Background: post-2026-05-06 SCM is Gitea, not GitHub. Gitea 1.22.6 has
no repository_dispatch / workflow_dispatch trigger API (empirically
verified across 6 candidate paths in molecule-core#20 issuecomment-913).
The molecule-core/publish-runtime.yml cascade therefore cannot fire
templates via curl-dispatch — pivots to push-mode instead.
This PR is the consumer side of that pivot:
- .runtime-version file at repo root — single line, plain version
string. Currently 0.1.129 (latest published as of 2026-05-07).
publish-runtime overwrites this on each cascade.
- publish-image.yml gains a resolve-version job that reads the file
and forwards the value to the reusable build workflow as the
third-priority source in the resolution chain.
Sequencing context: this PR (and 8 sibling PRs to the other template
repos) MUST land before molecule-core#20 v2 is merged.
Refs molecule-core#14, molecule-core#20.
openclaw npm pins engines.node >= 22.14.0, but the workspace AMI
ships Node 18.19.1. adapter.py:setup() runs `npm install -g
openclaw` against system Node and fails with EBADENGINE, raising
RuntimeError before the runtime binds port 8000 — workspace boots
to status=failed within ~2 min.
The CP cloud-init script invokes /opt/adapter/install.sh as the
runtime user before starting molecule-runtime, exactly for this
class of "host system deps a Python adapter can't fix from inside
its own venv" cases. hermes ships one for the gateway daemon;
openclaw has needed one ever since Node 22 became mandatory.
Idempotent — early-exits if Node >= 22 is already present, so the
hook becomes a no-op once the AMI gets bumped to ship Node 22
directly (which is the durable fix; this PR is the bridge).
The boot-smoke gate (molecule-core#2275) invokes adapters with stub
creds and no network so it can exercise executor.execute() lazy
imports. OpenClaw's setup() spawns a real `openclaw gateway --dev`
subprocess that needs valid creds + network — under smoke env it
exits immediately, raising RuntimeError("OpenClaw gateway process
exited") and failing the publish-image workflow.
Add a 1-line opt-out at the top of setup() so the runtime can reach
its smoke short-circuit. Real production boots are unaffected.
Closes the openclaw failure surfaced when running publish-image
across all 8 workspace templates with the new boot-smoke step.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Lazy import inside async def execute() used the v0 a2a-sdk symbol +
import path. Module-load doesn't evaluate it so the boot-smoke gate
in molecule-ci's publish-template-image workflow didn't catch it,
but the image ships broken — first A2A message hits ImportError:
from a2a.utils import new_agent_text_message
ImportError: cannot import name 'new_agent_text_message' from 'a2a.utils'
Verified against the running image (a2a-sdk==1.0.2):
a2a.utils.new_agent_text_message: False
a2a.helpers.new_agent_text_message: False
a2a.utils.new_text_message: False
a2a.helpers.new_text_message: True
Surfaced via cross-template audit while verifying v0.1.36 cascade
health. crewai/openclaw/autogen all share the same lazy-import bug.
Fix: rename symbol + switch import path.
Refs: molecule-core memory `reference_a2a_sdk_v0_to_v1_migration`,
task #131 (smoke gate doesn't catch lazy imports).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previous commit's regex substitution dropped `COPY requirements.txt .`
and the initial `RUN pip install --no-cache-dir -r requirements.txt`
because of a bash-heredoc escape interaction (the \1 backref was
consumed before the python regex saw it, leaving a SOH char). This
restores both lines with the conditional version-pin upgrade after.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the cache trap structurally for this template — same fix
already shipped in claude-code + hermes. publish-image.yml caller
forwards client_payload.runtime_version (set by cascade) to the
molecule-ci reusable workflow as runtime_version input. Reusable
workflow forwards it to docker build as a --build-arg. Dockerfile
declares ARG RUNTIME_VERSION before the pip install layer so cache
key is sensitive to the version. The pip install RUN does an extra
targeted upgrade to guarantee the exact version when ARG is set.
Pairs with molecule-ci PR #12 + molecule-core PR #2181.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`molecule_runtime.adapters.get_adapter()` reads
`getattr(mod, "Adapter")` after importing ADAPTER_MODULE.
Without the alias the workspace startup fails preflight with
"no \`Adapter\` class is exported".
Same fix already shipped in claude-code, hermes, gemini-cli,
langgraph, deepagents today. Surfaced by today's wire-real E2E
sweep against fresh template images. The new bare-imports lint
in molecule-ci PR #8 catches related issues automatically.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds 'repository_dispatch' trigger (event-type: runtime-published) so
molecule-core's publish-runtime.yml cascade job can fire this template's
image rebuild after a new molecule-ai-workspace-runtime PyPI release.
Without this, every runtime release waited for the next push: main /
manual workflow_dispatch to propagate to the published image. With it,
runtime fixes flow monorepo → PyPI → all 8 template images
automatically.
Part of the runtime CD chain. See molecule-core docs/workspace-runtime-package.md.
Co-authored-by: Hongming Wang <hongmingwangalt@gmail.com>
Pin LF on shell, Python, YAML, and Dockerfile so Windows Docker Desktop
checkouts don't introduce CRLF that breaks #!/bin/sh shebangs in the
container — that exact failure mode took down 14 workspaces during
#1933 fix v1 (exec /entrypoint.sh: no such file or directory cascade).
Same pattern as the .gitattributes already in
molecule-ai-workspace-template-claude-code, applied to the other 7
template repos.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a one-line caller for the publish-template-image.yml reusable
workflow in molecule-ci. On every push to main, this repo's
Dockerfile is now built and pushed to
ghcr.io/molecule-ai/workspace-template-openclaw:latest (plus a per-commit
sha tag). Closes the gap where template changes required a manual
tenant-side rebuild.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds standard credential gitignore (.env / *.pem / .secrets/ / .auth_token).
Per-CEO directive 2026-04-16: every plugin and template repo should
gitignore credentials so self-hosters can't accidentally commit real
tokens to public repos.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
