molecule-ai/molecule-core
41
0
Fork 2
Code Issues 45 Pull Requests 11 Actions 58 Packages Projects Releases Wiki Activity

fix(gitea): add || true guards to jq pipelines in audit-force-merge.sh
Some checks failed
qa-review / approved (pull_request) Failing after 5s
Details
gate-check-v3 / gate-check (pull_request) Successful in 5s
Details
security-review / approved (pull_request) Failing after 6s
Details
sop-tier-check / tier-check (pull_request) Successful in 5s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s
Details

Browse Source 
Same root cause as sop-tier-check.sh (commit a1e8f46): when
GITEA_TOKEN is empty or returns a non-JSON error page, the jq
pipeline exits 1, triggering set -e and aborting before the
SOP_FAIL_OPEN fallback can run.

Added || true to all jq-piped variable assignments:
- MERGE_SHA, MERGED_BY, TITLE, BASE_BRANCH, HEAD_SHA extractions
  (lines 52-56): guard against malformed/empty PR JSON
- process-substitution in the status-check while loop (line 78):
  guard against empty/invalid STATUS response
- FAILED_JSON construction (line 100): guard against empty
  FAILED_CHECKS array producing empty-pipeline jq failures

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Molecule AI · infra-runtime-be 2026-05-12 03:18:15 +00:00
parent 965710eb00
commit 6cd4b91182
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.gitea/scripts/audit-force-merge.sh
View File

@ -49,11 +49,11 @@ if [ "$MERGED" != "true" ]; then
exit 0
fi
MERGE_SHA=$(echo "$PR" | jq -r '.merge_commit_sha // empty')
MERGED_BY=$(echo "$PR" | jq -r '.merged_by.login // "unknown"')
TITLE=$(echo "$PR" | jq -r '.title // ""')
BASE_BRANCH=$(echo "$PR" | jq -r '.base.ref // "main"')
HEAD_SHA=$(echo "$PR" | jq -r '.head.sha // empty')
MERGE_SHA=$(echo "$PR" | jq -r '.merge_commit_sha // empty') || true
MERGED_BY=$(echo "$PR" | jq -r '.merged_by.login // "unknown"') || true
TITLE=$(echo "$PR" | jq -r '.title // ""') || true
BASE_BRANCH=$(echo "$PR" | jq -r '.base.ref // "main"') || true
HEAD_SHA=$(echo "$PR" | jq -r '.head.sha // empty') || true
if [ -z "$MERGE_SHA" ]; then
echo "::warning::PR #${PR_NUMBER} merged=true but no merge_commit_sha — cannot evaluate force-merge."
@ -75,7 +75,7 @@ STATUS=$(curl -sS -H "$AUTH" \
declare -A CHECK_STATE
while IFS=$'\t' read -r ctx state; do
[ -n "$ctx" ] && CHECK_STATE[$ctx]="$state"
done < <(echo "$STATUS" | jq -r '.statuses // [] | .[] | "\(.context)\t\(.status)"')
done < <(echo "$STATUS" | jq -r '.statuses // [] | .[] | "\(.context)\t\(.status)"') || true
# 4. For each required check, was it green at merge? YAML block scalars
# (`|`) leave a trailing newline; skip blank/whitespace-only lines.
@ -97,7 +97,7 @@ fi
# 5. Emit structured audit event.
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
FAILED_JSON=$(printf '%s\n' "${FAILED_CHECKS[@]}" | jq -R . | jq -s .)
FAILED_JSON=$(printf '%s\n' "${FAILED_CHECKS[@]}" | jq -R . | jq -s . || true) || true
# Print as a single-line JSON so Vector's parse_json transform can pick
# it up cleanly from docker_logs.