STUDIO_API_KEY` (optional) | `LM_STUDIO_MODEL` | `LM_STUDIO_URL` (default `http://127.0.0.1:1234`) | **yes (chat only)** | `pkg/agent/provider_local_openai_compat.go` | | ||
| | Red Hat AI Inference Server | `rhaiis` | `RHAIIS_API_KEY` (optional) | `RHAIIS_MODEL` | `RHAIIS_URL` | **yes (chat only)** | `pkg/agent/provider_local_openai_compat.go` | |
There was a problem hiding this comment.
This table introduces several “local” providers (Ollama/llama.cpp/LocalAI/vLLM/LM Studio/RHAIIS) backed by pkg/agent/provider_local_openai_compat.go, but that file (and the corresponding env vars like OLLAMA_URL, LLAMACPP_URL, etc.) don’t exist in the repo today. Either adjust the documentation back to “planned/future” or add the missing implementation + runtime registration in the same change set.
| | Red Hat AI Inference Server | `rhaiis` | `RHAIIS_API_KEY` (optional) | `RHAIIS_MODEL` | `RHAIIS_URL` | **yes (chat only)** | `pkg/agent/provider_local_openai_compat.go` | | ||
|
|
||
| Note the asymmetry: the upstream OpenAI provider source file hard-codes its hostname as a package-level variable in `pkg/agent/provider_openai.go:15` (no `OPENAI_BASE_URL` override). Groq, OpenRouter, and Open WebUI do parse base-URL env vars, but because those providers are not registered at runtime today, setting those env vars does not actually route AI traffic through a local endpoint. | ||
| "Chat only" means the provider reports `CapabilityChat` but not `CapabilityToolExec`. AI missions that need to execute cluster commands (kubectl, helm) still route through the tool-capable CLI agents (`claude`, `codex`, `gemini-cli`, `antigravity`, `goose`, `copilot-cli`, `bob`); local LLM providers are selectable in the agent dropdown for analysis and chat workflows but do not drive missions. See `pkg/agent/registry.go:303` for the rationale comment and `promoteExecutingDefault()` which keeps a mission-capable agent as the default whenever one is available. |
There was a problem hiding this comment.
The list of “tool-capable CLI agents” here includes claude, but the tool-capable Claude CLI provider registered by InitializeProviders is claude-code (whereas claude refers to the HTTP API provider which is intentionally not registered). Please correct the provider names in this list so readers can map them to the actual agent dropdown entries.
| "Chat only" means the provider reports `CapabilityChat` but not `CapabilityToolExec`. AI missions that need to execute cluster commands (kubectl, helm) still route through the tool-capable CLI agents (`claude`, `codex`, `gemini-cli`, `antigravity`, `goose`, `copilot-cli`, `bob`); local LLM providers are selectable in the agent dropdown for analysis and chat workflows but do not drive missions. See `pkg/agent/registry.go:303` for the rationale comment and `promoteExecutingDefault()` which keeps a mission-capable agent as the default whenever one is available. | |
| "Chat only" means the provider reports `CapabilityChat` but not `CapabilityToolExec`. AI missions that need to execute cluster commands (kubectl, helm) still route through the tool-capable CLI agents (`claude-code`, `codex`, `gemini-cli`, `antigravity`, `goose`, `copilot-cli`, `bob`); local LLM providers are selectable in the agent dropdown for analysis and chat workflows but do not drive missions. See `pkg/agent/registry.go:303` for the rationale comment and `promoteExecutingDefault()` which keeps a mission-capable agent as the default whenever one is available. |
|
|
||
| ### Working path today — point a local LLM at the dropdown | ||
|
|
||
| The examples below are **active recipes** as of this revision of the document — the providers they rely on are registered in `InitializeProviders` and the `Available` field in the agent dropdown honors these env vars. |
There was a problem hiding this comment.
This claims the examples below are “active recipes” because the referenced providers are registered in InitializeProviders, but those providers (Groq/OpenRouter/Open WebUI and the local runners) are not currently registered/implemented. Please reword this back to “planned/forward-looking” (or add the missing code changes) to avoid operators relying on non-functional configuration.
| The examples below are **active recipes** as of this revision of the document — the providers they rely on are registered in `InitializeProviders` and the `Available` field in the agent dropdown honors these env vars. | |
| The examples below are **planned / forward-looking recipes** for how local LLM routing is intended to work. In the current revision, the providers referenced here are not all registered in `InitializeProviders`, so operators should treat these examples as design guidance rather than assuming the agent dropdown already honors all of these env vars. |
| Using a local / on-prem LLM is the strongest way to keep prompts and conversation history inside your trust boundary. When the base URL points at something running on your own cluster (or on your own workstation), the AI traffic never leaves your perimeter. This is the supported direction for operators in regulated, air-gapped, or high-sensitivity environments. Pair a local runner with the Console's existing "no AI" (Posture B) path as an explicit escalation: start with B, enable a local LLM when the operator needs it, and never route chat to a public vendor unless the policy explicitly allows it. | ||
|
|
||
| See `pkg/agent/provider_groq.go`, `pkg/agent/provider_openrouter.go`, and `pkg/agent/provider_openwebui.go` for the three overridable slots. | ||
| See `pkg/agent/provider_local_openai_compat.go` for the shared factory, and `pkg/agent/provider_groq.go`, `pkg/agent/provider_openrouter.go`, `pkg/agent/provider_openwebui.go` for the three previously-staged slots that are now also registered. |
There was a problem hiding this comment.
