From 67840629ebfb1165b4cd238abe2d1b4bb02f0679 Mon Sep 17 00:00:00 2001
From: hongming-pc2
Date: Sat, 9 May 2026 23:55:20 -0700
Subject: [PATCH 1/2] fix(internal#214): refresh go.sum for the go.moleculesai.app/plugin/gh-identity vanity path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
go.sum still carried the pre-suspension github.com/Molecule-AI/molecule-ai-plugin-gh-identity entries while go.mod requires go.moleculesai.app/plugin/gh-identity — so `go build` failed with 'missing go.sum entry'. With the go.moleculesai.app go-import responder now live (operator-host Caddy block, internal#214), `go mod tidy` resolves the vanity path natively; this is the resulting go.sum (no replace directive, no go.mod change beyond the tidy). Note: `go build ./cmd/server` still fails on unrelated pre-existing errors — internal/plugins/source.go vs drift_sweeper.go SourceResolver redeclaration (#123) and internal/router/router.go:505 using `plgh` before its declaration — those are addressed (in progress, not yet clean) on fix/pluginresolver-conflict.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 workspace-server/go.mod | 2 +-
 workspace-server/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/workspace-server/go.mod b/workspace-server/go.mod
index da40c36a..ca1b7459 100644
--- a/workspace-server/go.mod
+++ b/workspace-server/go.mod
@@ -4,7 +4,6 @@ go 1.25.0
 require (
 github.com/DATA-DOG/go-sqlmock v1.5.2
- go.moleculesai.app/plugin/gh-identity v0.0.0-20260509010445-788988195fce
 github.com/alicebob/miniredis/v2 v2.37.0
 github.com/creack/pty v1.1.24
 github.com/docker/docker v28.5.2+incompatible
@@ -19,6 +18,7 @@ require (
 github.com/opencontainers/image-spec v1.1.1
 github.com/redis/go-redis/v9 v9.19.0
 github.com/robfig/cron/v3 v3.0.1
+ go.moleculesai.app/plugin/gh-identity v0.0.0-20260509010445-788988195fce
 golang.org/x/crypto v0.50.0
 gopkg.in/yaml.v3 v3.0.1
 )
diff --git a/workspace-server/go.sum b/workspace-server/go.sum index a31b0c4e..4008b4e0 100644 --- a/workspace-server/go.sum +++ b/workspace-server/go.sum @@ -4,8 +4,6 @@ github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7Oputl github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/Molecule-AI/molecule-ai-plugin-gh-identity v0.0.0-20260424033845-4fd5ac7be30f h1:YkLRhUg+9qr9OV9N8dG1Hj0Ml7TThHlRwh5F//oUJVs= -github.com/Molecule-AI/molecule-ai-plugin-gh-identity v0.0.0-20260424033845-4fd5ac7be30f/go.mod h1:NqdtlWZDJvpXNJRHnMkPhTKHdA1LZTNH+63TB66JSOU= github.com/alicebob/miniredis/v2 v2.37.0 h1:RheObYW32G1aiJIj81XVt78ZHJpHonHLHW7OLIshq68= github.com/alicebob/miniredis/v2 v2.37.0/go.mod h1:TcL7YfarKPGDAthEtl5NBeHZfeUQj6OXMm/+iu5cLMM= github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs= @@ -154,6 +152,8 @@ github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= github.com/zeebo/xxh3 v1.1.0 h1:s7DLGDK45Dyfg7++yxI0khrfwq9661w9EN78eP/UZVs= github.com/zeebo/xxh3 v1.1.0/go.mod h1:IisAie1LELR4xhVinxWS5+zf1lA4p0MW4T+w+W07F5s= +go.moleculesai.app/plugin/gh-identity v0.0.0-20260509010445-788988195fce h1:ftm0ba0ukLlfqeFes+/jWnXH8XULXmRpMy3fOCZ83/U= +go.moleculesai.app/plugin/gh-identity v0.0.0-20260509010445-788988195fce/go.mod h1:0aAqoDle2V7Cywso94MXdv1DH/HEe/0oZmcbqWYMK7g= go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE= go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= 
From 03689e3d9af93e13ce9d38f07e99d71ecea72665 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Sun, 10 May 2026 07:55:39 +0000
Subject: [PATCH 2/2] ci: pin GitHub Actions by SHA instead of mutable tags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- actions/checkout@v6 → @de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2) in secret-pattern-drift.yml - pypa/gh-action-pypi-publish@release/v1 → @cef221092ed1bacb1cc03d23a2d87d1d172e277b in publish-runtime.yml Mutable action tags (e.g. @v6, @release/v1) can silently resolve to different code over time, creating supply-chain risk. SHA-pinning ensures the exact commit runs every time. Workspace Dockerfile was already compliant (python:3.11-slim@sha256:...).
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/publish-runtime.yml | 2 +-
 .github/workflows/secret-pattern-drift.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish-runtime.yml b/.github/workflows/publish-runtime.yml
index 53a19d19..6118c113 100644
--- a/.github/workflows/publish-runtime.yml
+++ b/.github/workflows/publish-runtime.yml
@@ -180,7 +180,7 @@ jobs:
 # environment pypi-publish. The action mints a short-lived OIDC
 # token and exchanges it for a PyPI upload credential — no static
 # API token in this repo's secrets.
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
 with:
 packages-dir: ${{ runner.temp }}/runtime-build/dist/
diff --git a/.github/workflows/secret-pattern-drift.yml b/.github/workflows/secret-pattern-drift.yml
index fa7fffa8..2517fea9 100644
--- a/.github/workflows/secret-pattern-drift.yml
+++ b/.github/workflows/secret-pattern-drift.yml
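Review bot: The trailing comment on the new `uses:` line in publish-runtime.yml records the branch name `release/v1`, which keeps moving, so it does not say which release the pinned commit corresponds to; the checkout pin in secret-pattern-drift.yml carries an exact tag (`# v6.0.2`) and this one should as well. Per the context comment, this step exchanges the job's OIDC token for a PyPI upload credential, so a reviewer should be able to check the SHA against a published release tag instead of taking it as given. I would write the line as `uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # vX.Y.Z`, where `vX.Y.Z` is a placeholder for the tag the SHA was verified against (the commit does not state it). An exact-version comment is also what update tooling such as Dependabot or Renovate typically keys on when bumping pinned actions, which matters because a SHA pin no longer picks up upstream fixes by itself. The step this line belongs to starts above the hunk.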
@@ -48,7 +48,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with: