From 90f9987e88631329b2fd37d7d0f343567116447a Mon Sep 17 00:00:00 2001 From: claude-ceo-assistant Date: Sun, 10 May 2026 18:31:00 -0700 Subject: [PATCH] fix(ci): split publish-runtime into tags-only + autobump (closes #351) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit publish-runtime.yml has never fired since the .gitea port (0 rows in action_run.workflow_id='publish-runtime.yml' ever), which is why PyPI is still at 0.1.129 despite Gitea having a runtime-v1.0.0 tag. Root cause hypothesis: Gitea Actions evaluates the on.push.paths filter against tag-push events too (no path diff → workflow skipped). PR #349 made this visible by adding the paths trigger, but the same defect existed for the originally-ported tags-only trigger on this Gitea version — hence the runtime-v1.0.0 tag also never published. Fix: split into two files, each with a single unambiguous trigger shape. - publish-runtime.yml : on.push.tags only (the publisher) - publish-runtime-autobump.yml : on.push.branches+paths (NEW; the bumper) The autobump file computes next version from PyPI latest, pushes 'runtime-v$VERSION' tag via DISPATCH_TOKEN (not GITHUB_TOKEN — needed to trigger downstream workflows on Gitea), and exits. The tag push then triggers publish-runtime.yml. Test plan after merge: 1. Push no-op commit to workspace/. Observe autobump fire, push tag. 2. Observe publish-runtime.yml fire on the tag, publish 0.1.130 to PyPI, cascade to template repos. 3. Verify 'action_run' shows >0 rows for both workflow_ids. --- .gitea/workflows/publish-runtime-autobump.yml | 100 ++++++++++++++++++ .gitea/workflows/publish-runtime.yml | 27 +++-- 2 files changed, 117 insertions(+), 10 deletions(-) create mode 100644 .gitea/workflows/publish-runtime-autobump.yml diff --git a/.gitea/workflows/publish-runtime-autobump.yml b/.gitea/workflows/publish-runtime-autobump.yml new file mode 100644 index 00000000..85afdafd --- /dev/null +++ b/.gitea/workflows/publish-runtime-autobump.yml @@ -0,0 +1,100 @@ +name: publish-runtime-autobump + +# Auto-bump-on-workspace-edit half of the publish pipeline. +# +# Why this file exists (issue #351): +# Gitea Actions does not correctly disambiguate `paths:` from `tags:` +# when both are bundled under a single `on.push` key. The result is +# that tag pushes get filtered out and `publish-runtime.yml` never +# fires — `action_run` rows: 0. This was unnoticed pre-2026-05-11 +# because PYPI_TOKEN was absent (publishes would have failed anyway). +# +# Split design: +# - publish-runtime.yml : on.push.tags only (the publisher) +# - publish-runtime-autobump.yml: on.push.branches+paths (this file — the version-bumper) +# +# This file computes the next version from PyPI's latest, pushes a +# `runtime-v$VERSION` tag, and exits. The tag push then triggers +# publish-runtime.yml via its tags-only trigger. +# +# Concurrency: shares the `publish-runtime` group with publish-runtime.yml +# so concurrent workspace pushes serialize at the bump step. Without +# this, two pushes minutes apart could both read PyPI latest=0.1.129 +# and try to tag 0.1.130 simultaneously, only one of which would land. + +on: + push: + branches: + - main + - staging + paths: + - "workspace/**" + +permissions: + contents: write # required to push tags back + +concurrency: + group: publish-runtime + cancel-in-progress: false + +jobs: + autobump-and-tag: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + # Fetch full tag list so the bump logic can sanity-check against + # what's already in this repo (catches collision with prior + # manual tag pushes). + fetch-depth: 0 + + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: "3.11" + + - name: Compute next version from PyPI latest + id: bump + run: | + set -eu + LATEST=$(curl -fsS --retry 3 https://pypi.org/pypi/molecule-ai-workspace-runtime/json \ + | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])") + MAJOR=$(echo "$LATEST" | cut -d. -f1) + MINOR=$(echo "$LATEST" | cut -d. -f2) + PATCH=$(echo "$LATEST" | cut -d. -f3) + VERSION="${MAJOR}.