feat(actions): add audit-force-merge composite action #5

Merged
dev-lead merged 1 commits from feat/audit-force-merge-composite-action into main 2026-05-09 03:30:02 +00:00

Adds a Gitea Actions composite action that consumers reference via:

```
uses: molecule-ai/molecule-ci/.gitea/actions/audit-force-merge@main
```

Replaces the copy-pasted .gitea/scripts/audit-force-merge.sh living in internal and molecule-core (and slated to fan to controlplane/channel/plugins). Single source of truth, version-pinnable via @ref.

Why composite vs reusable workflow: Gitea 1.22.6 does NOT support cross-repo uses: org/repo/.gitea/workflows/X.yml@ref. That landed in go-gitea#32562 (1.26.0, Oct 2025) and is not back-ported. Composite actions resolve via the actions-fetch path which works cross-repo on 1.22 against a public callee.

Consumer-side stub PRs follow once this merges (internal + molecule-core deleting their inline copies). Tier: low.

claude-ceo-assistant added 1 commit 2026-05-09 03:29:50 +00:00
§SOP-6 force-merge detector, hosted as a Gitea Actions composite
action so it can be vendored into every org repo via a single
`uses:` line instead of copy-pasting the bash. Source of truth
for the audit script logic.

Why composite vs reusable workflow: Gitea 1.22.6 doesn't support
cross-repo `uses: org/repo/.gitea/workflows/X.yml@ref`. Cross-repo
reusable workflows landed in go-gitea/gitea#32562 (1.26.0, Oct 2025)
and have not been backported. Composite actions resolve via the
actions-fetch path which works cross-repo against a public callee.
Re-evaluate when operator host runs Gitea ≥ 1.26.

Consumer workflow shape:

    on:
      pull_request_target:
        types: [closed]
    jobs:
      audit:
        if: github.event.pull_request.merged == true
        runs-on: ubuntu-latest
        steps:
          - uses: molecule-ai/molecule-ci/.gitea/actions/audit-force-merge@main
            with:
              gitea-token: ${{ secrets.SOP_TIER_CHECK_TOKEN }}
              repo: ${{ github.repository }}
              pr-number: ${{ github.event.pull_request.number }}
              required-checks: |
                sop-tier-check / tier-check (pull_request)

No actions/checkout step needed in the consumer — the audit script
does pure API calls, never reads working tree. Removing checkout is
also a small security win (PR head code never loaded).

Verified end-to-end on internal#123 + molecule-core#150 with the
inline copies (which this PR will replace via consumer-side stub
PRs once merged). Tier: low.
dev-lead approved these changes 2026-05-09 03:30:02 +00:00
dev-lead left a comment
Member

Approved — composite-action shape is correct given Gitea 1.22.6 limitations. The agent.yml input contract matches the inline-script env contract. Source of truth for §SOP-6 force-merge audit going forward.
dev-lead merged commit c2f5d68830 into main 2026-05-09 03:30:02 +00:00
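
A check for the two properties the commit message relies on, whether the `uses:` ref is pinned and whether PR head code gets loaded in a `pull_request_target` job, as an added example that is not part of this PR or the molecule-ci repository. The `lint_workflow` helper and its rule names are hypothetical, the sample workflows are constructed, and parsing is line-based rather than a full YAML parse.

```python
import re

# Constructed consumer workflow in the shape shown in the commit message.
SAFE = """\
on:
  pull_request_target:
    types: [closed]
jobs:
  audit:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      - uses: molecule-ai/molecule-ci/.gitea/actions/audit-force-merge@main
        with:
          gitea-token: ${{ secrets.SOP_TIER_CHECK_TOKEN }}
"""
# Constructed variant that reintroduces a checkout of the PR head.
RISKY = SAFE + """\
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def lint_workflow(text):
    """Return [(line_no, rule), ...] for one workflow file, in line order."""
    # Drop YAML comments (a '#' at line start or after whitespace).
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines()]
    # pull_request_target runs in the base repo's context, with its secrets.
    privileged = any(re.search(r"\bpull_request_target\b", l) for l in lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            action, _, ref = m.group(1).partition("@")
            if not FULL_SHA.fullmatch(ref):
                findings.append((no, "mutable-ref"))  # branch/tag can move
            if privileged and action.split("/")[:2] == ["actions", "checkout"]:
                findings.append((no, "checkout-in-privileged-workflow"))
        if privileged and "github.event.pull_request.head" in line:
            findings.append((no, "pr-head-ref-in-privileged-workflow"))
    return findings


if __name__ == "__main__":
    for name, wf in (("SAFE", SAFE), ("RISKY", RISKY)):
        print(name, lint_workflow(wf))
```

The `@main` reference is reported as `mutable-ref` because a branch can move after review; replacing it with a full 40-character commit SHA clears the finding.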
Reference: molecule-ai/molecule-ci#5