T8943: fix(mirror): anchor force_workspace parser to real Mergify abort wording

[andamasov]

What

The force_workspace backport parser (force-workspace-backport.yml) anchored its SHA + branch regexes to assumed Mergify wording that never matched real output.

Verified against the in-prod abort VyOS-Networks/vyos-1x#2116 (2026-05-15). Mergify's real No backport have been created comment reads:

#### ❌ No backport have been created
* Backport to branch `circinus` failed due to conflicts
Cherry-pick of 6df7ca2f61ce1aa8352e8dbb1fc6e9c5d6d42937 has failed:

• SHA introduced by Cherry-pick of <40hex> has failed: — not commit <40hex> / Backport of <40hex>.
• Branch name wrapped in backticks.

Both shipped regexes returned 0 matches on the real body → parse step exit 1 → force_workspace silently aborts. The smoke fixtures encoded the same fictional wording, so the smoke test + all prior gates passed against invented strings (test mirrored the bug).

Fix

• SHA_RE → \b(?:[Cc]herry-pick of|Backport of)\s+(?:commit\s+)?([0-9a-f]{40})\b
• BRANCH_RE → to branch\s+`?(sagitta|circinus)`?\b (backtick-tolerant)
• Smoke fixtures rewritten to Mergify's real wording (verbatim from #2116) + a multi-branch fail-closed negative.
• Parser regexes kept byte-identical (lockstep) across reusable + smoke; lockstep asserted locally.

Validation

• Real #2116 body now parses → SHA=6df7ca2f…937, branch=circinus.
• Smoke: 2 real-wording positives pass; 3 negatives (bare-URL SHA, ambiguous 2-SHA, multi-branch) fail-closed. Exit 0.
• Both workflow files YAML-valid.

Caught at the Rollout 4 canary pre-flight, before the live synthetic test. Tracking IS-510 / T8943.

🤖 Generated by robots

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 8dcafceb-fb72-4db8-8748-6a060027e461

📥 Commits

Reviewing files that changed from the base of the PR and between fce99ee and 55196b6.

📒 Files selected for processing (2)

• .github/workflows/force-workspace-backport.yml
• .github/workflows/force-workspace-parser-smoke.yml

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated internal backport workflow logic to improve accuracy when parsing Mergify's failure notifications and reduce false matches in comment parsing.

Walkthrough

The PR tightens comment parsing in the Mergify backport workflow by anchoring branch and SHA extraction regex constants to specific failure message phrases. The smoke test is updated with real Mergify fixture strings and corresponding regex changes to validate the refined parser against actual comment formats.

Changes

Mergify comment parser refinement

Layer / File(s)	Summary
Parser regex refinement .github/workflows/force-workspace-backport.yml	BRANCH_RE anchors to "to branch sagitta/circinus" with backticks; SHA_RE anchors to "Cherry-pick of" / "Backport of" failed-cherry-pick sentence patterns instead of generic "commit/Backport" matching, reducing false positives.
Test fixture alignment .github/workflows/force-workspace-parser-smoke.yml	Fixtures are replaced with real Mergify failure-comment bodies (positive cases with branch/SHA pairs, negative cases rejecting unrelated SHAs, multiple distinct anchored SHAs, or multiple branches). Extraction regexes updated to match the refined parser's wording and anchoring rules.

Possibly related PRs

• vyos/.github#140: Introduces the original comment-parsing logic in these workflows; this PR refines and aligns the parser regexes and test fixtures with real Mergify failure-message format.

✨ Finishing Touches

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch feature/r4-parser-real-mergify-wording

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[andamasov]

Adversarial review — 55196b6623658d195b516c6aa7df411c76f8b188 — Codex + Gemini parallel

1. [low, single-source — Codex] .github/workflows/force-workspace-backport.yml (parse step) — a single Mergify abort comment naming two branches (@Mergifyio backport sagitta circinus where both fail) trips the "exactly-1-distinct-branch" guard → the run fails closed and no force_workspace PR is opened for either branch. Gemini: no findings.

---

Each finding must receive a fix commit OR a pushback reply in a reply to this comment before merge. See /audit-pr-threads for resolution mechanics.

[andamasov]

Re: adversarial finding 1 (multi-branch fail-closed) — pushback, keeping as-is + filing a follow-up.

@codex — out of scope for this wording fix, and fail-closed is the correct default:

• Safe, non-regression. The guard aborts (visible red run) rather than acting on one branch and silently dropping the other. Worst case the operator falls back to a manual cherry-pick for that backport — exactly the pre-Rollout-4 status quo. No backport is ever produced wrong.
• Acting-on-one would be worse. With two failed branches in one comment there's genuine ambiguity about which to resolve; staging one and dropping the other invites the operator to assume both were handled.
• Proper multi-branch support is a feature, not a wording fix — iterate (sha, branch) pairs, open N PRs with per-branch idempotency. Its own design.
• This PR documents the limitation (smoke fixture comment: multi-branch is left to manual fallback — documented gap) and locks the fail-closed behavior with a negative fixture.

Follow-up for per-branch iteration filed separately. Treating this finding as resolved-by-pushback.

[chatgpt-codex-connector]

To use Codex here, create an environment for this repo.