From 1d8c101c948e884abc325968566ef2e6ad3603e6 Mon Sep 17 00:00:00 2001 From: devops-engineer Date: Thu, 7 May 2026 05:12:06 -0700 Subject: [PATCH] =?UTF-8?q?chore:=20drop=20github-app-auth=20+=20swap=20GH?= =?UTF-8?q?CR=E2=86=92ECR=20(closes=20#157,=20#161)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two coupled cleanups for the post-2026-05-06 stack: #157 — drop molecule-ai-plugin-github-app-auth ============================================ The plugin injected GITHUB_TOKEN/GH_TOKEN via the App's installation-access flow (~hourly rotation). Per-agent Gitea identities replaced this approach after the 2026-05-06 suspension — workspaces now provision with a per-persona Gitea PAT from .env instead of an App-rotated token. The plugin code itself lived on github.com/Molecule-AI/molecule-ai-plugin-github-app-auth which is also unreachable post-suspension; checking it out at CI build time was already failing. Removed: - workspace-server/cmd/server/main.go: githubappauth import + the `if os.Getenv("GITHUB_APP_ID") != ""` block that called BuildRegistry. gh-identity remains as the active mutator. - workspace-server/Dockerfile + Dockerfile.tenant: COPY of the sibling repo + the `replace github.com/Molecule-AI/molecule-ai- plugin-github-app-auth => /plugin` directive injection. - workspace-server/go.mod + go.sum: github-app-auth dep entry (cleaned up by `go mod tidy`). - 3 workflows: actions/checkout steps for the sibling plugin repo: - .github/workflows/codeql.yml (Go matrix path) - .github/workflows/harness-replays.yml - .github/workflows/publish-workspace-server-image.yml Verified `go build ./cmd/server` + `go vet ./...` pass post-removal. #161 — swap GHCR→ECR for publish-workspace-server-image ======================================================= Same workflow used to push to ghcr.io/molecule-ai/platform + platform-tenant. ghcr.io/molecule-ai is gone post-suspension. The operator's ECR org (153263036946.dkr.ecr.us-east-2.amazonaws.com/ molecule-ai/) already hosts platform-tenant + workspace-template-* + runner-base images and is the post-suspension SSOT for container images. This PR aligns publish-workspace-server-image with that stack. - env.IMAGE_NAME + env.TENANT_IMAGE_NAME repointed to ECR URL. - docker/login-action swapped for aws-actions/configure-aws- credentials@v4 + aws-actions/amazon-ecr-login@v2 chain (the standard ECR auth pattern; uses AWS_ACCESS_KEY_ID/SECRET secrets bound to the molecule-cp IAM user). The :staging- + :staging-latest tag policy is unchanged — staging-CP's TENANT_IMAGE pin still points at :staging-latest, just with the new registry prefix. Refs molecule-core#157, #161; parallel to org-wide CI-green sweep. --- .github/workflows/codeql.yml | 13 +---- .github/workflows/harness-replays.yml | 12 +---- .../publish-workspace-server-image.yml | 47 +++++++++---------- workspace-server/Dockerfile | 12 ++--- workspace-server/Dockerfile.tenant | 5 +- workspace-server/cmd/server/main.go | 38 ++++----------- workspace-server/go.mod | 1 - workspace-server/go.sum | 2 - 8 files changed, 43 insertions(+), 87 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7e475a2a..3a7939e8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -55,17 +55,8 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Checkout sibling plugin repo - # Same reasoning as publish-workspace-server-image.yml — the Go - # module's replace directive needs the plugin source so - # CodeQL's "go build" phase can resolve. - if: matrix.language == 'go' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - repository: Molecule-AI/molecule-ai-plugin-github-app-auth - path: molecule-ai-plugin-github-app-auth - token: ${{ secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN }} - + # github-app-auth sibling-checkout removed 2026-05-07 (#157): + # plugin was dropped + the Dockerfile no longer needs it. # jq is pre-installed on ubuntu-latest — no setup step needed. - name: Initialize CodeQL diff --git a/.github/workflows/harness-replays.yml b/.github/workflows/harness-replays.yml index 5dc5d36d..dcd53f0a 100644 --- a/.github/workflows/harness-replays.yml +++ b/.github/workflows/harness-replays.yml @@ -95,16 +95,8 @@ jobs: - if: needs.detect-changes.outputs.run == 'true' uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Checkout sibling plugin repo - # Dockerfile.tenant copies molecule-ai-plugin-github-app-auth/ - # at the build-context root (see workspace-server/Dockerfile.tenant - # line 19). PLUGIN_REPO_PAT pattern matches publish-workspace-server-image.yml. - if: needs.detect-changes.outputs.run == 'true' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - repository: Molecule-AI/molecule-ai-plugin-github-app-auth - path: molecule-ai-plugin-github-app-auth - token: ${{ secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN }} + # github-app-auth sibling-checkout removed 2026-05-07 (#157): + # the plugin was dropped + Dockerfile.tenant no longer COPYs it. - name: Install Python deps for replays # peer-discovery-404 (and future replays) eval Python against the diff --git a/.github/workflows/publish-workspace-server-image.yml b/.github/workflows/publish-workspace-server-image.yml index a0113b4e..f9df59d4 100644 --- a/.github/workflows/publish-workspace-server-image.yml +++ b/.github/workflows/publish-workspace-server-image.yml @@ -60,8 +60,8 @@ permissions: packages: write env: - IMAGE_NAME: ghcr.io/molecule-ai/platform - TENANT_IMAGE_NAME: ghcr.io/molecule-ai/platform-tenant + IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform + TENANT_IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant jobs: build-and-push: @@ -70,31 +70,28 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Checkout sibling plugin repo - # workspace-server/Dockerfile expects - # ./molecule-ai-plugin-github-app-auth at build-context root because - # the Go module has a `replace` directive pointing at /plugin inside - # the image. Pre-repo-split the plugin lived in the monorepo; the - # 2026-04-18 restructure moved it out but didn't add this clone step - # — which is why publish was failing after that restructure. - # - # Uses a fine-grained PAT (PLUGIN_REPO_PAT) because the plugin repo - # is private and the default GITHUB_TOKEN is scoped to THIS repo. - # The PAT needs Contents:Read on Molecule-AI/molecule-ai-plugin- - # github-app-auth. Falls back to the default token for the (rare) - # case where an operator made the plugin repo public. - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - repository: Molecule-AI/molecule-ai-plugin-github-app-auth - path: molecule-ai-plugin-github-app-auth - token: ${{ secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN }} + # github-app-auth sibling-checkout removed 2026-05-07 (#157): + # plugin was dropped + workspace-server/Dockerfile no longer + # COPYs it. - - name: Log in to GHCR - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + - name: Configure AWS credentials for ECR + # GHCR was the pre-suspension target; the molecule-ai org on + # GitHub got swept 2026-05-06 and ghcr.io/molecule-ai/* is no + # longer reachable. Post-suspension target is the operator's + # ECR org (153263036946.dkr.ecr.us-east-2.amazonaws.com/ + # molecule-ai/*), which already hosts platform-tenant + + # workspace-template-* + runner-base images. AWS creds come + # from the AWS_ACCESS_KEY_ID/SECRET secrets bound to the + # molecule-cp IAM user. Closes #161. + uses: aws-actions/configure-aws-credentials@v4 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-2 + + - name: Log in to ECR + id: ecr-login + uses: aws-actions/amazon-ecr-login@v2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 diff --git a/workspace-server/Dockerfile b/workspace-server/Dockerfile index d6754312..dea2e223 100644 --- a/workspace-server/Dockerfile +++ b/workspace-server/Dockerfile @@ -5,15 +5,11 @@ FROM golang:1.25-alpine AS builder WORKDIR /app -# Plugin source for replace directive in go.mod -COPY molecule-ai-plugin-github-app-auth/ /plugin/ COPY workspace-server/go.mod workspace-server/go.sum ./ -# Add replace directives for Docker builds: -# 1. Platform → plugin (plugin source at /plugin/) -# 2. Plugin → platform (plugin's go.mod has a relative replace that doesn't -# work in Docker; fix it to point at /app where the platform source lives) -RUN echo 'replace github.com/Molecule-AI/molecule-ai-plugin-github-app-auth => /plugin' >> go.mod -RUN sed -i 's|replace github.com/Molecule-AI/molecule-monorepo/platform => .*|replace github.com/Molecule-AI/molecule-monorepo/platform => /app|' /plugin/go.mod +# github-app-auth plugin removed 2026-05-07 (#157): per-agent Gitea +# identities replaced the GitHub-App-installation token flow after the +# 2026-05-06 suspension. Pre-removal this stage COPY'd the sibling +# plugin repo + injected a `replace` directive; both are gone. RUN go mod download COPY workspace-server/ . # GIT_SHA mirror of Dockerfile.tenant — see that file for the rationale. diff --git a/workspace-server/Dockerfile.tenant b/workspace-server/Dockerfile.tenant index 6ccc737e..6915365d 100644 --- a/workspace-server/Dockerfile.tenant +++ b/workspace-server/Dockerfile.tenant @@ -16,9 +16,10 @@ # ── Stage 1: Go platform binary ────────────────────────────────────── FROM golang:1.25-alpine AS go-builder WORKDIR /app -COPY molecule-ai-plugin-github-app-auth/ /plugin/ COPY workspace-server/go.mod workspace-server/go.sum ./ -RUN echo 'replace github.com/Molecule-AI/molecule-ai-plugin-github-app-auth => /plugin' >> go.mod +# github-app-auth