Decide required status contexts for molecule-ci main branch protection #23

New Issue

Open

opened 2026-05-24 21:43:25 +00:00 by hongming · 32 comments

hongming commented 2026-05-24 21:43:25 +00:00

Owner

Copy Link

Copy Source

needs-hongming

Question

Should molecule-ci@main enable required status checks now that the merge queue workflow is live? Recommended candidate context from current status API evidence: gitea-merge-queue / queue (push).

Impact

Current branch protection has required_approvals=2, enable_merge_whitelist=false, and dismiss_stale_approvals=true, but enable_status_check=false with no required contexts. That means a red or inconsistent main workflow can be observed without branch protection enforcing any status context on future merges.

Fresh evidence, 2026-05-24 14:40 PDT

• Branch protection API for molecule-ci@main: enable_status_check=false, status_check_contexts=[], required_approvals=2, enable_merge_whitelist=false, dismiss_stale_approvals=true.
• Current head: 3b464deeb58134676040fd52bf82d432f2b98d38.
• Commit status API for that head showed no failure/error statuses and many successful gitea-merge-queue / queue (push) entries.
• Gitea DB action run sample at the same wake showed molecule-ci run 105332 on refs/heads/main for commit 3b464deeb581 with raw status 2 / Failure at 2026-05-24 21:40:14Z.

Non-actions taken

I did not mutate branch protection, rerun workflows, merge, force-push, push to main, rotate secrets, restart runners, or clean up infrastructure.

`needs-hongming` ## Question Should `molecule-ci@main` enable required status checks now that the merge queue workflow is live? Recommended candidate context from current status API evidence: `gitea-merge-queue / queue (push)`. ## Impact Current branch protection has `required_approvals=2`, `enable_merge_whitelist=false`, and `dismiss_stale_approvals=true`, but `enable_status_check=false` with no required contexts. That means a red or inconsistent `main` workflow can be observed without branch protection enforcing any status context on future merges. ## Fresh evidence, 2026-05-24 14:40 PDT - Branch protection API for `molecule-ci@main`: `enable_status_check=false`, `status_check_contexts=[]`, `required_approvals=2`, `enable_merge_whitelist=false`, `dismiss_stale_approvals=true`. - Current head: `3b464deeb58134676040fd52bf82d432f2b98d38`. - Commit status API for that head showed no failure/error statuses and many successful `gitea-merge-queue / queue (push)` entries. - Gitea DB action run sample at the same wake showed `molecule-ci` run `105332` on `refs/heads/main` for commit `3b464deeb581` with raw status `2` / `Failure` at `2026-05-24 21:40:14Z`. ## Non-actions taken I did not mutate branch protection, rerun workflows, merge, force-push, push to `main`, rotate secrets, restart runners, or clean up infrastructure.

hongming commented 2026-05-25 02:42:36 +00:00

Author

Owner

Copy Link

Copy Source

2026-05-24 19:40 PDT follow-up evidence for required-context decision:

• Branch protection is still enable_status_check=false, status_check_contexts=[] on molecule-ci@main.
• Current head remains 3b464deeb58134676040fd52bf82d432f2b98d38.
• Direct commit-status API for that head showed no failure/error statuses (pending=150, success=150).
• Fresh DB action-run sample still shows molecule-ci@main run 107778 on 3b464deeb581 with raw status 2 / Failure at 2026-05-25 02:40:14Z, alongside repeated cancelled queue runs.

This reinforces the original question: should branch protection require a repo-owned status context for molecule-ci@main, and which context should be canonical? No branch-protection mutation or workflow rerun performed.

2026-05-24 19:40 PDT follow-up evidence for required-context decision: - Branch protection is still `enable_status_check=false`, `status_check_contexts=[]` on `molecule-ci@main`. - Current head remains `3b464deeb58134676040fd52bf82d432f2b98d38`. - Direct commit-status API for that head showed no failure/error statuses (`pending=150`, `success=150`). - Fresh DB action-run sample still shows `molecule-ci@main` run `107778` on `3b464deeb581` with raw status `2` / `Failure` at `2026-05-25 02:40:14Z`, alongside repeated cancelled queue runs. This reinforces the original question: should branch protection require a repo-owned status context for `molecule-ci@main`, and which context should be canonical? No branch-protection mutation or workflow rerun performed.

hongming commented 2026-05-25 04:46:51 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-24 21:40 PDT / 2026-05-25 04:40 UTC):

• Branch protection for molecule-ci@main is still the outlier: required_approvals=2, enable_merge_whitelist=false, dismiss_stale_approvals=true, but enable_status_check=false and status_check_contexts=[].
• Current head 3b464deeb58134676040fd52bf82d432f2b98d38 still shows no failure/error commit statuses in the commit-status API (pending=150, success=150).
• DB evidence still shows a current-head failure row: action run 108759, refs/heads/main, SHA 3b464dee, raw status 2 / Failure, updated 2026-05-25 04:40:14Z, while run 108788 on the same SHA is Waiting and other same-SHA queue runs are cancelled.
• I did not add required contexts or mutate branch protection; this remains a human/owner-policy decision.

Hourly CI/security triage evidence (2026-05-24 21:40 PDT / 2026-05-25 04:40 UTC): - Branch protection for `molecule-ci@main` is still the outlier: `required_approvals=2`, `enable_merge_whitelist=false`, `dismiss_stale_approvals=true`, but `enable_status_check=false` and `status_check_contexts=[]`. - Current head `3b464deeb58134676040fd52bf82d432f2b98d38` still shows no failure/error commit statuses in the commit-status API (`pending=150`, `success=150`). - DB evidence still shows a current-head failure row: action run `108759`, `refs/heads/main`, SHA `3b464dee`, raw status `2` / `Failure`, updated `2026-05-25 04:40:14Z`, while run `108788` on the same SHA is `Waiting` and other same-SHA queue runs are cancelled. - I did not add required contexts or mutate branch protection; this remains a human/owner-policy decision.

hongming commented 2026-05-25 05:44:39 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-24 22:40 PDT / 2026-05-25 05:40 UTC):

• Branch protection for molecule-ci@main remains the outlier: required_approvals=2, enable_merge_whitelist=false, dismiss_stale_approvals=true, but enable_status_check=false and status_check_contexts=[].
• Current head 3b464deeb58134676040fd52bf82d432f2b98d38 still shows no failure/error commit statuses in the commit-status API (pending=160, success=160).
• DB rows in this pass showed molecule-ci@main same-SHA runs succeeding recently (109228, 109204, 109162) with older same-SHA cancellations still present. This is better than the prior hour's DB failure row, but branch protection still cannot require any context until contexts are chosen.
• No required-context or branch-protection mutation performed.

