Implement workflow system for semaphore ui #3488
base: develop
Co-authored-by: denguk <[email protected]>
💡 Codex Review
Here are some automated review suggestions for this pull request.
| run, err := helpers.Store(r).GetWorkflowRun(workflowRunID) | ||
| if err != nil { | ||
| helpers.WriteError(w, err) |
Scope workflow run fetch to current workflow
The workflow run detail endpoint fetches a run solely by run_id and returns it without checking that it belongs to the project/workflow in the path. Because WorkflowMiddleware only loads the workflow (lines 19–38) and GetWorkflowRun then calls helpers.Store(r).GetWorkflowRun(runID) without comparing run.WorkflowID/ProjectID to the request context, a user who knows another project’s run ID can read its status and node_runs via /project/{projectId}/workflows/{workflowId}/runs/{runId} even if the IDs don’t match. This leaks execution data across projects.
| run, err := helpers.Store(r).GetWorkflowRun(workflowRunID) | ||
| if err != nil { |
Prevent stopping workflow runs across projects
The stop endpoint also looks up the run by ID only (GetWorkflowRun(runID)) before force-updating its status and node runs. There is no check that the run’s project_id/workflow_id matches the route parameters loaded by WorkflowMiddleware, so a user with access to any project can issue /project/{projectId}/workflows/{workflowId}/runs/{runId}/stop against a foreign run ID and mark another project’s run as stopped. This allows cross-project disruption of executions.
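The ownership check that the two review comments above ask for, on the run detail and stop endpoints, as an added Go example that is not code from this pull request. `runStore`, `GetScopedRun`, `StopRun`, `ErrNotFound` and the struct fields are hypothetical stand-ins, and the sample runs are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// WorkflowRun holds only the fields the review comments mention (hypothetical shape).
type WorkflowRun struct {
	ID, WorkflowID, ProjectID int
	Status                    string
}

// ErrNotFound covers missing and foreign runs alike, so a caller cannot probe run IDs.
var ErrNotFound = errors.New("workflow run not found")

// runStore stands in for the store; it is keyed by run ID only, like the reviewed lookup.
type runStore map[int]WorkflowRun

// GetScopedRun loads a run by ID, then requires it to belong to the project and
// workflow from the route, which the middleware has already authorized.
func (s runStore) GetScopedRun(projectID, workflowID, runID int) (WorkflowRun, error) {
	run, ok := s[runID]
	if !ok || run.ProjectID != projectID || run.WorkflowID != workflowID {
		return WorkflowRun{}, ErrNotFound
	}
	return run, nil
}

// StopRun applies the same scope check before it changes any state.
func (s runStore) StopRun(projectID, workflowID, runID int) error {
	run, err := s.GetScopedRun(projectID, workflowID, runID)
	if err != nil {
		return err
	}
	run.Status = "stopped"
	s[runID] = run
	return nil
}

func main() {
	// Constructed data: run 7 belongs to project 1, run 9 to project 2.
	s := runStore{
		7: {ID: 7, WorkflowID: 10, ProjectID: 1, Status: "running"},
		9: {ID: 9, WorkflowID: 20, ProjectID: 2, Status: "running"},
	}
	_, err := s.GetScopedRun(1, 10, 9) // project 1 route, project 2 run ID
	fmt.Println("foreign read:", err)
	fmt.Println("foreign stop:", s.StopRun(1, 10, 9))
}
```

In a SQL-backed store the same scoping can sit in the query's `WHERE` clause, so an unscoped row is never loaded at all.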
| const linksToSave = this.workflow.links.map((link) => ({ | ||
| ...link, | ||
| // Remove temp IDs if they exist | ||
| id: link.id || undefined, |
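Review bot: in the `linksToSave` mapping, the comment says "Remove temp IDs if they exist", but `id: link.id || undefined` keeps every truthy `id` and only turns falsy values into `undefined`, so a temporary id that is a non-empty string would still be sent. Suggest testing for the saved form explicitly, for example keeping `id` only when it is a number, or rewording the comment to describe what the expression actually does.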
Saving new links sends temporary node ids
When saving a workflow, linksToSave is sent to the API exactly as stored in this.workflow.links with only the id field stripped. New links are built from getNodeId, which returns temp_id strings for unsaved nodes; those string from_node_id/to_node_id values are forwarded here without remapping to real node IDs. The backend WorkflowLink expects integers, so saving a workflow that includes links to newly added nodes will fail to unmarshal/insert, preventing users from persisting new connections until after IDs somehow exist.
SONNET 4.5
Add a Workflow feature with a visual editor and execution engine to enable multi-step automation pipelines.
This PR introduces a complete workflow orchestration system, including new database models, a REST API, a robust execution engine, and a Vue.js frontend for visual editing and real-time monitoring. It allows users to define and run complex, multi-step automation processes with sequential, parallel, and conditional logic, addressing a critical missing feature in Semaphore UI.