From 558e4fee4803c93ab688f259fb01e4225cda7899 Mon Sep 17 00:00:00 2001 From: claude-ceo-assistant Date: Fri, 8 May 2026 11:50:55 -0700 Subject: [PATCH] =?UTF-8?q?chore(ci):=20document=20#192=20root=20cause=20?= =?UTF-8?q?=E2=80=94=20workspace-template=20repos=20public=20per=20OSS-fir?= =?UTF-8?q?st?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 5 of 9 workspace-template repos (openclaw, codex, crewai, deepagents, gemini-cli) had been marked private with no team grant for AUTO_SYNC_TOKEN bearer (devops-engineer persona). Pre-clone manifest deps step 404'd on the first private repo encountered, failing every Harness Replays run. Resolution path taken: 1. Flipped the 5 to public per `feedback_oss_first_repo_visibility_default` — runtime/template/plugin repos default public; that's what makes them OSS surface. 2. Scoped existing `ci-readonly` org team to legitimately-internal repos only (compliance docs, RFCs-in-flight). Workspace templates removed from it. 3. Filed internal#102 RFC for Layer-3 (customer-owned + marketplace third-party private repos) — that's a different shape entirely; needs per-tenant credential-resolver, not org-team grants. This commit is a documentation-only touch on the workflow file to (a) record the root cause inline next to the existing pre-clone-fail narrative, (b) trigger a fresh Harness Replays run that should now pass the clone step. Closes #192. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/harness-replays.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/harness-replays.yml b/.github/workflows/harness-replays.yml index b53d0b3f..23681ff7 100644 --- a/.github/workflows/harness-replays.yml +++ b/.github/workflows/harness-replays.yml 
@@ -119,6 +119,17 @@ jobs: # symptom, different root cause: staging still has the in-image # clone path, hits the auth error directly). # + # 2026-05-08 sub-finding (#192): the clone step ALSO fails when + # any referenced workspace-template repo is private and the + # AUTO_SYNC_TOKEN bearer (devops-engineer persona) lacks read + # access. Root cause: 5 of 9 workspace-template repos + # (openclaw, codex, crewai, deepagents, gemini-cli) had been + # marked private with no team grant. Resolution: flipped them + # to public per `feedback_oss_first_repo_visibility_default` + # (the OSS surface should be public). Layer-3 (customer-private + + # marketplace third-party repos) tracked separately in + # internal#102. + # # Token shape matches publish-workspace-server-image.yml: AUTO_SYNC_TOKEN # is the devops-engineer persona PAT, NOT the founder PAT (per # `feedback_per_agent_gitea_identity_default`). clone-manifest.sh
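Review bot: the added `2026-05-08 sub-finding (#192)` comment records the fix as a one-off visibility flip for five named repos, but it does not state the invariant the clone step depends on, so the same 404 will recur the next time a workspace-template repo is created private. Consider ending the block with a line such as `# Invariant: every repo in the manifest must be public or readable by the AUTO_SYNC_TOKEN identity.` so the requirement outlives the repo list, which will go stale as templates are added or renamed. The comment also does not say whether the history of the five repos was checked for credentials or internal material before they were made public; since that change cannot be undone once the contents have been cloned, a short note or a pointer to where that check is recorded in #192 would make the root-cause entry complete. Finally, the hunk is comment-only while the commit message says it is also meant to trigger a fresh Harness Replays run; a clone step that names the inaccessible repo in its failure output would make the next occurrence diagnosable without another documentation commit.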