Hourly CI/security triage evidence (2026-05-24 22:40 PDT / 2026-05-25 05:40 UTC): - Branch protection for `molecule-ci@main` remains the outlier: `required_approvals=2`, `enable_merge_whitelist=false`, `dismiss_stale_approvals=true`, but `enable_status_check=false` and `status_check_contexts=[]`. - Current head `3b464deeb58134676040fd52bf82d432f2b98d38` still shows no failure/error commit statuses in the commit-status API (`pending=160`, `success=160`). - DB rows in this pass showed `molecule-ci@main` same-SHA runs succeeding recently (`109228`, `109204`, `109162`) with older same-SHA cancellations still present. This is better than the prior hour's DB failure row, but branch protection still cannot require any context until contexts are chosen. - No required-context or branch-protection mutation performed.

hongming commented 2026-05-25 07:58:32 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 00:55 PDT / 07:55 UTC):

• Branch protection for molecule-ci@main remains the outlier: required_approvals=2, whitelist disabled, stale approvals dismissed, but enable_status_check=false and status_check_contexts=[].
• Current head 3b464deeb58134676040fd52bf82d432f2b98d38 still shows no failure/error commit statuses (pending=185, success=185).
• DB rows showed fresh same-SHA molecule-ci@main success/waiting rows around 07:52-07:55 UTC, so no active DB failure was observed this pass; the policy gap remains the missing required contexts.
• No branch-protection or required-context mutation performed.

Hourly CI/security triage evidence (2026-05-25 00:55 PDT / 07:55 UTC): - Branch protection for `molecule-ci@main` remains the outlier: `required_approvals=2`, whitelist disabled, stale approvals dismissed, but `enable_status_check=false` and `status_check_contexts=[]`. - Current head `3b464deeb58134676040fd52bf82d432f2b98d38` still shows no failure/error commit statuses (`pending=185`, `success=185`). - DB rows showed fresh same-SHA `molecule-ci@main` success/waiting rows around 07:52-07:55 UTC, so no active DB failure was observed this pass; the policy gap remains the missing required contexts. - No branch-protection or required-context mutation performed.

hongming commented 2026-05-25 09:00:54 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 01:55 PDT / 08:55 UTC):

• Branch protection for molecule-ci@main is unchanged: required_approvals=2, whitelist disabled, stale approvals dismissed, but enable_status_check=false and status_check_contexts=[].
• Current head 3b464deeb58134676040fd52bf82d432f2b98d38 still shows no failure/error commit statuses (pending=197, success=197; recheck failure/error count 0).
• Recent DB rows show fresh same-SHA molecule-ci@main successes, with no active same-head DB failure observed this pass.
• No branch-protection or required-context mutation performed.

Hourly CI/security triage evidence (2026-05-25 01:55 PDT / 08:55 UTC): - Branch protection for `molecule-ci@main` is unchanged: `required_approvals=2`, whitelist disabled, stale approvals dismissed, but `enable_status_check=false` and `status_check_contexts=[]`. - Current head `3b464deeb58134676040fd52bf82d432f2b98d38` still shows no failure/error commit statuses (`pending=197`, `success=197`; recheck failure/error count `0`). - Recent DB rows show fresh same-SHA `molecule-ci@main` successes, with no active same-head DB failure observed this pass. - No branch-protection or required-context mutation performed.

hongming commented 2026-05-25 09:58:07 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 02:55 PDT / 09:55 UTC):

• Branch protection for molecule-ci@main is unchanged: required_approvals=2, whitelist disabled, stale approvals dismissed, but enable_status_check=false and status_check_contexts=[].
• Current head 3b464deeb58134676040fd52bf82d432f2b98d38 has no failure/error commit statuses: pending=205, success=205.
• Recent DB rows show fresh same-SHA successes with some expected cancelled queue churn; no active same-head DB failure observed this pass.
• No branch-protection or required-context mutation performed.

Hourly CI/security triage evidence (2026-05-25 02:55 PDT / 09:55 UTC): - Branch protection for `molecule-ci@main` is unchanged: `required_approvals=2`, whitelist disabled, stale approvals dismissed, but `enable_status_check=false` and `status_check_contexts=[]`. - Current head `3b464deeb58134676040fd52bf82d432f2b98d38` has no failure/error commit statuses: `pending=205`, `success=205`. - Recent DB rows show fresh same-SHA successes with some expected cancelled queue churn; no active same-head DB failure observed this pass. - No branch-protection or required-context mutation performed.

hongming commented 2026-05-25 11:00:33 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 03:55 PDT / 10:55 UTC):

• Current main head remains 3b464deeb58134676040fd52bf82d432f2b98d38.
• Gitea commit-status API showed no failure/error states: pending=217, success=217.
• Gitea DB cross-check for this same SHA on refs/heads/main showed normal merge-queue churn (Success=213, Cancelled=55), no Failure rows observed.
• Branch protection gap is unchanged and remains the reason this issue stays open: enable_status_check=false, status_check_contexts=[], while required_approvals=2, enable_merge_whitelist=false, and dismiss_stale_approvals=true are set.
• Local workflow scan still shows no permissions: write-all; known write scopes are the auto-promote/disable-auto-merge workflows (contents: write, pull-requests: write).
• No branch-protection mutation or workflow rerun performed.

Hourly CI/security triage evidence (2026-05-25 03:55 PDT / 10:55 UTC): - Current `main` head remains `3b464deeb58134676040fd52bf82d432f2b98d38`. - Gitea commit-status API showed no failure/error states: `pending=217`, `success=217`. - Gitea DB cross-check for this same SHA on `refs/heads/main` showed normal merge-queue churn (`Success=213`, `Cancelled=55`), no Failure rows observed. - Branch protection gap is unchanged and remains the reason this issue stays open: `enable_status_check=false`, `status_check_contexts=[]`, while `required_approvals=2`, `enable_merge_whitelist=false`, and `dismiss_stale_approvals=true` are set. - Local workflow scan still shows no `permissions: write-all`; known write scopes are the auto-promote/disable-auto-merge workflows (`contents: write`, `pull-requests: write`). - No branch-protection mutation or workflow rerun performed.

hongming commented 2026-05-25 11:57:43 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 04:55 PDT / 11:55 UTC):

• Current main head remains 3b464deeb58134676040fd52bf82d432f2b98d38.
• Gitea commit-status API showed no failure/error states: pending=225, success=225.
• Gitea DB cross-check for this same SHA on refs/heads/main showed normal merge-queue churn (Success=221, Cancelled=59), no Failure rows observed.
• Branch protection gap is unchanged and remains the reason this issue stays open: enable_status_check=false, status_check_contexts=[], while required_approvals=2, enable_merge_whitelist=false, and dismiss_stale_approvals=true are set.
• Local workflow scan still shows no permissions: write-all; known write scopes are the auto-promote/disable-auto-merge workflows (contents: write, pull-requests: write).
• No branch-protection mutation or workflow rerun performed.

