From 5373b5e7f697a36209dae645071bc605027a5a8c Mon Sep 17 00:00:00 2001 From: hongming-pc2 Date: Mon, 11 May 2026 01:32:26 -0700 Subject: [PATCH] fix(ci): extend class-E rename to scripts/ops/sweep-*.sh (chained-defect from #430 review) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit core-devops lens review (review 1075) caught the chained defect: the 3 sweep workflows shell out to `bash scripts/ops/sweep-{aws-secrets,cf-orphans,cf-tunnels}.sh`, and those scripts still consume the OLD env-var names — `need CP_PROD_ADMIN_TOKEN`, `need CP_STAGING_ADMIN_TOKEN`, and `Bearer $CP_PROD_ADMIN_TOKEN` / `Bearer $CP_STAGING_ADMIN_TOKEN` in the CP-admin curl calls. The workflow- level presence-check loop (renamed in the first commit) would pass, then the shell script would `exit 1` at the `need CP_PROD_ADMIN_TOKEN` line. Classic `feedback_chained_defects_in_never_tested_workflows` — the YAML- surface rename looked complete; the actual consumer is one layer deeper. This commit completes the rename in the scripts: - `CP_PROD_ADMIN_TOKEN` -> `CP_ADMIN_API_TOKEN` - `CP_STAGING_ADMIN_TOKEN` -> `CP_STAGING_ADMIN_API_TOKEN` (6 occurrences total per script — comments, `need` checks, `Bearer $...` curl headers — across all 3). The .gitea/workflows/sweep-*.yml files (first commit) export `CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}` etc., so the scripts now read `$CP_ADMIN_API_TOKEN` — consistent end-to-end. Per core-devops's other (non-blocking) note: `workflow_dispatch` each sweep in dry-run after this lands + after the #425 class-A PUT, to confirm the path beyond the presence-check actually works (the `MINIMAX_TOKEN`-grade shape-match isn't enough — exercise the real CP-admin call). Co-Authored-By: Claude Opus 4.7 (1M context) --- scripts/ops/sweep-aws-secrets.sh | 12 ++++++------ scripts/ops/sweep-cf-orphans.sh | 12 ++++++------ scripts/ops/sweep-cf-tunnels.sh | 12 ++++++------ 3 files changed, 18 insertions(+), 18 deletions(-) 
diff --git a/scripts/ops/sweep-aws-secrets.sh b/scripts/ops/sweep-aws-secrets.sh
index 55db0a11..20450026 100755
--- a/scripts/ops/sweep-aws-secrets.sh
+++ b/scripts/ops/sweep-aws-secrets.sh
@@ -40,8 +40,8 @@
 #
 # Env vars required:
 # AWS_REGION — region the secrets live in (default: us-east-1)
-# CP_PROD_ADMIN_TOKEN — CP admin bearer for api.moleculesai.app
-# CP_STAGING_ADMIN_TOKEN — CP admin bearer for staging-api.moleculesai.app
+# CP_ADMIN_API_TOKEN — CP admin bearer for api.moleculesai.app
+# CP_STAGING_ADMIN_API_TOKEN — CP admin bearer for staging-api.moleculesai.app
 # AWS_ACCESS_KEY_ID, — IAM principal with secretsmanager:ListSecrets
 # AWS_SECRET_ACCESS_KEY and secretsmanager:DeleteSecret. Note: the
 # prod molecule-cp principal does NOT have
@@ -88,8 +88,8 @@ need() {
 exit 1
 fi
 }
-need CP_PROD_ADMIN_TOKEN
-need CP_STAGING_ADMIN_TOKEN
+need CP_ADMIN_API_TOKEN
+need CP_STAGING_ADMIN_API_TOKEN
 need AWS_ACCESS_KEY_ID
 need AWS_SECRET_ACCESS_KEY
 
@@ -107,13 +107,13 @@ log() { echo "[$(date -u +%H:%M:%S)] $*"; }
 # response includes both `id` and `slug`; we extract `id` here.
 
 log "Fetching CP prod org ids..."
-PROD_IDS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_PROD_ADMIN_TOKEN" \
+PROD_IDS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
 "https://api.moleculesai.app/cp/admin/orgs?limit=500" \
 | python3 -c "import json,sys; print(' '.join(o['id'] for o in json.load(sys.stdin).get('orgs',[])))")
 log " prod orgs: $(echo "$PROD_IDS" | wc -w | tr -d ' ')"
 
 log "Fetching CP staging org ids..."
-STAGING_IDS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_STAGING_ADMIN_TOKEN" \
+STAGING_IDS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_STAGING_ADMIN_API_TOKEN" \
 "https://staging-api.moleculesai.app/cp/admin/orgs?limit=500" \
 | python3 -c "import json,sys; print(' '.join(o['id'] for o in json.load(sys.stdin).get('orgs',[])))")
 log " staging orgs: $(echo "$STAGING_IDS" | wc -w | tr -d ' ')"
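Review bot: The two `curl -sS -m 15` calls that build `PROD_IDS` and `STAGING_IDS` run without `--fail`, so a 401/403 caused by an empty or wrong `CP_ADMIN_API_TOKEN` (the failure a secret rename is most likely to produce) still hands a body to `python3`, and if that body is JSON without an `orgs` key, `.get('orgs',[])` quietly yields an empty live set. For a sweep that, as far as the header comment suggests, deletes what is not in the live set, that is fail-open; I would use `curl -fsS -m 15 ...` and stop when the prod list comes back empty, e.g. `[ -n "$PROD_IDS" ] || { echo "empty prod org list, aborting" >&2; exit 1; }`. Whether `set -o pipefail` or a later safety threshold already covers this cannot be seen from the hunk, since the script's option lines and the delete logic are outside it. The same pattern is in the last hunks of scripts/ops/sweep-cf-orphans.sh and scripts/ops/sweep-cf-tunnels.sh (`PROD_SLUGS` / `STAGING_SLUGS`), and `?limit=500` with no pagination would drop live orgs past the first page in the same way.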
diff --git a/scripts/ops/sweep-cf-orphans.sh b/scripts/ops/sweep-cf-orphans.sh
index 569bcbcf..8a4da90c 100755
--- a/scripts/ops/sweep-cf-orphans.sh
+++ b/scripts/ops/sweep-cf-orphans.sh
@@ -20,8 +20,8 @@
 # Env vars required:
 # CF_API_TOKEN — Cloudflare token with zone:dns:edit
 # CF_ZONE_ID — the zone (moleculesai.app)
-# CP_PROD_ADMIN_TOKEN — CP admin bearer for api.moleculesai.app
-# CP_STAGING_ADMIN_TOKEN — CP admin bearer for staging-api.moleculesai.app
+# CP_ADMIN_API_TOKEN — CP admin bearer for api.moleculesai.app
+# CP_STAGING_ADMIN_API_TOKEN — CP admin bearer for staging-api.moleculesai.app
 # AWS_* — standard AWS creds (default region us-east-2)
 #
 # Exit codes:
@@ -58,21 +58,21 @@ need() {
 }
 need CF_API_TOKEN
 need CF_ZONE_ID
-need CP_PROD_ADMIN_TOKEN
-need CP_STAGING_ADMIN_TOKEN
+need CP_ADMIN_API_TOKEN
+need CP_STAGING_ADMIN_API_TOKEN
 
 log() { echo "[$(date -u +%H:%M:%S)] $*"; }
 
 # --- Gather live sets ------------------------------------------------------
 
 log "Fetching CP prod org slugs..."
-PROD_SLUGS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_PROD_ADMIN_TOKEN" \
+PROD_SLUGS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
 "https://api.moleculesai.app/cp/admin/orgs?limit=500" \
 | python3 -c "import json,sys; print(' '.join(o['slug'] for o in json.load(sys.stdin).get('orgs',[])))")
 log " prod orgs: $(echo "$PROD_SLUGS" | wc -w | tr -d ' ')"
 
 log "Fetching CP staging org slugs..."
-STAGING_SLUGS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_STAGING_ADMIN_TOKEN" \
+STAGING_SLUGS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_STAGING_ADMIN_API_TOKEN" \
 "https://staging-api.moleculesai.app/cp/admin/orgs?limit=500" \
 | python3 -c "import json,sys; print(' '.join(o['slug'] for o in json.load(sys.stdin).get('orgs',[])))")
 log " staging orgs: $(echo "$STAGING_SLUGS" | wc -w | tr -d ' ')"
diff --git a/scripts/ops/sweep-cf-tunnels.sh b/scripts/ops/sweep-cf-tunnels.sh
index bf948940..13734db3 100755
--- a/scripts/ops/sweep-cf-tunnels.sh
+++ b/scripts/ops/sweep-cf-tunnels.sh
@@ -31,8 +31,8 @@
 # token must include the tunnel scope.)
 # CF_ACCOUNT_ID — the account that owns the tunnels (visible
 # in dash.cloudflare.com URL path)
-# CP_PROD_ADMIN_TOKEN — CP admin bearer for api.moleculesai.app
-# CP_STAGING_ADMIN_TOKEN — CP admin bearer for staging-api.moleculesai.app
+# CP_ADMIN_API_TOKEN — CP admin bearer for api.moleculesai.app
+# CP_STAGING_ADMIN_API_TOKEN — CP admin bearer for staging-api.moleculesai.app
 #
 # Exit codes:
 # 0 — dry-run completed or sweep executed successfully
@@ -72,21 +72,21 @@ need() {
 }
 need CF_API_TOKEN
 need CF_ACCOUNT_ID
-need CP_PROD_ADMIN_TOKEN
-need CP_STAGING_ADMIN_TOKEN
+need CP_ADMIN_API_TOKEN
+need CP_STAGING_ADMIN_API_TOKEN
 
 log() { echo "[$(date -u +%H:%M:%S)] $*"; }
 
 # --- Gather live sets ------------------------------------------------------
 
 log "Fetching CP prod org slugs..."
-PROD_SLUGS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_PROD_ADMIN_TOKEN" \
+PROD_SLUGS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
 "https://api.moleculesai.app/cp/admin/orgs?limit=500" \
 | python3 -c "import json,sys; print(' '.join(o['slug'] for o in json.load(sys.stdin).get('orgs',[])))")
 log " prod orgs: $(echo "$PROD_SLUGS" | wc -w | tr -d ' ')"
 
 log "Fetching CP staging org slugs..."
-STAGING_SLUGS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_STAGING_ADMIN_TOKEN" \
+STAGING_SLUGS=$(curl -sS -m 15 -H "Authorization: Bearer $CP_STAGING_ADMIN_API_TOKEN" \
 "https://staging-api.moleculesai.app/cp/admin/orgs?limit=500" \
 | python3 -c "import json,sys; print(' '.join(o['slug'] for o in json.load(sys.stdin).get('orgs',[])))")
 log " staging orgs: $(echo "$STAGING_SLUGS" | wc -w | tr -d ' ')"