molecule-ai/molecule-ci
35
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: molecule-ai:main
Branches Tags
molecule-ai:main
molecule-ai:feat/audit-force-merge-composite-action
molecule-ai:fix/git-clone-instead-of-actions-checkout
molecule-ai:fix/anon-cross-repo-checkout
molecule-ai:fix/lowercase-org-slug
molecule-ai:docs/readme-add-publish-template-image-section
molecule-ai:auto/p135-fork-pr-lockdown
molecule-ai:auto/p133-readme-v1-pin
molecule-ai:auto/p9-reusable-auto-promote
molecule-ai:feat/strict-template-drift-check
molecule-ai:feat/build-arg-runtime-version
molecule-ai:docs/disable-auto-merge-readme
molecule-ai:feat/disable-auto-merge-on-push
molecule-ai:feat/lint-reads-runtime-manifest
molecule-ai:feat/lint-bare-imports-and-deeper-boot-smoke
molecule-ai:feat/boot-image-smoke-test
molecule-ai:v1
..
compare: molecule-ai:fix/anon-cross-repo-checkout
Branches Tags
molecule-ai:main
molecule-ai:feat/audit-force-merge-composite-action
molecule-ai:fix/git-clone-instead-of-actions-checkout
molecule-ai:fix/anon-cross-repo-checkout
molecule-ai:fix/lowercase-org-slug
molecule-ai:docs/readme-add-publish-template-image-section
molecule-ai:auto/p135-fork-pr-lockdown
molecule-ai:auto/p133-readme-v1-pin
molecule-ai:auto/p9-reusable-auto-promote
molecule-ai:feat/strict-template-drift-check
molecule-ai:feat/build-arg-runtime-version
molecule-ai:docs/disable-auto-merge-readme
molecule-ai:feat/disable-auto-merge-on-push
molecule-ai:feat/lint-reads-runtime-manifest
molecule-ai:feat/lint-bare-imports-and-deeper-boot-smoke
molecule-ai:feat/boot-image-smoke-test
molecule-ai:v1

No commits in common. "main" and "fix/anon-cross-repo-checkout" have entirely different histories.
main ... fix/anon-c

6 changed files with 35 additions and 242 deletions
Show Stats Expand all files Collapse all files

55
.gitea/actions/audit-force-merge/action.yml
View File

@ -1,55 +0,0 @@
name: 'Audit force-merge'
description: >-
§SOP-6 force-merge audit. Detects PRs merged with required-status-checks
not green at HEAD SHA and emits incident.force_merge JSON to runner
stdout. Vector docker_logs source ships the line to Loki on
molecule-canonical-obs (per reference_obs_stack_phase1).
# Why a composite action and not a reusable workflow:
# Gitea 1.22.6 does NOT support cross-repo `uses: org/repo/.gitea/
# workflows/X.yml@ref`. Cross-repo reusable workflows landed in
# go-gitea/gitea PR #32562 in Gitea 1.26.0 (Oct 2025). On 1.22.x the
# clone fails because act_runner mints a caller-scoped GITEA_TOKEN.
# Composite actions resolve via the actions-fetch path which works
# cross-repo on 1.22 against a public callee — that's us. Re-evaluate
# this choice when the operator host upgrades to Gitea ≥ 1.26.
inputs:
gitea-token:
description: >-
PAT for sop-tier-bot (or equivalent read-only audit identity).
Needs read:user,read:repository,read:issue scopes — admin scope
is intentionally NOT required.
required: true
gitea-host:
description: 'Gitea host'
required: false
default: 'git.moleculesai.app'
repo:
description: 'owner/name; typically ${{ github.repository }}'
required: true
pr-number:
description: 'PR number; typically ${{ github.event.pull_request.number }}'
required: true
required-checks:
description: >-
Newline-separated required-status-check context names. Mirror
of branch protection's status_check_contexts. Declared at the
caller because /branch_protections requires admin scope which
this audit identity intentionally does not hold (least-privilege).
When the required-check set changes, update both branch
protection AND this input.
required: true
runs:
using: composite
steps:
- name: Detect force-merge + emit audit event
shell: bash
env:
GITEA_TOKEN: ${{ inputs.gitea-token }}
GITEA_HOST: ${{ inputs.gitea-host }}
REPO: ${{ inputs.repo }}
PR_NUMBER: ${{ inputs.pr-number }}
REQUIRED_CHECKS: ${{ inputs.required-checks }}
run: bash "$GITHUB_ACTION_PATH/audit.sh"

118
.gitea/actions/audit-force-merge/audit.sh
View File

@ -1,118 +0,0 @@
#!/usr/bin/env bash
# audit-force-merge — detect a §SOP-6 force-merge on a closed PR, emit
# `incident.force_merge` to stdout as structured JSON.
#
# Invoked by the `audit-force-merge` composite action defined alongside
# this script (action.yml). Caller workflows fire on
# `pull_request_target: closed` and gate on `merged == true`. See
# action.yml for the supported inputs.
#
# Vector's docker_logs source picks up runner stdout; the JSON gets
# shipped to Loki on molecule-canonical-obs, indexable by event_type.
# Query example:
#
# {host="operator"} |= "event_type" |= "incident.force_merge" | json
#
# A force-merge is detected when a merged PR had at least one of the
# caller-declared required-status-check contexts in a state other than
# "success" at the PR HEAD. That's exactly what the Gitea
# force_merge:true API call lets through, so it's a faithful detector
# of the override path.
#
# Required env (set by the composite action via inputs):
# GITEA_TOKEN, GITEA_HOST, REPO, PR_NUMBER, REQUIRED_CHECKS
#
# REQUIRED_CHECKS is newline-separated context names. Declared by the
# caller (mirror of branch protection's status_check_contexts) rather
# than fetched from /branch_protections, which requires admin scope —
# the audit identity is intentionally read-only (least-privilege; see
# memory/feedback_least_privilege_via_workflow_env).
set -euo pipefail
: "${GITEA_TOKEN:?required}"
: "${GITEA_HOST:?required}"
: "${REPO:?required}"
: "${PR_NUMBER:?required}"
: "${REQUIRED_CHECKS:?required (newline-separated context names)}"
OWNER="${REPO%%/*}"
NAME="${REPO##*/}"
API="https://${GITEA_HOST}/api/v1"
AUTH="Authorization: token ${GITEA_TOKEN}"
# 1. Fetch the PR. If not merged, no-op.
PR=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}")
MERGED=$(echo "$PR" | jq -r '.merged // false')
if [ "$MERGED" != "true" ]; then
echo "::notice::PR #${PR_NUMBER} closed without merge — no audit emission."
exit 0
fi
MERGE_SHA=$(echo "$PR" | jq -r '.merge_commit_sha // empty')
MERGED_BY=$(echo "$PR" | jq -r '.merged_by.login // "unknown"')
TITLE=$(echo "$PR" | jq -r '.title // ""')
BASE_BRANCH=$(echo "$PR" | jq -r '.base.ref // "main"')
HEAD_SHA=$(echo "$PR" | jq -r '.head.sha // empty')
if [ -z "$MERGE_SHA" ]; then
echo "::warning::PR #${PR_NUMBER} merged=true but no merge_commit_sha — cannot evaluate force-merge."
exit 0
fi
# 2. Required status checks declared in the workflow env.
REQUIRED="$REQUIRED_CHECKS"
if [ -z "${REQUIRED//[[:space:]]/}" ]; then
echo "::notice::REQUIRED_CHECKS empty — force-merge not applicable."
exit 0
fi
# 3. Status-check state at the PR HEAD (where checks ran). The merge
# commit doesn't get its own checks; we evaluate the PR's last
# commit, which is what branch protection compared against.
STATUS=$(curl -sS -H "$AUTH" \
"${API}/repos/${OWNER}/${NAME}/commits/${HEAD_SHA}/status")
declare -A CHECK_STATE
while IFS=$'\t' read -r ctx state; do
[ -n "$ctx" ] && CHECK_STATE[$ctx]="$state"
done < <(echo "$STATUS" | jq -r '.statuses // [] | .[] | "\(.context)\t\(.status)"')
# 4. For each required check, was it green at merge? YAML block scalars
# (`|`) leave a trailing newline; skip blank/whitespace-only lines.
FAILED_CHECKS=()
while IFS= read -r req; do
trimmed="${req#"${req%%[![:space:]]*}"}" # ltrim
trimmed="${trimmed%"${trimmed##*[![:space:]]}"}" # rtrim
[ -z "$trimmed" ] && continue
state="${CHECK_STATE[$trimmed]:-missing}"
if [ "$state" != "success" ]; then
FAILED_CHECKS+=("${trimmed}=${state}")
fi
done <<< "$REQUIRED"
if [ "${#FAILED_CHECKS[@]}" -eq 0 ]; then
echo "::notice::PR #${PR_NUMBER} merged with all required checks green — not a force-merge."
exit 0
fi
# 5. Emit structured audit event.
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
FAILED_JSON=$(printf '%s\n' "${FAILED_CHECKS[@]}" | jq -R . | jq -s .)
# Print as a single-line JSON so Vector's parse_json transform can pick
# it up cleanly from docker_logs.
jq -nc \
--arg event_type "incident.force_merge" \
--arg ts "$NOW" \
--arg repo "$REPO" \
--argjson pr "$PR_NUMBER" \
--arg title "$TITLE" \
--arg base "$BASE_BRANCH" \
--arg merged_by "$MERGED_BY" \
--arg merge_sha "$MERGE_SHA" \
--argjson failed_checks "$FAILED_JSON" \
'{event_type: $event_type, ts: $ts, repo: $repo, pr: $pr, title: $title,
base_branch: $base, merged_by: $merged_by, merge_sha: $merge_sha,
failed_checks: $failed_checks}'
echo "::warning::FORCE-MERGE detected on PR #${PR_NUMBER} by ${MERGED_BY}: ${#FAILED_CHECKS[@]} required check(s) not green at merge time."