Hourly CI/security triage evidence (2026-05-25 04:55 PDT / 11:55 UTC): - Current `main` head remains `3b464deeb58134676040fd52bf82d432f2b98d38`. - Gitea commit-status API showed no failure/error states: `pending=225`, `success=225`. - Gitea DB cross-check for this same SHA on `refs/heads/main` showed normal merge-queue churn (`Success=221`, `Cancelled=59`), no Failure rows observed. - Branch protection gap is unchanged and remains the reason this issue stays open: `enable_status_check=false`, `status_check_contexts=[]`, while `required_approvals=2`, `enable_merge_whitelist=false`, and `dismiss_stale_approvals=true` are set. - Local workflow scan still shows no `permissions: write-all`; known write scopes are the auto-promote/disable-auto-merge workflows (`contents: write`, `pull-requests: write`). - No branch-protection mutation or workflow rerun performed.

hongming commented 2026-05-25 13:58:28 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 06:55 PDT / 13:55 UTC):

• Current main head remains 3b464deeb58134676040fd52bf82d432f2b98d38.
• Gitea commit-status API showed no failure/error states: pending=233, success=233.
• Gitea DB cross-check for this same SHA on refs/heads/main showed merge-queue churn with one failed run row and one waiting run (Success=235, Cancelled=67, Failure=1, Waiting=1). The failed run is gitea-merge-queue.yml run index 313; its only job row is queue=Cancelled, so this appears to be queue cancellation/status drift rather than a failed task log.
• Branch protection gap is unchanged and remains the reason this issue stays open: enable_status_check=false, status_check_contexts=[], while required_approvals=2, enable_merge_whitelist=false, and dismiss_stale_approvals=true are set.
• Local workflow scan still shows no permissions: write-all; known write scopes are the auto-promote/disable-auto-merge workflows (contents: write, pull-requests: write).
• No branch-protection mutation or workflow rerun performed.

Hourly CI/security triage evidence (2026-05-25 06:55 PDT / 13:55 UTC): - Current `main` head remains `3b464deeb58134676040fd52bf82d432f2b98d38`. - Gitea commit-status API showed no failure/error states: `pending=233`, `success=233`. - Gitea DB cross-check for this same SHA on `refs/heads/main` showed merge-queue churn with one failed run row and one waiting run (`Success=235`, `Cancelled=67`, `Failure=1`, `Waiting=1`). The failed run is `gitea-merge-queue.yml` run index 313; its only job row is `queue=Cancelled`, so this appears to be queue cancellation/status drift rather than a failed task log. - Branch protection gap is unchanged and remains the reason this issue stays open: `enable_status_check=false`, `status_check_contexts=[]`, while `required_approvals=2`, `enable_merge_whitelist=false`, and `dismiss_stale_approvals=true` are set. - Local workflow scan still shows no `permissions: write-all`; known write scopes are the auto-promote/disable-auto-merge workflows (`contents: write`, `pull-requests: write`). - No branch-protection mutation or workflow rerun performed.

hongming commented 2026-05-25 14:58:35 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 07:55 PDT / 14:55 UTC):

• Current main head remains 3b464deeb58134676040fd52bf82d432f2b98d38.
• Gitea commit-status API showed no failure/error states: pending=239, success=239.
• Gitea DB cross-check for this same SHA on refs/heads/main showed merge-queue churn with one Failure row and one Waiting row (Success, Cancelled, Failure=1, Waiting=1). The failed run is again gitea-merge-queue.yml; the job row is queue=Cancelled, consistent with queue cancellation/status drift rather than a task-backed failure.
• Branch protection gap is unchanged and remains the reason this issue stays open: enable_status_check=false, status_check_contexts=[], while required_approvals=2, enable_merge_whitelist=false, and dismiss_stale_approvals=true are set.
• Local workflow scan still shows no permissions: write-all; known write scopes are the auto-promote/disable-auto-merge workflows (contents: write, pull-requests: write).
• No branch-protection mutation or workflow rerun performed.

Hourly CI/security triage evidence (2026-05-25 07:55 PDT / 14:55 UTC): - Current `main` head remains `3b464deeb58134676040fd52bf82d432f2b98d38`. - Gitea commit-status API showed no failure/error states: `pending=239`, `success=239`. - Gitea DB cross-check for this same SHA on `refs/heads/main` showed merge-queue churn with one Failure row and one Waiting row (`Success`, `Cancelled`, `Failure=1`, `Waiting=1`). The failed run is again `gitea-merge-queue.yml`; the job row is `queue=Cancelled`, consistent with queue cancellation/status drift rather than a task-backed failure. - Branch protection gap is unchanged and remains the reason this issue stays open: `enable_status_check=false`, `status_check_contexts=[]`, while `required_approvals=2`, `enable_merge_whitelist=false`, and `dismiss_stale_approvals=true` are set. - Local workflow scan still shows no `permissions: write-all`; known write scopes are the auto-promote/disable-auto-merge workflows (`contents: write`, `pull-requests: write`). - No branch-protection mutation or workflow rerun performed.

hongming commented 2026-05-25 15:58:29 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 08:55 PDT / 15:55 UTC):

• Current main head remains 3b464deeb58134676040fd52bf82d432f2b98d38.
• Gitea commit-status API showed no failure/error states: pending=239, success=239.
• DB still shows merge-queue cancellation/status drift (Failure=1, Waiting=1 among many Success/Cancelled rows), consistent with prior queue rows rather than a task-backed failure.
• Branch protection gap is unchanged and remains the reason this issue stays open: enable_status_check=false, status_check_contexts=[], while required_approvals=2, enable_merge_whitelist=false, and dismiss_stale_approvals=true are set.
• Local workflow scan still shows no permissions: write-all; known write scopes are auto-promote/disable-auto-merge workflows (contents: write, pull-requests: write).
• No branch-protection mutation or workflow rerun performed.

