fix(ci): force anon checkout of public molecule-ci to bypass Gitea cross-repo 404 #2

Ghost · 2026-05-07T08:24:11Z

Ghost commented

2026-05-07 08:24:11 +00:00

First-time contributor

Follow-up to #1 + the molecule-ci public-flip.

After lowercasing the org slug (#1) and flipping molecule-ci public, plugin/template/org-template CI still failed at the SECOND actions/checkout@v4 step (the one that fetches molecule-ci itself for canonical validator scripts).

The exact failure shape

From act_runner log on plugin-molecule-careful-bash@663bf72:

Run actions/checkout@v4
  repository: molecule-ai/molecule-ci
  path: .molecule-ci-canonical
Syncing repository: molecule-ai/molecule-ci
[git config http.https://git.moleculesai.app/.extraheader AUTHORIZATION: basic ***]
::error::The target couldn't be found.
❌ Failure - Main actions/checkout@v4

actions/checkout@v4 sends Authorization: basic <github.token> — the per-job Gitea-issued token, scoped to the calling plugin/template repo only. On Gitea, an authenticated request that lacks repo-permission 404s instead of falling back to anonymous-public-read (a Gitea-vs-GitHub behaviour difference).

Verified: anonymous git clone https://git.moleculesai.app/molecule-ai/molecule-ci.git succeeds. The auth header is what trips the 404.

The fix

Pass token: '' to force anonymous fetch on the cross-repo checkouts. molecule-ci is public; no auth is needed for read.

3 sites updated:

validate-plugin.yml (1 site)
validate-workspace-template.yml (2 sites — both jobs in the file)
validate-org-template.yml (1 site)

Each gets a comment block pointing here so the next reader doesn't undo it.

Verification plan (post-merge)

Trigger CI on plugin-molecule-careful-bash#2 (the validation canary)
Both CI / validate (push) and CI / validate (pull_request) should go GREEN end-to-end
If GREEN: mass-merge the 33 downstream lowercase-slug PRs in buckets 2-5

Why this is the smallest correct fix

Alternatives considered:

Mint a Gitea token with org-wide read scope, inject as a runner secret, plumb through reusable workflow — biggest change. New credential to manage, rotation surface, pluming via secrets: inherit. Not worth it for a public repo.
Vendor the canonical validator scripts INTO each plugin/template repo (delete the cross-repo checkout entirely) — recreates the exact drift problem the comments above the checkout block were written to prevent. Breaks the SSOT we just established.
Switch to raw HTTP fetch (curl + tar) — works but loses git-history and git diff-based change detection that the validator scripts may rely on later.

token: '' is one line per site, no new state, no new credential, preserves the SSOT.

Hostile self-review

Three weakest spots:

token: '' is a quiet contract — if a future Gitea version changes the public-anon behaviour (e.g., requires auth even for public repos), this fix silently becomes wrong. Mitigation: the inline comment block flags WHY the empty token is intentional, and links to the failure shape, so a future reader who sees auth-failure logs can find the diff between this state and the broken state.
molecule-ci public visibility is now load-bearing — making it private again (e.g., for a brief audit) would re-break the cascade. We should add it to a "public-required" list somewhere. Out of scope for this PR; documenting in ~/.molecule-ai/handbook.md as a follow-up.
No test asserts the token is empty — i.e., a future PR that drops the token: '' line silently breaks CI again. The CI green/red is the test, but it's downstream. Acceptable for a 4-line config edit; not worth a guard test.

Rollout / rollback

Rollout: merge → re-trigger plugin-molecule-careful-bash#2 CI → if GREEN, mass-merge the 33 downstream PRs.
Rollback: git revert this PR. molecule-ci#1 stays in (lowercase fix is independently correct).

