From 796201e09f684fad8544a355ba6794e3de565298 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps <core-devops@agents.moleculesai.app>
Date: Sun, 10 May 2026 01:11:45 +0000
Subject: [PATCH 1/2] fix(ci): replace dorny/paths-filter with shell-based git
 diff (Gitea Actions compatibility)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

dorny/paths-filter is GitHub-Actions-only and does not work correctly on
Gitea Actions — it silently returns no file changes regardless of what
files were modified, causing the harness-replays workflow to silently
skip on Gitea even when workspace-server/** or canvas/** files change.

Verified: zero harness-replays statuses on PR #188 and #168 (both changed
workspace-server files) vs GitHub Actions where the same workflow
correctly detects changes.

Replace with a shell-based approach that uses:
- github.event.pull_request.base.sha  (Gitea + GitHub: merge-base for PRs)
- github.event.before                (Gitea + GitHub: previous tip for pushes)
- git diff --name-only <BASE> github.sha (portable git, works on both platforms)

Also adds detect-changes.debug output so future no-op passes show WHY
the workflow decided to skip, and the first real run on Gitea will
confirm the diff detection is working.

Closes #141 (followup: root-cause fix still TBD — failure logs
inaccessible via Gitea Actions API).
---
 .github/workflows/harness-replays.yml | 46 +++++++++++++++++++++------
 1 file changed, 36 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/harness-replays.yml b/.github/workflows/harness-replays.yml
index 23681ff7..ab247f7e 100644
--- a/.github/workflows/harness-replays.yml
+++ b/.github/workflows/harness-replays.yml
@@ -56,21 +56,40 @@ jobs:
       run: ${{ steps.decide.outputs.run }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
-        id: filter
-        with:
-          filters: |
-            run:
-              - 'workspace-server/**'
-              - 'canvas/**'
-              - 'tests/harness/**'
-              - '.github/workflows/harness-replays.yml'
       - id: decide
         run: |
+          # workflow_dispatch: always run (manual trigger)
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
             echo "run=true" >> "$GITHUB_OUTPUT"
+            echo "debug=manual-trigger" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Determine the base commit to diff against.
+          # For pull_request: use base.sha (the merge-base with main/staging).
+          # For push: use github.event.before (the previous tip of the branch).
+          # Fallback for new branches (all-zeros SHA): run everything.
+          if [ "${{ github.event_name }}" = "pull_request" ] && \
+             [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            BASE="${{ github.event.pull_request.base.sha }}"
+          elif [ -n "${{ github.event.before }}" ] && \
+               ! echo "${{ github.event.before }}" | grep -qE '^0+$'; then
+            BASE="${{ github.event.before }}"
           else
-            echo "run=${{ steps.filter.outputs.run }}" >> "$GITHUB_OUTPUT"
+            # New branch or github.event.before unavailable — run everything.
+            echo "run=true" >> "$GITHUB_OUTPUT"
+            echo "debug=new-branch-fallback" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # GitHub Actions and Gitea Actions both expose github.sha for HEAD.
+          DIFF=$(git diff --name-only "$BASE" "${{ github.sha }}" 2>/dev/null)
+          echo "debug=diff-base=$BASE diff-files=$DIFF" >> "$GITHUB_OUTPUT"
+
+          if echo "$DIFF" | grep -qE '^workspace-server/|^canvas/|^tests/harness/|^.github/workflows/harness-replays\.yml$'; then
+            echo "run=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "run=false" >> "$GITHUB_OUTPUT"
           fi
 
   # ONE job that always runs. Real work is gated per-step on
@@ -91,10 +110,17 @@ jobs:
         run: |
           echo "No workspace-server / canvas / tests/harness / workflow changes — Harness Replays gate satisfied without running."
           echo "::notice::Harness Replays no-op pass (paths filter excluded this commit)."
+          echo "::notice::Debug: ${{ needs.detect-changes.outputs.debug }}"
 
       - if: needs.detect-changes.outputs.run == 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      # Log what files were detected so future failures include the diff.
+      - name: Log detected changes
+        if: needs.detect-changes.outputs.run == 'true'
+        run: |
+          echo "::notice::detect-changes debug: ${{ needs.detect-changes.outputs.debug }}"
+
       # github-app-auth sibling-checkout removed 2026-05-07 (#157):
       # the plugin was dropped + Dockerfile.tenant no longer COPYs it.
 

From 9c35057c985542b29109286a6a6fc9bf722a59e9 Mon Sep 17 00:00:00 2001
From: Molecule AI Core Platform Lead
 <core-platform-lead@agents.moleculesai.app>
Date: Sun, 10 May 2026 01:18:14 +0000
Subject: [PATCH 2/2] trigger