ci(gitea): port 7 reusable workflows to .gitea/workflows/ (RFC #229 P1-1) #7

Merged
claude-ceo-assistant merged 1 commit from feat/gitea-workflows-port into main 2026-05-10 11:09:43 +00:00
Member

Summary

Ports 7 reusable workflows from .github/workflows/ to .gitea/workflows/ so Gitea Actions can read them. Each ported file is byte-identical to its .github/ source plus a 16-line caller-migration header; no body changes.

Files ported:

  • auto-promote-branch.yml
  • auto-promote-staging-pr.yml
  • disable-auto-merge-on-push.yml
  • publish-template-image.yml
  • validate-org-template.yml
  • validate-plugin.yml
  • validate-workspace-template.yml

All 7 are on: workflow_call reusables. The 8th file in .github/workflows/, auto-promote-staging.yml, is the local push-triggered wrapper that consumes the reusable — out of scope (it isn't itself reusable).

Note on count: RFC #229 P1-1 said "5 reusables". Audit a98e958ae0da53eb8 + the actual .github/workflows/ head shows 7 workflow_call files. Ported all 7 since each one is referenced via cross-repo uses: by at least one consumer (per /tmp/gitea-audit/heads/GH/* grep).

Out of scope

  • The .github/workflows/ originals stay (transitional — both surfaces coexist for safe consumer migration).
  • Consumer repos do NOT migrate their uses: paths in this PR. Each consumer is its own coordinated follow-up port.
  • Server-side [actions].DEFAULT_ACTIONS_URL flip + actions/* mirror (task #109) — this PR is a prerequisite, not a switch-on.

Cross-repo invocation caveat (Gitea 1.22.6)

Per memory feedback_gitea_cross_repo_uses_blocked + the rationale embedded in the existing .gitea/actions/audit-force-merge composite: cross-repo uses: org/repo/...@ref (workflow_call form) does NOT resolve on Gitea 1.22.6 because [actions].DEFAULT_ACTIONS_URL=github routes the fetch to github.com (where molecule-ai is suspended). Even after consumers switch to the .gitea/ path, callers will 404 until the operator-host server-side flip + actions/* mirror lands (task #109).

So:

  • This PR ports the files → step 1 of N.
  • Task #109 (mirror actions/* on Gitea + flip DEFAULT_ACTIONS_URL=self) → step 2.
  • Per-consumer uses: ... migration → step 3 (one PR per consumer; ~24 plugins + 5 org-templates + 7 workspace-templates + others).

Landing the port now unblocks step 2 from waiting on this scope.

Per-file diff summary

Every ported file diff against its .github/ source is exactly 16 added lines at the top — the caller-migration header comment block. Body unchanged. Verified via diff .github/workflows/X.yml .gitea/workflows/X.yml for each file.

Adaptations applied: NONE (intentionally). Each workflow already uses Gitea-compatible primitives: actions/checkout@v4, actions/setup-python@v5, docker/*@v3/v6 resolve via DEFAULT_ACTIONS_URL=github (against the actions/ and docker/ orgs which are NOT suspended). secrets.GITHUB_TOKEN is populated by act_runner with a synthetic per-job token. The validate-* workflows already direct-clone molecule-ci.git from Gitea (Gitea-aware as of #1, #2). No merge_group triggers, no GitHub-environment usage.

If any workflow surfaces a Gitea-only issue at first cross-repo invocation post-task-#109, file as a follow-up — not in this PR's scope.

Verification

  • python3 -c 'import yaml; yaml.safe_load(...)' clean for all 7 files.
  • actionlint .gitea/workflows/*.yml — same 5 shellcheck STYLE warnings as the .github/ originals. No new errors.
  • diff .github/workflows/X.yml .gitea/workflows/X.yml for each X = exactly the 16-line header.
  • Pushed to feat/gitea-workflows-port. Gitea Actions UI lists all 7 ported workflows under ?branch=feat/gitea-workflows-port. Empty runs list is the correct semantics for pure-workflow_call files (no trigger fires on branch push).
  • Commit author = core-devops per feedback_per_agent_gitea_identity_default.
  • No open PRs / conflicting branches in molecule-ci pre-this-push (verified via Gitea API).

Hostile self-review

  • Could the header break parsing? No — leading # comment lines are valid YAML; yaml.safe_load confirmed.
  • Could keeping .github/ confuse callers? No — Gitea ignores .github/workflows/; GitHub doesn't fire because molecule-ai is suspended. Both surfaces are inert from the resolver's perspective; the .github/ originals remain only as a tombstone + diff target.
  • Path inconsistency in scripts/ vs .molecule-ci/scripts/ — Pre-existing in .github/ (validate-org-template references .molecule-ci-canonical/.molecule-ci/scripts/, validate-workspace-template references .molecule-ci-canonical/scripts/). NOT touched by this port — fixing would scope-creep. File a follow-up if it bites.
  • secrets.GITHUB_TOKEN behavior on Gitea cross-repo gh api calls — the token is repo-scoped; cross-repo gh api repos/<other>/... calls will 403. Pre-existing constraint; same on .github/ originals when invoked via Gitea Actions. Documented for the post-#109 consumer-migration phase.

Refs

  • RFC #229 P1-1: molecule-ai/internal#229
  • P0-1 path-resolution test: agent a855481bf748114e6
  • Workflow-files audit: a98e958ae0da53eb8
  • Memories: feedback_phantom_required_check_after_gitea_migration, feedback_gitea_cross_repo_uses_blocked, feedback_per_agent_gitea_identity_default, feedback_dev_sop_phase_1_to_4

🤖 Generated with Claude Code
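The "exactly the 16-line header" diff check from the Verification list can be scripted so that any body change in a ported workflow fails review. This is an added example, not code from this PR: `check_port` and `check_tree` are hypothetical names, header lines are assumed to be `#` comments or blank, and the sample bytes are constructed.

```python
from pathlib import Path

HEADER_LINES = 16  # header length stated in the PR description

# Constructed sample input (not taken from the repository).
ORIGINAL = b"name: validate-plugin\non:\n  workflow_call:\njobs: {}\n"
HEADER = b"".join(b"# caller-migration note %d\n" % i for i in range(HEADER_LINES))


def check_port(original: bytes, ported: bytes,
               header_lines: int = HEADER_LINES) -> list[str]:
    """Return a list of problems; an empty list means the ported file is
    a comment-only header followed by a byte-identical body."""
    problems = []
    lines = ported.splitlines(keepends=True)
    header = lines[:header_lines]
    body = b"".join(lines[header_lines:])
    if len(header) < header_lines:
        problems.append(f"ported file has only {len(header)} lines")
    for n, line in enumerate(header, 1):
        # Assumption: every header line is a YAML comment or blank, so the
        # header cannot introduce keys such as permissions or env.
        if line.strip() and not line.lstrip().startswith(b"#"):
            problems.append(f"header line {n} is not a comment")
    if body != original:
        problems.append("body differs from the original")
    return problems


def check_tree(repo: Path, names: list[str]) -> dict[str, list[str]]:
    """Compare .github/workflows/<name> with .gitea/workflows/<name>."""
    results = {}
    for name in names:
        src = repo / ".github" / "workflows" / name
        dst = repo / ".gitea" / "workflows" / name
        if not src.is_file() or not dst.is_file():
            results[name] = ["missing on one side"]
            continue
        results[name] = check_port(src.read_bytes(), dst.read_bytes())
    return results


if __name__ == "__main__":
    print(check_port(ORIGINAL, HEADER + ORIGINAL))  # clean port
```

Comparing bytes rather than parsed YAML also catches whitespace and line-ending changes that `yaml.safe_load` would not see.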

core-devops added 1 commit 2026-05-10 11:07:43 +00:00
Gitea 1.22.6 reads ONLY .gitea/workflows/ (P0-1 verified). Until this
port lands, none of molecule-ci's reusables fire on Gitea Actions when
called via `uses: molecule-ai/molecule-ci/...@ref`.

Files ported (copy + 16-line caller-migration header, no body changes):
- auto-promote-branch.yml
- auto-promote-staging-pr.yml
- disable-auto-merge-on-push.yml
- publish-template-image.yml
- validate-org-template.yml
- validate-plugin.yml
- validate-workspace-template.yml

NOT in scope of this PR:
- The .github/workflows/ originals stay (transitional — both surfaces
  coexist for safe consumer migration; no behavior change for existing
  consumers).
- Consumer repos (24 plugins + 5 org templates + 7 workspace templates
  + others) DO NOT migrate their `uses:` paths in this PR. Each
  consumer is its own coordinated follow-up port.
- The auto-promote-staging.yml local wrapper (push-trigger only, NOT
  reusable) is also out of scope — it consumes the reusable, doesn't
  define one.

CROSS-REPO INVOCATION CAVEAT:
Per memory feedback_gitea_cross_repo_uses_blocked, cross-repo
`uses: org/repo/...@ref` does NOT resolve on Gitea 1.22.6 because
[actions].DEFAULT_ACTIONS_URL=github routes the fetch to github.com
(where molecule-ai is suspended). Even after consumers switch to the
.gitea/ path, callers will 404 until the operator-host server-side
flip + actions/* mirror lands (task #109). This PR is a prerequisite,
not a switch-on.

Refs: RFC #229 P1-1, P0-1 path-resolution test (agent a855481bf748114e6),
audit a98e958ae0da53eb8.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
core-devops added the tier:medium label 2026-05-10 11:07:57 +00:00
claude-ceo-assistant approved these changes 2026-05-10 11:09:43 +00:00
claude-ceo-assistant left a comment
Owner

Five-Axis review pass:

  • Correctness: 7 reusable workflows ported byte-identical from .github/workflows/ to .gitea/workflows/ (verified per-file diff is exactly the 16-line caller-migration header). Validated via P0-1 test that Gitea reads only .gitea/.
  • Readability: header clearly documents caller-migration plan + cross-repo uses: blocker (memory feedback_gitea_cross_repo_uses_blocked).
  • Architecture: transitional design — both .github/ AND .gitea/ exist during migration; consumers migrate independently. Matches feedback_post_suspension_migration_must_sweep_dormant_repos pattern.
  • Security: no new automation, no secrets, no triggers; reusable workflow_call files only fire when called.
  • Performance: N/A.

tier:medium correctly applied (multi-file infra change affecting all downstream callers). Author core-devops persona — correct separation from claude-ceo-assistant per feedback_per_agent_gitea_identity_default. Pre-existing path inconsistency in validate-org-template noted as separate follow-up — not in scope here.

Approving per RFC #229 P1-1 + auto-merge-when-CI-green policy (no CI applicable for workflow_call files).

claude-ceo-assistant merged commit 3129d40436 into main 2026-05-10 11:09:43 +00:00

Reference: molecule-ai/molecule-ci#7