fix(ci): force anon checkout of public molecule-ci to bypass Gitea cross-repo 404

After lowercasing the slug (molecule-ci#1) and flipping molecule-ci public,
plugin/template/org-template CI still failed at the SECOND actions/checkout
step (the one that fetches molecule-ci itself for canonical validator scripts).

Failure mode in act_runner log:
  Run actions/checkout@v4
    repository: molecule-ai/molecule-ci
    path: .molecule-ci-canonical
  Syncing repository: molecule-ai/molecule-ci
  [git config http.https://git.moleculesai.app/.extraheader AUTHORIZATION: basic ***]
  ::error::The target couldn't be found.
   Failure - Main actions/checkout@v4

Root cause: actions/checkout@v4 sends `Authorization: basic <github.token>` —
the per-job Gitea-issued token, scoped to the calling plugin/template repo
only. On Gitea, an authenticated request that lacks repo-permission 404s
instead of falling back to anonymous-public-read (a Gitea-vs-GitHub
behaviour difference). Anonymous git clone of molecule-ci succeeds; the auth
header is what trips the 404.

Fix: pass `token: ''` to force anonymous fetch on the cross-repo checkouts.
molecule-ci is public; no auth is needed for read.

3 sites updated:
  * validate-plugin.yml (1 site)
  * validate-workspace-template.yml (2 sites — both jobs in the file)
  * validate-org-template.yml (1 site)

Verified by: re-triggering plugin-molecule-careful-bash#2 will be GREEN
end-to-end after this lands. The 33 downstream lowercase-slug PRs are NOT
mass-merged until that verification.

Refs: internal#46

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
security-auditor 2026-05-07 01:23:37 -07:00
parent 226975d377
commit 7e2bde9b77
3 changed files with 14 additions and 0 deletions

View File

@ -19,6 +19,8 @@ jobs:
with:
repository: molecule-ai/molecule-ci
path: .molecule-ci-canonical
# Force anonymous; see validate-plugin.yml note. molecule-ci is public.
token: ''
- uses: actions/setup-python@v5
with:
python-version: "3.11"
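Review bot: the commit message states this fix is still unverified (plugin-molecule-careful-bash#2 "will be GREEN after this lands"), so before the 33 downstream PRs are merged, confirm on a real act_runner run that an explicitly empty `token: ''` is accepted by actions/checkout@v4 as "no auth" rather than rejected as a missing required input (an empty token value is a common source of the "Input required and not supplied: token" failure with this action). The run log should show no `http.<host>.extraheader AUTHORIZATION` line for this step, which is the observable sign that the anonymous path was taken.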

View File

@ -19,6 +19,14 @@ jobs:
with:
repository: molecule-ai/molecule-ci
path: .molecule-ci-canonical
# Force anonymous fetch. molecule-ci is a public repo. On Gitea,
# actions/checkout@v4 sends the per-job ${{ github.token }} which
# is scoped to the calling repo only — Gitea 404s the cross-repo
# request instead of falling back to anon-public-read (different
# from GitHub's behaviour). Empty token bypasses auth entirely.
# See molecule-ci#1 commit + the post-public-flip CI run on
# plugin-molecule-careful-bash@663bf72 for the exact failure shape.
token: ''
- uses: actions/setup-python@v5
with:
python-version: "3.11"
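Review bot: the `with:` block pins neither a `ref` nor a commit for molecule-ci, so the "canonical validator scripts" this job executes are whatever is currently on molecule-ci's default branch, fetched anonymously and unauthenticated. Since those scripts gate every plugin/template PR, consider adding `ref: <tag or commit SHA>` here (and in the other three sites) so that a push to molecule-ci cannot silently change what validates downstream repos; going anonymous removes the auth header but does nothing about integrity of what is fetched. Minor: the comment's `${{ github.token }}` is inside a YAML comment and is never evaluated, which is fine, but quoting it without the braces avoids confusing readers grepping for live expressions.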

View File

@ -58,6 +58,8 @@ jobs:
with:
repository: molecule-ai/molecule-ci
path: .molecule-ci-canonical
# Force anonymous; see validate-plugin.yml note. molecule-ci is public.
token: ''
- uses: actions/setup-python@v5
with:
python-version: "3.11"
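Review bot: the comment here points at "validate-plugin.yml note" for the rationale, so the reason for `token: ''` lives in a different file that can be edited independently; a one-line summary of the Gitea-specific 404 (authenticated request without repo permission is not downgraded to anonymous public read) next to the setting itself would keep this file self-explanatory if the other note moves or is rewritten.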
@ -137,6 +139,8 @@ jobs:
with:
repository: molecule-ai/molecule-ci
path: .molecule-ci-canonical
# Force anonymous; see validate-plugin.yml note. molecule-ci is public.
token: ''
- uses: actions/setup-python@v5
with:
python-version: "3.11"
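Review bot: this hunk is byte-identical to the one at `-58,6 +58,8` in the same file, so both jobs now carry a duplicated cross-repo checkout block (repository, path, comment, token) that must be kept in sync by hand; if the workflow syntax supported here allows it, factor the molecule-ci checkout into a single reusable step or composite action so the next change to this fetch (for example adding a pinned `ref`) is made once rather than four times.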