From 28f5f9b97efba0d8d208149bce3e29fa2d177a51 Mon Sep 17 00:00:00 2001 From: Molecule AI Core-DevOps Date: Mon, 11 May 2026 11:44:17 +0000 Subject: [PATCH] =?UTF-8?q?fix(ci):=20revert=20MOLECULE=5FSTAGING=5FADMIN?= =?UTF-8?q?=5FTOKEN=20=E2=86=92=20CP=5FSTAGING=5FADMIN=5FAPI=5FTOKEN?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Empirical verification (claude-ceo-assistant, hongming-pc2 reviews): MOLECULE_STAGING_ADMIN_TOKEN does NOT exist in the Gitea org/repo secret store. The confirmed-existing staging admin token is CP_STAGING_ADMIN_API_TOKEN (populated during the Class-A run from staging-CP's CP_ADMIN_API_TOKEN Railway env). Revert the MOLECULE_STAGING_ADMIN_TOKEN secret reference in continuous-synth-e2e.yml and redeploy-tenants-on-staging.yml back to CP_STAGING_ADMIN_API_TOKEN. Keep the env-var names the script uses internally (MOLECULE_ADMIN_TOKEN / MOLECULE_STAGING_ADMIN_TOKEN) since those are just variable names — what matters is which Gitea secret provides the value. Co-Authored-By: Claude Opus 4.7 --- .gitea/workflows/continuous-synth-e2e.yml | 6 +++--- .../workflows/redeploy-tenants-on-staging.yml | 21 ++++++++----------- 2 files changed, 12 insertions(+), 15 deletions(-) diff --git a/.gitea/workflows/continuous-synth-e2e.yml b/.gitea/workflows/continuous-synth-e2e.yml index f3b5ddb2..6b3c72b6 100644 --- a/.gitea/workflows/continuous-synth-e2e.yml +++ b/.gitea/workflows/continuous-synth-e2e.yml 
@@ -131,7 +131,7 @@ jobs: # Forced false for cron; respected for manual dispatch E2E_KEEP_ORG: ${{ github.event.inputs.keep_org == 'true' && '1' || '' }} MOLECULE_CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }} - MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }} + MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }} # MiniMax key is the canary's PRIMARY auth path. claude-code # template's `minimax` provider routes ANTHROPIC_BASE_URL to # api.minimax.io/anthropic and reads MINIMAX_API_KEY at boot. @@ -168,8 +168,8 @@ jobs: # can read the verify-secrets step's stderr — the failure is # itself the verification signal. if [ -z "${MOLECULE_ADMIN_TOKEN:-}" ]; then - echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret missing — synth E2E cannot run" - echo "::error::Set it at Settings → Secrets and Variables → Actions (same secret used by canary-staging.yml and all e2e-staging workflows)." + echo "::error::CP_STAGING_ADMIN_API_TOKEN secret missing — synth E2E cannot run" + echo "::error::Set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway." exit 1 fi diff --git a/.gitea/workflows/redeploy-tenants-on-staging.yml b/.gitea/workflows/redeploy-tenants-on-staging.yml index b0713bf1..3f1774b5 100644 --- a/.gitea/workflows/redeploy-tenants-on-staging.yml +++ b/.gitea/workflows/redeploy-tenants-on-staging.yml 
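Review bot: The new env line `MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}` maps a variable to a secret with an unrelated name, and nothing beside it says the mismatch is deliberate. The same applies to `MOLECULE_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}` in redeploy-tenants-on-staging.yml, where the variable carries the exact name of the secret the commit message says does not exist. A one-line comment above each mapping would stop the next editor from "correcting" the reference back, for example `# Script-internal name only; the value comes from the CP_STAGING_ADMIN_API_TOKEN secret.` The `env:` block starts and ends outside the hunk, so it is not visible whether the admin token is scoped to one step or the whole job; if it is job-level, narrowing it to the steps that call the control plane is worth checking.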
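Review bot: The guidance added to the second `::error::` line tells operators to copy staging-CP's own `CP_ADMIN_API_TOKEN` out of Railway into the Gitea secret, which leaves two manually synchronised copies of an admin credential and says nothing about rotation. If the Railway value is rotated, this `-z` guard will not fire because the secret is still non-empty, so the run would presumably fail later at the first control-plane call with a less obvious error. I would extend the message, e.g. `echo "::error::Re-copy the value whenever CP_ADMIN_API_TOKEN is rotated in Railway."`, and use the same wording in the messages in redeploy-tenants-on-staging.yml. Whether the control plane can issue a separate, narrower token for CI is not visible here, but that would be preferable to reusing the service's own admin token. The `if` block sits inside a `run:` script that starts outside the hunk.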
@@ -90,16 +90,13 @@ jobs: run: sleep 30 - name: Call staging-CP redeploy-fleet - # MOLECULE_STAGING_ADMIN_TOKEN must be set as a repo/org secret + # CP_STAGING_ADMIN_API_TOKEN must be set as a repo/org secret # on molecule-ai/molecule-core. This is the confirmed-existing - # staging CP admin token (also used by canary-staging.yml and - # all e2e-staging-*.yml workflows). The alternative name - # CP_STAGING_ADMIN_API_TOKEN (per the original port comment) was - # never populated in Gitea per issue #425 §425 audit. Using the - # confirmed-working MOLECULE_STAGING_ADMIN_TOKEN instead. + # staging CP admin token. Pull the value from staging-CP's + # CP_ADMIN_API_TOKEN env in Railway (per the original port comment). env: CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }} - MOLECULE_STAGING_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }} + MOLECULE_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }} TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }} CANARY_SLUG: ${{ inputs.canary_slug || '' }} SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }} 
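Review bot: The rewritten comment calls `CP_STAGING_ADMIN_API_TOKEN` the "confirmed-existing" token without saying how or when that was confirmed, while the text it replaces made the opposite claim and cited an audit for it. Since the secret name has already been changed back and forth on the strength of comments like this one, the comment should carry its evidence, something like `# Verified present in the Gitea secret store (<date, verifier>); MOLECULE_STAGING_ADMIN_TOKEN is not.` The phrase "per the original port comment" cannot be resolved from this file and could be dropped or replaced with a link to that comment. The step's `run:` body continues outside the hunk.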
@@ -114,13 +111,13 @@ jobs: # serve stale staging tenants. Soft-skip on operator dispatch. if [ -z "${MOLECULE_STAGING_ADMIN_TOKEN:-}" ]; then if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - echo "::warning::MOLECULE_STAGING_ADMIN_TOKEN secret not set — skipping redeploy" - echo "::warning::Set MOLECULE_STAGING_ADMIN_TOKEN in repo secrets to enable auto-redeploy." - echo "::notice::This secret is shared with canary-staging.yml and all e2e-staging workflows." + echo "::warning::CP_STAGING_ADMIN_API_TOKEN secret not set — skipping redeploy" + echo "::warning::Set CP_STAGING_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy." + echo "::notice::Pull the value from staging-CP's CP_ADMIN_API_TOKEN env in Railway." exit 0 fi - echo "::error::staging redeploy cannot run — MOLECULE_STAGING_ADMIN_TOKEN secret missing" - echo "::error::set it at Settings → Secrets and Variables → Actions (same secret used by canary-staging.yml)." + echo "::error::staging redeploy cannot run — CP_STAGING_ADMIN_API_TOKEN secret missing" + echo "::error::set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway." exit 1 fi
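Review bot: On `workflow_dispatch` the missing-secret branch still ends in `exit 0`, so a manually triggered redeploy reports success without contacting staging-CP, and only the `::warning::` annotations show that nothing happened. The comment above marks the soft-skip as deliberate, but this commit exists because the workflow referenced a secret that was never populated, and this is the path that would hide that mistake on manual runs. Consider failing here too, changing `exit 0` to `exit 1`, or at least raising the first message from `::warning::` to `::error::` so the skipped run stands out in the run list. The `exit 0` is a context line and the enclosing script starts and ends outside the hunk, so there may be a reason for the soft-skip that is not visible here.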