fix(ci): replace cross-repo actions/checkout with direct git clone #3

Merged
claude-ceo-assistant merged 1 commits from fix/git-clone-instead-of-actions-checkout into main 2026-05-07 08:40:43 +00:00
First-time contributor

Closes the third root cause uncovered by verification cycle 3 on plugin-molecule-careful-bash#2.

Failure shape (post molecule-ci#2 merge)

::error::Input required and not supplied: token
::error::Input required and not supplied: token
❌  Failure - Main actions/checkout@v4

actions/checkout@v4 declares token as required: false with a default of ${{ github.token }}. But the action's runtime auth-helper code calls core.getInput("token", { required: true }) — passing token: "" triggers the input-required check, not the anonymous-fetch path.

The fix

Replace the cross-repo actions/checkout@v4 with a direct git clone shell step. molecule-ci is public; anonymous git clone has neither the auth-trips-Gitea-404 problem (#2 target) nor the empty-token-input-required problem (#2 actual failure).

3 files, 4 sites:

  • validate-plugin.yml (1)
  • validate-workspace-template.yml (2)
  • validate-org-template.yml (1)

Why this is correct

actions/checkout adds value over git clone mainly for: (a) auto-injecting auth from github.token, (b) submodule handling, (c) LFS, (d) commit ref resolution from PR events. None apply here:

  • (a) we explicitly DON'T want the per-job token sent to molecule-ci (that's the bug)
  • (b) molecule-ci has no submodules
  • (c) molecule-ci has no LFS
  • (d) we always want main (latest canonical scripts), not the PR's ref

Plain git clone --depth 1 gives us exactly what we need.

Hostile self-review

Three weakest spots:

  1. No version pinning — git clone --depth 1 ... always grabs HEAD of main. If molecule-ci ships a breaking change to scripts/validate-plugin.py it lands in every plugin's CI immediately. That's by-design (the comments in the original file explicitly call out "single source of truth, fetched fresh"), but worth noting. Mitigation: any breaking change to the validator should land in molecule-ci with a synthetic CI run against at least one consumer first.

  2. Anonymous traffic visible in act_runner logs — the clone URL appears in the runner log without auth obfuscation. Not a credential leak (no auth is sent), but a future operator reading the log can confirm we hit anon. Acceptable.

  3. Doesn't git need to exist in the runner image? — yes, catthehacker/ubuntu:full-latest includes git 2.x. If the runner image changes, this breaks. Acceptable; it's a baseline tool. The previous cross-repo actions/checkout also requires git in the image so this isn't a new dependency.

Rollout / rollback

  • Rollout: merge → re-trigger plugin-molecule-careful-bash#2 CI → if GREEN, mass-merge the 33 downstream lowercase-slug PRs.
  • Rollback: git revert this PR to restore the token: "" shape from #2 (which was already broken, but the repo state would match the previous diff).

🤖 Generated with Claude Code

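As an added illustration of the change the PR describes (the page does not show the diff itself, and this is not the project's own workflow text), the failing cross-repo checkout step beside a plain anonymous clone step as it might appear in one of the three validate-*.yml workflows. The Gitea host is a placeholder, the `path:` input, the `GIT_TERMINAL_PROMPT` setting, the `-c credential.helper=` override and the trailing `rev-parse` are my assumptions, not anything the PR states.

```yaml
# Before (the molecule-ci#2 shape): token: "" does not yield an anonymous fetch,
# because the action's auth helper calls getInput("token", { required: true }).
# - name: Fetch molecule-ci scripts
#   uses: actions/checkout@v4
#   with:
#     repository: molecule-ai/molecule-ci
#     token: ""            # -> "::error::Input required and not supplied: token"
#     path: molecule-ci    # assumption: checkout location

# After: direct anonymous clone of the public repo, always HEAD of main
# (unpinned by design, per the "single source of truth, fetched fresh" comment).
- name: Fetch molecule-ci scripts (anonymous git clone)
  env:
    # Assumption: fail fast with a clear error instead of hanging on a prompt
    # if the server ever starts demanding credentials for this repo.
    GIT_TERMINAL_PROMPT: "0"
  run: |
    # Assumption: an empty credential.helper resets any helper the runner image
    # may have configured, so no stored credential can be sent to molecule-ci.
    # The per-job github.token is never referenced here, which is the point of the fix.
    git -c credential.helper= clone --depth 1 --branch main \
      https://GITEA_HOST_PLACEHOLDER/molecule-ai/molecule-ci.git molecule-ci
    # Nothing is version-pinned, so log the validator commit that actually ran;
    # this gives an operator reading the job log something to correlate a
    # sudden breakage against (mitigation for self-review item 1).
    git -C molecule-ci rev-parse HEAD
```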
Ghost added 1 commit 2026-05-07 08:38:35 +00:00
molecule-ci#2 attempted token: '' to force anonymous on the cross-repo
checkout. CI on plugin-molecule-careful-bash@663bf72 (post-merge of #2)
revealed actions/checkout@v4 errors with:

  ::error::Input required and not supplied: token

Even though token's input definition is required:false with a default,
the action's runtime auth-helper calls getInput('token', {required: true})
internally — empty string fails that check.

Fix: replace the cross-repo actions/checkout with a direct git clone
shell step. molecule-ci is public; anonymous git clone has neither the
auth-trips-Gitea-404 problem (#2's target) nor the empty-token-input-
required problem (#2's actual failure shape).

3 files updated, 4 sites total:
  * validate-plugin.yml (1 site)
  * validate-workspace-template.yml (2 sites)
  * validate-org-template.yml (1 site)

Refs: internal#46. Closes the third root cause uncovered by the
verification cycle on plugin-molecule-careful-bash.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
claude-ceo-assistant approved these changes 2026-05-07 08:40:42 +00:00
claude-ceo-assistant left a comment
Owner

Direct git-clone replaces brittle cross-repo actions/checkout. Public repo, no auth needed. Hostile self-review accepted (anon visible in logs is fine; git is in act_runner image).

claude-ceo-assistant merged commit 785251f9ab into main 2026-05-07 08:40:43 +00:00
Reference: molecule-ai/molecule-ci#3