Files
molecule-core/.gitea/workflows/e2e-external-connect-snippet.yml
T
hongming 36c6a45da8
Block integration-tester contamination artifacts / Block staging-trigger / invalid manifest contamination (pull_request) Successful in 6s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 5s
Concierge Creates Workspace Hermetic / Concierge Creates Workspace Hermetic (pull_request) Successful in 11s
E2E External Connect-Snippet + Leak-Lint / E2E External Connect-Snippet + Leak-Lint (pull_request) Successful in 14s
CI / Detect changes (pull_request) Successful in 22s
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 12s
Harness Replays / detect-changes (pull_request) Successful in 7s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s
E2E API Smoke Test / detect-changes (pull_request) Successful in 30s
E2E Chat / detect-changes (pull_request) Successful in 31s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 23s
lint-bp-context-emit-match / lint-bp-context-emit-match (pull_request) Successful in 17s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 5s
Lint forbidden hand-written mcp__ tool-id literals / Scan for hand-written mcp__ tool-id literals (pull_request) Successful in 5s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 6s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 23s
Lint publish-runner timeout-minutes / Lint publish-runner timeout-minutes (pull_request) Successful in 12s
lint-no-coe-on-required / lint-no-coe-on-required (pull_request) Successful in 15s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 14s
Lint schedule budget / Zero-cron ratchet (pull_request) Successful in 16s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 25s
lint-setup-go-cache / lint-setup-go-cache (pull_request) Successful in 16s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 17s
lint-staging-tenant-cd-gate-chain / lint-staging-tenant-cd-gate-chain (pull_request) Successful in 19s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 31s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
nodup-lint / no-duplication (pull_request) Successful in 13s
PR Diff Guard / PR diff guard (pull_request) Successful in 18s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s
CI / Canvas (Next.js) (pull_request) Successful in 4s
template-delivery-e2e / detect-changes (pull_request) Successful in 17s
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 5s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 33s
E2E Chat / E2E Chat (pull_request) Successful in 5s
CI / Canvas Deploy Status (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
template-delivery-e2e / Template-asset delivery (fresh seo-agent — config+prompts via asset channel, seo-all via plugin reconcile) (pull_request) Successful in 3s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 17s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Successful in 29s
Harness Replays / Harness Replays (pull_request) Successful in 1m13s
sop-checklist / review-refire (pull_request_target) Has been skipped
sop-checklist / all-items-acked (pull_request) ack advisory until agent-team — would be failure: acked: 0/9 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +6 — body-
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 5s
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 7s
security-review / approved (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_review) Successful in 7s
security-review / approved (pull_request_review) Successful in 8s
gate-check-v3 / gate-check (pull_request_target) Successful in 10s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m16s
gitea-merge-queue / queue (pull_request_review) Successful in 40s
CI / Platform (Go) (pull_request) Successful in 4m28s
CI / all-required (pull_request) Successful in 6s
audit-force-merge / audit (pull_request_target) Successful in 6s
ci-required-drift / drift (pull_request) Waiting to run
ci(bp): add bp-required directive to the connect-snippet leak gate (#3469)
lint_required_context_exists_in_bp (Tier 2g) flagged the new connect-snippet-e2e
emitter as having no BP directive. It is a real merge-blocking gate
(continue-on-error: false); main's ["*"] wildcard already enforces it, but the
lint still checks literal status_check_contexts membership. Per the established
convention (cf. #1142/#3081/#3285) add `# bp-required: pending #3469` directly
above the job key; #3469 tracks the literal BP enrollment (or teaching the lint
the "*" wildcard).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-06 00:52:47 -07:00

98 lines
4.1 KiB
YAML

name: E2E External Connect-Snippet + Leak-Lint
# Per-PR CI-E2E lane for the "Connect your external agent" flow + the
# class-level internal-address leak-lint.
#
# WHY ITS OWN LANE
# The fix (molecule-controlplane #1050) makes the CP inject the PUBLIC
# tunnel URL (EXTERNAL_PLATFORM_URL / PLATFORM_URL) so the connect snippet
# the workspace-server returns is the public https://<slug>.moleculesai.app,
# never the in-box host.docker.internal published-port address. #1050 added
# CP-side unit tests; this lane adds the CORE-side, end-to-end guard the
# principal asked for:
# • a hermetic E2E that drives the REAL connect-snippet endpoint
# (GET /workspaces/:id/external/connection) with the EXACT env the CP
# injects and asserts platform_url / registry_endpoint /
# heartbeat_endpoint are public HTTPS with NO host.docker.internal /
# 127.0.0.1 / localhost / raw :<port>
# (TestE2E_ExternalConnectSnippet_*); and
# • a class-level leak-lint that reds CI even for a NEW external endpoint
# added later — it enforces that every BuildExternalConnectionPayload
# caller sources its base from the sanitized externalPlatformURL()
# chokepoint, that no external_*.go builder hardcodes an internal
# address, and that the chokepoint never leaks under the prod env
# (TestLeakLint_*).
#
# These tests ALSO run in the required `Platform (Go)` gate (go test ./...),
# so a regression reds CI there too; this lane surfaces them as an explicit,
# fast, named status context scoped to the handlers package.
#
# SCOPE NOTE
# The guard is confined to molecule-core's EXTERNAL-facing handlers. The
# legit in-box host.docker.internal lives in molecule-controlplane (the
# local_docker provisioner / resolveTenantPlatformURL) — a different repo,
# never touched here.
#
# Gitea port notes (per the .gitea/workflows house style):
# - no merge_group (no Gitea merge queue), no workflow_dispatch.inputs,
# no environment: blocks; GITHUB_SERVER_URL pinned at workflow level.
on:
push:
branches: [main, staging]
paths:
- 'workspace-server/internal/handlers/**'
- '.gitea/workflows/e2e-external-connect-snippet.yml'
pull_request:
branches: [main, staging]
paths:
- 'workspace-server/internal/handlers/**'
- '.gitea/workflows/e2e-external-connect-snippet.yml'
concurrency:
group: e2e-connect-snippet-${{ github.event.pull_request.head.sha || github.sha }}
cancel-in-progress: true
permissions:
contents: read
env:
GITHUB_SERVER_URL: https://git.moleculesai.app
jobs:
# Real merge-blocking connect-snippet leak gate. main's ["*"] all-green
# wildcard already enforces this context; the literal BP enrollment (or
# teaching lint_required_context_exists_in_bp.py the "*" wildcard) is #3469.
# bp-required: pending #3469
connect-snippet-e2e:
name: E2E External Connect-Snippet + Leak-Lint
runs-on: ubuntu-latest
# Real gate — a connect-snippet regression (internal address leaking into
# a customer-facing response) must fail this lane. No continue-on-error.
continue-on-error: false
timeout-minutes: 12
defaults:
run:
working-directory: workspace-server
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: 'stable'
# cache:false — the self-hosted runner bind-mounts a persistent
# GOCACHE/GOMODCACHE; actions/cache corrupts it by untarring over the
# bind mount. Same rationale as ci.yml's Platform (Go) job.
cache: false
- name: Resolve Go module deps
run: go mod download
- name: Run connect-snippet E2E + leak-lint
# Hermetic: sqlmock + miniredis + gin httptest — no live infra, no
# postgres/redis service. -run selects only this lane's tests; the rest
# of the handlers suite is exercised by the required Platform (Go) gate.
run: |
go test -count=1 -timeout 5m -v ./internal/handlers/ \
-run '^TestE2E_ExternalConnectSnippet|^TestLeakLint_'