Hourly CI/security triage evidence (2026-05-25 08:55 PDT / 15:55 UTC): - Current `main` head remains `3b464deeb58134676040fd52bf82d432f2b98d38`. - Gitea commit-status API showed no failure/error states: `pending=239`, `success=239`. - DB still shows merge-queue cancellation/status drift (`Failure=1`, `Waiting=1` among many Success/Cancelled rows), consistent with prior queue rows rather than a task-backed failure. - Branch protection gap is unchanged and remains the reason this issue stays open: `enable_status_check=false`, `status_check_contexts=[]`, while `required_approvals=2`, `enable_merge_whitelist=false`, and `dismiss_stale_approvals=true` are set. - Local workflow scan still shows no `permissions: write-all`; known write scopes are auto-promote/disable-auto-merge workflows (`contents: write`, `pull-requests: write`). - No branch-protection mutation or workflow rerun performed.

hongming commented 2026-05-25 16:57:53 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 09:55 PDT / 16:55 UTC):

• Current main head remains 3b464deeb58134676040fd52bf82d432f2b98d38.
• Gitea commit-status API showed no failure/error states: pending=239, success=239.
• DB still shows merge-queue cancellation/status drift (Failure=1, Waiting=1 among many Success/Cancelled rows), consistent with prior queue rows rather than a task-backed failure.
• Branch protection gap is unchanged and remains the reason this issue stays open: enable_status_check=false, status_check_contexts=[], while required_approvals=2, enable_merge_whitelist=false, and dismiss_stale_approvals=true are set.
• Local workflow scan still shows no permissions: write-all; known write scopes are auto-promote/disable-auto-merge workflows (contents: write, pull-requests: write).
• No branch-protection mutation or workflow rerun performed.

Hourly CI/security triage evidence (2026-05-25 09:55 PDT / 16:55 UTC): - Current `main` head remains `3b464deeb58134676040fd52bf82d432f2b98d38`. - Gitea commit-status API showed no failure/error states: `pending=239`, `success=239`. - DB still shows merge-queue cancellation/status drift (`Failure=1`, `Waiting=1` among many Success/Cancelled rows), consistent with prior queue rows rather than a task-backed failure. - Branch protection gap is unchanged and remains the reason this issue stays open: `enable_status_check=false`, `status_check_contexts=[]`, while `required_approvals=2`, `enable_merge_whitelist=false`, and `dismiss_stale_approvals=true` are set. - Local workflow scan still shows no `permissions: write-all`; known write scopes are auto-promote/disable-auto-merge workflows (`contents: write`, `pull-requests: write`). - No branch-protection mutation or workflow rerun performed.

hongming commented 2026-05-25 18:00:16 +00:00

Author

Owner

Copy Link

Copy Source

2026-05-25 10:55 PDT triage update: current main remains 3b464deeb5. Commit-status API sample has no failure/error rows (pending=239, success=239), but the branch-protection gap is unchanged and still the main security posture finding here: enable_status_check=false, status_check_contexts=[], required approvals=2, merge whitelist enforcement disabled, stale approvals dismissed.

I did not mutate branch protection or rerun workflows. This remains a needs-human/config decision for required contexts before this repo can be considered aligned with the rest of the critical set.

2026-05-25 10:55 PDT triage update: current main remains 3b464deeb58134676040fd52bf82d432f2b98d38. Commit-status API sample has no failure/error rows (pending=239, success=239), but the branch-protection gap is unchanged and still the main security posture finding here: `enable_status_check=false`, `status_check_contexts=[]`, required approvals=2, merge whitelist enforcement disabled, stale approvals dismissed. I did not mutate branch protection or rerun workflows. This remains a needs-human/config decision for required contexts before this repo can be considered aligned with the rest of the critical set.

hongming commented 2026-05-25 18:57:53 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 11:55 PDT / 18:55 UTC):

Current main remains 3b464deeb58134676040fd52bf82d432f2b98d38. Commit-status API sample has no failure/error rows (pending=239, success=239). DB cross-check still shows the long-running merge-queue/cancellation pattern and one latest current-head action_run row at status=5 (Waiting), plus a failed row at index 375; the commit-status API did not surface that as a failure/error context.

Security posture gap is unchanged: branch protection has enable_status_check=false and status_check_contexts=[] while keeping required_approvals=2, merge whitelist enforcement disabled, stale approvals dismissed.

needs-hongming: please confirm which required status contexts should be enforced for molecule-ci@main so this repo can match the critical-repo branch-protection baseline. Impact: without required contexts, a two-approval merge can land without repo-owned CI being a protected gate. I did not mutate branch protection or rerun workflows.

Hourly CI/security triage evidence (2026-05-25 11:55 PDT / 18:55 UTC): Current main remains `3b464deeb58134676040fd52bf82d432f2b98d38`. Commit-status API sample has no failure/error rows (`pending=239`, `success=239`). DB cross-check still shows the long-running merge-queue/cancellation pattern and one latest current-head action_run row at `status=5` (Waiting), plus a failed row at index 375; the commit-status API did not surface that as a failure/error context. Security posture gap is unchanged: branch protection has `enable_status_check=false` and `status_check_contexts=[]` while keeping `required_approvals=2`, merge whitelist enforcement disabled, stale approvals dismissed. needs-hongming: please confirm which required status contexts should be enforced for `molecule-ci@main` so this repo can match the critical-repo branch-protection baseline. Impact: without required contexts, a two-approval merge can land without repo-owned CI being a protected gate. I did not mutate branch protection or rerun workflows.

hongming commented 2026-05-25 19:58:10 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 12:55 PDT / 19:55 UTC):

Current main remains 3b464deeb58134676040fd52bf82d432f2b98d38. Commit-status API sample has no failure/error rows (pending=245, success=245). DB cross-check now shows Success=241, Cancelled=135 for this SHA; the previous waiting/failed DB rows have moved out of the active risk shape.

Security posture gap is unchanged: branch protection has enable_status_check=false and status_check_contexts=[] while keeping required_approvals=2, merge whitelist enforcement disabled, stale approvals dismissed. The existing needs-hongming question from the prior pass still stands: which required status contexts should be enforced for molecule-ci@main?

I did not mutate branch protection or rerun workflows.

Hourly CI/security triage evidence (2026-05-25 12:55 PDT / 19:55 UTC): Current main remains `3b464deeb58134676040fd52bf82d432f2b98d38`. Commit-status API sample has no failure/error rows (`pending=245`, `success=245`). DB cross-check now shows `Success=241`, `Cancelled=135` for this SHA; the previous waiting/failed DB rows have moved out of the active risk shape. Security posture gap is unchanged: branch protection has `enable_status_check=false` and `status_check_contexts=[]` while keeping `required_approvals=2`, merge whitelist enforcement disabled, stale approvals dismissed. The existing needs-hongming question from the prior pass still stands: which required status contexts should be enforced for `molecule-ci@main`? I did not mutate branch protection or rerun workflows.

hongming commented 2026-05-25 20:57:25 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 13:55 PDT / 20:55 UTC):

Current main remains 3b464deeb58134676040fd52bf82d432f2b98d38. Commit-status API sample has no failure/error rows (pending=257, success=257). DB cross-check shows Success=253, Cancelled=135 for this SHA.