plugin removed 2026-05-07 (#157): per-agent Gitea +# identities replaced GitHub-App tokens post-suspension. The sibling +# COPY + replace directive are gone. RUN go mod download COPY workspace-server/ . diff --git a/workspace-server/cmd/server/main.go b/workspace-server/cmd/server/main.go index cba0334c..a767c190 100644 --- a/workspace-server/cmd/server/main.go +++ b/workspace-server/cmd/server/main.go @@ -29,8 +29,7 @@ import ( // External plugins — each registers EnvMutator(s) that run at workspace // provision time. Loaded via soft-dep gates in main() so self-hosters - // without the App or without per-agent identity configured keep working. - githubappauth "github.com/Molecule-AI/molecule-ai-plugin-github-app-auth/pluginloader" + // without per-agent identity configured keep working. ghidentity "github.com/Molecule-AI/molecule-ai-plugin-gh-identity/pluginloader" "github.com/Molecule-AI/molecule-monorepo/platform/pkg/provisionhook" @@ -179,12 +178,15 @@ func main() { } // External-plugin env mutators — each plugin contributes 0+ mutators - // onto a shared registry. Order matters: gh-identity populates - // MOLECULE_AGENT_ROLE-derived attribution env vars that downstream - // mutators and the workspace's install.sh can then read. Keep - // github-app-auth last because it fails loudly on misconfig and its - // failure mode is "no GITHUB_TOKEN" — worth surfacing after the - // cheaper mutators already ran. + // onto a shared registry. gh-identity populates MOLECULE_AGENT_ROLE- + // derived attribution env vars that the workspace's install.sh can + // then read. + // + // github-app-auth was dropped 2026-05-07 (closes #157): per-agent + // Gitea identities (this gh-identity plugin's role-derived path) + // replaced GitHub-App-installation tokens after the 2026-05-06 + // suspension. Workspaces now provision with a per-persona Gitea PAT + // from .env instead of an App-rotated GITHUB_TOKEN. envReg := provisionhook.NewRegistry() // gh-identity plugin — per-agent attribution via env injection + gh @@ -198,26 +200,6 @@ func main() { log.Printf("gh-identity: registered (config file=%q)", os.Getenv("MOLECULE_GH_IDENTITY_CONFIG_FILE")) } - // github-app-auth plugin — injects GITHUB_TOKEN + GH_TOKEN into every - // workspace env using the App's installation access token (rotates ~hourly). - // Soft-skip when GITHUB_APP_* env vars are absent so dev/self-hosters - // without an App configured keep working; fail-loud only on MISCONFIG - // (e.g. APP_ID set but key file missing), not on unset. - if os.Getenv("GITHUB_APP_ID") != "" { - if reg, err := githubappauth.BuildRegistry(); err != nil { - log.Fatalf("github-app-auth plugin: %v", err) - } else { - // Copy the plugin's mutators onto the shared registry so the - // TokenProvider probe (FirstTokenProvider) still finds them. - for _, m := range reg.Mutators() { - envReg.Register(m) - } - log.Printf("github-app-auth: registered, %d mutator(s) added to chain", reg.Len()) - } - } else { - log.Println("github-app-auth: GITHUB_APP_ID unset — skipping plugin registration (agents will use any PAT from .env)") - } - wh.SetEnvMutators(envReg) log.Printf("env-mutator chain: %v", envReg.Names()) diff --git a/workspace-server/go.mod b/workspace-server/go.mod index 47b22a2b..85a949fa 100644 --- a/workspace-server/go.mod +++ b/workspace-server/go.mod @@ -5,7 +5,6 @@ go 1.25.0 require ( github.com/DATA-DOG/go-sqlmock v1.5.2 github.com/Molecule-AI/molecule-ai-plugin-gh-identity v0.0.0-20260424033845-4fd5ac7be30f - github.com/Molecule-AI/molecule-ai-plugin-github-app-auth v0.0.0-20260421064811-7d98ae51e31d github.com/alicebob/miniredis/v2 v2.37.0 github.com/creack/pty v1.1.24 github.com/docker/docker v28.5.2+incompatible diff --git a/workspace-server/go.sum b/workspace-server/go.sum index 7d9c3c3d..a31b0c4e 100644 --- a/workspace-server/go.sum +++ b/workspace-server/go.sum @@ -6,8 +6,6 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/Molecule-AI/molecule-ai-plugin-gh-identity v0.0.0-20260424033845-4fd5ac7be30f h1:YkLRhUg+9qr9OV9N8dG1Hj0Ml7TThHlRwh5F//oUJVs= github.com/Molecule-AI/molecule-ai-plugin-gh-identity v0.0.0-20260424033845-4fd5ac7be30f/go.mod h1:NqdtlWZDJvpXNJRHnMkPhTKHdA1LZTNH+63TB66JSOU= -github.com/Molecule-AI/molecule-ai-plugin-github-app-auth v0.0.0-20260421064811-7d98ae51e31d h1:GpYhP6FxaJZc1Ljy5/YJ9ZIVGvfOqZBmDolNr2S5x2g= -github.com/Molecule-AI/molecule-ai-plugin-github-app-auth v0.0.0-20260421064811-7d98ae51e31d/go.mod h1:3a6LR/zd7FjR9ZwLTbytwYlWuCBsbCOVFlEg0WnoYiM= github.com/alicebob/miniredis/v2 v2.37.0 h1:RheObYW32G1aiJIj81XVt78ZHJpHonHLHW7OLIshq68= github.com/alicebob/miniredis/v2 v2.37.0/go.mod h1:TcL7YfarKPGDAthEtl5NBeHZfeUQj6OXMm/+iu5cLMM= github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=