From 3e491c673bc2f9d2a668fc0e6e3daad5be850ae1 Mon Sep 17 00:00:00 2001
From: "claude-ceo-assistant (Claude Opus 4.7 on Hongming's MacBook)"
 <claude-ceo-assistant@agents.moleculesai.app>
Date: Thu, 7 May 2026 03:03:02 -0700
Subject: [PATCH] chore(ci): adopt .runtime-version push-mode cascade signal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Background: post-2026-05-06 SCM is Gitea, not GitHub. Gitea 1.22.6 has
no repository_dispatch / workflow_dispatch trigger API (empirically
verified across 6 candidate paths in molecule-core#20 issuecomment-913).
The molecule-core/publish-runtime.yml cascade therefore cannot fire
templates via curl-dispatch — pivots to push-mode instead.

This PR is the consumer side of that pivot:

- `.runtime-version` file at repo root — single line, plain version
  string. Currently 0.1.129 (latest published as of 2026-05-07).
  publish-runtime overwrites this on each cascade.

- publish-image.yml gains a `resolve-version` job that reads the file
  and forwards the value to the reusable build workflow as the
  third-priority source in the resolution chain:
    1. client_payload.runtime_version (forward-compat with future
       GitHub-style dispatch if Gitea ever adds it)
    2. inputs.runtime_version (manual workflow_dispatch override)
    3. .runtime-version file (push-mode cascade — the new path)
    4. '' (Dockerfile requirements.txt default)

No behavioural change for PRs / manual dispatches; only fills in the
on-push case where previously the version was empty.

Sequencing context: this PR (and 8 sibling PRs to the other template
repos) MUST land before molecule-core#20 v2 is merged — otherwise the
first cascade push would trigger an on-push rebuild that pins the OLD
requirements.txt floor instead of the freshly-published version.

Refs molecule-core#14, molecule-core#20, molecule-core/issues/20.
---
 .github/workflows/publish-image.yml | 47 ++++++++++++++++++++++++-----
 .runtime-version                    |  1 +
 2 files changed, 41 insertions(+), 7 deletions(-)
 create mode 100644 .runtime-version

diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
index c23da53..14ce7a9 100644
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@@ -32,14 +32,47 @@ permissions:
   packages: write
 
 jobs:
+  # The `.runtime-version` file is the push-mode cascade signal post-
+  # 2026-05-06: when molecule-core/publish-runtime.yml ships a new
+  # version to PyPI, it does NOT call repository_dispatch (Gitea 1.22.6
+  # has no such endpoint — empirically verified molecule-core#20).
+  # Instead it git-pushes an updated `.runtime-version` to each template,
+  # which trips this workflow's `on: push: branches: [main]` trigger.
+  # This job reads that file and forwards the version to the reusable
+  # build workflow so the Dockerfile pip-installs the exact published
+  # version, not whatever requirements.txt currently bounds.
+  resolve-version:
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    outputs:
+      version: ${{ steps.read.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: read
+        run: |
+          if [ -f .runtime-version ]; then
+            v="$(head -n1 .runtime-version | tr -d '[:space:]')"
+            echo "version=$v" >> "$GITHUB_OUTPUT"
+            echo "resolved runtime version: $v"
+          else
+            echo "no .runtime-version file present — falling through to Dockerfile default"
+          fi
+
   publish:
+    needs: resolve-version
     uses: molecule-ai/molecule-ci/.github/workflows/publish-template-image.yml@main
     secrets: inherit
     with:
-      # When the cascade fires, client_payload.runtime_version is the
-      # exact version PyPI just published. Forwarded to the reusable
-      # workflow as a docker --build-arg so the cache key changes
-      # per-version and pip install resolves freshly.
-      # On other events (push to main / manual without input), this is
-      # empty and the Dockerfile's default (requirements.txt pin) applies.
-      runtime_version: ${{ github.event.client_payload.runtime_version || inputs.runtime_version || '' }}
+      # Resolution chain (highest priority first):
+      #   1. client_payload.runtime_version — legacy GitHub
+      #      repository_dispatch path (will return if Gitea ever adds
+      #      the dispatch API; left in place for forward-compat).
+      #   2. inputs.runtime_version — manual workflow_dispatch run from
+      #      the Actions UI for ad-hoc rebuilds against a specific
+      #      version.
+      #   3. needs.resolve-version.outputs.version — the
+      #      `.runtime-version` file in this repo, written by
+      #      molecule-core/publish-runtime.yml's push-mode cascade.
+      #   4. '' — fall through to the Dockerfile default
+      #      (requirements.txt pin).
+      runtime_version: ${{ github.event.client_payload.runtime_version || inputs.runtime_version || needs.resolve-version.outputs.version || '' }}
diff --git a/.runtime-version b/.runtime-version
new file mode 100644
index 0000000..aab9b57
--- /dev/null
+++ b/.runtime-version
@@ -0,0 +1 @@
+0.1.129
-- 
2.45.2