core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
c8205b009a
molecule-core/.github/workflows
History
Hongming Wang c8205b009a ci: daily Railway pin-audit cron + issue-on-failure (#2169) 
Acceptance criterion 3 of #2001 ("CI check that fails if TENANT_IMAGE
contains a SHA-shaped suffix") was deferred from PR #2168 because
querying Railway from a GitHub Actions runner needs RAILWAY_TOKEN
plumbed as a repo secret. The detection script + regression test in
#2168 cover detection; this is the automation-cadence layer.

Daily 13:00 UTC schedule (06:00 PT) + workflow_dispatch. Daily is the
right cadence for variables-tier config — Railway env var changes are
deliberate operator actions, low-frequency. Hourly would risk Railway
API rate-limit surprises.

Issue-on-failure pattern mirrors e2e-staging-sanity.yml — drift opens
a `railway-drift` priority-high issue (or comments on the open one),
and a subsequent clean run auto-closes it with a "drift resolved"
comment. No human-in-the-loop needed for the close.

Schedule-vs-dispatch secret hardening per
feedback_schedule_vs_dispatch_secrets_hardening:
- Schedule trigger HARD-FAILS on missing RAILWAY_AUDIT_TOKEN
  (silent-success was the failure mode that bit us before)
- workflow_dispatch SOFT-SKIPS so an operator can dry-run the
  workflow shape during initial token provisioning

Operator action required before this gate is live:
- Provision a Railway API token, read-only `variables` scope on the
  molecule-platform project (id 7ccc8c68-61f4-42ab-9be5-586eeee11768)
- Store as repo secret RAILWAY_AUDIT_TOKEN
- Rotate per the standard 90-day schedule

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 17:43:01 -07:00
..
auto-promote-on-e2e.yml ci: ancestry-check on auto-promote :latest (#2244) 2026-04-29 16:18:42 -07:00
auto-promote-staging.yml Merge remote-tracking branch 'origin/staging' into docs/auto-promote-staging-prereq-comment 2026-04-28 20:46:42 -07:00
auto-sync-main-to-staging.yml fix(ci): auto-sync opens a PR + uses merge queue, not direct push 2026-04-28 15:59:26 -07:00
auto-tag-runtime.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
block-internal-paths.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
canary-staging.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
canary-verify.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
check-merge-group-trigger.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
ci.yml ci: collapse all 4 path-filtered required checks to single-job-with-conditional-steps 2026-04-29 16:09:22 -07:00
codeql.yml chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps) 2026-04-28 17:44:55 -07:00
e2e-api.yml ci: collapse two-jobs-sharing-name path-filter pattern in e2e-api/e2e-staging-canvas 2026-04-29 17:29:44 -07:00
e2e-staging-canvas.yml ci: collapse two-jobs-sharing-name path-filter pattern in e2e-api/e2e-staging-canvas 2026-04-29 17:29:44 -07:00
e2e-staging-saas.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
e2e-staging-sanity.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
pr-guards.yml ci: add pr-guards caller that disables auto-merge on push 2026-04-27 06:39:31 -07:00
promote-latest.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
publish-canvas-image.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
publish-runtime.yml Merge pull request #2249 from Molecule-AI/fix/publish-runtime-cascade-hard-fail-on-push 2026-04-29 01:33:10 +00:00
publish-workspace-server-image.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
railway-pin-audit.yml ci: daily Railway pin-audit cron + issue-on-failure (#2169) 2026-04-29 17:43:01 -07:00
redeploy-tenants-on-main.yml ci(redeploy): fire post-main tenant fleet redeploy via CP admin endpoint 2026-04-24 14:34:28 -07:00
retarget-main-to-staging.yml ci(retarget): handle 422 'duplicate PR' by closing redundant main-PR (closes #1884) 2026-04-26 00:53:55 -07:00
runtime-pin-compat.yml chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps) 2026-04-28 17:44:55 -07:00
runtime-prbuild-compat.yml chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps) 2026-04-28 17:44:55 -07:00
secret-pattern-drift.yml chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps) 2026-04-28 17:44:55 -07:00
secret-scan.yml chore(security): pin Actions to SHAs + enable Dependabot auto-bumps 2026-04-28 15:37:06 -07:00
sweep-cf-orphans.yml Merge pull request #2248 from Molecule-AI/fix/sweep-cf-orphans-hard-fail-on-schedule 2026-04-29 01:16:22 +00:00
sweep-stale-e2e-orgs.yml ci: hourly sweep of stale e2e-* orgs on staging 2026-04-24 23:07:57 -07:00
test-ops-scripts.yml chore(deps): batch dep bumps — 6 safe upgrades (4 actions majors + 2 npm dev deps) 2026-04-28 17:44:55 -07:00