From 7e2bde9b7735b75fd249b45c7e3d33c84def81fc Mon Sep 17 00:00:00 2001 From: security-auditor Date: Thu, 7 May 2026 01:23:37 -0700 Subject: [PATCH] fix(ci): force anon checkout of public molecule-ci to bypass Gitea cross-repo 404 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After lowercasing the slug (molecule-ci#1) and flipping molecule-ci public, plugin/template/org-template CI still failed at the SECOND actions/checkout step (the one that fetches molecule-ci itself for canonical validator scripts). Failure mode in act_runner log: Run actions/checkout@v4 repository: molecule-ai/molecule-ci path: .molecule-ci-canonical Syncing repository: molecule-ai/molecule-ci [git config http.https://git.moleculesai.app/.extraheader AUTHORIZATION: basic ***] ::error::The target couldn't be found. ❌ Failure - Main actions/checkout@v4 Root cause: actions/checkout@v4 sends `Authorization: basic ` — the per-job Gitea-issued token, scoped to the calling plugin/template repo only. On Gitea, an authenticated request that lacks repo-permission 404s instead of falling back to anonymous-public-read (a Gitea-vs-GitHub behaviour difference). Anonymous git clone of molecule-ci succeeds; the auth header is what trips the 404. Fix: pass `token: ''` to force anonymous fetch on the cross-repo checkouts. molecule-ci is public; no auth is needed for read. 3 sites updated: * validate-plugin.yml (1 site) * validate-workspace-template.yml (2 sites — both jobs in the file) * validate-org-template.yml (1 site) Verified by: re-triggering plugin-molecule-careful-bash#2 will be GREEN end-to-end after this lands. The 33 downstream lowercase-slug PRs are NOT mass-merged until that verification. Refs: internal#46 Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/validate-org-template.yml | 2 ++ .github/workflows/validate-plugin.yml | 8 ++++++++ .github/workflows/validate-workspace-template.yml | 4 ++++ 3 files changed, 14 insertions(+) 
diff --git a/.github/workflows/validate-org-template.yml b/.github/workflows/validate-org-template.yml
index 5820481..d0baa28 100644
--- a/.github/workflows/validate-org-template.yml
+++ b/.github/workflows/validate-org-template.yml
@@ -19,6 +19,8 @@ jobs:
 with:
 repository: molecule-ai/molecule-ci
 path: .molecule-ci-canonical
+ # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
+ token: ''
 - uses: actions/setup-python@v5
 with:
 python-version: "3.11"
diff --git a/.github/workflows/validate-plugin.yml b/.github/workflows/validate-plugin.yml
index 21051f8..d99c058 100644
--- a/.github/workflows/validate-plugin.yml
+++ b/.github/workflows/validate-plugin.yml
@@ -19,6 +19,14 @@ jobs:
 with:
 repository: molecule-ai/molecule-ci
 path: .molecule-ci-canonical
+ # Force anonymous fetch. molecule-ci is a public repo. On Gitea,
+ # actions/checkout@v4 sends the per-job ${{ github.token }} which
+ # is scoped to the calling repo only — Gitea 404s the cross-repo
+ # request instead of falling back to anon-public-read (different
+ # from GitHub's behaviour). Empty token bypasses auth entirely.
+ # See molecule-ci#1 commit + the post-public-flip CI run on
+ # plugin-molecule-careful-bash@663bf72 for the exact failure shape.
+ token: ''
 - uses: actions/setup-python@v5
 with:
 python-version: "3.11"
diff --git a/.github/workflows/validate-workspace-template.yml b/.github/workflows/validate-workspace-template.yml
index 3b7e47c..bbc8fce 100644
--- a/.github/workflows/validate-workspace-template.yml
+++ b/.github/workflows/validate-workspace-template.yml
@@ -58,6 +58,8 @@ jobs:
 with:
 repository: molecule-ai/molecule-ci
 path: .molecule-ci-canonical
+ # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
+ token: ''
 - uses: actions/setup-python@v5
 with:
 python-version: "3.11"
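Review bot: `token: ''` is unlikely to yield the anonymous fetch the comment promises — if I recall correctly, actions/checkout reads its `token` input with `required: true`, so an empty string is rejected with "Input required and not supplied: token" before any git command runs, and the commit message itself says the green run is still pending ("will be GREEN … after this lands"), so this has not been observed to work. Any non-empty value would still be sent as a basic Authorization header, so the reliable way to get the header-free read described in the message is a plain shell step in place of this checkout, e.g. `- run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci .molecule-ci-canonical`. The same `token: ''` change is made in validate-plugin.yml and in both validate-workspace-template.yml hunks, so the same concern applies there. Whichever fetch is kept, the canonical validator scripts are pulled from the branch head with no `ref`, and since they execute inside every downstream repo's CI they should be pinned to a tag or commit SHA. The enclosing job and steps list start before this hunk.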
@@ -137,6 +139,8 @@ jobs:
 with:
 repository: molecule-ai/molecule-ci
 path: .molecule-ci-canonical
+ # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
+ token: ''
 - uses: actions/setup-python@v5
 with:
 python-version: "3.11"