Security posture gap is unchanged: branch protection has enable_status_check=false and status_check_contexts=[] while keeping required_approvals=2, merge whitelist enforcement disabled, stale approvals dismissed. The existing needs-hongming question still stands: which required status contexts should be enforced for molecule-ci@main?

I did not mutate branch protection or rerun workflows.

Hourly CI/security triage evidence (2026-05-25 13:55 PDT / 20:55 UTC): Current main remains `3b464deeb58134676040fd52bf82d432f2b98d38`. Commit-status API sample has no failure/error rows (`pending=257`, `success=257`). DB cross-check shows `Success=253`, `Cancelled=135` for this SHA. Security posture gap is unchanged: branch protection has `enable_status_check=false` and `status_check_contexts=[]` while keeping `required_approvals=2`, merge whitelist enforcement disabled, stale approvals dismissed. The existing needs-hongming question still stands: which required status contexts should be enforced for `molecule-ci@main`? I did not mutate branch protection or rerun workflows.

hongming commented 2026-05-25 21:57:24 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 14:55 PDT / 21:55 UTC):

Current main remains 3b464deeb58134676040fd52bf82d432f2b98d38. Commit-status API sample has no failure/error rows (pending=269, success=269). DB cross-check shows Success=265, Cancelled=135 for this SHA.

Security posture gap is unchanged: branch protection has enable_status_check=false and status_check_contexts=[] while keeping required_approvals=2, merge whitelist enforcement disabled, stale approvals dismissed. The existing needs-hongming question still stands: which required status contexts should be enforced for molecule-ci@main?

I did not mutate branch protection or rerun workflows.

Hourly CI/security triage evidence (2026-05-25 14:55 PDT / 21:55 UTC): Current main remains `3b464deeb58134676040fd52bf82d432f2b98d38`. Commit-status API sample has no failure/error rows (`pending=269`, `success=269`). DB cross-check shows `Success=265`, `Cancelled=135` for this SHA. Security posture gap is unchanged: branch protection has `enable_status_check=false` and `status_check_contexts=[]` while keeping `required_approvals=2`, merge whitelist enforcement disabled, stale approvals dismissed. The existing needs-hongming question still stands: which required status contexts should be enforced for `molecule-ci@main`? I did not mutate branch protection or rerun workflows.

hongming commented 2026-05-25 22:57:23 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-25 15:55 PDT / 22:55 UTC):

Current main remains 3b464deeb58134676040fd52bf82d432f2b98d38. Commit-status API sample has no failure/error rows (pending=280, success=280). DB cross-check shows Success=276, Cancelled=136 for this SHA.

Security posture gap is unchanged: branch protection has enable_status_check=false and status_check_contexts=[] while keeping required_approvals=2, merge whitelist enforcement disabled, stale approvals dismissed. The existing needs-hongming question still stands: which required status contexts should be enforced for molecule-ci@main?

I did not mutate branch protection or rerun workflows.

Hourly CI/security triage evidence (2026-05-25 15:55 PDT / 22:55 UTC): Current main remains `3b464deeb58134676040fd52bf82d432f2b98d38`. Commit-status API sample has no failure/error rows (`pending=280`, `success=280`). DB cross-check shows `Success=276`, `Cancelled=136` for this SHA. Security posture gap is unchanged: branch protection has `enable_status_check=false` and `status_check_contexts=[]` while keeping `required_approvals=2`, merge whitelist enforcement disabled, stale approvals dismissed. The existing needs-hongming question still stands: which required status contexts should be enforced for `molecule-ci@main`? I did not mutate branch protection or rerun workflows.

hongming commented 2026-05-25 23:58:57 +00:00

Author

Owner

Copy Link

Copy Source

2026-05-25 23:55Z heartbeat triage evidence:

• Current main: 3b464deeb58134676040fd52bf82d432f2b98d38.
• Commit statuses sampled from Gitea API: success=291, pending=291, failure/error=0.
• Gitea DB action_run sample for this SHA: Success=287, Cancelled=137; no Failure rows.
• Branch protection still has enable_status_check=false and no required contexts; review gate remains required_approvals=2, merge whitelist disabled, stale approvals dismissed.
• Scoped workflow writes observed remain the expected existing surfaces: auto-promote-branch.yml / auto-promote-staging.yml use contents: write; disable-auto-merge-on-push.yml uses pull-requests: write; no permissions: write-all found in this scan.

No branch protection mutation, rerun, merge, or runner cleanup performed. Existing needs-hongming question on the required-context policy remains the active human decision.

2026-05-25 23:55Z heartbeat triage evidence: - Current main: `3b464deeb58134676040fd52bf82d432f2b98d38`. - Commit statuses sampled from Gitea API: success=291, pending=291, failure/error=0. - Gitea DB `action_run` sample for this SHA: Success=287, Cancelled=137; no Failure rows. - Branch protection still has `enable_status_check=false` and no required contexts; review gate remains `required_approvals=2`, merge whitelist disabled, stale approvals dismissed. - Scoped workflow writes observed remain the expected existing surfaces: `auto-promote-branch.yml` / `auto-promote-staging.yml` use `contents: write`; `disable-auto-merge-on-push.yml` uses `pull-requests: write`; no `permissions: write-all` found in this scan. No branch protection mutation, rerun, merge, or runner cleanup performed. Existing `needs-hongming` question on the required-context policy remains the active human decision.

hongming commented 2026-05-26 00:57:38 +00:00

Author

Owner

Copy Link

Copy Source

2026-05-26 00:55Z heartbeat triage evidence:

• Current main advanced to 670e2081fdfbad0722af89247cc252ce617f9208.
• Commit statuses sampled from Gitea API: success=11, pending=11, failure/error=0.
• Gitea DB action_run sample for this SHA: Success=9; no Failure rows.
• Branch protection still has enable_status_check=false and no required contexts; review gate remains required_approvals=2, merge whitelist disabled, stale approvals dismissed.
• Scoped workflow writes observed remain the expected existing surfaces: auto-promote-branch.yml / auto-promote-staging.yml use contents: write; disable-auto-merge-on-push.yml uses pull-requests: write; no permissions: write-all found in this scan.

No branch protection mutation, rerun, merge, or runner cleanup performed. Existing needs-hongming question on the required-context policy remains the active human decision.

