From 1719534bf34fceef5276cc7c99f1ffbcd2ba026a Mon Sep 17 00:00:00 2001 From: Molecule AI Core-DevOps Date: Tue, 12 May 2026 04:09:44 +0000 Subject: [PATCH] =?UTF-8?q?fix(ci):=20RFC=20internal#219=20Phase=204=20?= =?UTF-8?q?=E2=80=94=20all-required=20sentinel=20enforced,=20stable=20jobs?= =?UTF-8?q?=20hard-fail?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Phase 4 of the force-merge protection fix (internal#219 §2). Changes: - audit-force-merge.yml REQUIRED_CHECKS: add CI / all-required (pull_request) — closes the audit gap; force-merge audit now checks ci/all-required. - ci.yml: flip continue-on-error: false on stable jobs (changes, platform-build, canvas-build, shellcheck, python-lint) — confirmed green on main 2026-05-12 combined-status check. The all-required sentinel (continue-on-error: true) will be flipped once branch protection PATCH lands (Owner-tier, delegated separately). NOT included in this PR (separate Owner-tier action required): - Branch protection PATCH: add ci/all-required as required check on main. Needed to make the sentinel actually block merges. Delegate to Core Platform Lead. Refs: molecule-core#622, molecule-core#623 --- .gitea/workflows/audit-force-merge.yml | 1 + .gitea/workflows/ci.yml | 22 ++++++++++++++-------- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml index b625a3bd..dfa5ddbf 100644 --- a/.gitea/workflows/audit-force-merge.yml +++ b/.gitea/workflows/audit-force-merge.yml @@ -85,4 +85,5 @@ jobs: REQUIRED_CHECKS: | Secret scan / Scan diff for credential-shaped strings (pull_request) sop-tier-check / tier-check (pull_request) + CI / all-required (pull_request) run: bash .gitea/scripts/audit-force-merge.sh diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 198e4bc6..fe53a9de 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -70,10 +70,12 @@ jobs: changes: name: Detect changes runs-on: ubuntu-latest - # Phase 3 (RFC #219 §1): surface broken workflows without blocking - # the PR. Follow-up PR flips this off after the surfaced defects - # (if any) are triaged. - continue-on-error: true + # Phase 4 (RFC #219 §1): all required jobs >=98% green on main. + # Flip confirmed 2026-05-12 via combined-status check of latest main + # commit (all CI jobs green). `all-required` sentinel hard-fails + # when this job fails; no Phase 3 suppression needed. + # revert: add `continue-on-error: true` back if regressions appear. + continue-on-error: false outputs: platform: ${{ steps.check.outputs.platform }} canvas: ${{ steps.check.outputs.canvas }} @@ -124,7 +126,8 @@ jobs: name: Platform (Go) needs: changes runs-on: ubuntu-latest - continue-on-error: true + # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12. + continue-on-error: false defaults: run: working-directory: workspace-server @@ -271,7 +274,8 @@ jobs: name: Canvas (Next.js) needs: changes runs-on: ubuntu-latest - continue-on-error: true + # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12. + continue-on-error: false defaults: run: working-directory: canvas @@ -317,7 +321,8 @@ jobs: name: Shellcheck (E2E scripts) needs: changes runs-on: ubuntu-latest - continue-on-error: true + # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12. + continue-on-error: false steps: - if: needs.changes.outputs.scripts != 'true' run: echo "No tests/e2e/ or infra/scripts/ changes — skipping real shellcheck; this job always runs to satisfy the required-check name on branch protection." @@ -392,7 +397,8 @@ jobs: name: Python Lint & Test needs: changes runs-on: ubuntu-latest - continue-on-error: true + # Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12. + continue-on-error: false env: WORKSPACE_ID: test defaults: