fix(ci): ci-required-drift uses scoped mc-drift-bot token (mirrors controlplane)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 27s
CI / Detect changes (pull_request) Successful in 1m39s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m29s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 21s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m29s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m27s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m19s
gate-check-v3 / gate-check (pull_request) Successful in 33s
qa-review / approved (pull_request) Failing after 27s
sop-tier-check / tier-check (pull_request) Successful in 27s
security-review / approved (pull_request) Failing after 36s
CI / Platform (Go) (pull_request) Successful in 17s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 26s
CI / Canvas (Next.js) (pull_request) Successful in 28s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 16s
CI / Python Lint & Test (pull_request) Successful in 23s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 11s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s
audit-force-merge / audit (pull_request) Successful in 21s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 6s
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 27s
CI / Detect changes (pull_request) Successful in 1m39s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m29s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 21s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m29s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m27s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m19s
gate-check-v3 / gate-check (pull_request) Successful in 33s
qa-review / approved (pull_request) Failing after 27s
sop-tier-check / tier-check (pull_request) Successful in 27s
security-review / approved (pull_request) Failing after 36s
CI / Platform (Go) (pull_request) Successful in 17s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 26s
CI / Canvas (Next.js) (pull_request) Successful in 28s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 16s
CI / Python Lint & Test (pull_request) Successful in 23s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 11s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s
audit-force-merge / audit (pull_request) Successful in 21s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 6s
Companion to molecule-controlplane PR#134. The `ci-required-drift`
detector calls GET /repos/{owner}/{repo}/branch_protections/{branch},
which Gitea 1.22.6 gates behind the repo-ADMIN role. The previous
fallback chain (`secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN`)
had only read or write — neither admin — so drift runs would 403.
Switch to `secrets.DRIFT_BOT_TOKEN`, owned by the new least-privilege
`mc-drift-bot` persona (team: drift-bot, permission: admin, scope:
read:repository,write:issue,read:organization, repos: this + CP).
Note: this repo's drift detector additionally requires the
`all-required` sentinel job in ci.yml, which is being added in PR#553.
After both PRs merge the drift workflow will be fully green.
Audit trail in internal#329. Sibling pattern: internal#327
(publish-runtime-bot). Per feedback_per_agent_gitea_identity_default.
This commit is contained in:
parent
9558b7d8fb
commit
02aed70291
@ -77,13 +77,18 @@ jobs:
|
||||
run: python -m pip install --quiet 'PyYAML==6.0.2'
|
||||
- name: Run drift detector
|
||||
env:
|
||||
# GITEA_TOKEN reads protection + writes issues. molecule-core
|
||||
# uses `SOP_TIER_CHECK_TOKEN` as the org-level secret name for
|
||||
# read-only Gitea API access from CI (set by audit-force-merge
|
||||
# and sop-tier-check too). Falls back to the auto-injected
|
||||
# GITHUB_TOKEN if the org-level secret isn't set
|
||||
# (transitional repos).
|
||||
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
# DRIFT_BOT_TOKEN is owned by mc-drift-bot, a least-privilege
|
||||
# Gitea persona whose ONLY job is reading branch_protections
|
||||
# and posting the [ci-drift] tracking issue. The endpoint
|
||||
# `GET /repos/.../branch_protections/{branch}` requires
|
||||
# repo-ADMIN role (Gitea 1.22.6) — SOP_TIER_CHECK_TOKEN and the
|
||||
# auto-injected GITHUB_TOKEN do NOT have it (read-only / write
|
||||
# without admin), so the previous fallback chain 403'd.
|
||||
# Mirrors the controlplane fix landed in CP PR#134.
|
||||
# Provisioning trail: internal#329 (audit) + parent pattern
|
||||
# internal#327 (publish-runtime-bot). Per
|
||||
# `feedback_per_agent_gitea_identity_default`.
|
||||
GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
# Branches whose protection we compare against. molecule-core
|
||||
|
||||
Loading…
Reference in New Issue
Block a user