2026-05-26 00:55Z heartbeat triage evidence: - Current main advanced to `670e2081fdfbad0722af89247cc252ce617f9208`. - Commit statuses sampled from Gitea API: success=11, pending=11, failure/error=0. - Gitea DB `action_run` sample for this SHA: Success=9; no Failure rows. - Branch protection still has `enable_status_check=false` and no required contexts; review gate remains `required_approvals=2`, merge whitelist disabled, stale approvals dismissed. - Scoped workflow writes observed remain the expected existing surfaces: `auto-promote-branch.yml` / `auto-promote-staging.yml` use `contents: write`; `disable-auto-merge-on-push.yml` uses `pull-requests: write`; no `permissions: write-all` found in this scan. No branch protection mutation, rerun, merge, or runner cleanup performed. Existing `needs-hongming` question on the required-context policy remains the active human decision.

hongming commented 2026-05-26 01:58:47 +00:00

Author

Owner

Copy Link

Copy Source

2026-05-26 01:55Z heartbeat triage evidence:

• Current main remains 670e2081fdfbad0722af89247cc252ce617f9208.
• Commit statuses sampled from Gitea API: success=21, pending=21, failure/error=0.
• Gitea DB action_run sample for this SHA: Success=19, Cancelled=2; no Failure rows.
• Branch protection still has enable_status_check=false and no required contexts; review gate remains required_approvals=2, merge whitelist disabled, stale approvals dismissed.
• Scoped workflow writes observed remain the expected existing surfaces: auto-promote-branch.yml / auto-promote-staging.yml use contents: write; disable-auto-merge-on-push.yml uses pull-requests: write; no permissions: write-all found in this scan.

No branch protection mutation, rerun, merge, or runner cleanup performed. Existing needs-hongming question on the required-context policy remains the active human decision.

2026-05-26 01:55Z heartbeat triage evidence: - Current main remains `670e2081fdfbad0722af89247cc252ce617f9208`. - Commit statuses sampled from Gitea API: success=21, pending=21, failure/error=0. - Gitea DB `action_run` sample for this SHA: Success=19, Cancelled=2; no Failure rows. - Branch protection still has `enable_status_check=false` and no required contexts; review gate remains `required_approvals=2`, merge whitelist disabled, stale approvals dismissed. - Scoped workflow writes observed remain the expected existing surfaces: `auto-promote-branch.yml` / `auto-promote-staging.yml` use `contents: write`; `disable-auto-merge-on-push.yml` uses `pull-requests: write`; no `permissions: write-all` found in this scan. No branch protection mutation, rerun, merge, or runner cleanup performed. Existing `needs-hongming` question on the required-context policy remains the active human decision.

hongming commented 2026-05-26 02:57:43 +00:00

Author

Owner

Copy Link

Copy Source

2026-05-26 02:55Z heartbeat triage evidence:

• Current main remains 670e2081fdfbad0722af89247cc252ce617f9208.
• Commit statuses sampled from Gitea API: success=33, pending=33, failure/error=0.
• Gitea DB action_run sample for this SHA: Success=31, Cancelled=2; no Failure rows.
• Branch protection still has enable_status_check=false and no required contexts; review gate remains required_approvals=2, merge whitelist disabled, stale approvals dismissed.
• Scoped workflow writes observed remain the expected existing surfaces: auto-promote-branch.yml / auto-promote-staging.yml use contents: write; disable-auto-merge-on-push.yml uses pull-requests: write; no permissions: write-all found in this scan.

No branch protection mutation, rerun, merge, or runner cleanup performed. Existing needs-hongming question on the required-context policy remains the active human decision.

2026-05-26 02:55Z heartbeat triage evidence: - Current main remains `670e2081fdfbad0722af89247cc252ce617f9208`. - Commit statuses sampled from Gitea API: success=33, pending=33, failure/error=0. - Gitea DB `action_run` sample for this SHA: Success=31, Cancelled=2; no Failure rows. - Branch protection still has `enable_status_check=false` and no required contexts; review gate remains `required_approvals=2`, merge whitelist disabled, stale approvals dismissed. - Scoped workflow writes observed remain the expected existing surfaces: `auto-promote-branch.yml` / `auto-promote-staging.yml` use `contents: write`; `disable-auto-merge-on-push.yml` uses `pull-requests: write`; no `permissions: write-all` found in this scan. No branch protection mutation, rerun, merge, or runner cleanup performed. Existing `needs-hongming` question on the required-context policy remains the active human decision.

hongming commented 2026-05-26 03:58:11 +00:00

Author

Owner

Copy Link

Copy Source

2026-05-26 03:55Z heartbeat triage evidence:

• Current main remains 670e2081fdfbad0722af89247cc252ce617f9208.
• Commit statuses sampled from Gitea API: success=41, pending=41, failure/error=0.
• Gitea DB action_run sample for this SHA: Success=39, Failure=1, Cancelled=4, Running=1. Failed run title: Merge pull request 'style: ruff cleanup — split multi-import lines + remove unused imports' (#22) from fix/ruff-e401-f401-split-imports into main.
• Branch protection still has enable_status_check=false and no required contexts; review gate remains required_approvals=2, merge whitelist disabled, stale approvals dismissed.
• Scoped workflow writes observed remain expected existing surfaces; no permissions: write-all found in this scan.

No branch protection mutation, rerun, merge, or runner cleanup performed. Existing needs-hongming question on the required-context policy remains the active human decision.

2026-05-26 03:55Z heartbeat triage evidence: - Current main remains `670e2081fdfbad0722af89247cc252ce617f9208`. - Commit statuses sampled from Gitea API: success=41, pending=41, failure/error=0. - Gitea DB `action_run` sample for this SHA: Success=39, Failure=1, Cancelled=4, Running=1. Failed run title: `Merge pull request 'style: ruff cleanup — split multi-import lines + remove unused imports' (#22) from fix/ruff-e401-f401-split-imports into main`. - Branch protection still has `enable_status_check=false` and no required contexts; review gate remains `required_approvals=2`, merge whitelist disabled, stale approvals dismissed. - Scoped workflow writes observed remain expected existing surfaces; no `permissions: write-all` found in this scan. No branch protection mutation, rerun, merge, or runner cleanup performed. Existing `needs-hongming` question on the required-context policy remains the active human decision.

hongming commented 2026-05-26 04:58:10 +00:00

Author

Owner

Copy Link

Copy Source

2026-05-26 04:55Z heartbeat triage evidence:

• Current main remains 670e2081fdfbad0722af89247cc252ce617f9208.
• Commit statuses sampled from Gitea API: success=50, pending=50, failure/error=0.
• Gitea DB sample for this SHA: Success=48, Failure=1, Cancelled=7, Waiting=1; DB still reports a failed push run even though commit-status API has no failure/error status.
• Branch protection still has enable_status_check=false and no required contexts; review gate remains required_approvals=2, merge whitelist disabled, stale approvals dismissed.
• Scoped workflow writes observed remain expected existing surfaces; no permissions: write-all found in this scan.

No branch protection mutation, rerun, merge, or runner cleanup performed. Existing needs-hongming question on the required-context policy remains the active human decision.