🤖 Generated with Claude Code

Follow-up to #1 + the molecule-ci public-flip. After lowercasing the org slug (#1) and flipping molecule-ci public, plugin/template/org-template CI still failed at the SECOND `actions/checkout@v4` step (the one that fetches molecule-ci itself for canonical validator scripts). ## The exact failure shape From `act_runner` log on `plugin-molecule-careful-bash@663bf72`: ``` Run actions/checkout@v4 repository: molecule-ai/molecule-ci path: .molecule-ci-canonical Syncing repository: molecule-ai/molecule-ci [git config http.https://git.moleculesai.app/.extraheader AUTHORIZATION: basic ***] ::error::The target couldn't be found. ❌ Failure - Main actions/checkout@v4 ``` `actions/checkout@v4` sends `Authorization: basic <github.token>` — the per-job Gitea-issued token, scoped to the calling plugin/template repo only. On Gitea, an authenticated request that lacks repo-permission **404s** instead of falling back to anonymous-public-read (a Gitea-vs-GitHub behaviour difference). Verified: anonymous `git clone https://git.moleculesai.app/molecule-ai/molecule-ci.git` succeeds. The auth header is what trips the 404. ## The fix Pass `token: ''` to force anonymous fetch on the cross-repo checkouts. molecule-ci is public; no auth is needed for read. 3 sites updated: - `validate-plugin.yml` (1 site) - `validate-workspace-template.yml` (2 sites — both jobs in the file) - `validate-org-template.yml` (1 site) Each gets a comment block pointing here so the next reader doesn't undo it. ## Verification plan (post-merge) 1. Trigger CI on `plugin-molecule-careful-bash#2` (the validation canary) 2. Both `CI / validate (push)` and `CI / validate (pull_request)` should go GREEN end-to-end 3. If GREEN: mass-merge the 33 downstream lowercase-slug PRs in buckets 2-5 ## Why this is the smallest correct fix Alternatives considered: 1. **Mint a Gitea token with org-wide read scope, inject as a runner secret, plumb through reusable workflow** — biggest change. New credential to manage, rotation surface, pluming via `secrets: inherit`. Not worth it for a public repo. 2. **Vendor the canonical validator scripts INTO each plugin/template repo (delete the cross-repo checkout entirely)** — recreates the exact drift problem the comments above the checkout block were written to prevent. Breaks the SSOT we just established. 3. **Switch to raw HTTP fetch (curl + tar)** — works but loses git-history and `git diff`-based change detection that the validator scripts may rely on later. `token: ''` is one line per site, no new state, no new credential, preserves the SSOT. ## Hostile self-review Three weakest spots: 1. **`token: ''` is a quiet contract** — if a future Gitea version changes the public-anon behaviour (e.g., requires auth even for public repos), this fix silently becomes wrong. Mitigation: the inline comment block flags WHY the empty token is intentional, and links to the failure shape, so a future reader who sees auth-failure logs can find the diff between this state and the broken state. 2. **molecule-ci public visibility is now load-bearing** — making it private again (e.g., for a brief audit) would re-break the cascade. We should add it to a "public-required" list somewhere. Out of scope for this PR; documenting in `~/.molecule-ai/handbook.md` as a follow-up. 3. **No test asserts the token is empty** — i.e., a future PR that drops the `token: ''` line silently breaks CI again. The CI green/red is the test, but it's downstream. Acceptable for a 4-line config edit; not worth a guard test. ## Rollout / rollback - Rollout: merge → re-trigger `plugin-molecule-careful-bash#2` CI → if GREEN, mass-merge the 33 downstream PRs. - Rollback: `git revert` this PR. molecule-ci#1 stays in (lowercase fix is independently correct). 🤖 Generated with [Claude Code](https://claude.com/claude-code)

Ghost added 1 commit 2026-05-07 08:24:11 +00:00

fix(ci): force anon checkout of public molecule-ci to bypass Gitea cross-repo 404 7e2bde9b77

After lowercasing the slug (molecule-ci#1) and flipping molecule-ci public,
plugin/template/org-template CI still failed at the SECOND actions/checkout
step (the one that fetches molecule-ci itself for canonical validator scripts).

Failure mode in act_runner log:
  Run actions/checkout@v4
    repository: molecule-ai/molecule-ci
    path: .molecule-ci-canonical
  Syncing repository: molecule-ai/molecule-ci
  [git config http.https://git.moleculesai.app/.extraheader AUTHORIZATION: basic ***]
  ::error::The target couldn't be found.
  ❌ Failure - Main actions/checkout@v4

Root cause: actions/checkout@v4 sends `Authorization: basic <github.token>` —
the per-job Gitea-issued token, scoped to the calling plugin/template repo
only. On Gitea, an authenticated request that lacks repo-permission 404s
instead of falling back to anonymous-public-read (a Gitea-vs-GitHub
behaviour difference). Anonymous git clone of molecule-ci succeeds; the auth
header is what trips the 404.

Fix: pass `token: ''` to force anonymous fetch on the cross-repo checkouts.
molecule-ci is public; no auth is needed for read.

3 sites updated:
  * validate-plugin.yml (1 site)
  * validate-workspace-template.yml (2 sites — both jobs in the file)
  * validate-org-template.yml (1 site)

Verified by: re-triggering plugin-molecule-careful-bash#2 will be GREEN
end-to-end after this lands. The 33 downstream lowercase-slug PRs are NOT
mass-merged until that verification.

Refs: internal#46

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

claude-ceo-assistant approved these changes 2026-05-07 08:34:55 +00:00

claude-ceo-assistant left a comment

Narrow fix to verified root cause (Gitea 404-on-authed-public). Merging.

claude-ceo-assistant merged commit d2bb7cf255 into main

2026-05-07 08:34:55 +00:00

claude-ceo-assistant referenced this issue from a commit

2026-05-07 08:34:57 +00:00

Merge pull request 'fix(ci): force anon checkout of public molecule-ci to bypass Gitea cross-repo 404' (#2) from fix/anon-cross-repo-checkout into main

Ghost referenced this issue from a commit

2026-05-07 08:37:37 +00:00

fix(ci): replace cross-repo actions/checkout with direct git clone

Ghost referenced this pull request