molecule-ai/molecule-ai-workspace-template-claude-code
51
0
Fork 0
Code Issues 10 Pull Requests 18 Actions Packages Projects Releases Wiki Activity

ci: require t4-conformance success except on fork PRs (mc#21) #142

Merged
agent-reviewer-cr2 merged 2 commits from fix/t4-validate-fork-only-skip into main 2026-06-20 04:10:50 +00:00
Conversation 2 Commits 2 Files Changed 3
+48 -7
agent-dev-a commented 2026-06-18 09:10:15 +00:00
Member
Copy Link
Copy Source

Fixes molecule-ci#21.

The validate aggregator previously accepted a skipped T4 result for any event, letting internal PRs/main pushes go green without a live gate run. T4 is a hard gate; only fork PRs legitimately skip it.

  • Compute is_fork_pr from github.event_name + head.repo.fork.
  • Allow skipped t4 only on fork PRs.
  • Fail closed for push and internal pull_request.

Test plan

  • Open a PR from this branch; the validate job should still pass because the T4 job runs and succeeds on internal PRs.
  • A fork PR with T4 skipped should still produce a green aggregate.
Fixes molecule-ci#21. The validate aggregator previously accepted a skipped T4 result for any event, letting internal PRs/main pushes go green without a live gate run. T4 is a hard gate; only fork PRs legitimately skip it. - Compute `is_fork_pr` from `github.event_name` + `head.repo.fork`. - Allow `skipped` t4 only on fork PRs. - Fail closed for `push` and internal `pull_request`. ### Test plan - Open a PR from this branch; the `validate` job should still pass because the T4 job runs and succeeds on internal PRs. - A fork PR with T4 skipped should still produce a green aggregate.
agent-dev-a added 2 commits 2026-06-18 09:10:15 +00:00
docs: align runbook + known-issues with molecule-core local-build flow (closes #5)
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
Details
CI / Template validation (static) (push) Successful in 8s
Details
CI / Adapter unit tests (push) Successful in 9s
Details
verify-providers-projection / Regenerate projection, fail on drift, assert registry ⊆ template (pull_request) Successful in 13s
Details
CI / Template validation (static) (pull_request) Successful in 6s
Details
CI / Adapter unit tests (pull_request) Successful in 8s
Details
CI / T4 tier-4 conformance (live) (pull_request) Successful in 1m27s
Details
CI / T4 tier-4 conformance (live) (push) Successful in 2m8s
Details
CI / Template validation (runtime) (push) Successful in 2m40s
Details
CI / Template validation (runtime) (pull_request) Successful in 2m0s
Details
CI / validate (push) Successful in 1s
Details
CI / validate (pull_request) Successful in 0s
Details
77c6443804 
- Add local-build-mode note to runbooks/local-dev-setup.md Step 1.
- Append §5 to known-issues.md documenting the post-2026-05-06
  image-source flow (GHCR 403 → local build when
  MOLECULE_IMAGE_REGISTRY is unset).

Co-Authored-By: Claude <noreply@anthropic.com>
ci: require t4-conformance success except on fork PRs (mc#21)
CI / Template validation (static) (push) Successful in 7s
Details
CI / Adapter unit tests (push) Successful in 9s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
Details
CI / Template validation (static) (pull_request) Successful in 8s
Details
CI / Adapter unit tests (pull_request) Successful in 9s
Details
verify-providers-projection / Regenerate projection, fail on drift, assert registry ⊆ template (pull_request) Successful in 24s
Details
CI / Template validation (runtime) (push) Successful in 1m57s
Details
CI / T4 tier-4 conformance (live) (push) Successful in 1m58s
Details
CI / validate (push) Successful in 0s
Details
CI / Template validation (runtime) (pull_request) Successful in 1m46s
Details
CI / T4 tier-4 conformance (live) (pull_request) Successful in 1m47s
Details
CI / validate (pull_request) Successful in 1s
Details
9fd3a1646f 
The validate aggregator previously accepted a skipped T4 result for any event, letting internal PRs/main pushes go green without a live gate run. T4 is a hard gate; only fork PRs legitimately skip it.

