From 9b77ef14ccdee94b797da1f691a1c6d5863efe75 Mon Sep 17 00:00:00 2001 From: Molecule AI Plugin-Dev Date: Wed, 13 May 2026 04:21:42 +0000 Subject: [PATCH 1/2] =?UTF-8?q?fix(ci):=20inline=20ci=20workflow=20?= =?UTF-8?q?=E2=80=94=20Gitea=201.22.6=20cross-repo=20uses=20broken?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces workflow_call (uses: molecule-ai/molecule-ci/...) with an inline jobs block. The cross-repo workflow_call pattern no-ops on Gitea 1.22.6 because DEFAULT_ACTIONS_URL=github routes the fetch to github.com (where molecule-ai is suspended), causing a 404. Canonical validate-plugin.py is still fetched from molecule-ci on every run so validator changes propagate without repo-specific vendor drift. Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/ci.yml | 66 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 65 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 27c2e43..942fc51 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -2,4 +2,68 @@ name: CI
 on: [push, pull_request]
 jobs:
 validate:
- uses: molecule-ai/molecule-ci/.gitea/workflows/validate-plugin.yml@main
+ name: Plugin validation
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ # Canonical validator script fetched fresh on every run.
+ # Single source of truth avoids the drift class where validator
+ # changes weren't propagated to all 21 plugin repos.
+ # Anonymous git clone to avoid Gitea 1.22.6 auth fallback issue.
+ - name: Fetch molecule-ci canonical scripts
+ run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+ cache: "pip"
+ cache-dependency-path: .molecule-ci-canonical/.molecule-ci/scripts/requirements.txt
+ - run: pip install pyyaml -q
+ - run: python3 .molecule-ci-canonical/.molecule-ci/scripts/validate-plugin.py
+ - name: Check for secrets
+ run: |
+ python3 - << 'PYEOF'
+ import os, re, sys
+ from pathlib import Path
+
+ PATTERNS = [
+ re.compile(r'''["']sk-ant-[a-zA-Z0-9]{50,}["']'''),
+ re.compile(r'''["']ghp_[a-zA-Z0-9]{36,}["']'''),
+ re.compile(r'''["']AKIA[A-Z0-9]{16}["']'''),
+ re.compile(r'''["']Bearer\s+[a-zA-Z0-9_.-]{20,}["']'''),
+ re.compile(r'''ghp_[a-zA-Z0-9]{36,}'''),
+ re.compile(r'''sk-ant-[a-zA-Z0-9]{50,}'''),
+ ]
+ SKIP_DIRS = {'.molecule-ci', '.molecule-ci-canonical', '.git', 'node_modules', '__pycache__'}
+ EXTENSIONS = {'.yaml', '.yml', '.md', '.py', '.sh'}
+
+ def is_false_positive(line):
+ ctx = line.lower()
+ return '...' in ctx or ' Date: Wed, 13 May 2026 08:47:17 +0000 Subject: [PATCH 2/2] fix(ci): remove name override to post correct CI context Branch protection requires 'CI / validate (pull_request)'. The 'name: Plugin validation' job override caused 'CI / Plugin validation' instead. Removing the override so the job name defaults to 'validate', matching the required status check.
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 942fc51..d56e0ce 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -2,7 +2,6 @@ name: CI
 on: [push, pull_request]
 jobs:
 validate:
- name: Plugin validation
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
-- 2.52.0