Background: post-2026-05-06 SCM is Gitea, not GitHub. Gitea 1.22.6 has
no repository_dispatch / workflow_dispatch trigger API (empirically
verified across 6 candidate paths in molecule-core#20 issuecomment-913).
The molecule-core/publish-runtime.yml cascade therefore cannot fire
templates via curl-dispatch — pivots to push-mode instead.
This PR is the consumer side of that pivot:
- .runtime-version file at repo root — single line, plain version
string. Currently 0.1.129 (latest published as of 2026-05-07).
publish-runtime overwrites this on each cascade.
- publish-image.yml gains a resolve-version job that reads the file
and forwards the value to the reusable build workflow as the
third-priority source in the resolution chain.
Sequencing context: this PR (and 8 sibling PRs to the other template
repos) MUST land before molecule-core#20 v2 is merged.
Refs molecule-core#14, molecule-core#20.
Per saved memory feedback_act_runner_needs_config_file_env: runners 1-8
were spawned without -e CONFIG_FILE=/config.yaml; act_runner fell back
to /data/config.yaml and ignored runner.envs the whole time. Orchestrator
recreated 1-8 with full proper env. All 16 now uniform with
AGENT_TOOLSDIRECTORY + RUNNER_TOOL_CACHE + GITHUB_SERVER_URL + GH_HOST.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per saved memory feedback_runner_config_partial_deploy: orchestrator
identified that runners 1-8 last restarted before AGENT_TOOLSDIRECTORY
+ RUNNER_TOOL_CACHE were added; cycle 7 retrigger landed ~50% on stale
runners. Orchestrator restarted 1-8 at ~09:37; this empty commit
re-triggers CI on the now-consistent runner pool.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The 3-line wrapper at .github/workflows/secret-scan.yml referenced
`uses: molecule-ai/molecule-core/.github/workflows/secret-scan.yml@staging`.
molecule-core is private; act_runner clones cross-repo reusable
workflows anonymously, so the resolve fails at 0s with no logs.
Same root cause + same fix that molecule-controlplane already shipped
(see its secret-scan.yml comment block lines 10-22). Inlining keeps
the gate functional until Gitea is upgraded or the canonical scanner
moves to a public repo. When either lands, this file reverts to the
3-line wrapper.
Refs: internal#46 Phase 3 Class 2.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Empty commit to re-run CI against the act_runner config that landed
in /opt/molecule/runners/config.yaml (cycle ~58 internal#46 Phase 3).
No source change. CI now runs setup-python with /tmp/hostedtoolcache,
which works (verified in cycle 6 task 1022 log, careful-bash#2).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Gitea is case-sensitive on owner slugs; canonical is lowercase
`molecule-ai/...`. Mixed-case `Molecule-AI/...` refs fail-at-0s
when the runner tries to resolve the cross-repo workflow / checkout.
Same fix as molecule-controlplane#12. Mechanical case-correction;
no behavior change beyond making CI resolve again.
Refs: internal#46
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The python:3.11-slim base ships old transitives Trivy correctly flags
as fixable HIGH:
- jaraco.context 5.3.0 → 6.1.0 (CVE-2026-23949 path traversal)
- wheel 0.45.1 → 0.46.2 (CVE-2026-24049 wheel install RCE)
- (one more truncated in the gate's log table)
Bumping pip+setuptools+wheel before requirements install upgrades these
metadata packages so the gate passes. molecule-ci#38 Phase-1.
Why this matters now: today's a2a-sdk strict-mode fix (commit e1628c4
in molecule-core) shipped to PyPI 0.1.94 (11:13). Without an image
rebuild the langgraph workspace template stays on the broken runtime
and the synthetic E2E (#2566, priority-high, failing 36+h) keeps red.
The cascade fix (molecule-core#2575) restored the dispatch path; this
unblocks the actual rebuild.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previous commit's regex substitution dropped `COPY requirements.txt .`
and the initial `RUN pip install --no-cache-dir -r requirements.txt`
because of a bash-heredoc escape interaction (the \1 backref was
consumed before the python regex saw it, leaving a SOH char). This
restores both lines with the conditional version-pin upgrade after.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the cache trap structurally for this template — same fix
already shipped in claude-code + hermes. publish-image.yml caller
forwards client_payload.runtime_version (set by cascade) to the
molecule-ci reusable workflow as runtime_version input. Reusable
workflow forwards it to docker build as a --build-arg. Dockerfile
declares ARG RUNTIME_VERSION before the pip install layer so cache
key is sensitive to the version. The pip install RUN does an extra
targeted upgrade to guarantee the exact version when ARG is set.
Pairs with molecule-ci PR #12 + molecule-core PR #2181.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two compounding bugs from the post-#87 extraction caught by today's
template sweep (matches the same fixes already shipped in claude-code
and gemini-cli):
1. adapter.py never aliased LangGraphAdapter to the contract name
`Adapter`, which `molecule_runtime.adapters.get_adapter()` reads
via `getattr(mod, "Adapter")`. Without it, every workspace
startup fails preflight with "no \`Adapter\` class is exported".
2. Two bare imports of runtime modules
(`from agent`, `from a2a_executor`) never got qualified to
`from molecule_runtime.X import Y`. They worked when runtime was
bundled into workspace/ but explode in the standalone template
repo with ModuleNotFoundError.
Same migration debt class fixed for hermes (a2a-sdk migration),
claude-code (5 imports), gemini-cli (4 imports + alias) earlier today.
Both gates now in molecule-ci PR #8 will catch this class of bug
at PR time going forward.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds 'repository_dispatch' trigger (event-type: runtime-published) so
molecule-core's publish-runtime.yml cascade job can fire this template's
image rebuild after a new molecule-ai-workspace-runtime PyPI release.
Without this, every runtime release waited for the next push: main /
manual workflow_dispatch to propagate to the published image. With it,
runtime fixes flow monorepo → PyPI → all 8 template images
automatically.
Part of the runtime CD chain. See molecule-core docs/workspace-runtime-package.md.
Co-authored-by: Hongming Wang <hongmingwangalt@gmail.com>
Pin LF on shell, Python, YAML, and Dockerfile so Windows Docker Desktop
checkouts don't introduce CRLF that breaks #!/bin/sh shebangs in the
container — that exact failure mode took down 14 workspaces during
#1933 fix v1 (exec /entrypoint.sh: no such file or directory cascade).
Same pattern as the .gitattributes already in
molecule-ai-workspace-template-claude-code, applied to the other 7
template repos.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a one-line caller for the publish-template-image.yml reusable
workflow in molecule-ci. On every push to main, this repo's
Dockerfile is now built and pushed to
ghcr.io/molecule-ai/workspace-template-langgraph:latest (plus a per-commit
sha tag). Closes the gap where template changes required a manual
tenant-side rebuild.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds standard credential gitignore (.env / *.pem / .secrets/ / .auth_token).
Per-CEO directive 2026-04-16: every plugin and template repo should
gitignore credentials so self-hosters can't accidentally commit real
tokens to public repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
