Merge pull request 'fix(ci): ci-required-drift uses scoped mc-drift-bot token (mirrors controlplane)' (#557) from infra/drift-bot-token into main
Some checks failed
CI / Canvas Deploy Reminder (push) Blocked by required conditions
CI / all-required (push) Blocked by required conditions
Block internal-flavored paths / Block forbidden paths (push) Successful in 15s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (push) Successful in 22s
Secret scan / Scan diff for credential-shaped strings (push) Successful in 16s
CI / Detect changes (push) Successful in 1m21s
E2E API Smoke Test / detect-changes (push) Successful in 1m18s
E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 1m18s
Handlers Postgres Integration / detect-changes (push) Successful in 1m17s
Runtime PR-Built Compatibility / detect-changes (push) Successful in 1m15s
Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Failing after 4m45s
CI / Platform (Go) (push) Successful in 10s
CI / Canvas (Next.js) (push) Successful in 11s
E2E API Smoke Test / E2E API Smoke Test (push) Successful in 12s
CI / Shellcheck (E2E scripts) (push) Successful in 9s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 15s
main-red-watchdog / watchdog (push) Successful in 1m16s
Handlers Postgres Integration / Handlers Postgres Integration (push) Successful in 14s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 11s
CI / Python Lint & Test (push) Successful in 18s
gate-check-v3 / gate-check (push) Failing after 15s
Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 8s
Sweep stale Cloudflare DNS records / Sweep CF orphans (push) Failing after 17s
Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Failing after 4m55s
Some checks failed
CI / Canvas Deploy Reminder (push) Blocked by required conditions
CI / all-required (push) Blocked by required conditions
Block internal-flavored paths / Block forbidden paths (push) Successful in 15s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (push) Successful in 22s
Secret scan / Scan diff for credential-shaped strings (push) Successful in 16s
CI / Detect changes (push) Successful in 1m21s
E2E API Smoke Test / detect-changes (push) Successful in 1m18s
E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 1m18s
Handlers Postgres Integration / detect-changes (push) Successful in 1m17s
Runtime PR-Built Compatibility / detect-changes (push) Successful in 1m15s
Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Failing after 4m45s
CI / Platform (Go) (push) Successful in 10s
CI / Canvas (Next.js) (push) Successful in 11s
E2E API Smoke Test / E2E API Smoke Test (push) Successful in 12s
CI / Shellcheck (E2E scripts) (push) Successful in 9s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 15s
main-red-watchdog / watchdog (push) Successful in 1m16s
Handlers Postgres Integration / Handlers Postgres Integration (push) Successful in 14s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 11s
CI / Python Lint & Test (push) Successful in 18s
gate-check-v3 / gate-check (push) Failing after 15s
Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 8s
Sweep stale Cloudflare DNS records / Sweep CF orphans (push) Failing after 17s
Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Failing after 4m55s
This commit is contained in:
commit
982dac0904
@ -77,13 +77,18 @@ jobs:
|
||||
run: python -m pip install --quiet 'PyYAML==6.0.2'
|
||||
- name: Run drift detector
|
||||
env:
|
||||
# GITEA_TOKEN reads protection + writes issues. molecule-core
|
||||
# uses `SOP_TIER_CHECK_TOKEN` as the org-level secret name for
|
||||
# read-only Gitea API access from CI (set by audit-force-merge
|
||||
# and sop-tier-check too). Falls back to the auto-injected
|
||||
# GITHUB_TOKEN if the org-level secret isn't set
|
||||
# (transitional repos).
|
||||
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
# DRIFT_BOT_TOKEN is owned by mc-drift-bot, a least-privilege
|
||||
# Gitea persona whose ONLY job is reading branch_protections
|
||||
# and posting the [ci-drift] tracking issue. The endpoint
|
||||
# `GET /repos/.../branch_protections/{branch}` requires
|
||||
# repo-ADMIN role (Gitea 1.22.6) — SOP_TIER_CHECK_TOKEN and the
|
||||
# auto-injected GITHUB_TOKEN do NOT have it (read-only / write
|
||||
# without admin), so the previous fallback chain 403'd.
|
||||
# Mirrors the controlplane fix landed in CP PR#134.
|
||||
# Provisioning trail: internal#329 (audit) + parent pattern
|
||||
# internal#327 (publish-runtime-bot). Per
|
||||
# `feedback_per_agent_gitea_identity_default`.
|
||||
GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
# Branches whose protection we compare against. molecule-core
|
||||
|
||||
Loading…
Reference in New Issue
Block a user