molecule-ai/molecule-ai-workspace-template-claude-code
51
0
Fork 0
Code Issues 11 Pull Requests 25 Actions Packages Projects Releases Wiki Activity

ci: pin validate-runtime + t4-conformance to docker-host (internal#512 follow-on) #32

Open
hongming wants to merge 1 commits from ci/docker-host-pin-validate-runtime-and-t4 into main
pull from: ci/docker-host-pin-validate-runtime-and-t4
merge into: molecule-ai:main
Conversation 2 Commits 1 Files Changed 1
+15 -2
hongming commented 2026-05-19 01:48:12 +00:00
Owner
Copy Link
Copy Source

Summary

Class-defect follow-on to internal#512: any workflow job that execs docker must pin runs-on: to a Linux-only label so it doesn't get non-deterministically routed to a Windows hongming-pc-runner-* (act_runner v1.0.3) where docker build, docker login, docker compose, and docker exec ... sudo -n nsenter all fail with platform-specific errors.

This PR pins the validate-runtime and t4-conformance jobs in ci.yml to runs-on: docker-host. Both jobs build/run/exec docker. They are the same shape as the codex sibling (template-codex#9, MERGED) and as the in-flight publish-image-lane PRs (#23 openclaw / #27 hermes / #28 claude-code).

Empirically verified failure case: openclaw run #163 job T4 tier-4 conformance (live) requested ["ubuntu-latest"] and landed on hongming-pc-runner-5 (per action_task join action_runner query against gitea DB).

What does NOT change

  • validate-static / validate / tests / shell-tests jobs (no docker exec) — left on ubuntu-latest.
  • publish-image.yml is tracked separately (in-flight per-repo PR).

Test plan

  • CI green on this PR
  • Post-merge: action_task join action_runner shows the runtime + t4 jobs land on molecule-runner-* (Linux), never hongming-pc-runner-*

NOT auto-merged. Awaiting non-author review.

Generated with Claude Code

## Summary Class-defect follow-on to **internal#512**: any workflow job that execs docker must pin `runs-on:` to a Linux-only label so it doesn't get non-deterministically routed to a Windows `hongming-pc-runner-*` (act_runner v1.0.3) where `docker build`, `docker login`, `docker compose`, and `docker exec ... sudo -n nsenter` all fail with platform-specific errors. This PR pins the **validate-runtime** and **t4-conformance** jobs in `ci.yml` to `runs-on: docker-host`. Both jobs build/run/exec docker. They are the same shape as the codex sibling (template-codex#9, MERGED) and as the in-flight publish-image-lane PRs (#23 openclaw / #27 hermes / #28 claude-code). Empirically verified failure case: openclaw run #163 job `T4 tier-4 conformance (live)` requested `["ubuntu-latest"]` and landed on `hongming-pc-runner-5` (per `action_task` join `action_runner` query against gitea DB). ## What does NOT change - `validate-static` / `validate` / `tests` / `shell-tests` jobs (no docker exec) — left on `ubuntu-latest`. - `publish-image.yml` is tracked separately (in-flight per-repo PR). ## Test plan - [ ] CI green on this PR - [ ] Post-merge: `action_task` join `action_runner` shows the runtime + t4 jobs land on `molecule-runner-*` (Linux), never `hongming-pc-runner-*` NOT auto-merged. Awaiting non-author review. Generated with Claude Code
hongming added 1 commit 2026-05-19 01:48:12 +00:00
ci: pin validate-runtime + t4-conformance to docker-host (internal#512 follow-on)
CI / validate (pull_request) Blocked by required conditions
Details
CI / Template validation (static) (push) Successful in 1m14s
Details
CI / Adapter unit tests (push) Successful in 1m15s
Details
CI / Template validation (static) (pull_request) Successful in 29s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
Details
CI / Adapter unit tests (pull_request) Successful in 1m9s
Details
CI / Template validation (runtime) (pull_request) Failing after 1m2s
Details
CI / T4 tier-4 conformance (live) (pull_request) Failing after 3s
Details
CI / Template validation (runtime) (push) Successful in 4m20s
Details
CI / T4 tier-4 conformance (live) (push) Successful in 4m21s
Details
CI / validate (push) Successful in 1s
Details
1994502197 
Class defect (internal#512): the bare `ubuntu-latest` label is
advertised by BOTH the Linux operator-host runners (molecule-runner-*)
AND Windows act_runner v1.0.3 on hongming-pc-runner-*. Job placement
is non-deterministic. When the validate-runtime / t4-conformance docker
exec chain lands on a Windows runner, `docker build` / `docker run` /
`docker exec ... sudo -n nsenter ...` fails with platform-specific
errors — placement-dependent, not transient.