2026-05-26 04:55Z heartbeat triage evidence: - Current main remains `670e2081fdfbad0722af89247cc252ce617f9208`. - Commit statuses sampled from Gitea API: success=50, pending=50, failure/error=0. - Gitea DB sample for this SHA: Success=48, Failure=1, Cancelled=7, Waiting=1; DB still reports a failed push run even though commit-status API has no failure/error status. - Branch protection still has `enable_status_check=false` and no required contexts; review gate remains `required_approvals=2`, merge whitelist disabled, stale approvals dismissed. - Scoped workflow writes observed remain expected existing surfaces; no `permissions: write-all` found in this scan. No branch protection mutation, rerun, merge, or runner cleanup performed. Existing `needs-hongming` question on the required-context policy remains the active human decision.

hongming commented 2026-05-26 13:21:52 +00:00

Author

Owner

Copy Link

Copy Source

CI/security heartbeat — 2026-05-26 06:17 PDT / 13:17 UTC

Fresh evidence:

• main is 670e2081fd.
• commit-status counts from the Gitea API: success=121, pending=121, failure/error=0.
• Action DB sample for this exact head after re-query: Success=119, Cancelled=38, Waiting=1; no Failure rows.
• Branch protection still has enable_status_check=false and an empty required-context list, with required_approvals=2, merge whitelist disabled, stale approvals dismissed.
• Open PRs sampled: #12 (infra/add-ci-workflow) pending=6/success=6 and #9 pending=2/success=2, no failed contexts at sample time.
• Workflow permission scan in critical repos found no permissions: write-all. Known scoped writes remain in molecule-ci auto-promote workflows (contents: write) and disable-auto-merge-on-push (pull-requests: write), and codex-channel publish uses id-token: write.

No branch protection mutation performed.

CI/security heartbeat — 2026-05-26 06:17 PDT / 13:17 UTC Fresh evidence: - main is 670e2081fdfbad0722af89247cc252ce617f9208. - commit-status counts from the Gitea API: success=121, pending=121, failure/error=0. - Action DB sample for this exact head after re-query: Success=119, Cancelled=38, Waiting=1; no Failure rows. - Branch protection still has enable_status_check=false and an empty required-context list, with required_approvals=2, merge whitelist disabled, stale approvals dismissed. - Open PRs sampled: #12 (infra/add-ci-workflow) pending=6/success=6 and #9 pending=2/success=2, no failed contexts at sample time. - Workflow permission scan in critical repos found no permissions: write-all. Known scoped writes remain in molecule-ci auto-promote workflows (contents: write) and disable-auto-merge-on-push (pull-requests: write), and codex-channel publish uses id-token: write. No branch protection mutation performed.

hongming commented 2026-05-26 17:33:45 +00:00

Author

Owner

Copy Link

Copy Source

CI/security heartbeat — 2026-05-26 10:28 PDT / 17:28 UTC

Fresh evidence:

• main remains 670e2081fd.
• commit-status counts from API: success=166, pending=166, no failure/error.
• DB sample for this exact head: Success=164, Cancelled=43, no Failure rows.
• Branch protection still has enable_status_check=false and no required contexts, with required_approvals=2, merge whitelist disabled, stale approvals dismissed.
• Open PR sample: #12 and #9 have no failed contexts at sample time.
• Critical-repo workflow permission scan again found no ; known scoped writes/OIDC remain in molecule-ci auto-promote/disable-auto-merge workflows and codex-channel publish.

No branch protection mutation performed.

CI/security heartbeat — 2026-05-26 10:28 PDT / 17:28 UTC Fresh evidence: - main remains 670e2081fdfbad0722af89247cc252ce617f9208. - commit-status counts from API: success=166, pending=166, no failure/error. - DB sample for this exact head: Success=164, Cancelled=43, no Failure rows. - Branch protection still has enable_status_check=false and no required contexts, with required_approvals=2, merge whitelist disabled, stale approvals dismissed. - Open PR sample: #12 and #9 have no failed contexts at sample time. - Critical-repo workflow permission scan again found no ; known scoped writes/OIDC remain in molecule-ci auto-promote/disable-auto-merge workflows and codex-channel publish. No branch protection mutation performed.

hongming commented 2026-05-26 18:30:52 +00:00

Author

Owner

Copy Link

Copy Source

CI/security heartbeat — 2026-05-26 11:28 PDT / 18:28 UTC

Fresh evidence:

• main remains 670e2081fdfbad0722af89247cc252ce617f9208.
• API statuses: success=178, pending=178, no failure/error statuses.
• DB sample for this exact head: Success=176, Cancelled=43.
• Branch protection still has enable_status_check=false and an empty required-context list, with required approvals=2, merge whitelist disabled, stale approvals dismissed.
• Critical-repo workflow scan again found no permissions: write-all; known scoped writes/OIDC remain in molecule-ci auto-promote/disable-auto-merge workflows and codex-channel-molecule publish.

No branch protection mutation performed.

CI/security heartbeat — 2026-05-26 11:28 PDT / 18:28 UTC Fresh evidence: - main remains `670e2081fdfbad0722af89247cc252ce617f9208`. - API statuses: `success=178`, `pending=178`, no failure/error statuses. - DB sample for this exact head: Success=176, Cancelled=43. - Branch protection still has `enable_status_check=false` and an empty required-context list, with required approvals=2, merge whitelist disabled, stale approvals dismissed. - Critical-repo workflow scan again found no `permissions: write-all`; known scoped writes/OIDC remain in `molecule-ci` auto-promote/disable-auto-merge workflows and `codex-channel-molecule` publish. No branch protection mutation performed.

hongming commented 2026-05-26 20:30:52 +00:00

Author

Owner

Copy Link

Copy Source

2026-05-26 13:28 PDT triage update:

Fresh evidence:

• molecule-ci@670e2081fdfbad0722af89247cc252ce617f9208 has API statuses success=200, pending=200, no failure/error.
• DB sample for this head: Success=198, Cancelled=45.
• Branch protection still has enable_status_check=false and no required contexts, with required_approvals=2 and dismiss_stale_approvals=true.

No branch protection mutation performed.

2026-05-26 13:28 PDT triage update: Fresh evidence: - `molecule-ci@670e2081fdfbad0722af89247cc252ce617f9208` has API statuses `success=200`, `pending=200`, no failure/error. - DB sample for this head: Success=198, Cancelled=45. - Branch protection still has `enable_status_check=false` and no required contexts, with `required_approvals=2` and `dismiss_stale_approvals=true`. No branch protection mutation performed.

hongming commented 2026-05-26 21:35:11 +00:00

Author

Owner

Copy Link

Copy Source

CI/security heartbeat 2026-05-26 14:28 PDT fresh sample:

• molecule-ci@670e2081fdfbad0722af89247cc252ce617f9208: API statuses success=210, pending=210, no failure/error.
• DB sample: Success=208, Cancelled=47, Waiting=1. Waiting row is merge-queue workflow gitea-merge-queue.yml for PR #22 merge commit on main.
• Branch protection still has enable_status_check=false and no required contexts; approvals=2 and stale-approval dismissal remain enabled.
• No branch protection mutation performed.

CI/security heartbeat 2026-05-26 14:28 PDT fresh sample: - `molecule-ci@670e2081fdfbad0722af89247cc252ce617f9208`: API statuses `success=210`, `pending=210`, no failure/error. - DB sample: Success=208, Cancelled=47, Waiting=1. Waiting row is merge-queue workflow `gitea-merge-queue.yml` for PR #22 merge commit on main. - Branch protection still has `enable_status_check=false` and no required contexts; approvals=2 and stale-approval dismissal remain enabled. - No branch protection mutation performed.

hongming commented 2026-05-26 22:30:56 +00:00

Author

Owner

Copy Link

Copy Source

CI/security heartbeat 2026-05-26 15:28 PDT fresh sample:

• molecule-ci@670e2081fdfbad0722af89247cc252ce617f9208: API statuses success=219, pending=219, no failure/error.
• DB sample: Success=217, Cancelled=50.
• Branch protection still has enable_status_check=false and no required contexts; approvals=2 and stale-approval dismissal remain enabled.
• No branch protection mutation performed.

CI/security heartbeat 2026-05-26 15:28 PDT fresh sample: - `molecule-ci@670e2081fdfbad0722af89247cc252ce617f9208`: API statuses `success=219`, `pending=219`, no failure/error. - DB sample: Success=217, Cancelled=50. - Branch protection still has `enable_status_check=false` and no required contexts; approvals=2 and stale-approval dismissal remain enabled. - No branch protection mutation performed.

hongming commented 2026-05-30 22:14:48 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-30 15:10 PDT / 22:10 UTC)

Fresh molecule-ci/main evidence:

• Current head: 522a5a68a1.
• Latest per-context statuses sampled from Gitea API: success=4, no latest failure/error contexts. Raw status rows include many historical pending/success merge-queue entries, but latest-per-context is green.
• Branch protection gap is unchanged: enable_status_check=false and status_check_contexts=[] while required_approvals=2, dismiss_stale_approvals=true, and merge whitelist enforcement disabled.
• Workflow scan found no permissions: write-all; expected scoped write surfaces remain auto-promote/disable-auto-merge workflows.

No branch-protection mutation or workflow rerun performed. The standing needs-hongming decision remains: choose the required status contexts for molecule-ci@main so this critical repo matches the rest of the protected-branch baseline.

Hourly CI/security triage evidence (2026-05-30 15:10 PDT / 22:10 UTC) Fresh molecule-ci/main evidence: - Current head: 522a5a68a182ced0d419d25d3d997d93a80cc206. - Latest per-context statuses sampled from Gitea API: success=4, no latest failure/error contexts. Raw status rows include many historical pending/success merge-queue entries, but latest-per-context is green. - Branch protection gap is unchanged: enable_status_check=false and status_check_contexts=[] while required_approvals=2, dismiss_stale_approvals=true, and merge whitelist enforcement disabled. - Workflow scan found no permissions: write-all; expected scoped write surfaces remain auto-promote/disable-auto-merge workflows. No branch-protection mutation or workflow rerun performed. The standing needs-hongming decision remains: choose the required status contexts for molecule-ci@main so this critical repo matches the rest of the protected-branch baseline.

hongming commented 2026-05-30 23:12:37 +00:00

Author

Owner

Copy Link

Copy Source

Hourly CI/security triage evidence (2026-05-30 16:10 PDT / 23:10 UTC)

Fresh molecule-ci/main evidence:

• Current head remains 522a5a68a1.
• Robust latest-per-context statuses: success=4, no latest failure/error/pending contexts.
• Branch protection gap is unchanged: enable_status_check=false and status_check_contexts=[] while required_approvals=2, dismiss_stale_approvals=true, and merge whitelist enforcement is disabled.
• Workflow scan still found no permissions: write-all; expected scoped write surfaces remain auto-promote/disable-auto-merge workflows.

No branch-protection mutation or workflow rerun performed. Standing needs-hongming decision remains: choose required status contexts for molecule-ci@main.

Hourly CI/security triage evidence (2026-05-30 16:10 PDT / 23:10 UTC) Fresh molecule-ci/main evidence: - Current head remains 522a5a68a182ced0d419d25d3d997d93a80cc206. - Robust latest-per-context statuses: success=4, no latest failure/error/pending contexts. - Branch protection gap is unchanged: enable_status_check=false and status_check_contexts=[] while required_approvals=2, dismiss_stale_approvals=true, and merge whitelist enforcement is disabled. - Workflow scan still found no permissions: write-all; expected scoped write surfaces remain auto-promote/disable-auto-merge workflows. No branch-protection mutation or workflow rerun performed. Standing needs-hongming decision remains: choose required status contexts for molecule-ci@main.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/validate-plugin-kind-aware-content

fix/t4-aggregate-fork-guard-guidance

fix/gitea-curl-11721-short-forms

fix/gitea-curl-followup-hardening

fix/agent-gitea-token-leak

feat/canonical-ci-validate-templates

feat/bp-context-drift-gate

ci/absorb-queue-schedule-into-conductor

feat/platform-agent-image

feat/trivy-skip-dirs-files-39

feat/known-runtime-google-adk

feat/internal-718-p4-pr3-drift-gate-full-providers

feat/platform-models-ssot-drift-gate

fix/ruff-e401-f401-split-imports

infra/add-merge-queue

fix-15-pin-shas-molecule-ci-phase1

chore/gitea-only-ci

chore/sop-checklist-gate

infra/add-ci-workflow

fix/ci-gate-pull-request-trigger

infra-write-test-1778794651

feat/gitea-workflows-port

fix/validate-template-docker-smoke-graceful-skip

feat/audit-force-merge-composite-action

fix/git-clone-instead-of-actions-checkout

fix/anon-cross-repo-checkout

fix/lowercase-org-slug

docs/readme-add-publish-template-image-section

auto/p135-fork-pr-lockdown

auto/p133-readme-v1-pin

auto/p9-reusable-auto-promote

feat/strict-template-drift-check

feat/build-arg-runtime-version

docs/disable-auto-merge-readme

feat/disable-auto-merge-on-push

feat/lint-reads-runtime-manifest

feat/lint-bare-imports-and-deeper-boot-smoke

feat/boot-image-smoke-test

v1

Labels

Clear labels

merge-queue

PR is in the merge queue — do not merge manually

tier:medium

Multi-file CI infra change; affects downstream callers

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-ci#23