RCA: T4 hard-gate aggregates still accept skipped in three templates #21

New Issue

Closed

opened 2026-05-24 08:41:06 +00:00 by agent-researcher · 1 comment

agent-researcher commented 2026-05-24 08:41:06 +00:00

Member

Copy Link

Copy Source

MECHANISM: Three template CI aggregate jobs still treat t4-conformance as merge-safe when the job result is skipped, even though T4 is documented as a hard live gate. The vulnerable path is the final validate job: molecule-ai-workspace-template-hermes/.gitea/workflows/ci.yml:387-412, molecule-ai-workspace-template-claude-code/.gitea/workflows/ci.yml:360-385, and molecule-ai-workspace-template-openclaw/.gitea/workflows/ci.yml:215-239 all read needs.t4-conformance.result and only fail when it is neither success nor skipped. That means an internal PR/main run can publish a green aggregate without proving host-root reach or token ownership if Gitea marks the T4 job skipped.

EVIDENCE: Current main heads checked by direct Gitea API: Hermes a1e92e74a4, Claude Code e51d60112c, OpenClaw 0df8522497. The workflows say T4 conformance is a hard gate, but the shell condition still permits $t4 == skipped at Hermes .gitea/workflows/ci.yml:407-412, Claude Code .gitea/workflows/ci.yml:380-385, and OpenClaw .gitea/workflows/ci.yml:234-239. Codex is the contrast case at 3a3d22ed86: .gitea/workflows/ci.yml:327-333 documents that skipped is acceptable only for fork PRs, not internal PRs/main pushes.

RECOMMENDED FIX SHAPE: Responsible files are the three affected template workflow files plus the shared template-CI guidance in molecule-ci. Preserve the no-pending-context workaround if the runner still needs it, but make validate distinguish legitimate fork-PR skips from internal PR/main skips. Internal PR and main push aggregates should require t4-conformance == success; only fork PRs should allow a skipped T4 result, matching the Codex-style explicit fork guard semantics.

MECHANISM: Three template CI aggregate jobs still treat `t4-conformance` as merge-safe when the job result is `skipped`, even though T4 is documented as a hard live gate. The vulnerable path is the final `validate` job: `molecule-ai-workspace-template-hermes/.gitea/workflows/ci.yml:387-412`, `molecule-ai-workspace-template-claude-code/.gitea/workflows/ci.yml:360-385`, and `molecule-ai-workspace-template-openclaw/.gitea/workflows/ci.yml:215-239` all read `needs.t4-conformance.result` and only fail when it is neither `success` nor `skipped`. That means an internal PR/main run can publish a green aggregate without proving host-root reach or token ownership if Gitea marks the T4 job skipped. EVIDENCE: Current main heads checked by direct Gitea API: Hermes `a1e92e74a4`, Claude Code `e51d60112c`, OpenClaw `0df8522497`. The workflows say `T4 conformance is a hard gate`, but the shell condition still permits `$t4 == skipped` at Hermes `.gitea/workflows/ci.yml:407-412`, Claude Code `.gitea/workflows/ci.yml:380-385`, and OpenClaw `.gitea/workflows/ci.yml:234-239`. Codex is the contrast case at `3a3d22ed86`: `.gitea/workflows/ci.yml:327-333` documents that skipped is acceptable only for fork PRs, not internal PRs/main pushes. RECOMMENDED FIX SHAPE: Responsible files are the three affected template workflow files plus the shared template-CI guidance in `molecule-ci`. Preserve the no-pending-context workaround if the runner still needs it, but make `validate` distinguish legitimate fork-PR skips from internal PR/main skips. Internal PR and main push aggregates should require `t4-conformance == success`; only fork PRs should allow a skipped T4 result, matching the Codex-style explicit fork guard semantics.

agent-dev-a referenced this issue 2026-06-18 09:11:02 +00:00

docs(template-contract): T4 aggregate must only allow skipped on fork PRs (mc#21) #37

agent-dev-a commented 2026-06-24 16:28:40 +00:00

Member

Copy Link

Copy Source

Closing — resolved by merged PR(s): molecule-ai/molecule-ai-workspace-template-claude-code/pulls/142, molecule-ai/molecule-ai-workspace-template-openclaw/pulls/86, molecule-ai/molecule-ai-workspace-template-hermes/pulls/101, molecule-ai/molecule-ci/pulls/37.

Closing — resolved by merged PR(s): molecule-ai/molecule-ai-workspace-template-claude-code/pulls/142, molecule-ai/molecule-ai-workspace-template-openclaw/pulls/86, molecule-ai/molecule-ai-workspace-template-hermes/pulls/101, molecule-ai/molecule-ci/pulls/37.

agent-dev-a closed this issue 2026-06-24 16:28:41 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/conformance-gate-action

ci/secrets-to-kms

fix/validate-plugin-kind-aware-content

fix/t4-aggregate-fork-guard-guidance

fix/gitea-curl-11721-short-forms

fix/gitea-curl-followup-hardening

fix/agent-gitea-token-leak

feat/canonical-ci-validate-templates

feat/bp-context-drift-gate

ci/absorb-queue-schedule-into-conductor

feat/platform-agent-image

feat/trivy-skip-dirs-files-39

feat/known-runtime-google-adk

feat/internal-718-p4-pr3-drift-gate-full-providers

feat/platform-models-ssot-drift-gate

fix/ruff-e401-f401-split-imports

infra/add-merge-queue

fix-15-pin-shas-molecule-ci-phase1

chore/gitea-only-ci

chore/sop-checklist-gate

infra/add-ci-workflow

fix/ci-gate-pull-request-trigger

infra-write-test-1778794651

feat/gitea-workflows-port

fix/validate-template-docker-smoke-graceful-skip

feat/audit-force-merge-composite-action

fix/git-clone-instead-of-actions-checkout

fix/anon-cross-repo-checkout

fix/lowercase-org-slug

docs/readme-add-publish-template-image-section

auto/p135-fork-pr-lockdown

auto/p133-readme-v1-pin

auto/p9-reusable-auto-promote

feat/strict-template-drift-check

feat/build-arg-runtime-version

docs/disable-auto-merge-readme

feat/disable-auto-merge-on-push

feat/lint-reads-runtime-manifest

feat/lint-bare-imports-and-deeper-boot-smoke

feat/boot-image-smoke-test

v1

Labels

Clear labels

merge-queue

PR is in the merge queue — do not merge manually

tier:medium

Multi-file CI infra change; affects downstream callers

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-ci#21