From bbc6f5c28749eea5f00cf11eb97a065164594718 Mon Sep 17 00:00:00 2001 From: hongming-codex-laptop Date: Wed, 13 May 2026 11:54:06 -0700 Subject: [PATCH] fix(ci): annotate workflow status emitters --- .gitea/workflows/cascade-list-drift-gate.yml | 1 + .gitea/workflows/gate-check-v3.yml | 1 + .gitea/workflows/harness-replays.yml | 11 ++++++++++- .gitea/workflows/lint-continue-on-error-tracking.yml | 1 + .gitea/workflows/lint-mask-pr-atomicity.yml | 1 + .gitea/workflows/lint-required-no-paths.yml | 1 + .gitea/workflows/publish-canvas-image.yml | 1 + .gitea/workflows/publish-runtime-autobump.yml | 2 ++ .gitea/workflows/qa-review.yml | 1 + .gitea/workflows/redeploy-tenants-on-staging.yml | 1 + .gitea/workflows/review-check-tests.yml | 1 + .gitea/workflows/security-review.yml | 1 + .gitea/workflows/staging-verify.yml | 2 ++ 13 files changed, 24 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/cascade-list-drift-gate.yml b/.gitea/workflows/cascade-list-drift-gate.yml index e6f6ca46..a7230fa7 100644 --- a/.gitea/workflows/cascade-list-drift-gate.yml +++ b/.gitea/workflows/cascade-list-drift-gate.yml @@ -43,6 +43,7 @@ permissions: contents: read jobs: + # bp-exempt: drift visibility gate; CI / all-required remains the required aggregate. check: runs-on: ubuntu-latest # Phase 3 (RFC #219 §1): surface broken workflows without blocking diff --git a/.gitea/workflows/gate-check-v3.yml b/.gitea/workflows/gate-check-v3.yml index ae615d36..71641320 100644 --- a/.gitea/workflows/gate-check-v3.yml +++ b/.gitea/workflows/gate-check-v3.yml @@ -44,6 +44,7 @@ env: GITHUB_SERVER_URL: https://git.moleculesai.app jobs: + # bp-exempt: PR advisory bot; merge blocking is enforced by CI status and branch protection. gate-check: runs-on: ubuntu-latest # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently. diff --git a/.gitea/workflows/harness-replays.yml b/.gitea/workflows/harness-replays.yml index c570af88..e1c78f2f 100644 
--- a/.gitea/workflows/harness-replays.yml +++ b/.gitea/workflows/harness-replays.yml @@ -60,6 +60,7 @@ env: GITHUB_SERVER_URL: https://git.moleculesai.app jobs: + # bp-exempt: change detector only; downstream Harness Replays is the meaningful gate. detect-changes: runs-on: ubuntu-latest # Phase 3 (RFC #219 §1): surface broken workflows without blocking. @@ -132,7 +133,14 @@ jobs: RESP=$(curl -sS --fail --max-time 30 \ -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ -H "Accept: application/json" \ - "$GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/compare/$BASE...$HEAD") + "$GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/compare/$BASE...$HEAD") || { + # If Gitea's Compare API is slow/unavailable, choose the conservative + # behavior: run the harness instead of failing the detector and polluting + # main with a red non-gate context. + echo "run=true" >> "$GITHUB_OUTPUT" + echo "debug=compare-api-unavailable base=$BASE head=$HEAD" >> "$GITHUB_OUTPUT" + exit 0 + } DIFF_FILES=$(echo "$RESP" | bash .gitea/scripts/compare-api-diff-files.py 2>/dev/null || true) echo "debug=diff-base=$BASE diff-files=$DIFF_FILES" >> "$GITHUB_OUTPUT" @@ -150,6 +158,7 @@ jobs: # matches e2e-api.yml — see that workflow's comment for why a # job-level `if: false` would block branch protection via the # SKIPPED-in-set bug. + # bp-exempt: path-filtered replay suite; CI / all-required is the branch-protection aggregate. harness-replays: needs: detect-changes name: Harness Replays diff --git a/.gitea/workflows/lint-continue-on-error-tracking.yml b/.gitea/workflows/lint-continue-on-error-tracking.yml index 4228466c..cc06bca7 100644 --- a/.gitea/workflows/lint-continue-on-error-tracking.yml +++ b/.gitea/workflows/lint-continue-on-error-tracking.yml @@ -89,6 +89,7 @@ concurrency: cancel-in-progress: true jobs: + # bp-exempt: meta-lint for masked jobs; tracked separately until masks are burned down. lint: name: lint-continue-on-error-tracking runs-on: ubuntu-latest 
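Review bot: The conservative fallback added after `curl` in the `@@ -132,7 +133,14 @@` hunk covers only a failed request; the context line right after it still ends in `2>/dev/null || true`, so a response the parser cannot read leaves `DIFF_FILES` empty with nothing in the log. How an empty list maps to `run` is decided outside this hunk; if it resolves to `run=false`, the replay suite is skipped on the kind of degraded response this change is meant to handle. Give the parse step the same branch, for example `DIFF_FILES=$(echo "$RESP" | bash .gitea/scripts/compare-api-diff-files.py) || { echo "run=true" >> "$GITHUB_OUTPUT"; exit 0; }`. Because `--fail` also trips on 401/403/404 responses, the debug value `compare-api-unavailable` can hide a token or ref problem; including curl's exit status in that string would keep the two cases apart.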
diff --git a/.gitea/workflows/lint-mask-pr-atomicity.yml b/.gitea/workflows/lint-mask-pr-atomicity.yml index a32cda5d..758d62b5 100644 --- a/.gitea/workflows/lint-mask-pr-atomicity.yml +++ b/.gitea/workflows/lint-mask-pr-atomicity.yml @@ -84,6 +84,7 @@ concurrency: cancel-in-progress: true jobs: + # bp-exempt: meta-lint advisory during mask burn-down; CI / all-required gates merges. scan: name: lint-mask-pr-atomicity runs-on: ubuntu-latest diff --git a/.gitea/workflows/lint-required-no-paths.yml b/.gitea/workflows/lint-required-no-paths.yml index b994c7ef..08f045a8 100644 --- a/.gitea/workflows/lint-required-no-paths.yml +++ b/.gitea/workflows/lint-required-no-paths.yml @@ -69,6 +69,7 @@ concurrency: cancel-in-progress: true jobs: + # bp-exempt: meta-lint advisory; CI / all-required is the required aggregate. lint: name: lint-required-no-paths runs-on: ubuntu-latest diff --git a/.gitea/workflows/publish-canvas-image.yml b/.gitea/workflows/publish-canvas-image.yml index 62aac9cf..9aedadd6 100644 --- a/.gitea/workflows/publish-canvas-image.yml +++ b/.gitea/workflows/publish-canvas-image.yml @@ -46,6 +46,7 @@ env: GITHUB_SERVER_URL: https://git.moleculesai.app jobs: + # bp-exempt: post-merge image publication side effect; CI / all-required gates source changes. build-and-push: name: Build & push canvas image # REVERTED (infra/revert-docker-runner-label): `runs-on: ubuntu-latest` restored. diff --git a/.gitea/workflows/publish-runtime-autobump.yml b/.gitea/workflows/publish-runtime-autobump.yml index ecdd9cad..5bd0814a 100644 --- a/.gitea/workflows/publish-runtime-autobump.yml +++ b/.gitea/workflows/publish-runtime-autobump.yml 
@@ -53,6 +53,7 @@ jobs: # Operational failures (PyPI unreachable, missing DISPATCH_TOKEN) are # surfaced via continue-on-error: true rather than blocking the merge. # The actual bump work happens on the main/staging push after merge. + # bp-exempt: advisory validation for runtime publication; not a branch-protection gate. pr-validate: runs-on: ubuntu-latest # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently. @@ -79,6 +80,7 @@ jobs: # Actual bump-and-tag: runs on main/staging pushes, posts real success/failure. # No continue-on-error — operational failures here trip the main-red # watchdog, which is the desired signal for infrastructure degradation. + # bp-exempt: post-merge tag publication side effect; CI / all-required gates source changes. bump-and-tag: runs-on: ubuntu-latest # Only fire on push events (main/staging after PR merge). Pull_request diff --git a/.gitea/workflows/qa-review.yml b/.gitea/workflows/qa-review.yml index 427fe03b..005b7474 100644 --- a/.gitea/workflows/qa-review.yml +++ b/.gitea/workflows/qa-review.yml @@ -93,6 +93,7 @@ permissions: pull-requests: read jobs: + # bp-exempt: PR review bot signal; required merge state is enforced by CI / all-required. approved: # Gate the job: # - On pull_request_target events: always run. diff --git a/.gitea/workflows/redeploy-tenants-on-staging.yml b/.gitea/workflows/redeploy-tenants-on-staging.yml index 534d6ba8..98f6b227 100644 --- a/.gitea/workflows/redeploy-tenants-on-staging.yml +++ b/.gitea/workflows/redeploy-tenants-on-staging.yml @@ -73,6 +73,7 @@ env: GITHUB_SERVER_URL: https://git.moleculesai.app jobs: + # bp-exempt: post-merge staging redeploy side effect; CI / all-required gates source changes. redeploy: runs-on: ubuntu-latest # Phase 3 (RFC #219 §1): surface broken workflows without blocking. diff --git a/.gitea/workflows/review-check-tests.yml b/.gitea/workflows/review-check-tests.yml index 62369014..b60515ed 100644 
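Review bot: The `bp-exempt` comment added above `approved` in qa-review.yml says the required merge state is enforced by CI / all-required, but nothing visible in this hunk shows that aggregate depending on the review result, so as written the review signal reads as advisory for merges. The same wording is added above `approved` in security-review.yml, where the distinction matters most. If the exemption is intentional, state it and name the control that does require the approval, e.g. `# bp-exempt: advisory review signal, not merge-blocking; approval is enforced by <control, not shown on this page>`. Both job bodies continue outside their hunks.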
--- a/.gitea/workflows/review-check-tests.yml +++ b/.gitea/workflows/review-check-tests.yml @@ -41,6 +41,7 @@ concurrency: cancel-in-progress: true jobs: + # bp-exempt: review tooling regression suite; CI / all-required is the required aggregate. test: name: review-check.sh regression tests runs-on: ubuntu-latest diff --git a/.gitea/workflows/security-review.yml b/.gitea/workflows/security-review.yml index 0c4c87c8..3b893cb0 100644 --- a/.gitea/workflows/security-review.yml +++ b/.gitea/workflows/security-review.yml @@ -20,6 +20,7 @@ permissions: pull-requests: read jobs: + # bp-exempt: PR security review bot signal; required merge state is enforced by CI / all-required. approved: # See qa-review.yml header for full A1-α / A1.1 (v1.3 — informational # log only, NOT a gate) / A4 / A5 design rationale. diff --git a/.gitea/workflows/staging-verify.yml b/.gitea/workflows/staging-verify.yml index a02f5f79..752d30de 100644 --- a/.gitea/workflows/staging-verify.yml +++ b/.gitea/workflows/staging-verify.yml @@ -82,6 +82,7 @@ env: GITHUB_SERVER_URL: https://git.moleculesai.app jobs: + # bp-exempt: post-merge staging verification side effect; CI / all-required gates merges. staging-smoke: runs-on: ubuntu-latest # Phase 3 (RFC #219 §1): surface broken workflows without blocking. @@ -190,6 +191,7 @@ jobs: echo "assertions in the staging-smoke step log above." } >> "$GITHUB_STEP_SUMMARY" + # bp-exempt: post-merge image promotion side effect; staging-smoke controls promotion. promote-to-latest: # On green, calls the CP redeploy-fleet endpoint with target_tag= # staging- to promote the verified ECR image. This is the same