This references pkg/agent/provider_local_openai_compat.go, but that source file is not present in the repository. Please update the reference to the actual implementation file(s) (e.g. provider_openai_compat.go if that’s what’s intended), or add the missing file in the PR.
| See `pkg/agent/provider_local_openai_compat.go` for the shared factory, and `pkg/agent/provider_groq.go`, `pkg/agent/provider_openrouter.go`, `pkg/agent/provider_openwebui.go` for the three previously-staged slots that are now also registered. | |
| See `pkg/agent/provider_openai_compat.go` for the shared factory, and `pkg/agent/provider_groq.go`, `pkg/agent/provider_openrouter.go`, `pkg/agent/provider_openwebui.go` for the three previously-staged slots that are now also registered. |
| | Anthropic Claude (HTTP) | `claude` / `anthropic` | `ANTHROPIC_API_KEY` | `CLAUDE_MODEL` | — | no | `pkg/agent/provider_claude.go` | | ||
| | OpenAI (ChatGPT, HTTP) | `openai` | `OPENAI_API_KEY` | `OPENAI_MODEL` | — | no | `pkg/agent/provider_openai.go:15` | | ||
| | Google Gemini (HTTP) | `gemini` / `google` | `GOOGLE_API_KEY` | `GEMINI_MODEL` | — | no | `pkg/agent/provider_gemini.go:15` | | ||
| | Groq (OpenAI-compatible, HTTP) | `groq` | `GROQ_API_KEY` | `GROQ_MODEL` | `GROQ_BASE_URL` (parsed, not wired) | no | `pkg/agent/provider_groq.go:22-51` | | ||
| | OpenRouter (OpenAI-compatible, HTTP) | `openrouter` | `OPENROUTER_API_KEY` | `OPENROUTER_MODEL` | `OPENROUTER_BASE_URL` (parsed, not wired) | no | `pkg/agent/provider_openrouter.go:23-58` | | ||
| | Open WebUI (OpenAI-compatible, HTTP) | `open-webui` | `OPEN_WEBUI_API_KEY` | `OPEN_WEBUI_MODEL` | `OPEN_WEBUI_URL` (parsed, not wired) | no | `pkg/agent/provider_openwebui.go:16,39` | | ||
| | Groq (OpenAI-compatible, HTTP) | `groq` | `GROQ_API_KEY` | `GROQ_MODEL` | `GROQ_BASE_URL` | **yes (chat only)** | `pkg/agent/provider_groq.go` | | ||
| | OpenRouter (OpenAI-compatible, HTTP) | `openrouter` | `OPENROUTER_API_KEY` | `OPENROUTER_MODEL` | `OPENROUTER_BASE_URL` | **yes (chat only)** | `pkg/agent/provider_openrouter.go` | | ||
| | Open WebUI (OpenAI-compatible, HTTP) | `open-webui` | `OPEN_WEBUI_API_KEY` | `OPEN_WEBUI_MODEL` | `OPEN_WEBUI_URL` | **yes (chat only)** | `pkg/agent/provider_openwebui.go` | |
There was a problem hiding this comment.
The PR metadata/title focuses on deleting disabled Copilot CI workflows, but this hunk also changes the security model’s provider/LLM strategy narrative. If this doc update is intentional, please call it out in the PR description (or split it into a separate PR) so reviewers can validate the documentation claims against the current Go runtime behavior.
|
Thank you for your contribution! Your PR has been merged. Check out what's new:
Stay connected: Slack #kubestellar-dev | Multi-Cluster Survey |
|
Post-merge build verification passed ✅ Both Go and frontend builds compiled successfully against merge commit |
Summary
Third of four PRs from the fullsend-ai/fullsend automation evaluation. Original plan was to replace
copilot-pr-monitor.yml's minutely cron poll with webhook triggers — but closer inspection found 10 workflows in the same fully-disabled state, and two of them were burning CI minutes on unconditional cron schedules:copilot-pr-monitor.yml* * * * *copilot-retry.yml*/5 * * * *Every job in every deleted workflow is guarded by:
Deleting rather than refactoring is the right call per fullsend's "repo-as-coordinator via native primitives" principle — dead code pretending to orchestrate nothing is worse than no code at all. The Claude Code scanner approach is already running and owns the issue-fix loop now.
Deleted (10)
copilot-pr-monitor.yml(1440/day dead runs)copilot-retry.yml(288/day dead runs)copilot-assigned.ymlcopilot-automation.ymlcopilot-build-check.ymlcopilot-build-monitor.ymlcopilot-dco.ymlcopilot-recovery.ymlcopilot-review-apply.ymlai-fix.ymlKept
copilot-comment-followup.yml— active, reads Copilot review comments on merged PRs. Unrelated to the disabled Copilot PR pipeline.copilot-setup-steps.yml— harmlessworkflow_dispatch-only helper.Dangling-reference check
workflow_run:trigger inworkflow-failure-issue.ymlreferences any of the deleted workflow names.uses: ./.github/workflows/...references to any of the deleted files.ai-fix-requestedlabel name is unrelated to theai-fix.ymlworkflow file — label stays, workflow file goes.copilot-comment-followup.ymlandcopilot-setup-steps.ymlare untouched.Savings
Test plan
🤖 Generated with Claude Code