${MINOR}.$((PATCH+1))" + echo "PyPI latest=$LATEST -> next=$VERSION" + if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then + echo "::error::computed version $VERSION does not match PEP 440 X.Y.Z" + exit 1 + fi + if git tag --list | grep -qx "runtime-v$VERSION"; then + echo "::error::tag runtime-v$VERSION already exists in this repo. Manual intervention required (PyPI and Gitea tag history are out of sync)." + exit 1 + fi + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + + - name: Push runtime-v$VERSION tag + env: + DISPATCH_TOKEN: ${{ secrets.DISPATCH_TOKEN }} + VERSION: ${{ steps.bump.outputs.version }} + GITEA_URL: https://git.moleculesai.app + run: | + set -eu + if [ -z "$DISPATCH_TOKEN" ]; then + echo "::error::DISPATCH_TOKEN secret is not set — needed to push the tag back to molecule-core." + exit 1 + fi + git config user.name "publish-runtime autobump" + git config user.email "publish-runtime@moleculesai.app" + git tag -a "runtime-v$VERSION" \ + -m "Auto-bump on workspace/** edit on $GITHUB_REF" \ + -m "Triggered by: $GITHUB_REF @ $GITHUB_SHA" \ + -m "publish-runtime.yml will pick up this tag and upload to PyPI" + # Push via DISPATCH_TOKEN (a Gitea PAT). Using the bot identity + # ensures the resulting tag-push event is dispatched to + # publish-runtime.yml; act_runner's default GITHUB_TOKEN cannot + # trigger downstream workflows. + git remote set-url origin "${GITEA_URL#https://}" + git remote set-url origin "https://x-access-token:${DISPATCH_TOKEN}@${GITEA_URL#https://}/molecule-ai/molecule-core.git" + git push origin "runtime-v$VERSION" + echo "✓ pushed runtime-v$VERSION — publish-runtime.yml should fire next" diff --git a/.gitea/workflows/publish-runtime.yml b/.gitea/workflows/publish-runtime.yml index a414c303..083b6840 100644 --- a/.gitea/workflows/publish-runtime.yml +++ b/.gitea/workflows/publish-runtime.yml @@ -13,11 +13,23 @@ name: publish-runtime # — Gitea Actions exposes github.ref (the full ref) but not ref_name # - Dropped `merge_group` trigger (Gitea has no merge queue) # -# 2026-05-10 (issue #348): restored `staging`/`main` branch + `workspace/**` -# path-filter trigger and the PyPI-latest auto-bump path that consumes it. -# The 2026-05-10 inline comment "no staging branch exists in this repo" was -# inherited verbatim from the runtime-mirror port and is INCORRECT for -# molecule-core. hongming-pc is blocked on this trigger. +# 2026-05-10 (issue #348): originally restored `staging`/`main` branch + +# `workspace/**` path-filter trigger in PR #349. +# +# 2026-05-11 (issue #351): REVERTED the branches+paths trigger from THIS +# file. Bundling `paths` with `tags` under a single `on.push` key caused +# Gitea Actions to never dispatch the workflow for tag-push events (0 +# runs in `action_run` for workflow_id='publish-runtime.yml' since the +# port, including the runtime-v1.0.0 tag — which is why PyPI is still at +# 0.1.129 despite a v1.0.0 Gitea tag existing). +# +# The auto-bump-on-workspace-edit trigger now lives in +# `.gitea/workflows/publish-runtime-autobump.yml`. That file computes the +# next version from PyPI's latest and pushes a `runtime-v$VERSION` tag, +# which THIS file then picks up via the tags-only trigger below. +# +# This decoupling means Gitea's path-vs-tag evaluator never has to +# disambiguate — each file has a single unambiguous trigger shape. # # PyPI publishing: requires PYPI_TOKEN repository secret (or org-level secret). # Set via: repo Settings → Actions → Variables and Secrets → New Secret. @@ -28,11 +40,6 @@ name: publish-runtime on: push: - branches: - - main - - staging - paths: - - "workspace/**" tags: - "runtime-v*" workflow_dispatch: