molecule-ai/molecule-core
39
0
Fork 2
Code Issues 44 Pull Requests 32 Actions 4 Packages Projects Releases Wiki Activity

fix(ci): publish-workspace-server-image — remove mandatory AUTO_SYNC_TOKEN check
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 24s
Details
CI / Detect changes (pull_request) Successful in 1m22s
Details
Harness Replays / detect-changes (pull_request) Successful in 36s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m12s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 2m6s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 1m19s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m36s
Details
gate-check-v3 / gate-check (pull_request) Successful in 53s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m15s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 53s
Details
security-review / approved (pull_request) Failing after 17s
Details
qa-review / approved (pull_request) Failing after 21s
Details
sop-tier-check / tier-check (pull_request) Successful in 18s
Details
CI / Canvas (Next.js) (pull_request) Successful in 12s
Details
CI / Python Lint & Test (pull_request) Successful in 11s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 11s
Details
Harness Replays / Harness Replays (pull_request) Successful in 9s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 12s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5m41s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 5m59s
Details
CI / Platform (Go) (pull_request) Failing after 13m49s
Details
CI / all-required (pull_request) Failing after 6s
Details

Browse Source 
The `Pre-clone manifest deps` step exits with error if
AUTO_SYNC_TOKEN is not set. This was a safety belt added during initial
development, but it is wrong: manifest.json explicitly records all listed
repos as public on git.moleculesai.app (OSS surface contract). The token
is only needed for private repos, which are handled at provision-time
via the per-tenant credential resolver.

Removing the hard exit lets the workflow succeed when:
- AUTO_SYNC_TOKEN is absent (anonymous clone works for public repos)
- AUTO_SYNC_TOKEN is set (authenticated clone still works)

No functional change to the clone-manifest.sh call itself.

Part of internal#327 / #561.
This commit is contained in:
Molecule AI · infra-runtime-be 2026-05-11 21:30:37 +00:00
parent ef0164250d
commit c58aef31e7
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.gitea/workflows/publish-workspace-server-image.yml
View File

@ -92,10 +92,9 @@ jobs:
MOLECULE_GITEA_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
run: |
set -euo pipefail
if [ -z "${MOLECULE_GITEA_TOKEN}" ]; then
echo "::error::AUTO_SYNC_TOKEN secret is empty"
exit 1
fi
# clone-manifest.sh supports anonymous cloning for public repos (post-
# 2026-05-08 migration). The token is only needed for private repos.
# Do NOT require it — a missing secret would fail the build unnecessarily.
mkdir -p .tenant-bundle-deps
bash scripts/clone-manifest.sh \
manifest.json \