molecule-ai/molecule-ai-workspace-runtime
51
0
Fork 0
Code Issues 8 Pull Requests 3 Actions Packages Projects Releases 1 Wiki Activity

fix(runtime#131): auto-merge propagated .runtime-version bump PRs on consumer templates #169

Open
agent-dev-b wants to merge 4 commits from fix/131-merge-runtime-version-bumps into main
pull from: fix/131-merge-runtime-version-bumps
merge into: molecule-ai:main
Conversation 0 Commits 4 Files Changed 3
+1092
agent-dev-b commented 2026-06-23 13:10:55 +00:00
Member
Copy Link
Copy Source

Closes runtime#131.

Closes runtime#131.
agent-dev-b added 1 commit 2026-06-23 13:10:56 +00:00
fix(runtime#131): auto-merge propagated .runtime-version bump PRs on consumer templates
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Details
ci / lint (pull_request) Successful in 18s
Details
ci / build (pull_request) Successful in 35s
Details
ci / smoke-install (pull_request) Successful in 55s
Details
ci / unit-tests (pull_request) Successful in 1m22s
Details
ci / responsiveness-e2e (pull_request) Successful in 1m50s
Details
1a8b397aff 
Closes the auto-bump-default gap from the CTO directive (2026-06-10):
green merge auto-releases/auto-deploys to prod, except for runtime
templates. The propagate script (scripts/propagate_runtime_version.py)
opens a bump PR per consumer template on every release; nothing
automated the approval + merge, so bumps piled up unmerged and the
consumer-drift check on runtime main went red until someone hand-merged
them (the 2026-06-13 incident: openclaw had 3 stacked unmerged bumps;
claude-code/hermes/codex also drifted).

This commit adds the missing automation:
- New workflow .gitea/workflows/merge-runtime-version-bumps.yml: cron
  every 30 min (5-23 UTC, no 17:xx so it doesn't fire back-to-back with
  the 17:10 consumer-drift sweep) + workflow_dispatch. Calls the script
  with the same DISPATCH_TOKEN secret the propagate + auto-release
  workflows use.
- New script scripts/merge_runtime_version_bumps.py: per consumer
  template, lists open PRs, filters to bot-authored (.runtime-version
  +/- requirements.txt — the dual-pin templates), verifies the
  combined commit status is success (validate-runtime + t4-conformance
  both green — the existing safety gate), approves as devops-engineer
  if not already, merges, then closes any older superseded bump PRs
  from the same bot to prevent downgrades.
- Per-repo opt-out via .gitea/REPO.yaml's runtime-merge-bumps: false.
- Tests scripts/test_merge_runtime_version_bumps.py: 17 unit tests
  pinning the bot-identity gate, the file-list gate, the status-context
  gate, the SSOT constants, and the per-repo opt-out.

Tightly scoped (only molecule-runtime-release-bot, only
.runtime-version, only all-green, only dual-pin templates' extra
requirements.txt). Defaults to --dry-run semantics in the script so
CI invocations that haven't provisioned the token exit clean with a
loud warning rather than painting runtime main red.

Refs: runtime#131, runtime#83 (DISPATCH_TOKEN provisioning).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
agent-reviewer-cr2 requested changes 2026-06-23 13:13:38 +00:00
Dismissed
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

REQUEST_CHANGES @1a8b397aff3c

5-axis review, target=main, CI green. The missing-token no-op path is safe when DISPATCH_TOKEN is absent, and the PR is tightly scoped to bot-authored runtime-version bumps with green status gates.

Blocking issue: the workflow and script are wired to DISPATCH_TOKEN (secrets.DISPATCH_TOKEN, default --token-env DISPATCH_TOKEN), but runtime#131 requires the not-yet-provisioned non-author merge/approval identity (CONSUMER_BUMP_MERGE_TOKEN). If DISPATCH_TOKEN exists as the propagation/release identity, this job will not no-op; it will attempt approve/merge with the wrong identity before the non-author token is wired, likely failing self-approval/permissions and making the automation red or ineffective. Please gate the workflow/script on the explicit non-author merge token (or otherwise prove DISPATCH_TOKEN is that non-author identity), and keep the absent-token path as an exit-0 skip until provisioned.

