Go to file

Hongming Wang 56facc8a42 fix(validate): fetch validator scripts from molecule-ci instead of expecting them in caller The validate-org-template.yml and validate-plugin.yml workflows expected `.molecule-ci/scripts/` to be vendored INTO each calling repo. That worked for the repos that copied the directory in, but broke on the ones that didn't: - molecule-ai-org-template-medo-smoke - molecule-ai-org-template-molecule-worker-gemini - molecule-ai-org-template-reno-stars - molecule-ai-plugin-molecule-compliance - molecule-ai-plugin-molecule-freeze-scope - molecule-ai-plugin-molecule-prompt-watchdog Surfaced when the secret-scan rollout PRs hit those repos and the required validate check failed on missing `.molecule-ci/scripts/requirements.txt`. Mirror the same fix already in validate-workspace-template.yml: a second `actions/checkout@v4` of molecule-ci into `.molecule-ci-canonical/`, with script paths re-pointed accordingly. Single source of truth — callers never need to vendor or sync. Also adds `.molecule-ci-canonical` to the secret-scan SKIP_DIRS so the side-checked-out tree doesn't get walked. Callers can drop their vendored `.molecule-ci/scripts/` copies in a follow-up cleanup. Both shapes work after this PR — the vendored copy is harmless dead weight, not a conflict. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-04-29 01:56:25 -07:00
.github/workflows	fix(validate): fetch validator scripts from molecule-ci instead of expecting them in caller	2026-04-29 01:56:25 -07:00
.molecule-ci/scripts	fix(validator): address post-merge review findings on #17 + #18 (#19 )	2026-04-28 12:17:44 -07:00
docs	feat(validate-workspace-template): strict drift gate + canonical-fetch workflow	2026-04-27 14:50:55 -07:00
scripts	fix(validator): handle abstract intermediates + class-aliasing + lock GITHUB_TOKEN scope (#21 )	2026-04-28 12:27:09 -07:00
.gitignore	chore: remove accidentally-committed __pycache__ + gitignore Python caches (#20 )	2026-04-28 12:18:46 -07:00
README.md	docs: add disable-auto-merge-on-push to README (#11 )	2026-04-27 06:46:40 -07:00

README.md

molecule-ci

Shared CI workflows for the Molecule AI ecosystem. Every plugin, workspace template, and org template repo calls these reusable workflows to enforce a standard validation gate.

Usage

Plugin repos (`molecule-ai-plugin-*`)

# .github/workflows/ci.yml
name: CI
on: [push, pull_request]
jobs:
  validate:
    uses: Molecule-AI/molecule-ci/.github/workflows/validate-plugin.yml@main

Workspace template repos (`molecule-ai-workspace-template-*`)

# .github/workflows/ci.yml
name: CI
on: [push, pull_request]
jobs:
  validate:
    uses: Molecule-AI/molecule-ci/.github/workflows/validate-workspace-template.yml@main

Org template repos (`molecule-ai-org-template-*`)

# .github/workflows/ci.yml
name: CI
on: [push, pull_request]
jobs:
  validate:
    uses: Molecule-AI/molecule-ci/.github/workflows/validate-org-template.yml@main

Any repo with auto-merge enabled

PR-time guards (currently: disable auto-merge on follow-up push). Consume from a thin caller:

# .github/workflows/pr-guards.yml
name: pr-guards
on:
  pull_request:
    types: [synchronize]
permissions:
  pull-requests: write
jobs:
  disable-auto-merge-on-push:
    uses: Molecule-AI/molecule-ci/.github/workflows/disable-auto-merge-on-push.yml@main

When the team lands more PR-time guards in this repo, add them as additional jobs in the same caller — keeps each consuming repo's footprint to one file.

What each workflow validates

validate-plugin

Check	Severity	What it catches
`plugin.yaml` exists	Error	Missing manifest
Required fields (name, version, description)	Error	Incomplete plugin
Has content (SKILL.md, hooks/, skills/, or rules/)	Error	Empty plugin
SKILL.md starts with heading	Warning	Bad formatting
No committed secrets	Error	Leaked API keys
No build artifacts	Error	node_modules, pycache

validate-workspace-template

Check	Severity	What it catches
`config.yaml` exists	Error	Missing config
Required fields (name, runtime)	Error	Incomplete template
`template_schema_version: 1`	Error	Missing version contract
Known runtime check	Warning	Typo in runtime name
`adapter.py` imports molecule_runtime	Warning	Legacy imports
Dockerfile builds	Error	Broken image
molecule-ai-workspace-runtime dependency	Warning	Missing base package
No committed secrets	Error	Leaked API keys

validate-org-template

Check	Severity	What it catches
`org.yaml` exists	Error	Missing org definition
Required fields (name)	Error	Incomplete template
Workspace structure valid	Error	Malformed hierarchy
`files_dir` references exist	Warning	Broken system-prompt paths
`template_schema_version` present	Warning	Missing version contract
No committed secrets	Error	Leaked API keys

disable-auto-merge-on-push

PR-time safety guard. When pull_request:synchronize fires (= a new commit pushed to an open PR) and auto-merge is already enabled, this workflow disables auto-merge and posts a comment requiring the operator to re-engage explicitly.

Why it exists: on 2026-04-27, molecule-core PR #2174 auto-merged with only its first commit because the second commit was pushed AFTER the merge queue had locked the PR's SHA. The second commit ended up orphaned on a merged-and-deleted branch.

Pairs with the org-wide repo setting "Automatically delete head branches" (already enabled on all 10 Molecule-AI repos). Defense in depth:

Repo setting blocks pushes to a merged-and-deleted branch (catches the post-merge orphan case).
This workflow catches the in-queue race (push during queue processing) by force-disabling auto-merge.

Together they cover the full lifecycle of "auto-merge enabled → new commits arrive" without operator discipline.

False-positive note: if a CI bot pushes (dependency update, secret rotation), this also disables auto-merge. That's intentional — the operator who originally enabled auto-merge gets notified and re-engages, which is exactly the verify-after-machine-edits behavior we want.