chore(manifest): drop reno-stars + 5 org-templates flipped public; document OSS-surface contract
All checks were successful
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 1s
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 1s
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 1s
pr-guards / disable-auto-merge-on-push (pull_request) Successful in 4s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
cascade-list-drift-gate / check (pull_request) Successful in 7s
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 7s
branch-protection drift check / Branch protection drift (pull_request) Successful in 11s
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 10s
CI / Detect changes (pull_request) Successful in 11s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 10s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 10s
Harness Replays / detect-changes (pull_request) Successful in 10s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 10s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
CI / Platform (Go) (pull_request) Successful in 2s
CI / Python Lint & Test (pull_request) Successful in 4s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 36s
Harness Replays / Harness Replays (pull_request) Successful in 49s
CI / Canvas (Next.js) (pull_request) Successful in 1m31s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Follow-up to the workspace-template visibility flip in 558e4fee. After flipping the 5 private workspace-templates public (#192 root cause), the harness-replays clone moved one step deeper to the org-templates list, where 6 of 7 were also private.

Hongming-confirmed flip plan:

- 5 of 6 (molecule-dev, free-beats-all, medo-smoke, molecule-worker-gemini, ux-ab-lab) — flipped public per `feedback_oss_first_repo_visibility_default`. These are unambiguously OSS-template-shape: generic README, no customer-shaped names, no creds in content.
- 1 of 6 (reno-stars) — name itself is customer-shaped (would expose customer/tenant identity). Kept private; removed from manifest.json per Hongming. Will be handled at provision-time via the per-tenant credential resolver designed in internal#102 (Layer-3 RFC).

Documents the OSS-surface contract in two places:

- manifest.json _comment: every entry MUST be public; Layer-3 lives elsewhere
- clone-manifest.sh comment block: rationale + the explicit ci-readonly team-grant escape hatch (review-gated, not default).

Closes the second clone-fail layer of #192. Combined with 558e4fee + the workspace-template visibility flips, the Pre-clone manifest deps step should now succeed anonymously for the full registered set.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
558e4fee48
commit
15935143c8
@ -1,5 +1,5 @@
|
|||||||
{
|
{
|
||||||
"_comment": "Pin refs to release tags for reproducible builds. 'main' is OK while all repos are internal.",
|
"_comment": "OSS surface registry — every repo listed here MUST be public on git.moleculesai.app. Layer-3 customer/private templates are NOT registered here; they are handled at provision-time via the per-tenant credential resolver (see internal#102 RFC). 'main' refs are pinned to tags before broad rollout.",
|
||||||
"version": 1,
|
"version": 1,
|
||||||
"plugins": [
|
"plugins": [
|
||||||
{"name": "browser-automation", "repo": "molecule-ai/molecule-ai-plugin-browser-automation", "ref": "main"},
|
{"name": "browser-automation", "repo": "molecule-ai/molecule-ai-plugin-browser-automation", "ref": "main"},
|
||||||
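Review bot: the "every repo listed here MUST be public" contract in the new `_comment` is enforced only by prose; nothing in this hunk fails the build if a private entry is registered later, so the #192 clone failure can recur silently the next time someone adds a template. Suggest pairing the comment with a gate in the style of the existing drift checks (cascade-list-drift-gate, branch-protection drift) that resolves each manifest entry's visibility via the Gitea API and fails on any private repo, or at minimum an anonymous `git ls-remote` against every entry in CI. Separately, the comment now says `'main' refs are pinned to tags before broad rollout` while every entry in the file still reads `"ref": "main"`; the old comment's justification for floating refs ("OK while all repos are internal") no longer holds once the repos are public and their contents are COPY'd into a Docker image, so a mutable branch ref is now a supply-chain pin worth replacing with a tag or commit SHA before, not after, the rollout.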
@ -40,7 +40,6 @@
|
|||||||
{"name": "free-beats-all", "repo": "molecule-ai/molecule-ai-org-template-free-beats-all", "ref": "main"},
|
{"name": "free-beats-all", "repo": "molecule-ai/molecule-ai-org-template-free-beats-all", "ref": "main"},
|
||||||
{"name": "medo-smoke", "repo": "molecule-ai/molecule-ai-org-template-medo-smoke", "ref": "main"},
|
{"name": "medo-smoke", "repo": "molecule-ai/molecule-ai-org-template-medo-smoke", "ref": "main"},
|
||||||
{"name": "molecule-worker-gemini", "repo": "molecule-ai/molecule-ai-org-template-molecule-worker-gemini", "ref": "main"},
|
{"name": "molecule-worker-gemini", "repo": "molecule-ai/molecule-ai-org-template-molecule-worker-gemini", "ref": "main"},
|
||||||
{"name": "reno-stars", "repo": "molecule-ai/molecule-ai-org-template-reno-stars", "ref": "main"},
|
|
||||||
{"name": "ux-ab-lab", "repo": "molecule-ai/molecule-ai-org-template-ux-ab-lab", "ref": "main"},
|
{"name": "ux-ab-lab", "repo": "molecule-ai/molecule-ai-org-template-ux-ab-lab", "ref": "main"},
|
||||||
{"name": "mock-bigorg", "repo": "molecule-ai/molecule-ai-org-template-mock-bigorg", "ref": "main"}
|
{"name": "mock-bigorg", "repo": "molecule-ai/molecule-ai-org-template-mock-bigorg", "ref": "main"}
|
||||||
]
|
]
|
||||||
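Review bot: the `reno-stars` entry is dropped with no in-file marker that a Layer-3 template was deliberately excluded, so a later contributor comparing the org's org-template-* repos against manifest.json will see a missing entry and may re-add it, reintroducing both the private-clone failure and the name exposure the commit message is trying to avoid. Suggest recording the exclusion in a way that cannot leak the name: a count in the `_comment` (the commit message's "1 of 7 is Layer-3, resolved per-tenant via internal#102") plus a visibility gate that rejects any entry whose repo is private, rather than relying on the name being remembered. Also worth confirming that nothing downstream still looks up "reno-stars" by manifest name, since the internal#102 resolver is referenced here as the intended path but is not yet wired in this change.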
|
|||||||
@ -8,27 +8,24 @@
|
|||||||
# Requires: git, jq (lighter than python3 — ~2MB vs ~50MB in Alpine)
|
# Requires: git, jq (lighter than python3 — ~2MB vs ~50MB in Alpine)
|
||||||
#
|
#
|
||||||
# Auth (optional):
|
# Auth (optional):
|
||||||
# When MOLECULE_GITEA_TOKEN is set, embed it as the basic-auth password so
|
# Post-2026-05-08 (#192): every repo in manifest.json is public on
|
||||||
# private Gitea repos clone successfully. When unset, clone anonymously
|
# git.moleculesai.app. Anonymous clone works for the entire registered
|
||||||
# (works only for repos that are public on git.moleculesai.app).
|
# set. The OSS-surface contract is recorded in manifest.json's _comment
|
||||||
|
# — Layer-3 customer/private templates (e.g. reno-stars) are NOT in the
|
||||||
|
# manifest; they are handled at provision-time via the per-tenant
|
||||||
|
# credential resolver (internal#102 RFC).
|
||||||
#
|
#
|
||||||
# This is the path the publish-workspace-server-image.yml workflow uses:
|
# MOLECULE_GITEA_TOKEN is therefore optional today. Kept supported for
|
||||||
# it injects AUTO_SYNC_TOKEN (devops-engineer persona PAT, repo:read on
|
# two reasons: (a) historical CI configs that still inject
|
||||||
# the molecule-ai org) so the in-CI pre-clone step succeeds for ALL
|
# AUTO_SYNC_TOKEN remain harmless, (b) reserved for the case where a
|
||||||
# manifest entries — including the 5 private workspace-template-* repos
|
# private internal-only template is later registered via a ci-readonly
|
||||||
# (codex, crewai, deepagents, gemini-cli, langgraph) and all 7
|
# team grant — review must explicitly sign off on that, since it
|
||||||
# org-template-* repos.
|
# violates the public-OSS-surface contract.
|
||||||
#
|
#
|
||||||
# The token never enters the Docker image: this script runs in the
|
# The token (when set) never enters the Docker image: this script runs
|
||||||
# trusted CI context BEFORE `docker buildx build`, populates
|
# in the trusted CI context BEFORE `docker buildx build`, populates
|
||||||
# .tenant-bundle-deps/, then `Dockerfile.tenant` COPYs from there with
|
# .tenant-bundle-deps/, then `Dockerfile.tenant` COPYs from there with
|
||||||
# the .git directories already stripped (see line ~67 below).
|
# the .git directories already stripped (see line ~67 below).
|
||||||
#
|
|
||||||
# For backward compatibility — and so a fresh clone works without
|
|
||||||
# secrets when (eventually) the workspace-template-* repos flip public —
|
|
||||||
# the unset path remains a plain anonymous HTTPS clone. That path will
|
|
||||||
# FAIL with "could not read Username" on private repos today; CI MUST
|
|
||||||
# set MOLECULE_GITEA_TOKEN.
|
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
|
|||||||
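Review bot: the new comment block names `reno-stars` (the `# — Layer-3 customer/private templates (e.g. reno-stars) are NOT in the` line), which undercuts the stated reason for pulling it from manifest.json: the commit message says the name itself is customer-shaped and would expose tenant identity, and this script sits beside the manifest, so the name is still visible to anyone who can read the repo. Suggest replacing the example with a neutral phrase ("e.g. a per-tenant template") and leaving the concrete name to the internal#102 RFC. Two smaller points: the hunk header shrinks the block from 27 to 24 lines but `(see line ~67 below)` is kept unchanged, so the pointer has drifted by three lines and would be better expressed as the step it refers to (the `.git` stripping) than as a line number; and dropping the old `could not read Username` note removes the only documented symptom of an anonymous clone hitting a private repo, which is exactly the signal a future reviewer of the ci-readonly escape hatch will need, so consider keeping one line describing that failure mode or adding an explicit pre-flight `git ls-remote` that fails with a clear message.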