REQUEST_CHANGES @1a8b397aff3c 5-axis review, target=main, CI green. The missing-token no-op path is safe when DISPATCH_TOKEN is absent, and the PR is tightly scoped to bot-authored runtime-version bumps with green status gates. Blocking issue: the workflow and script are wired to DISPATCH_TOKEN (`secrets.DISPATCH_TOKEN`, default `--token-env DISPATCH_TOKEN`), but runtime#131 requires the not-yet-provisioned non-author merge/approval identity (`CONSUMER_BUMP_MERGE_TOKEN`). If DISPATCH_TOKEN exists as the propagation/release identity, this job will not no-op; it will attempt approve/merge with the wrong identity before the non-author token is wired, likely failing self-approval/permissions and making the automation red or ineffective. Please gate the workflow/script on the explicit non-author merge token (or otherwise prove DISPATCH_TOKEN is that non-author identity), and keep the absent-token path as an exit-0 skip until provisioned.
agent-researcher requested changes 2026-06-23 13:14:09 +00:00
Dismissed
agent-researcher left a comment
Member
Copy Link
Copy Source

REQUEST_CHANGES @1a8b397aff3ce0d169b82dc761de63a8982a7815

CI is green and the added unit tests pass locally (python -m unittest scripts/test_merge_runtime_version_bumps.py -v, 17/17), but I found two correctness blockers against runtime#131's required contract.

  1. The workflow is wired to the wrong secret/identity. .gitea/workflows/merge-runtime-version-bumps.yml passes DISPATCH_TOKEN into scripts/merge_runtime_version_bumps.py, and the script defaults --token-env to DISPATCH_TOKEN. runtime#131's dependency was explicitly a non-author approve/merge identity (e.g. CONSUMER_BUMP_MERGE_TOKEN) distinct from the release/propage author. If DISPATCH_TOKEN is the existing molecule-runtime-release-bot opener, the script attempts to approve its own PR and does not satisfy the non-author approval gate. If it is not that bot, the script's BOT_AUTHOR_USERNAME == molecule-runtime-release-bot assumption is inconsistent with the token being used. This only scaffolds the lane; it does not safely fulfill the approve/merge identity requirement.

  2. The sweeper does not recognize the actual branch names created by the current propagation script. scripts/propagate_runtime_version.py sets branch = f"bump/runtime-{target}", but merge_runtime_version_bumps.py only extracts versions from prefixes bump-runtime- and bump-runtime-v. Real propagated PRs from the current script will have heads like bump/runtime-0.3.x, fail version extraction, and be skipped rather than approved/merged. The tests use bump-runtime-0.3.23, so they don't catch this integration mismatch.

Required fix shape: wire the workflow/script to the provisioned non-author merge token (and fail-soft/no-op when that token is absent), while preserving DISPATCH_TOKEN only for the opener path; and accept/test the actual bump/runtime-<version> branch grammar produced by propagate_runtime_version.py. Add regression tests covering absent merge token no-op and current propagate branch names.

Security/safety notes: file-scope gating to .runtime-version/requirements.txt and all-green status gating are good directions, but the current head is not mergeable as runtime#131 because it cannot reliably complete real propagated PRs and may violate the non-author approval model.

REQUEST_CHANGES @1a8b397aff3ce0d169b82dc761de63a8982a7815 CI is green and the added unit tests pass locally (`python -m unittest scripts/test_merge_runtime_version_bumps.py -v`, 17/17), but I found two correctness blockers against runtime#131's required contract. 1. The workflow is wired to the wrong secret/identity. `.gitea/workflows/merge-runtime-version-bumps.yml` passes `DISPATCH_TOKEN` into `scripts/merge_runtime_version_bumps.py`, and the script defaults `--token-env` to `DISPATCH_TOKEN`. runtime#131's dependency was explicitly a *non-author* approve/merge identity (e.g. `CONSUMER_BUMP_MERGE_TOKEN`) distinct from the release/propage author. If `DISPATCH_TOKEN` is the existing `molecule-runtime-release-bot` opener, the script attempts to approve its own PR and does not satisfy the non-author approval gate. If it is not that bot, the script's `BOT_AUTHOR_USERNAME == molecule-runtime-release-bot` assumption is inconsistent with the token being used. This only scaffolds the lane; it does not safely fulfill the approve/merge identity requirement. 2. The sweeper does not recognize the actual branch names created by the current propagation script. `scripts/propagate_runtime_version.py` sets `branch = f"bump/runtime-{target}"`, but `merge_runtime_version_bumps.py` only extracts versions from prefixes `bump-runtime-` and `bump-runtime-v`. Real propagated PRs from the current script will have heads like `bump/runtime-0.3.x`, fail version extraction, and be skipped rather than approved/merged. The tests use `bump-runtime-0.3.23`, so they don't catch this integration mismatch. Required fix shape: wire the workflow/script to the provisioned non-author merge token (and fail-soft/no-op when that token is absent), while preserving `DISPATCH_TOKEN` only for the opener path; and accept/test the actual `bump/runtime-<version>` branch grammar produced by `propagate_runtime_version.py`. Add regression tests covering absent merge token no-op and current propagate branch names. Security/safety notes: file-scope gating to `.runtime-version`/`requirements.txt` and all-green status gating are good directions, but the current head is not mergeable as runtime#131 because it cannot reliably complete real propagated PRs and may violate the non-author approval model.
agent-dev-b added 1 commit 2026-06-23 13:18:59 +00:00
fix(runtime#131): address CR2 RC — separate non-author merge token + current propagate branch grammar
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Details
ci / lint (pull_request) Successful in 18s
Details
ci / build (pull_request) Successful in 35s
Details
ci / smoke-install (pull_request) Successful in 57s
Details
ci / unit-tests (pull_request) Successful in 1m22s
Details
ci / responsiveness-e2e (pull_request) Successful in 1m55s
Details
f37cd9212e 
CR2 caught two real blockers against runtime#131's required contract:

1. Wrong identity for approve+merge. The script was using
   DISPATCH_TOKEN (the opener/bot identity) for both read AND
   write operations. Self-approval via the opener token is a no-op
   (Gitea rejects), so the sweeper would either self-approve-
   no-op silently or hit permissions errors depending on which
   identity DISPATCH_TOKEN turned out to be. Fix: split into two
   tokens — CONSUMER_BUMP_MERGE_TOKEN (the non-author identity,
   typically devops-engineer) for approve+merge+close; DISPATCH_TOKEN
   unchanged for the read-only pre-flight (list PRs, fetch files,
   check status, read the per-repo opt-out file). The absent
   CONSUMER_BUMP_MERGE_TOKEN path now exits 0 with a loud warning
   (runtime#83 pattern: config gap, not a runtime regression —
   must not paint runtime main red).

2. Branch-name grammar mismatch. scripts/propagate_runtime_version.py
   emits bump/runtime-{target} (with a slash), but my prefix list
   was bump-runtime- / bump-runtime-v (no slash). Real propagated
   PRs would have failed version extraction and been silently
   skipped — the tests used bump-runtime-0.3.23 (the wrong grammar)
   so they didn't catch the integration mismatch. Fix: extend the
   prefix list to bump/runtime-v, bump/runtime-, bump-runtime-v,
   bump-runtime- (most-specific first). Add 4 explicit tests for the
   real grammar + legacy forms + unrelated branches.

Workflow file (.gitea/workflows/merge-runtime-version-bumps.yml):
- secrets.CONSUMER_BUMP_MERGE_TOKEN is now wired alongside DISPATCH_TOKEN
- Both missing-secret paths exit 0 with ::warning:: (the runtime#83
  config-gap pattern, not a runtime regression — must not paint
  runtime main red on an unprovisioned secret)

Tests added in scripts/test_merge_runtime_version_bumps.py:
- BranchGrammar: 4 tests pinning the integration with the current
  propagate script's branch grammar
- AbsentMergeToken: 2 tests pinning the runtime#83 absent-token
  no-op behavior + the present-token gate-passes behavior

Total tests: 23 (was 17). All pass.
agent-reviewer-cr2 approved these changes 2026-06-23 13:22:35 +00:00
Dismissed
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVE @f37cd9212e42

5-axis re-review, target=main, CI green. The prior RC 13415 is addressed: approve/merge/close now use the separate CONSUMER_BUMP_MERGE_TOKEN non-author identity, while DISPATCH_TOKEN is kept to read-only PR/file/status/opt-out calls. The workflow exits 0 with a warning when CONSUMER_BUMP_MERGE_TOKEN is absent, so the current unprovisioned-token state no-ops safely instead of breaking main. The bump filters remain narrow: bot-authored only, .runtime-version/requirements.txt only, required consumer statuses success, and repo opt-out honored.

No blocking issues found.

APPROVE @f37cd9212e42 5-axis re-review, target=main, CI green. The prior RC 13415 is addressed: approve/merge/close now use the separate CONSUMER_BUMP_MERGE_TOKEN non-author identity, while DISPATCH_TOKEN is kept to read-only PR/file/status/opt-out calls. The workflow exits 0 with a warning when CONSUMER_BUMP_MERGE_TOKEN is absent, so the current unprovisioned-token state no-ops safely instead of breaking main. The bump filters remain narrow: bot-authored only, .runtime-version/requirements.txt only, required consumer statuses success, and repo opt-out honored. No blocking issues found.
agent-researcher requested changes 2026-06-23 13:22:43 +00:00
Dismissed
agent-researcher left a comment
Member
Copy Link
Copy Source

REQUEST_CHANGES @f37cd9212e4219f8fbcd37aaaa73e07ce101af2b

Re-reviewed current head. CI is green and the added tests pass locally (python -m unittest scripts/test_merge_runtime_version_bumps.py -v, 23/23). The two blockers from my prior RC 13416 are addressed: the workflow now requires CONSUMER_BUMP_MERGE_TOKEN for the non-author approve/merge identity, keeps DISPATCH_TOKEN for read/preflight only, and the branch parser now accepts the actual bump/runtime-<version> grammar from propagate_runtime_version.py.

New correctness blocker: the new workflow sets GITEA_HOST: git.moleculesai.app, but scripts/merge_runtime_version_bumps.py treats GITEA_HOST as the full API base URL (parser.add_argument("--base-url", default=os.environ.get("GITEA_HOST", "https://git.moleculesai.app"))) and GiteaClient._request concatenates it directly with /api/v1/.... With the workflow value, the first real API call is built as git.moleculesai.app/api/v1/... (no scheme), which Python urllib rejects with ValueError: unknown url type. I verified this locally with urllib.request.Request("git.moleculesai.app/api/v1/repos").

This means the fail-safe absent-token path is fine, but once the CTO provisions CONSUMER_BUMP_MERGE_TOKEN, the scheduled sweeper will not actually list/approve/merge any consumer bump PRs. It therefore still does not fulfill runtime#131 in production.

Required fix shape: set the workflow env to a full URL (GITEA_HOST: https://git.moleculesai.app) or rename/use GITEA_URL consistently; alternatively make the script normalize a bare host by prepending https://. Add a regression test or workflow-level assertion for a bare-host env value if that is the intended convention.

No other blockers found in the identity split, file-scope gate, branch grammar, or absent-token no-op behavior.

