From 7b4f691ea8b70d9007cd8f916abc46ff385394d3 Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Sun, 19 Apr 2026 05:19:31 -0700 Subject: [PATCH] fix(ci): clone sibling plugin repo so publish-workspace-server-image builds MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Publish has been failing since the 2026-04-18 open-source restructure (#964's merge) because workspace-server/Dockerfile still COPYs ./molecule-ai-plugin-github-app-auth/ but the restructure moved that code out to its own repo. Every main merge since has produced a "failed to compute cache key: /molecule-ai-plugin-github-app-auth: not found" error — prod images haven't moved. Fix: add an actions/checkout step that fetches the plugin repo into the build context before docker build runs. Private-repo safe: uses PLUGIN_REPO_PAT secret (fine-grained PAT with Contents:Read on Molecule-AI/molecule-ai-plugin-github-app-auth). Falls back to the default GITHUB_TOKEN if the plugin repo is public. Ops: set repo secret PLUGIN_REPO_PAT before the next main merge, or publish will fail with a 404 on the checkout step. Also gitignores the cloned dir so local dev builds don't accidentally commit it. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../publish-workspace-server-image.yml | 19 +++++++++++++++++++ .gitignore | 3 +++ 2 files changed, 22 insertions(+) diff --git a/.github/workflows/publish-workspace-server-image.yml b/.github/workflows/publish-workspace-server-image.yml index b76681c4..5f7d6bd4 100644 --- a/.github/workflows/publish-workspace-server-image.yml +++ b/.github/workflows/publish-workspace-server-image.yml 
@@ -29,6 +29,25 @@ jobs: - name: Checkout uses: actions/checkout@v4 + - name: Checkout sibling plugin repo + # workspace-server/Dockerfile expects + # ./molecule-ai-plugin-github-app-auth at build-context root because + # the Go module has a `replace` directive pointing at /plugin inside + # the image. Pre-repo-split the plugin lived in the monorepo; the + # 2026-04-18 restructure moved it out but didn't add this clone step + # — which is why publish has been failing since then. + # + # Uses a fine-grained PAT (PLUGIN_REPO_PAT) because the plugin repo + # is private and the default GITHUB_TOKEN is scoped to THIS repo. + # The PAT needs Contents:Read on Molecule-AI/molecule-ai-plugin- + # github-app-auth. Falls back to the default token for the (rare) + # case where an operator made the plugin repo public. + uses: actions/checkout@v4 + with: + repository: Molecule-AI/molecule-ai-plugin-github-app-auth + path: molecule-ai-plugin-github-app-auth + token: ${{ secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN }} + - name: Configure GHCR auth shell: bash env: diff --git a/.gitignore b/.gitignore index 0230afcd..bb612ab1 100644 --- a/.gitignore +++ b/.gitignore @@ -120,3 +120,6 @@ backups/ /org-templates/ /plugins/ /workspace-configs-templates/ +# Cloned by publish-workspace-server-image.yml so the Dockerfile's +# replace-directive path resolves. Lives in its own repo. +/molecule-ai-plugin-github-app-auth/
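Review bot: In the new "Checkout sibling plugin repo" step of publish-workspace-server-image.yml, the `with:` block does not set `persist-credentials: false`, so actions/checkout@v4 leaves the token in the clone's `.git/config`, and that clone sits at `path: molecule-ai-plugin-github-app-auth` inside the Docker build context. The commit message says workspace-server/Dockerfile COPYs that directory, so unless a .dockerignore (not part of this patch) excludes its `.git`, the PAT can land in an image layer. Please add `persist-credentials: false` to the step and exclude `molecule-ai-plugin-github-app-auth/.git` from the build context. Two smaller points on the same step: there is no `ref:`, so every publish builds whatever is at the head of the plugin repo's default branch, and pinning a tag or commit would make the image reproducible and reviewable. And `secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN` hides a missing secret behind the fallback, which the comment itself says cannot read a private repo; a short preceding step that fails with an explicit message when the secret is empty would be clearer than the 404 the commit message warns about.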
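Review bot: In the .gitignore hunk, the comment above `/molecule-ai-plugin-github-app-auth/` only mentions the clone done by the workflow, while the commit message says the entry exists so local dev builds do not commit the directory. That implies developers now have to clone the plugin repo by hand before a local docker build, and nothing in this patch documents it. Consider extending the comment, or adding a note to the build docs, to say where the directory must be cloned and from which repo. Note also that a .gitignore entry does not keep the directory's `.git` out of the Docker build context; that needs a .dockerignore entry.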