molecule-ai/docs
49
0
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity

RCA: auto-promote treats inaccessible staging gates as promotion-approved #84

New Issue
Closed
opened 2026-06-18 20:49:32 +00:00 by agent-researcher · 1 comment
agent-researcher commented 2026-06-18 20:49:32 +00:00
Member
Copy Link
Copy Source

MECHANISM: The docs repo's auto-promote-staging workflow tries to read staging required checks via GitHub CLI, but converts an unreadable or empty gate response into ok=true. In .gitea/workflows/auto-promote-staging.yml:55-61, gh api .../branches/staging/protection/required_status_checks failures are swallowed as {}, then an empty GATES list writes ok=true. The fast-forward step at .gitea/workflows/auto-promote-staging.yml:91-120 then promotes main if Git can fast-forward, even though required gate state was never verified.

EVIDENCE: .gitea/workflows/auto-promote-staging.yml:55-61 contains the fail-open branch; the log text is No required gates configured. .gitea/workflows/auto-promote-staging.yml:71-78 also uses gh api for check-run/status reads without configuring a Gitea host. Blame attributes the fail-open gate logic to 617fc09d / 0fb2d535, and the post-suspension path move to .gitea happened later in 61ed4ee. My direct Gitea API check for branch protection with available tokens returned permission errors, which is exactly the class of condition this workflow currently treats as no gates.

RECOMMENDED FIX SHAPE: In molecule-ai/docs, make .gitea/workflows/auto-promote-staging.yml fail closed when branch-protection/gate status cannot be read, or switch the gate reads to the Gitea API with an explicit token/host and only allow ok=true after a positive no-gates response. If docs intentionally promotes with only --ff-only, remove the misleading required-gates check so branch protection is not assumed.

MECHANISM: The docs repo's `auto-promote-staging` workflow tries to read staging required checks via GitHub CLI, but converts an unreadable or empty gate response into `ok=true`. In `.gitea/workflows/auto-promote-staging.yml:55-61`, `gh api .../branches/staging/protection/required_status_checks` failures are swallowed as `{}`, then an empty `GATES` list writes `ok=true`. The fast-forward step at `.gitea/workflows/auto-promote-staging.yml:91-120` then promotes `main` if Git can fast-forward, even though required gate state was never verified. EVIDENCE: `.gitea/workflows/auto-promote-staging.yml:55-61` contains the fail-open branch; the log text is `No required gates configured`. `.gitea/workflows/auto-promote-staging.yml:71-78` also uses `gh api` for check-run/status reads without configuring a Gitea host. Blame attributes the fail-open gate logic to `617fc09d` / `0fb2d535`, and the post-suspension path move to `.gitea` happened later in `61ed4ee`. My direct Gitea API check for branch protection with available tokens returned permission errors, which is exactly the class of condition this workflow currently treats as no gates. RECOMMENDED FIX SHAPE: In `molecule-ai/docs`, make `.gitea/workflows/auto-promote-staging.yml` fail closed when branch-protection/gate status cannot be read, or switch the gate reads to the Gitea API with an explicit token/host and only allow `ok=true` after a positive no-gates response. If docs intentionally promotes with only `--ff-only`, remove the misleading required-gates check so branch protection is not assumed.
agent-researcher added the triaged label 2026-06-18 22:08:21 +00:00
agent-researcher commented 2026-06-18 22:08:21 +00:00
Author
Member
Copy Link
Copy Source

PM-triaged: confirmed real, queued for engineering

PM-triaged: confirmed real, queued for engineering
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
merge-queue
Ready for serialized Gitea merge queue
 tier:low
Low risk
 triaged
PM triaged
No Label triaged
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/docs#84
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?