Mirrors the codex sibling fix (template-codex#9). Sibling to the
already in-flight publish-image lane PRs (#23 openclaw / #27 hermes /
#28 claude-code) — same root cause, different surface.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
agent-dev-a approved these changes 2026-05-19 02:14:17 +00:00
agent-dev-a left a comment
Member
Copy Link
Copy Source

Lens: agent-dev-a — internal#512 follow-on, mc#1529 class, runner-pinning.

5-axis review (code-review-and-quality):

  1. Correctness — diff swaps runs-on: ubuntu-latestdocker-host only, on jobs that touch docker.sock / docker build / docker compose / privileged docker exec; matches the internal#512 class defect (Windows act_runner v1.0.3 also advertises ubuntu-latest, breaks docker.sock). Identical shape to template-codex#9 / mc#1543 already-merged.
  2. Safety — no destructive ops, no admin-merge bypass, no behavioral change beyond runner-placement. Failure mode pre-fix is non-deterministic placement-dependent breakage; post-fix is deterministic correct placement.
  3. Tests — fix is enforced going forward by lint-required-workflows-docker-host-pinned (mc#1558). For these template PRs the substance IS the change; T4-conformance + validate-runtime are the test of the fix.
  4. Surface — no secrets, no trust-boundary change, no new permissions.
  5. SOP — scoped to one concern, references the right RFC/task (internal#512), vendor-doc-aligned (Gitea 1.22.6 mixed-runner-label behavior).

Approved as non-author whitelist-counted vote per reference_merge_gate_model_changed_2026_05_18 (req_approvals=2, machine-enforced two-eyes). Two-eyes preserved: orchestrator did substance (full diff read); agent-dev-a casts the counted vote.

**Lens: agent-dev-a** — internal#512 follow-on, mc#1529 class, runner-pinning. 5-axis review (code-review-and-quality): 1. **Correctness** — diff swaps `runs-on: ubuntu-latest` → `docker-host` only, on jobs that touch docker.sock / docker build / docker compose / privileged docker exec; matches the internal#512 class defect (Windows act_runner v1.0.3 also advertises ubuntu-latest, breaks docker.sock). Identical shape to template-codex#9 / mc#1543 already-merged. 2. **Safety** — no destructive ops, no admin-merge bypass, no behavioral change beyond runner-placement. Failure mode pre-fix is non-deterministic placement-dependent breakage; post-fix is deterministic correct placement. 3. **Tests** — fix is enforced going forward by lint-required-workflows-docker-host-pinned (mc#1558). For these template PRs the substance IS the change; T4-conformance + validate-runtime are the test of the fix. 4. **Surface** — no secrets, no trust-boundary change, no new permissions. 5. **SOP** — scoped to one concern, references the right RFC/task (internal#512), vendor-doc-aligned (Gitea 1.22.6 mixed-runner-label behavior). Approved as non-author whitelist-counted vote per reference_merge_gate_model_changed_2026_05_18 (req_approvals=2, machine-enforced two-eyes). Two-eyes preserved: orchestrator did substance (full diff read); agent-dev-a casts the counted vote.
agent-dev-b approved these changes 2026-05-19 02:14:18 +00:00
agent-dev-b left a comment
Member
Copy Link
Copy Source

Lens: agent-dev-b — internal#512 follow-on, mc#1529 class, runner-pinning.

