core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
d890fd9a3f
molecule-core/.github/workflows
History
Hongming Wang c89f17a2aa fix(branch-protection-drift): hard-fail on schedule only, soft-skip + warn on PR 
#2834 added a hard-fail when GH_TOKEN_FOR_ADMIN_API is missing on
schedule + pull_request + workflow_dispatch. The PR-trigger hard-fail
is now blocking every PR in the repo because the secret hasn't been
provisioned yet — including the staging→main auto-promote PR (#2831),
which has no path to set repo secrets itself.

Per feedback_schedule_vs_dispatch_secrets_hardening.md the original
concern is automated/silent triggers losing the gate without a human
to notice. That concern applies to **schedule** specifically:

- schedule: cron, no human, silent soft-skip = invisible regression →
  KEEP HARD-FAIL.
- pull_request: a human is reviewing the PR diff and will see workflow
  warnings inline. A PR cannot retroactively drift live state — drift
  happens *between* PRs (UI clicks, manual gh api PATCH), which the
  schedule canary catches. The PR-time gate would only catch typos in
  apply.sh, which the *_payload unit tests catch more directly.
  → SOFT-SKIP with a prominent warning.
- workflow_dispatch: operator override, may not have configured the
  secret yet. → SOFT-SKIP with warning.

The skip is explicit (SKIP_DRIFT_CHECK=1 surfaced to env, then a step
`if:` guard) so it's auditable in the workflow run UI, not silently
swallowed.

Unblocks #2831 (auto-promote staging→main) + every PR currently behind
this check.
2026-05-04 21:20:30 -07:00
..
auto-promote-on-e2e.yml fix(auto-promote): treat E2E completed/cancelled as defer, not failure 2026-05-04 19:26:29 -07:00
auto-promote-staging.yml
auto-sync-main-to-staging.yml
auto-tag-runtime.yml
block-internal-paths.yml
branch-protection-drift.yml fix(branch-protection-drift): hard-fail on schedule only, soft-skip + warn on PR 2026-05-04 21:20:30 -07:00
canary-staging.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
canary-verify.yml
cascade-list-drift-gate.yml
check-merge-group-trigger.yml
check-migration-collisions.yml
ci.yml
codeql.yml
continuous-synth-e2e.yml
e2e-api.yml
e2e-staging-canvas.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
e2e-staging-external.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
e2e-staging-saas.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
e2e-staging-sanity.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
harness-replays.yml
lint-curl-status-capture.yml
pr-guards.yml
promote-latest.yml
publish-canvas-image.yml
publish-runtime.yml
publish-workspace-server-image.yml
railway-pin-audit.yml
redeploy-tenants-on-main.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
redeploy-tenants-on-staging.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
retarget-main-to-staging.yml
runtime-pin-compat.yml
runtime-prbuild-compat.yml
secret-pattern-drift.yml
secret-scan.yml
sweep-aws-secrets.yml
sweep-cf-orphans.yml
sweep-cf-tunnels.yml
sweep-stale-e2e-orgs.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
test-ops-scripts.yml