diff --git a/.gitea/workflows/continuous-synth-e2e.yml b/.gitea/workflows/continuous-synth-e2e.yml
index f3b5ddb2..6b3c72b6 100644
--- a/.gitea/workflows/continuous-synth-e2e.yml
+++ b/.gitea/workflows/continuous-synth-e2e.yml
@@ -131,7 +131,7 @@ jobs:
 # Forced false for cron; respected for manual dispatch
 E2E_KEEP_ORG: ${{ github.event.inputs.keep_org == 'true' && '1' || '' }}
 MOLECULE_CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
- MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 # MiniMax key is the canary's PRIMARY auth path. claude-code
 # template's `minimax` provider routes ANTHROPIC_BASE_URL to
 # api.minimax.io/anthropic and reads MINIMAX_API_KEY at boot.
@@ -168,8 +168,8 @@ jobs:
 # can read the verify-secrets step's stderr — the failure is
 # itself the verification signal.
 if [ -z "${MOLECULE_ADMIN_TOKEN:-}" ]; then
- echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret missing — synth E2E cannot run"
- echo "::error::Set it at Settings → Secrets and Variables → Actions (same secret used by canary-staging.yml and all e2e-staging workflows)."
+ echo "::error::CP_STAGING_ADMIN_API_TOKEN secret missing — synth E2E cannot run"
+ echo "::error::Set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
 exit 1
 fi
diff --git a/.gitea/workflows/redeploy-tenants-on-staging.yml b/.gitea/workflows/redeploy-tenants-on-staging.yml
index b0713bf1..3f1774b5 100644
--- a/.gitea/workflows/redeploy-tenants-on-staging.yml
+++ b/.gitea/workflows/redeploy-tenants-on-staging.yml
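Review bot: The rebinding `MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}` in the first hunk of continuous-synth-e2e.yml (-131) carries no comment saying what the credential is, although the new error text in the second hunk (-168) describes it as a value pulled from staging-CP's `CP_ADMIN_API_TOKEN` env in Railway. If that is the control plane's own admin credential rather than a token minted for CI, the Gitea secret is a second copy that has to be rotated in lockstep, and a rotation on the Railway side alone will fail the scheduled run at the verify step. I would add above the env line `# Copy of staging-CP's CP_ADMIN_API_TOKEN (Railway); rotate both together.` The env block opens outside the hunk, so it is not visible whether it is job-level or step-level; if it is job-level, moving the token onto only the steps that call the control plane would limit which steps can read it.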
@@ -90,16 +90,13 @@ jobs:
 run: sleep 30
 - name: Call staging-CP redeploy-fleet
- # MOLECULE_STAGING_ADMIN_TOKEN must be set as a repo/org secret
+ # CP_STAGING_ADMIN_API_TOKEN must be set as a repo/org secret
 # on molecule-ai/molecule-core. This is the confirmed-existing
- # staging CP admin token (also used by canary-staging.yml and
- # all e2e-staging-*.yml workflows). The alternative name
- # CP_STAGING_ADMIN_API_TOKEN (per the original port comment) was
- # never populated in Gitea per issue #425 §425 audit. Using the
- # confirmed-working MOLECULE_STAGING_ADMIN_TOKEN instead.
+ # staging CP admin token. Pull the value from staging-CP's
+ # CP_ADMIN_API_TOKEN env in Railway (per the original port comment).
 env:
 CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
- MOLECULE_STAGING_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ MOLECULE_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }}
 CANARY_SLUG: ${{ inputs.canary_slug || '' }}
 SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
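Review bot: The rewritten step comment still describes `CP_STAGING_ADMIN_API_TOKEN` as "the confirmed-existing staging CP admin token", but that wording was written about `MOLECULE_STAGING_ADMIN_TOKEN`, and the lines this hunk removes state that `CP_STAGING_ADMIN_API_TOKEN` was never populated in Gitea (issue #425). Nothing visible in the diff shows the secret has been created since; if it has not, the guard in the following hunk (-114) exits 1 on every non-dispatch run and only warns and exits 0 on manual dispatch. I would reword the comment to `# Staging CP admin token; populate this secret from staging-CP's CP_ADMIN_API_TOKEN env in Railway.` and confirm the secret exists before merging. The step's env variable also keeps the name `MOLECULE_STAGING_ADMIN_TOKEN` while every message in the next hunk names `CP_STAGING_ADMIN_API_TOKEN`, so a one-line comment on that `env:` entry noting the mapping would save the next reader a lookup.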
@@ -114,13 +111,13 @@ jobs:
 # serve stale staging tenants. Soft-skip on operator dispatch.
 if [ -z "${MOLECULE_STAGING_ADMIN_TOKEN:-}" ]; then
 if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
- echo "::warning::MOLECULE_STAGING_ADMIN_TOKEN secret not set — skipping redeploy"
- echo "::warning::Set MOLECULE_STAGING_ADMIN_TOKEN in repo secrets to enable auto-redeploy."
- echo "::notice::This secret is shared with canary-staging.yml and all e2e-staging workflows."
+ echo "::warning::CP_STAGING_ADMIN_API_TOKEN secret not set — skipping redeploy"
+ echo "::warning::Set CP_STAGING_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
+ echo "::notice::Pull the value from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
 exit 0
 fi
- echo "::error::staging redeploy cannot run — MOLECULE_STAGING_ADMIN_TOKEN secret missing"
- echo "::error::set it at Settings → Secrets and Variables → Actions (same secret used by canary-staging.yml)."
+ echo "::error::staging redeploy cannot run — CP_STAGING_ADMIN_API_TOKEN secret missing"
+ echo "::error::set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
 exit 1
 fi