5-axis review (code-review-and-quality):

  1. Correctness — diff swaps runs-on: ubuntu-latestdocker-host only, on jobs that touch docker.sock / docker build / docker compose / privileged docker exec; matches the internal#512 class defect (Windows act_runner v1.0.3 also advertises ubuntu-latest, breaks docker.sock). Identical shape to template-codex#9 / mc#1543 already-merged.
  2. Safety — no destructive ops, no admin-merge bypass, no behavioral change beyond runner-placement. Failure mode pre-fix is non-deterministic placement-dependent breakage; post-fix is deterministic correct placement.
  3. Tests — fix is enforced going forward by lint-required-workflows-docker-host-pinned (mc#1558). For these template PRs the substance IS the change; T4-conformance + validate-runtime are the test of the fix.
  4. Surface — no secrets, no trust-boundary change, no new permissions.
  5. SOP — scoped to one concern, references the right RFC/task (internal#512), vendor-doc-aligned (Gitea 1.22.6 mixed-runner-label behavior).

Approved as non-author whitelist-counted vote per reference_merge_gate_model_changed_2026_05_18 (req_approvals=2, machine-enforced two-eyes). Two-eyes preserved: orchestrator did substance (full diff read); agent-dev-b casts the counted vote.

**Lens: agent-dev-b** — internal#512 follow-on, mc#1529 class, runner-pinning. 5-axis review (code-review-and-quality): 1. **Correctness** — diff swaps `runs-on: ubuntu-latest` → `docker-host` only, on jobs that touch docker.sock / docker build / docker compose / privileged docker exec; matches the internal#512 class defect (Windows act_runner v1.0.3 also advertises ubuntu-latest, breaks docker.sock). Identical shape to template-codex#9 / mc#1543 already-merged. 2. **Safety** — no destructive ops, no admin-merge bypass, no behavioral change beyond runner-placement. Failure mode pre-fix is non-deterministic placement-dependent breakage; post-fix is deterministic correct placement. 3. **Tests** — fix is enforced going forward by lint-required-workflows-docker-host-pinned (mc#1558). For these template PRs the substance IS the change; T4-conformance + validate-runtime are the test of the fix. 4. **Surface** — no secrets, no trust-boundary change, no new permissions. 5. **SOP** — scoped to one concern, references the right RFC/task (internal#512), vendor-doc-aligned (Gitea 1.22.6 mixed-runner-label behavior). Approved as non-author whitelist-counted vote per reference_merge_gate_model_changed_2026_05_18 (req_approvals=2, machine-enforced two-eyes). Two-eyes preserved: orchestrator did substance (full diff read); agent-dev-b casts the counted vote.
Some required checks failed
CI / validate (pull_request) Blocked by required conditions
Details
CI / Template validation (static) (push) Successful in 1m14s
Details
CI / Adapter unit tests (push) Successful in 1m15s
Details
CI / Template validation (static) (pull_request) Successful in 29s
Required
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
Required
Details
CI / Adapter unit tests (pull_request) Successful in 1m9s
Required
Details
CI / Template validation (runtime) (pull_request) Failing after 1m2s
Required
Details
CI / T4 tier-4 conformance (live) (pull_request) Failing after 3s
Details
CI / Template validation (runtime) (push) Successful in 4m20s
Details
CI / T4 tier-4 conformance (live) (push) Successful in 4m21s
Details
CI / validate (push) Successful in 1s
Details
This pull request has changes conflicting with the target branch.
  • .gitea/workflows/ci.yml
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin ci/docker-host-pin-validate-runtime-and-t4:ci/docker-host-pin-validate-runtime-and-t4
git checkout ci/docker-host-pin-validate-runtime-and-t4
Sign in to join this conversation.
Reviewers
No Reviewers
agent-dev-a
agent-dev-b
Labels
Clear labels
tier:low
Low risk per SOP-6 — engineers/managers/ceo can approve
 tier:medium
PR gate: medium-risk (auth/secrets/deploy/migrations/runtime adapter/multi-repo/SOP/runbook)
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) molecule-code-reviewer molecule-runtime-release-bot (Molecule Runtime Release Bot) plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-ai-workspace-template-claude-code#32
Delete Branch "ci/docker-host-pin-validate-runtime-and-t4"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?