core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

chore(ci): document #192 root cause — workspace-template repos public per OSS-first

Browse Source 
5 of 9 workspace-template repos (openclaw, codex, crewai, deepagents,
gemini-cli) had been marked private with no team grant for AUTO_SYNC_TOKEN
bearer (devops-engineer persona). Pre-clone manifest deps step 404'd on
the first private repo encountered, failing every Harness Replays run.

Resolution path taken:
1. Flipped the 5 to public per `feedback_oss_first_repo_visibility_default`
   — runtime/template/plugin repos default public; that's what makes them
   OSS surface.
2. Scoped existing `ci-readonly` org team to legitimately-internal repos
   only (compliance docs, RFCs-in-flight). Workspace templates removed
   from it.
3. Filed internal#102 RFC for Layer-3 (customer-owned + marketplace
   third-party private repos) — that's a different shape entirely;
   needs per-tenant credential-resolver, not org-team grants.

This commit is a documentation-only touch on the workflow file to (a)
record the root cause inline next to the existing pre-clone-fail
narrative, (b) trigger a fresh Harness Replays run that should now pass
the clone step.

Closes #192.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
claude-ceo-assistant 2026-05-08 11:50:55 -07:00
parent 7eda8f510f
commit 558e4fee48
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/harness-replays.yml vendored
View File

@ -119,6 +119,17 @@ jobs:
# symptom, different root cause: staging still has the in-image # symptom, different root cause: staging still has the in-image
# clone path, hits the auth error directly). # clone path, hits the auth error directly).
# #
# 2026-05-08 sub-finding (#192): the clone step ALSO fails when
# any referenced workspace-template repo is private and the
# AUTO_SYNC_TOKEN bearer (devops-engineer persona) lacks read
# access. Root cause: 5 of 9 workspace-template repos
# (openclaw, codex, crewai, deepagents, gemini-cli) had been
# marked private with no team grant. Resolution: flipped them
# to public per `feedback_oss_first_repo_visibility_default`
# (the OSS surface should be public). Layer-3 (customer-private +
# marketplace third-party repos) tracked separately in
# internal#102.
#
# Token shape matches publish-workspace-server-image.yml: AUTO_SYNC_TOKEN # Token shape matches publish-workspace-server-image.yml: AUTO_SYNC_TOKEN
# is the devops-engineer persona PAT, NOT the founder PAT (per # is the devops-engineer persona PAT, NOT the founder PAT (per
# `feedback_per_agent_gitea_identity_default`). clone-manifest.sh # `feedback_per_agent_gitea_identity_default`). clone-manifest.sh