molecule-ai/molecule-core
38
0
Fork 2
Code Issues 25 Pull Requests 3 Actions 17 Packages Projects Releases Wiki Activity

Merge pull request 'fix(ci): gate-check-v3 — 3 bug fixes (self-loop, base ref, 403 comment)' (#547) from sre/fix-gate-check-v3-bugs into main
Some checks failed
Block internal-flavored paths / Block forbidden paths (push) Successful in 5s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (push) Successful in 6s
Details
Secret scan / Scan diff for credential-shaped strings (push) Successful in 6s
Details
E2E API Smoke Test / detect-changes (push) Successful in 13s
Details
CI / Detect changes (push) Successful in 14s
Details
Handlers Postgres Integration / detect-changes (push) Successful in 14s
Details
E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 15s
Details
CI / Shellcheck (E2E scripts) (push) Successful in 3s
Details
CI / Platform (Go) (push) Successful in 3s
Details
Runtime PR-Built Compatibility / detect-changes (push) Successful in 14s
Details
E2E API Smoke Test / E2E API Smoke Test (push) Successful in 4s
Details
CI / Canvas (Next.js) (push) Successful in 4s
Details
CI / Python Lint & Test (push) Successful in 3s
Details
Handlers Postgres Integration / Handlers Postgres Integration (push) Successful in 4s
Details
CI / Canvas Deploy Reminder (push) Has been skipped
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 3s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 1s
Details
Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 6s
Details
Sweep stale AWS Secrets Manager secrets / Sweep AWS Secrets Manager (push) Failing after 12s
Details
Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Failing after 4m40s
Details

Browse Source
This commit is contained in:
Molecule AI · core-lead 2026-05-11 19:26:55 +00:00
commit ba6ddd3c19
2 changed files with 43 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.gitea/workflows/gate-check-v3.yml
View File

@ -40,10 +40,16 @@ jobs:
runs-on: ubuntu-latest
continue-on-error: true # Never block on our own detector failing
steps:
- name: Check out base branch (for the script)
- name: Check out PR branch (head) for the script
# NOTE: we intentionally check out the HEAD/PR branch here — not the base.
# This is required so that script fixes in PR branches (e.g. the self-loop
# exclusion in signal_6_ci) are actually used when evaluating that PR.
# Security: this job runs with continue-on-error: true and does not
# execute arbitrary PR code — it only runs the gate-check script which
# is read-only (API reads + JSON stdout).
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.pull_request.base.sha || github.ref_name }}
ref: ${{ github.event.pull_request.head.sha }}
- name: Run gate-check-v3 (single PR mode)
if: github.event_name == 'pull_request_target' || github.event.inputs.pr_number != ''

57
tools/gate-check-v3/gate_check.py
View File

@ -316,7 +316,7 @@ def signal_3_staleness(pr_number: int, repo: str) -> dict:
# ── Signal 6: CI required-checks awareness ───────────────────────────────────
def signal_6_ci(pr_number: int, repo: str, branch: str = "main") -> dict:
def signal_6_ci(pr_number: int, repo: str, branch: str | None = None, pr_data: dict | None = None) -> dict:
"""
Query combined CI status for PR head commit.
Find required status checks on target branch.
@ -324,8 +324,12 @@ def signal_6_ci(pr_number: int, repo: str, branch: str = "main") -> dict:
"""
owner, name = repo.split("/", 1)
pr = api_get(f"/repos/{owner}/{name}/pulls/{pr_number}")
head_sha = pr["head"]["sha"]
# Re-use PR data if already fetched by caller; otherwise fetch once.
if pr_data is None:
pr_data = api_get(f"/repos/{owner}/{name}/pulls/{pr_number}")
head_sha = pr_data["head"]["sha"]
# Fall back to PR's actual base branch when no explicit branch is given
branch = branch or pr_data.get("base", {}).get("ref", "main")
# Combined status of PR head
combined = api_get(f"/repos/{owner}/{name}/commits/{head_sha}/status")
@ -334,9 +338,12 @@ def signal_6_ci(pr_number: int, repo: str, branch: str = "main") -> dict:
# Individual check statuses
# Gitea Actions uses "status" (pending/success/failure) not "state" for
# individual check entries. "state" is null for pending runs.
# Exclude our own prior status to prevent self-referential failure loops.
check_statuses = {}
for s in combined.get("statuses") or []:
check_statuses[s["context"]] = s.get("status", "pending")
ctx = s["context"]
if "gate-check" not in ctx.lower():
check_statuses[ctx] = s.get("status", "pending")
# Try to get branch protection for required checks
required_checks = []
@ -459,21 +466,21 @@ def format_comment(repo: str, pr_number: int, verdict: str, gates: list[dict], b
lines.append(f"_gate-check-v3 · repo={repo} · pr={pr_number}_")
return "\n".join(lines)
lines.append("")
lines.append(f"_gate-check-v3 · repo={repo} · pr={pr_number}_")
return "\n".join(lines)
# ── Main ─────────────────────────────────────────────────────────────────────
def run(repo: str, pr_number: int, post_comment: bool = False) -> dict:
try:
# Fetch PR once to get base ref for signal_6_ci
owner, name = repo.split("/", 1)
pr = api_get(f"/repos/{owner}/{name}/pulls/{pr_number}")
base_ref = pr.get("base", {}).get("ref", "main")
gates = [
signal_1_comment_scan(pr_number, repo),
signal_2_reviews(pr_number, repo),
signal_3_staleness(pr_number, repo),
signal_6_ci(pr_number, repo),
signal_6_ci(pr_number, repo, branch=base_ref, pr_data=pr),
]
verdict, blockers = compute_verdict(gates)
@ -501,18 +508,24 @@ def run(repo: str, pr_number: int, post_comment: bool = False) -> dict:
# Check if a gate-check comment already exists to avoid spamming
existing = api_list(f"/repos/{owner}/{name}/issues/{pr_number}/comments")
our_comments = [c for c in existing if "[gate-check-v3]" in (c.get("body") or "")]
if our_comments:
# Update latest
comment_id = our_comments[-1]["id"]
url = f"{API_BASE}/repos/{owner}/{name}/issues/comments/{comment_id}"
req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="PATCH")
with urllib.request.urlopen(req) as r:
r.read()
else:
url = f"{API_BASE}/repos/{owner}/{name}/issues/{pr_number}/comments"
req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="POST")
with urllib.request.urlopen(req) as r:
r.read()
try:
if our_comments:
# Update latest
comment_id = our_comments[-1]["id"]
url = f"{API_BASE}/repos/{owner}/{name}/issues/comments/{comment_id}"
req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="PATCH")
with urllib.request.urlopen(req) as r:
r.read()
else:
url = f"{API_BASE}/repos/{owner}/{name}/issues/{pr_number}/comments"
req = urllib.request.Request(url, data=json.dumps({"body": comment_body}).encode(), headers=headers, method="POST")
with urllib.request.urlopen(req) as r:
r.read()
except urllib.error.HTTPError as e:
if e.code == 403:
print(f"WARN: --post-comment 403 (token scope) — verdict={verdict}; skipping comment-post", file=sys.stderr)
else:
raise
return result