From 3eb62072a2ba70291b916c2bc66adf30d342abac Mon Sep 17 00:00:00 2001 From: security-auditor Date: Thu, 7 May 2026 01:37:34 -0700 Subject: [PATCH] fix(ci): replace cross-repo actions/checkout with direct git clone MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit molecule-ci#2 attempted token: '' to force anonymous on the cross-repo checkout. CI on plugin-molecule-careful-bash@663bf72 (post-merge of #2) revealed actions/checkout@v4 errors with: ::error::Input required and not supplied: token Even though token's input definition is required:false with a default, the action's runtime auth-helper calls getInput('token', {required: true}) internally — empty string fails that check. Fix: replace the cross-repo actions/checkout with a direct git clone shell step. molecule-ci is public; anonymous git clone has neither the auth-trips-Gitea-404 problem (#2's target) nor the empty-token-input- required problem (#2's actual failure shape). 3 files updated, 4 sites total: * validate-plugin.yml (1 site) * validate-workspace-template.yml (2 sites) * validate-org-template.yml (1 site) Refs: internal#46. Closes the third root cause uncovered by the verification cycle on plugin-molecule-careful-bash. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/validate-org-template.yml | 10 +++-----
 .github/workflows/validate-plugin.yml | 25 ++++++++++---------
 .../workflows/validate-workspace-template.yml | 20 ++++++---------
 3 files changed, 25 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/validate-org-template.yml b/.github/workflows/validate-org-template.yml
index d0baa28..415fe6d 100644
--- a/.github/workflows/validate-org-template.yml
+++ b/.github/workflows/validate-org-template.yml
@@ -15,12 +15,10 @@ jobs:
 # 5 org-template repos as the validator evolved. Single source of
 # truth eliminates that drift class entirely. Mirrors the same
 # pattern already used by validate-workspace-template.yml.
- - uses: actions/checkout@v4
- with:
- repository: molecule-ai/molecule-ci
- path: .molecule-ci-canonical
- # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
- token: ''
+ # Direct git-clone — see validate-plugin.yml for the rationale.
+ # Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
+ - name: Fetch molecule-ci canonical scripts
+ run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
 - uses: actions/setup-python@v5
 with:
 python-version: "3.11"
diff --git a/.github/workflows/validate-plugin.yml b/.github/workflows/validate-plugin.yml
index d99c058..bc23dd6 100644
--- a/.github/workflows/validate-plugin.yml
+++ b/.github/workflows/validate-plugin.yml
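Review bot: The added `run:` line hard-codes the forge host `https://git.moleculesai.app`, while the rationale this step's comment defers to (in validate-plugin.yml) explicitly contrasts Gitea and GitHub behaviour, so the same template fetches from the wrong place the moment a consumer repo lives on a different instance or mirror. `run: git clone --depth 1 "${{ github.server_url }}/molecule-ai/molecule-ci.git" .molecule-ci-canonical` follows the forge the job is actually running on; `server_url` is runner-populated rather than user-controlled, so interpolating it into `run:` does not open an injection path (assuming the Gitea runner in use populates it, which I cannot verify from here). The two-line comment above the step could then also say the URL is derived rather than fixed. The enclosing `steps:` list starts before this hunk.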
@@ -15,18 +15,19 @@ jobs:
 # 20+ plugin repos as the validator evolved. Single source of
 # truth eliminates that drift class entirely. Mirrors the same
 # pattern already used by validate-workspace-template.yml.
- - uses: actions/checkout@v4
- with:
- repository: molecule-ai/molecule-ci
- path: .molecule-ci-canonical
- # Force anonymous fetch. molecule-ci is a public repo. On Gitea,
- # actions/checkout@v4 sends the per-job ${{ github.token }} which
- # is scoped to the calling repo only — Gitea 404s the cross-repo
- # request instead of falling back to anon-public-read (different
- # from GitHub's behaviour). Empty token bypasses auth entirely.
- # See molecule-ci#1 commit + the post-public-flip CI run on
- # plugin-molecule-careful-bash@663bf72 for the exact failure shape.
- token: ''
+ # Direct git-clone instead of actions/checkout@v4 because:
+ # (a) actions/checkout@v4 sends Authorization: basic by default,
+ # and Gitea 404s the cross-repo authenticated request (different from
+ # GitHub which falls back to anon-public-read).
+ # (b) Passing token: '' triggers actions/checkout's runtime "Input required
+ # and not supplied: token" error — the input is documented as
+ # required:false but the action's runtime calls getInput with
+ # required:true on its auth-helper path.
+ # Anonymous git clone of public molecule-ci has neither problem.
+ # See molecule-ci#1 (lowercase fix) + #2 (token:'' attempt) +
+ # the post-merge CI run on plugin-molecule-careful-bash@663bf72.
+ - name: Fetch molecule-ci canonical scripts
+ run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
 - uses: actions/setup-python@v5
 with:
 python-version: "3.11"
diff --git a/.github/workflows/validate-workspace-template.yml b/.github/workflows/validate-workspace-template.yml
index bbc8fce..07d3495 100644
--- a/.github/workflows/validate-workspace-template.yml
+++ b/.github/workflows/validate-workspace-template.yml
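Review bot: The new `run:` line clones whatever commit sits at molecule-ci's default-branch tip at job time, and the surrounding comments say the fetched "canonical scripts" are then run as the contract check, so one push to that branch (or one compromised account with write access to it) presumably executes inside the CI of every plugin repo with that job's token and permissions. The removed actions/checkout step had the same unpinned default, but this rewrite is the natural moment to pin: clone a tag with `--branch` and print the resolved commit so each run records exactly what it executed; pinning to a bare SHA needs `git init` / `git fetch --depth 1 origin <sha>` / `git checkout FETCH_HEAD` instead, since `--branch` only accepts branch or tag names. The eleven-line comment explains (a) and (b) thoroughly but never says whether tracking the moving tip is deliberate — one sentence there would stop the next reader from "fixing" it either way. The enclosing `steps:` list starts before this hunk.

```yaml
      - name: Fetch molecule-ci canonical scripts
        env:
          MOLECULE_CI_REF: "<tag-or-branch>"  # a release tag, bumped deliberately, not the moving tip
        run: |
          git clone --depth 1 --branch "$MOLECULE_CI_REF" \
            https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
          echo "molecule-ci at $(git -C .molecule-ci-canonical rev-parse HEAD)"
```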
@@ -54,12 +54,10 @@ jobs:
 # template repos as the validator evolved. Single source of truth
 # eliminates that drift class entirely — every template runs the
 # same canonical contract check on every CI run.
- - uses: actions/checkout@v4
- with:
- repository: molecule-ai/molecule-ci
- path: .molecule-ci-canonical
- # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
- token: ''
+ # Direct git-clone — see validate-plugin.yml for the rationale.
+ # Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
+ - name: Fetch molecule-ci canonical scripts
+ run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
 - uses: actions/setup-python@v5
 with:
 python-version: "3.11"
@@ -135,12 +133,10 @@ jobs:
 if: github.event.pull_request.head.repo.fork != true
 steps:
 - uses: actions/checkout@v4
- - uses: actions/checkout@v4
- with:
- repository: molecule-ai/molecule-ci
- path: .molecule-ci-canonical
- # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
- token: ''
+ # Direct git-clone — see validate-plugin.yml for the rationale.
+ # Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
+ - name: Fetch molecule-ci canonical scripts
+ run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
 - uses: actions/setup-python@v5
 with:
 python-version: "3.11"
-- 2.45.2
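Review bot: `git clone` on the added `run:` line aborts with "destination path already exists" when `.molecule-ci-canonical` is already present, whereas the removed actions/checkout step prepared its `path` before fetching, so on any runner that reuses its workspace the second run of this job fails where the first succeeded. The steps preceding this one are outside the hunk, so I cannot see whether the job's own checkout cleans the workspace first; making the step self-sufficient costs one command: `run: rm -rf .molecule-ci-canonical && git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical`. The clone also lands inside the checked-out template, so any later step that globs or lints the workspace now sees a second repository — if the validator accepts the scripts' location as an argument, `$RUNNER_TEMP` would be the cleaner home. The enclosing `steps:` list starts before this hunk.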
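Review bot: The fetch step added here is the fourth verbatim copy across the three workflows, each carrying the full URL, depth and target path, which reintroduces the drift class the comment three lines above the first hunk says the canonical-scripts pattern exists to eliminate — the next change to the pin or host must be made in four places, and the two sites in this file can already diverge silently. A workflow-level `env:` entry such as `MOLECULE_CI_URL: https://git.moleculesai.app/molecule-ai/molecule-ci.git` referenced as `"$MOLECULE_CI_URL"` from both `run:` lines gives this file one definition. Hoisting further into a composite action hosted in molecule-ci would dedupe across all three workflows, but that is itself a cross-repo `uses:` and may hit the same Gitea auth path this patch is working around, so I would not take that step without a CI run proving it. The enclosing job definition starts before this hunk.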