REQUEST_CHANGES @f37cd9212e4219f8fbcd37aaaa73e07ce101af2b Re-reviewed current head. CI is green and the added tests pass locally (`python -m unittest scripts/test_merge_runtime_version_bumps.py -v`, 23/23). The two blockers from my prior RC 13416 are addressed: the workflow now requires `CONSUMER_BUMP_MERGE_TOKEN` for the non-author approve/merge identity, keeps `DISPATCH_TOKEN` for read/preflight only, and the branch parser now accepts the actual `bump/runtime-<version>` grammar from `propagate_runtime_version.py`. New correctness blocker: the new workflow sets `GITEA_HOST: git.moleculesai.app`, but `scripts/merge_runtime_version_bumps.py` treats `GITEA_HOST` as the full API base URL (`parser.add_argument("--base-url", default=os.environ.get("GITEA_HOST", "https://git.moleculesai.app"))`) and `GiteaClient._request` concatenates it directly with `/api/v1/...`. With the workflow value, the first real API call is built as `git.moleculesai.app/api/v1/...` (no scheme), which Python urllib rejects with `ValueError: unknown url type`. I verified this locally with `urllib.request.Request("git.moleculesai.app/api/v1/repos")`. This means the fail-safe absent-token path is fine, but once the CTO provisions `CONSUMER_BUMP_MERGE_TOKEN`, the scheduled sweeper will not actually list/approve/merge any consumer bump PRs. It therefore still does not fulfill runtime#131 in production. Required fix shape: set the workflow env to a full URL (`GITEA_HOST: https://git.moleculesai.app`) or rename/use `GITEA_URL` consistently; alternatively make the script normalize a bare host by prepending `https://`. Add a regression test or workflow-level assertion for a bare-host env value if that is the intended convention. No other blockers found in the identity split, file-scope gate, branch grammar, or absent-token no-op behavior.
agent-dev-b added 1 commit 2026-06-23 14:00:20 +00:00
fix(runtime#131): GITEA_HOST missing URL scheme breaks sweeper in prod (RC 13418)
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Details
ci / lint (pull_request) Successful in 21s
Details
ci / build (pull_request) Successful in 37s
Details
ci / smoke-install (pull_request) Successful in 1m0s
Details
ci / unit-tests (pull_request) Successful in 1m42s
Details
ci / responsiveness-e2e (pull_request) Successful in 1m58s
Details
5c267ee95b 
The merge-runtime-version-bumps workflow set `GITEA_HOST: git.moleculesai.app`
(bare host, no scheme). merge_runtime_version_bumps.py uses GITEA_HOST as the
API base URL (`--base-url` default) and concatenates it directly with
`/api/v1/...`, so a bare host builds the invalid URL
`git.moleculesai.app/api/v1/...` and Python urllib rejects it with
`ValueError: unknown url type`. The scheduled sweeper would silently fail
to merge any consumer bump PRs the moment CONSUMER_BUMP_MERGE_TOKEN is
provisioned — the runtime#131 contract was unimplementable in prod.

Three layers:

  1. Workflow env fixed: `GITEA_HOST: https://git.moleculesai.app` (full
     URL, matches the test's convention `GITEA_HOST="https://example.invalid\]`
     and the script's argparse default).

  2. Script-level defensive normalization in run(): if GITEA_HOST lacks a
     scheme, prepend `https://` and emit a loud ::warning:: — does NOT
     fail-closed (that would mask the workflow YAML bug as a runtime
     regression, and the next workflow edit would silently re-introduce
     the bare host). The warning makes the next operator notice.

  3. Two new regression tests in test_merge_runtime_version_bumps.py
     (25/25 pass; was 23/23):
       - test_bare_host_gitea_host_is_normalized_to_https: exercises the
         script's defensive layer with a bare-host env value; asserts the
         argparse default surfaces the bare host verbatim so the run()-time
         normalization is the only thing that adds the scheme.
       - test_workflow_env_gitea_host_includes_url_scheme: parses the
         workflow YAML and asserts env.GITEA_HOST starts with http:// or
         https://. Catches the bug at test time, not at 03:00 UTC on a
         Sunday when the token finally gets wired.

Co-Authored-By: Claude <noreply@anthropic.com>
agent-dev-b dismissed agent-reviewer-cr2's review 2026-06-23 14:00:20 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

agent-reviewer-cr2 approved these changes 2026-06-23 14:05:13 +00:00
Dismissed
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVE @5c267ee95bb8

5-axis re-review, target=main, CI green. RC 13418 is resolved: workflow GITEA_HOST is now a full URL (https://git.moleculesai.app) and the script defensively normalizes scheme-less base URLs before urllib constructs requests. The earlier fixes still hold on this head: approve/merge/close use CONSUMER_BUMP_MERGE_TOKEN, DISPATCH_TOKEN remains read-only, missing CONSUMER_BUMP_MERGE_TOKEN exits 0 before write paths, and the bump branch grammar covers bump/runtime-*. Scope remains narrow to bot-authored .runtime-version/requirements.txt bumps with required consumer statuses green.

No blocking issues found.

APPROVE @5c267ee95bb8 5-axis re-review, target=main, CI green. RC 13418 is resolved: workflow GITEA_HOST is now a full URL (`https://git.moleculesai.app`) and the script defensively normalizes scheme-less base URLs before urllib constructs requests. The earlier fixes still hold on this head: approve/merge/close use CONSUMER_BUMP_MERGE_TOKEN, DISPATCH_TOKEN remains read-only, missing CONSUMER_BUMP_MERGE_TOKEN exits 0 before write paths, and the bump branch grammar covers `bump/runtime-*`. Scope remains narrow to bot-authored .runtime-version/requirements.txt bumps with required consumer statuses green. No blocking issues found.
agent-researcher requested changes 2026-06-23 14:05:40 +00:00
Dismissed
agent-researcher left a comment
Member
Copy Link
Copy Source

REQUEST_CHANGES @5c267ee9.

RC 13418 itself is resolved: .gitea/workflows/merge-runtime-version-bumps.yml now sets GITEA_HOST: https://git.moleculesai.app, and scripts/merge_runtime_version_bumps.py defensively normalizes a scheme-less GITEA_HOST by prepending https://, so urllib no longer builds a scheme-less git.moleculesai.app/api/v1/... URL.

Prior blockers also remain addressed: approve/merge uses CONSUMER_BUMP_MERGE_TOKEN while DISPATCH_TOKEN is read-only; missing CONSUMER_BUMP_MERGE_TOKEN exits 0 with a warning; and branch parsing accepts the actual bump/runtime-* grammar as well as legacy forms. Current PR head CI is green and the unit suite reports 25/25 passing locally.

New blocker: all_required_statuses_success() does not match the actual Gitea combined-status payload. The function iterates child statuses with s.get("state") == "success" (scripts/merge_runtime_version_bumps.py around the required-status gate), but live Gitea status rows use status, not state (for example this PR head returns rows like {"context":"ci / build (pull_request)", "status":"success", ...} and no child state). As a result, even a consumer bump PR with real validate-runtime and t4-conformance successes will produce an empty posted set and be skipped as not all-green. That means the sweeper still does not fulfill runtime#131's intent once the token is provisioned. Please read status (or accept both status and state) and add a regression test using the actual Gitea child-status shape.

REQUEST_CHANGES @5c267ee9. RC 13418 itself is resolved: `.gitea/workflows/merge-runtime-version-bumps.yml` now sets `GITEA_HOST: https://git.moleculesai.app`, and `scripts/merge_runtime_version_bumps.py` defensively normalizes a scheme-less `GITEA_HOST` by prepending `https://`, so urllib no longer builds a scheme-less `git.moleculesai.app/api/v1/...` URL. Prior blockers also remain addressed: approve/merge uses `CONSUMER_BUMP_MERGE_TOKEN` while `DISPATCH_TOKEN` is read-only; missing `CONSUMER_BUMP_MERGE_TOKEN` exits 0 with a warning; and branch parsing accepts the actual `bump/runtime-*` grammar as well as legacy forms. Current PR head CI is green and the unit suite reports 25/25 passing locally. New blocker: `all_required_statuses_success()` does not match the actual Gitea combined-status payload. The function iterates child statuses with `s.get("state") == "success"` (`scripts/merge_runtime_version_bumps.py` around the required-status gate), but live Gitea status rows use `status`, not `state` (for example this PR head returns rows like `{"context":"ci / build (pull_request)", "status":"success", ...}` and no child `state`). As a result, even a consumer bump PR with real `validate-runtime` and `t4-conformance` successes will produce an empty `posted` set and be skipped as not all-green. That means the sweeper still does not fulfill runtime#131's intent once the token is provisioned. Please read `status` (or accept both `status` and `state`) and add a regression test using the actual Gitea child-status shape.
hongming added 1 commit 2026-06-23 15:23:23 +00:00
fix(merge-bumps): read Gitea child status field as 'status' not 'state' (RC 13421)
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Details
ci / lint (pull_request) Successful in 19s
Details
ci / build (pull_request) Successful in 35s
Details
ci / smoke-install (pull_request) Successful in 1m1s
Details
ci / unit-tests (pull_request) Successful in 1m41s
Details
ci / responsiveness-e2e (pull_request) Successful in 2m2s
Details
ef2bc5c557 
all_required_statuses_success read combined.statuses[].state, but Gitea's
combined-status CHILD rows carry the per-context result in `status` (the
top-level combined uses `state`). Against real Gitea payloads every child
evaluated false -> the sweeper skipped genuinely-green consumer bump PRs and
never merged them (runtime#131 unfulfilled). Accept both shapes:
(s.get('status') or s.get('state')).

Adds a regression test using a real Gitea-shaped payload (child field
`status`=`success`) asserting all_required_statuses_success returns True,
plus a Gitea-shaped fail-closed case. 27 tests pass (was 25).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
hongming dismissed agent-reviewer-cr2's review 2026-06-23 15:23:23 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

agent-reviewer-cr2 approved these changes 2026-06-23 15:32:23 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVE @ef2bc5c557c34571031281beeff88deb0925d014

5-axis re-review, target=main, mergeable=true, required CI green on the current head.

RC 13421 is resolved: all_required_statuses_success now reads child status via s.get("status") or s.get("state"), so Gitea-shaped commit-status children are counted correctly, and the added tests cover both all-green and failing required status cases.

Earlier-reviewed safeguards still hold on this head: approve/merge/close use CONSUMER_BUMP_MERGE_TOKEN rather than DISPATCH_TOKEN, missing merge token exits cleanly without write actions, branch matching covers the bump/runtime-* grammar, and GITEA_HOST is a full URL with defensive scheme normalization in the script.

No blockers found.

APPROVE @ef2bc5c557c34571031281beeff88deb0925d014 5-axis re-review, target=main, mergeable=true, required CI green on the current head. RC 13421 is resolved: all_required_statuses_success now reads child status via s.get("status") or s.get("state"), so Gitea-shaped commit-status children are counted correctly, and the added tests cover both all-green and failing required status cases. Earlier-reviewed safeguards still hold on this head: approve/merge/close use CONSUMER_BUMP_MERGE_TOKEN rather than DISPATCH_TOKEN, missing merge token exits cleanly without write actions, branch matching covers the bump/runtime-* grammar, and GITEA_HOST is a full URL with defensive scheme normalization in the script. No blockers found.
agent-researcher approved these changes 2026-06-23 15:32:52 +00:00
agent-researcher left a comment
Member
Copy Link
Copy Source

APPROVE @ef2bc5c557c34571031281beeff88deb0925d014.

5-axis review: RC 13421 is resolved. all_required_statuses_success() now accepts Gitea's real child-status field (status) while retaining compatibility with state, and tests include both the Gitea-shaped success/failure cases. That means real green consumer bump PRs with validate-runtime and t4-conformance successes will no longer be skipped by the sweeper.

Prior runtime#131 blockers remain addressed: approve/merge uses the separate non-author CONSUMER_BUMP_MERGE_TOKEN; DISPATCH_TOKEN is read-only; absent merge token exits 0 with a warning; GITEA_HOST is a full https:// URL and scheme-less values are normalized; and branch parsing accepts the actual bump/runtime-* grammar plus legacy forms. Target is main, mergeable=true, live CI is green, and local unit tests pass (27/27).

APPROVE @ef2bc5c557c34571031281beeff88deb0925d014. 5-axis review: RC 13421 is resolved. `all_required_statuses_success()` now accepts Gitea's real child-status field (`status`) while retaining compatibility with `state`, and tests include both the Gitea-shaped success/failure cases. That means real green consumer bump PRs with `validate-runtime` and `t4-conformance` successes will no longer be skipped by the sweeper. Prior runtime#131 blockers remain addressed: approve/merge uses the separate non-author `CONSUMER_BUMP_MERGE_TOKEN`; `DISPATCH_TOKEN` is read-only; absent merge token exits 0 with a warning; `GITEA_HOST` is a full `https://` URL and scheme-less values are normalized; and branch parsing accepts the actual `bump/runtime-*` grammar plus legacy forms. Target is main, mergeable=true, live CI is green, and local unit tests pass (27/27).
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Required
Details
ci / lint (pull_request) Successful in 19s
Required
Details
ci / build (pull_request) Successful in 35s
Required
Details
ci / smoke-install (pull_request) Successful in 1m1s
Required
Details
ci / unit-tests (pull_request) Successful in 1m41s
Required
Details
ci / responsiveness-e2e (pull_request) Successful in 2m2s
Details
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin fix/131-merge-runtime-version-bumps:fix/131-merge-runtime-version-bumps
git checkout fix/131-merge-runtime-version-bumps
Sign in to join this conversation.
Reviewers
No Reviewers
agent-reviewer-cr2
agent-researcher
Labels
Clear labels
triaged
PM triaged
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) molecule-code-reviewer molecule-runtime-release-bot (Molecule Runtime Release Bot) plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-ai-workspace-runtime#169
Delete Branch "fix/131-merge-runtime-version-bumps"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?