molecule-ai/molecule-ci
35
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
35 Commits 16 Branches 1 Tag 266 KiB
Python 94.7%
Shell 5.3%
8309a55e6c
Go to file
Hongming Wang 8309a55e6c
feat(validator): runtime-load check for adapter.py contract (#17) 
Adds the third workstream of #90 (eliminate template repo drift): a
strong contract check that exercises adapter.py the same way the
runtime does at workspace boot. Without this, a template can have a
syntactically-valid Dockerfile + an adapter.py that ImportErrors at
runtime, build clean through Docker smoke, and crash on first user
prompt — exactly the human-error class #90 is meant to eliminate.

Existing checks ranked from weakest to strongest:

  1. check_adapter()         — text-grep for legacy `molecule_ai`
                                imports. Catches one specific footgun.
  2. Docker build smoke      — `docker build` succeeds. Doesn't RUN
                                the image, so adapter.py is never
                                imported. Misses every adapter-load
                                bug.
  3. (NEW) check_adapter_runtime_load — imports adapter.py via the
                                same `importlib.spec_from_file_location`
                                path the runtime uses, and asserts at
                                least one class inherits from
                                molecule_runtime.adapters.base.BaseAdapter.

Hard-error conditions:
  - adapter.py raises any exception during import (SyntaxError,
    ImportError, NameError, etc.). Same exception would crash the
    workspace at boot.
  - No class in the module inherits from BaseAdapter. The runtime's
    class-discovery silently falls through to the default langgraph
    executor in this case — exactly the silent-failure shape the
    contract is meant to catch.

Skip conditions:
  - No adapter.py exists. Templates without one inherit the default
    executor by design (policy, not drift).
  - molecule-ai-workspace-runtime not importable in the validator
    env. Warns loudly so the CI-config bug surfaces, but doesn't
    hard-fail (we'd be reporting "your adapter is broken" when the
    actual cause is missing infra).

Workflow update: validate-workspace-template.yml now installs the
template's requirements.txt before invoking the validator (or
falls back to installing molecule-ai-workspace-runtime alone if the
template has no requirements.txt). This satisfies the runtime-load
check's import dependencies the same way the workspace container
does at boot — `pip install -r requirements.txt`.

Verified locally:
  - 20/20 tests in test_validate_workspace_template.py pass
    (14 existing + 6 new).
  - Real langgraph template passes the full new validator including
    runtime-load (0 warnings, 0 errors).
  - Surveyed all 8 production templates' adapter.py shapes; every
    one already inherits from BaseAdapter, so this check turns green
    on first run with zero per-template fixups needed.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 12:02:33 -07:00
.github/workflows feat(validator): runtime-load check for adapter.py contract (#17) 2026-04-28 12:02:33 -07:00
.molecule-ci/scripts feat(validator): runtime-load check for adapter.py contract (#17) 2026-04-28 12:02:33 -07:00
docs feat(validate-workspace-template): strict drift gate + canonical-fetch workflow 2026-04-27 14:50:55 -07:00
scripts feat(validator): runtime-load check for adapter.py contract (#17) 2026-04-28 12:02:33 -07:00
.gitignore chore: gitignore credentials for molecule-ci 2026-04-16 09:18:35 -07:00
README.md docs: add disable-auto-merge-on-push to README (#11) 2026-04-27 06:46:40 -07:00

README.md

molecule-ci

Shared CI workflows for the Molecule AI ecosystem. Every plugin, workspace template, and org template repo calls these reusable workflows to enforce a standard validation gate.

Usage

Plugin repos (molecule-ai-plugin-*)

# .github/workflows/ci.yml
name: CI
on: [push, pull_request]
jobs:
  validate:
    uses: Molecule-AI/molecule-ci/.github/workflows/validate-plugin.yml@main

Workspace template repos (molecule-ai-workspace-template-*)

# .github/workflows/ci.yml
name: CI
on: [push, pull_request]
jobs:
  validate:
    uses: Molecule-AI/molecule-ci/.github/workflows/validate-workspace-template.yml@main

Org template repos (molecule-ai-org-template-*)

# .github/workflows/ci.yml
name: CI
on: [push, pull_request]
jobs:
  validate:
    uses: Molecule-AI/molecule-ci/.github/workflows/validate-org-template.yml@main

Any repo with auto-merge enabled

PR-time guards (currently: disable auto-merge on follow-up push). Consume from a thin caller:

# .github/workflows/pr-guards.yml
name: pr-guards
on:
  pull_request:
    types: [synchronize]
permissions:
  pull-requests: write
jobs:
  disable-auto-merge-on-push:
    uses: Molecule-AI/molecule-ci/.github/workflows/disable-auto-merge-on-push.yml@main

When the team lands more PR-time guards in this repo, add them as additional jobs in the same caller — keeps each consuming repo's footprint to one file.

What each workflow validates

validate-plugin

Check Severity What it catches
plugin.yaml exists Error Missing manifest
Required fields (name, version, description) Error Incomplete plugin
Has content (SKILL.md, hooks/, skills/, or rules/) Error Empty plugin
SKILL.md starts with heading Warning Bad formatting
No committed secrets Error Leaked API keys
No build artifacts Error node_modules, pycache

validate-workspace-template

Check Severity What it catches
config.yaml exists Error Missing config
Required fields (name, runtime) Error Incomplete template
template_schema_version: 1 Error Missing version contract
Known runtime check Warning Typo in runtime name
adapter.py imports molecule_runtime Warning Legacy imports
Dockerfile builds Error Broken image
molecule-ai-workspace-runtime dependency Warning Missing base package
No committed secrets Error Leaked API keys

validate-org-template

Check Severity What it catches
org.yaml exists Error Missing org definition
Required fields (name) Error Incomplete template
Workspace structure valid Error Malformed hierarchy
files_dir references exist Warning Broken system-prompt paths
template_schema_version present Warning Missing version contract
No committed secrets Error Leaked API keys

disable-auto-merge-on-push

PR-time safety guard. When pull_request:synchronize fires (= a new commit pushed to an open PR) and auto-merge is already enabled, this workflow disables auto-merge and posts a comment requiring the operator to re-engage explicitly.

Why it exists: on 2026-04-27, molecule-core PR #2174 auto-merged with only its first commit because the second commit was pushed AFTER the merge queue had locked the PR's SHA. The second commit ended up orphaned on a merged-and-deleted branch.

Pairs with the org-wide repo setting "Automatically delete head branches" (already enabled on all 10 Molecule-AI repos). Defense in depth:

  1. Repo setting blocks pushes to a merged-and-deleted branch (catches the post-merge orphan case).
  2. This workflow catches the in-queue race (push during queue processing) by force-disabling auto-merge.

Together they cover the full lifecycle of "auto-merge enabled → new commits arrive" without operator discipline.

False-positive note: if a CI bot pushes (dependency update, secret rotation), this also disables auto-merge. That's intentional — the operator who originally enabled auto-merge gets notified and re-engages, which is exactly the verify-after-machine-edits behavior we want.

License

Business Source License 1.1 — © Molecule AI.