molecule-core

History

Hongming Wang 75200f4adc ci: auto-retarget bot PRs opened against main → staging (#1853 ) Mechanical enforcement of SHARED_RULES rule 8 ("Staging-first workflow, no exceptions"). Today I manually retargeted 17+ bot PRs; next cycle there will be more. Prompt-level enforcement is leaking — 5 of 8 engineer role prompts (core-be, core-fe, app-fe, app-qa, devops-engineer) don't have the staging-first section that backend-engineer and frontend-engineer do. This Action closes the loop mechanically: - Fires on `pull_request_target` opened/reopened against main. - Only retargets bot-authored PRs (user.type=='Bot' OR login ends in '[bot]' OR == 'app/molecule-ai' OR == 'molecule-ai[bot]'). - Human-authored PRs (the CEO's staging→main promotion PR) pass through untouched — they're the authorised exception. - Posts an explainer comment so the agent that opened the PR learns why and can adjust its prompt. Why `pull_request_target` not `pull_request`: `pull_request` from a fork would run with read-only tokens and can't call the PATCH endpoint. `pull_request_target` runs with the base repository's context + its `pull-requests: write` permission, which is exactly what we need. Follow-up (not in this PR): add the staging-first section to the 5 missing role prompts in molecule-ai-org-template-molecule-dev so the rule is also documented where agents read it, not just enforced. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: molecule-ai[bot] <276602405+molecule-ai[bot]@users.noreply.github.com>	2026-04-23 19:20:40 +00:00
..
workflows	ci: auto-retarget bot PRs opened against main → staging (#1853 )	2026-04-23 19:20:40 +00:00

ci: auto-retarget bot PRs opened against main → staging (#1853 )

Mechanical enforcement of SHARED_RULES rule 8 ("Staging-first workflow,
no exceptions"). Today I manually retargeted 17+ bot PRs; next cycle
there will be more. Prompt-level enforcement is leaking — 5 of 8
engineer role prompts (core-be, core-fe, app-fe, app-qa, devops-engineer)
don't have the staging-first section that backend-engineer and
frontend-engineer do.

This Action closes the loop mechanically:

- Fires on `pull_request_target` opened/reopened against main.
- Only retargets bot-authored PRs (user.type=='Bot' OR login ends in
  '[bot]' OR == 'app/molecule-ai' OR == 'molecule-ai[bot]').
- Human-authored PRs (the CEO's staging→main promotion PR) pass through
  untouched — they're the authorised exception.
- Posts an explainer comment so the agent that opened the PR learns why
  and can adjust its prompt.

Why `pull_request_target` not `pull_request`:
`pull_request` from a fork would run with read-only tokens and can't
call the PATCH endpoint. `pull_request_target` runs with the base
repository's context + its `pull-requests: write` permission, which is
exactly what we need.

Follow-up (not in this PR): add the staging-first section to the 5
missing role prompts in molecule-ai-org-template-molecule-dev so the
rule is also documented where agents read it, not just enforced.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: molecule-ai[bot] <276602405+molecule-ai[bot]@users.noreply.github.com>

2026-04-23 19:20:40 +00:00

workflows

ci: auto-retarget bot PRs opened against main → staging (#1853 )

2026-04-23 19:20:40 +00:00