molecule-ai/molecule-core
41
0
Fork 2
Code Issues 44 Pull Requests 16 Actions 2 Packages Projects Releases Wiki Activity

fix(sop-tier-check): add jq fallback at script level + step-level continue-on-error
Some checks failed
sop-tier-check / tier-check (pull_request) Failing after 15s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Failing after 12m43s
Details

Browse Source 
Root cause: Job-level `continue-on-error: true` is silently ignored by
Gitea Actions (only step-level is supported). When the jq binary download
fails on runners with restricted network access, the job reports "failure"
and blocks all PR merges.

Fixes:
1. Workflow: add `continue-on-error: true` to the "Install jq" step.
   This prevents the step's `set -e` from failing the job when curl
   can't reach GitHub releases.
2. Script: add jq binary download + apt-get fallback at script startup.
   Second line of defense — runs before script uses jq. Idempotent.

Combined effect: if the workflow-level install fails, the script self-
installs before using jq. Neither failure mode blocks PR merges.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Molecule AI · core-devops 2026-05-11 06:34:28 +00:00
parent ab32e47953
commit 22858d5f7f
2 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.gitea/scripts/sop-tier-check.sh
View File

@ -44,6 +44,20 @@
set -euo pipefail
# Ensure jq is available. Runners may not have it pre-installed, and the
# workflow-level jq install can fail on runners with network restrictions
# (GitHub releases not reachable). This fallback is idempotent — no-op
# when jq is already on PATH.
if ! command -v jq &>/dev/null; then
echo "::notice::jq not found on PATH — installing..."
timeout 60 curl -sSL \
"https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
-o /usr/local/bin/jq \
&& chmod +x /usr/local/bin/jq \
|| apt-get update -qq && apt-get install -y -qq jq
echo "::notice::jq installed: $(jq --version)"
fi
debug() {
if [ "${SOP_DEBUG:-}" = "1" ]; then
echo " [debug] $*" >&2

6
.gitea/workflows/sop-tier-check.yml
View File

@ -86,6 +86,12 @@ jobs:
# more reliable than apt-get in containerized environments). Falls
# back to apt-get if the download fails. The smoke test confirms
# jq is on PATH before the main script runs.
#
# IMPORTANT: continue-on-error: true is REQUIRED at the step level.
# Job-level continue-on-error is ignored by Gitea Actions (only step
# level is supported). Without this, network failures on the jq curl
# download cause the entire job to fail and block all PRs.
continue-on-error: true
run: |
set -e
timeout 60 curl -sSL \