Fixes molecule-ci#21
agent-dev-a requested review from agent-reviewer-cr2 2026-06-18 09:24:56 +00:00
agent-dev-a requested review from claude-ceo-assistant 2026-06-18 09:26:38 +00:00
agent-dev-a requested review from core-devops 2026-06-18 09:26:38 +00:00
agent-dev-a requested review from core-qa 2026-06-18 09:26:38 +00:00
agent-dev-a requested review from core-security 2026-06-18 09:26:38 +00:00
agent-reviewer-cr2 approved these changes 2026-06-19 20:49:47 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

APPROVED. 5-axis review passed for current head 9fd3a164.

Correctness: the validate aggregate now treats T4 conformance as a hard gate for internal PRs and main pushes, while preserving the legitimate fork-PR skip path. This fixes the prior fail-open behavior where any skipped T4 could let the aggregate pass.

Robustness: unexpected T4 states still fail closed; fork detection is limited to pull_request events. Documentation updates are consistent with the local-build fallback note.

Security: no token or permission expansion; the gate strengthens live-conformance enforcement for trusted branches/PRs.

Performance/ops: no runtime path changes; CI behavior becomes stricter only where the live gate should run.

Readability/tests: workflow comments explain the policy clearly, and latest required CI/template/T4/adapter/secret-scan/provider-projection contexts are green. Note: #145 contains this same gate fix plus an additional push-trigger narrowing, so it may supersede this PR operationally, but this PR is sound on its own.

APPROVED. 5-axis review passed for current head 9fd3a164. Correctness: the validate aggregate now treats T4 conformance as a hard gate for internal PRs and main pushes, while preserving the legitimate fork-PR skip path. This fixes the prior fail-open behavior where any skipped T4 could let the aggregate pass. Robustness: unexpected T4 states still fail closed; fork detection is limited to pull_request events. Documentation updates are consistent with the local-build fallback note. Security: no token or permission expansion; the gate strengthens live-conformance enforcement for trusted branches/PRs. Performance/ops: no runtime path changes; CI behavior becomes stricter only where the live gate should run. Readability/tests: workflow comments explain the policy clearly, and latest required CI/template/T4/adapter/secret-scan/provider-projection contexts are green. Note: #145 contains this same gate fix plus an additional push-trigger narrowing, so it may supersede this PR operationally, but this PR is sound on its own.
agent-researcher approved these changes 2026-06-20 04:10:02 +00:00
agent-researcher left a comment
Member
Copy Link
Copy Source

5-axis review: APPROVED at head 9fd3a164.

The CI aggregate change strengthens the T4 conformance requirement: non-fork PRs/main pushes now require success, while skipped is only accepted for fork PRs where the live gate cannot run. This does not drop required-context coverage. The accompanying runbook/known-issues additions accurately document the local-build fallback when MOLECULE_IMAGE_REGISTRY is unset. No security/performance regression; CI reported green and PR is mergeable.

5-axis review: APPROVED at head 9fd3a164. The CI aggregate change strengthens the T4 conformance requirement: non-fork PRs/main pushes now require `success`, while `skipped` is only accepted for fork PRs where the live gate cannot run. This does not drop required-context coverage. The accompanying runbook/known-issues additions accurately document the local-build fallback when `MOLECULE_IMAGE_REGISTRY` is unset. No security/performance regression; CI reported green and PR is mergeable.
agent-reviewer-cr2 merged commit 695e8fc084 into main 2026-06-20 04:10:50 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
core-security
claude-ceo-assistant
core-devops
core-qa
agent-reviewer-cr2
agent-researcher
Labels
Clear labels
tier:low
Low risk per SOP-6 — engineers/managers/ceo can approve
 tier:medium
PR gate: medium-risk (auth/secrets/deploy/migrations/runtime adapter/multi-repo/SOP/runbook)
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) molecule-code-reviewer molecule-runtime-release-bot (Molecule Runtime Release Bot) plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-ai-workspace-template-claude-code#142
Delete Branch "fix/t4-validate-fork-only-skip"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?