10
.github/workflows/validate-org-template.yml vendored
View File

@ -15,10 +15,12 @@ jobs:
# 5 org-template repos as the validator evolved. Single source of
# truth eliminates that drift class entirely. Mirrors the same
# pattern already used by validate-workspace-template.yml.
# Direct git-clone — see validate-plugin.yml for the rationale.
# Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
- name: Fetch molecule-ci canonical scripts
run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
- uses: actions/checkout@v4
with:
repository: molecule-ai/molecule-ci
path: .molecule-ci-canonical
# Force anonymous; see validate-plugin.yml note. molecule-ci is public.
token: ''
- uses: actions/setup-python@v5
with:
python-version: "3.11"

25
.github/workflows/validate-plugin.yml vendored
View File

@ -15,19 +15,18 @@ jobs:
# 20+ plugin repos as the validator evolved. Single source of
# truth eliminates that drift class entirely. Mirrors the same
# pattern already used by validate-workspace-template.yml.
# Direct git-clone instead of actions/checkout@v4 because:
# (a) actions/checkout@v4 sends Authorization: basic <github.token> by default,
# and Gitea 404s the cross-repo authenticated request (different from
# GitHub which falls back to anon-public-read).
# (b) Passing token: '' triggers actions/checkout's runtime "Input required
# and not supplied: token" error — the input is documented as
# required:false but the action's runtime calls getInput with
# required:true on its auth-helper path.
# Anonymous git clone of public molecule-ci has neither problem.
# See molecule-ci#1 (lowercase fix) + #2 (token:'' attempt) +
# the post-merge CI run on plugin-molecule-careful-bash@663bf72.
- name: Fetch molecule-ci canonical scripts
run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
- uses: actions/checkout@v4
with:
repository: molecule-ai/molecule-ci
path: .molecule-ci-canonical
# Force anonymous fetch. molecule-ci is a public repo. On Gitea,
# actions/checkout@v4 sends the per-job ${{ github.token }} which
# is scoped to the calling repo only — Gitea 404s the cross-repo
# request instead of falling back to anon-public-read (different
# from GitHub's behaviour). Empty token bypasses auth entirely.
# See molecule-ci#1 commit + the post-public-flip CI run on
# plugin-molecule-careful-bash@663bf72 for the exact failure shape.
token: ''
- uses: actions/setup-python@v5
with:
python-version: "3.11"

20
.github/workflows/validate-workspace-template.yml vendored
View File

@ -54,10 +54,12 @@ jobs:
# template repos as the validator evolved. Single source of truth
# eliminates that drift class entirely — every template runs the
# same canonical contract check on every CI run.
# Direct git-clone — see validate-plugin.yml for the rationale.
# Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
- name: Fetch molecule-ci canonical scripts
run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
- uses: actions/checkout@v4
with:
repository: molecule-ai/molecule-ci
path: .molecule-ci-canonical
# Force anonymous; see validate-plugin.yml note. molecule-ci is public.
token: ''
- uses: actions/setup-python@v5
with:
python-version: "3.11"
@ -133,10 +135,12 @@ jobs:
if: github.event.pull_request.head.repo.fork != true
steps:
- uses: actions/checkout@v4
# Direct git-clone — see validate-plugin.yml for the rationale.
# Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
- name: Fetch molecule-ci canonical scripts
run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
- uses: actions/checkout@v4
with:
repository: molecule-ai/molecule-ci
path: .molecule-ci-canonical
# Force anonymous; see validate-plugin.yml note. molecule-ci is public.
token: ''
- uses: actions/setup-python@v5
with:
python-version: "3.11"

49
.molecule-ci/scripts/validate-org-template.py
View File

@ -2,47 +2,19 @@
"""Validate a Molecule AI org template repo."""
import os, sys, yaml
# Support custom YAML tags used by org templates. Two shapes:
#
# - `!include teams/pm.yaml` → scalar string referencing another YAML
# file in the same repo. Platform inlines at load time.
#
# - `!external\n repo: ...\n ref: ...\n path: ...` → mapping
# referencing a workspace tree to fetch from another repo. Platform
# fetches into a content-addressable cache at load time
# (internal#77 / molecule-core#105).
#
# Both shapes resolve at platform load time, not at validation time.
# The validator treats them as opaque references — it does NOT chase
# them down. We mark each parsed value with a sentinel subtype so the
# `validate_workspace` walk knows to skip them rather than tripping
# the "missing 'name'" branch.
class IncludeRef(str):
"""`!include path/to.yaml` — opaque reference, skipped by validator."""
class ExternalRef(dict):
"""`!external` mapping — opaque reference, skipped by validator."""
# Support !include and other custom YAML tags used by org templates.
# These resolve at platform load time, not at validation time — we just
# need to parse past them without crashing.
class PermissiveLoader(yaml.SafeLoader):
pass
def _include_constructor(loader, node):
return IncludeRef(loader.construct_scalar(node))
def _external_constructor(loader, node):
return ExternalRef(loader.construct_mapping(node))
def _generic_constructor(loader, tag_suffix, node):
# Fallback for unknown tags. Preserve the parsed shape so legacy
# docs that lean on tags we have not modeled yet still parse.
if isinstance(node, yaml.MappingNode):
return loader.construct_mapping(node)
if isinstance(node, yaml.SequenceNode):
return loader.construct_sequence(node)
return loader.construct_scalar(node)
PermissiveLoader.add_constructor("!include", _include_constructor)
PermissiveLoader.add_constructor("!external", _external_constructor)
PermissiveLoader.add_multi_constructor("!", _generic_constructor)
errors = []
@ -61,13 +33,7 @@ if not org.get("workspaces") and not org.get("defaults"):
errors.append("org.yaml must have at least 'workspaces' or 'defaults'")
def validate_workspace(ws, path=""):
# `!include path/to.yaml` parses as IncludeRef (str subclass).
# `!external {repo, ref, path}` parses as ExternalRef (dict subclass).
# Both are opaque references — skip without chasing.
if isinstance(ws, (IncludeRef, ExternalRef)):
return []
# Legacy unknown-tag scalars (handled by _generic_constructor) stay
# as plain strings; they are not workspace dicts either.
# !include tags resolve to strings at parse time; skip non-dicts
if not isinstance(ws, dict):
return []
ws_errors = []
@ -93,11 +59,6 @@ if errors:
def count_ws(nodes):
c = 0
for n in nodes:
# Skip opaque references — we do not know how many workspaces
# they expand to without resolving them, and resolution is the
# platform's job, not the validator's.
if isinstance(n, (IncludeRef, ExternalRef)):
continue
if not isinstance(n, dict):
continue
c += 1
@ -105,4 +66,4 @@ def count_ws(nodes):
return c
total = count_ws(org.get("workspaces", []))
print(f"✓ org.yaml valid: {org['name']} ({total} direct workspaces; external refs not counted)")
print(f"✓ org.yaml valid: {org['name']} ({total} workspaces)")