chore: update fullsend shim workflow

[fullsend-ai-fullsend]

This PR updates the fullsend shim workflow to match the current template in the .fullsend config repo.

The shim content has drifted from the template — this brings it back in sync.

[github-actions]

Site preview

Preview: https://f6b3b120-site.fullsend-ai.workers.dev

Commit: 409a46c774297fbfa35a39a5ecc9042aac95eca2

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 10:42 PM UTC · Completed 10:50 PM UTC
Commit: 4ed6da4 · View workflow run →

[fullsend-ai-review]

Review

Findings

High

• [runtime mechanism failure] .github/workflows/fullsend.yaml:2 — The PR removes the sentinel comment # --- fullsend managed below - do not edit --- from this repo's shim workflow. The reconcile-repos.sh script (line 29) depends on this sentinel to separate user-owned headers from managed content via extract_managed_content() and extract_user_header(). When the sentinel is absent, managed_content_b64() (lines 150–162) treats the entire file as managed, while the template retains the sentinel. This causes a content mismatch on the next reconciliation run, which will detect drift and create a new PR to restore the sentinel and --- marker. The template at internal/scaffold/fullsend-repo/templates/shim-workflow-call.yaml still contains both lines, so this PR creates divergence from the template rather than syncing with it.
  Remediation: Do not remove the sentinel comment. If the intent is to remove it from all enrolled repos, update the template and the sentinel-dependent logic in reconcile-repos.sh in the same PR.

• [protected-path] .github/workflows/fullsend.yaml — This PR modifies a file under .github/, which is a protected path requiring human approval. The PR has no linked issue and does not explain why the protected file is being changed. Human approval is required regardless of context for protected-path changes.

Info

• [authorization-inferred-mechanical] .github/workflows/fullsend.yaml — No linked issue found for this PR. Authorization is inferred from the mechanical nature of the change (bot-generated template synchronization) and the PR author being fullsend-ai-fullsend[bot].

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[high] runtime mechanism failure

The PR removes the sentinel comment # --- fullsend managed below - do not edit --- from this repo's shim workflow. The reconcile-repos.sh script (line 29) depends on this sentinel to separate user-owned headers from managed content via extract_managed_content() and extract_user_header(). When the sentinel is absent, managed_content_b64() treats the entire file as managed, while the template retains the sentinel. This causes a content mismatch on the next reconciliation run, creating unnecessary churn. The template at internal/scaffold/fullsend-repo/templates/shim-workflow-call.yaml still contains both lines, so this PR creates divergence rather than syncing.

Suggested fix: Do not remove the sentinel comment. If the intent is to remove it from all enrolled repos, update the template and the sentinel-dependent logic in reconcile-repos.sh in the same PR.

[rh-hemartin]

@ralphbean @waynesun09

[waynesun09]

The review bot is right on this one. Verified that:

1. The template at internal/scaffold/fullsend-repo/templates/shim-workflow-call.yaml still has the --- and sentinel comment
2. reconcile-repos.sh uses SENTINEL="# --- fullsend managed below - do not edit ---" to split user-owned headers from managed content via extract_managed_content() / extract_user_header()
3. The test suite (reconcile-repos-test.sh) also asserts the sentinel is present in generated blobs

Removing these two lines from the enrolled repo while the template keeps them will cause managed_content_b64() to compute a different hash on the next reconciliation run, triggering another onboard PR to restore them — creating an infinite loop of churn.

This PR should not be merged as-is. If the intent is to drop the sentinel from shim workflows, it needs to be done atomically: update the template, update reconcile-repos.sh sentinel logic, and update the test assertions in the same change.