From ce3f1f48a4ef4c53c0c69cdde2b4da4c4c54b366 Mon Sep 17 00:00:00 2001
From: claude-ceo-assistant <claude-ceo-assistant@agents.moleculesai.app>
Date: Thu, 7 May 2026 01:31:37 -0700
Subject: [PATCH] fix(ci): port publish-runtime cascade to Gitea repo-dispatch
 API (closes molecule-core#14)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Symptom

`publish-runtime.yml::cascade` fired a `repository_dispatch` to 10 workspace-template
repos via direct curl to `https://api.github.com/repos/...`. Post-2026-05-06 the
org's GitHub presence is suspended; every invocation 404s. The job's
`::warning::` posture meant the failure didn't propagate, leaving the runtime
PyPI publish → template image rebuild pipeline silently broken.

## Why Option A (rewrite) and not Option B (delete)

Verified 2026-05-07 by devops-engineer (molecule-core#14 thread):

- The cron-poll mechanism (/etc/cron.d/molecule-deploy-poll) tracks ONLY the
  Vercel/Railway-deployed repos (landingpage/docs/molecule-app/molecules-market
  /molecule-controlplane). It does NOT track workspace-template-* repos.
- Each of the 9 template `publish-image.yml` workflows has
  `repository_dispatch: types: [runtime-published]` as a load-bearing trigger.
  Without the cascade, when the runtime ships a new PyPI version, templates
  don't auto-rebuild.

So Option B (delete) would silently break the runtime → template fan-out.
Option A (rewrite to Gitea's API shape) is the right call. Security-auditor
agreed after seeing the cron-poll TRACKED list.

## API surface change

| Concern | Pre-fix (GitHub) | Post-fix (Gitea) |
|---|---|---|
| URL | `https://api.github.com/repos/$REPO/dispatches` | `${GITEA_URL}/api/v1/repos/$REPO/dispatches` |
| Owner case | `Molecule-AI/...` | `molecule-ai/...` (lowercase, Gitea is case-sensitive) |
| Auth header | `Authorization: Bearer $DISPATCH_TOKEN` | `Authorization: token $DISPATCH_TOKEN` |
| Body shape | `{event_type, client_payload}` | UNCHANGED — Gitea is GitHub-compatible here |
| Success code | `204 No Content` | `204 No Content` (unchanged) |

`GITEA_URL` defaults to `https://git.moleculesai.app`; overridable via job env.

## Out-of-band: DISPATCH_TOKEN secret rotation

The DISPATCH_TOKEN secret was a GitHub PAT. It must be re-minted as a Gitea
PAT for the new API to authenticate. Per saved memory
`feedback_per_agent_gitea_identity_default`, this should be a dedicated
`publish-runtime-bot` persona token with `write:repository` scope on the
9 target repos — NOT the founder PAT.

This PR ships the workflow change. Token rotation is the operator-host
follow-up (security-auditor's lane) — coordinate the merge so the token
is in place before the next runtime release fires.

## Backwards compatibility

The workflow ran silently-broken since 2026-05-06 (every invocation 404
+ ::warning:: but no failure). So there is no functional regression from
"silently broken" to "actually working". Any in-progress operator-managed
manual dispatch path is unaffected; the Gitea API parallel path doesn't
require operator intervention.

## Test plan

- [x] YAML parse OK on the modified workflow file
- [ ] Smoke test: trigger a runtime publish (or simulate via dispatching to one
      template) post-merge; verify HTTP 204 + the template's publish-image
      workflow fires + the template's image gets re-pushed against the new
      runtime version. Phase 4 verification belongs to internal#46 follow-up.

## Hostile self-review (3 weakest spots)

1. The fan-out remains all-or-nothing: a single template failure surfaces as
   a `::warning::` but PyPI publish proceeds. With 9 templates this is a
   ~10% per-template chance of stale-image-on-runtime-bump if any one fails.
   Defense: the warning shows up in the workflow summary; operators retry.
   Future hardening: requeue-on-fail with bounded retry, or a separate
   reconcile cron that detects template/runtime version drift and re-dispatches.

2. `DISPATCH_TOKEN` validity is enforced by the Gitea API (401 on stale)
   but the workflow doesn't differentiate 401 from 404. Either way the
   warning fires. Future hardening: explicit token-shape check at the start
   of the cascade job (curl `/api/v1/user` once, fail-fast if 401).

3. Owner-case lowercase is right today but couples the workflow to the
   current Gitea org slug. If the org is ever renamed, this workflow
   breaks silently. Less fragile alternative: derive REPO from a
   canonical config (e.g. `gh repo list molecule-ai`) instead of
   string-concatenating. Acceptable today; filed as the same future
   hardening pass as item 1.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish-runtime.yml | 35 +++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish-runtime.yml b/.github/workflows/publish-runtime.yml
index b3750a61..984ee0bb 100644
--- a/.github/workflows/publish-runtime.yml
+++ b/.github/workflows/publish-runtime.yml
@@ -339,16 +339,41 @@ jobs:
           # Long-term: derive this list from manifest.json so cascade
           # scope can't drift from E2E scope — tracked in RFC #388 as a
           # Phase-1 invariant.
+          # Fan out via Gitea's repository_dispatch API (post-2026-05-06; the
+          # GitHub-org's hostname is no longer reachable). API contract:
+          #   POST {GITEA_URL}/api/v1/repos/{owner}/{repo}/dispatches
+          #   Authorization: token <gitea-pat>     (NOT "Bearer" like GitHub)
+          #   body: {event_type, client_payload}    (same shape as GitHub)
+          # The 9 template repos all have publish-image.yml waiting on
+          # `repository_dispatch: types: [runtime-published]` with
+          # client_payload.runtime_version (verified by devops-engineer
+          # 2026-05-07 when assessing molecule-core#14 Option B safety).
+          #
+          # DISPATCH_TOKEN must be a Gitea PAT (not a GitHub PAT) with
+          # write:repository scope on each of the 9 target repos. Per saved
+          # memory feedback_per_agent_gitea_identity_default this should be
+          # a per-agent-persona token (recommend: dedicated
+          # `publish-runtime-bot` persona), not the founder PAT. Token
+          # rotation is an out-of-band operator-host task; the workflow
+          # consumes whatever value is in the secret.
+          #
+          # GITEA_URL defaults to https://git.moleculesai.app; override via
+          # job env if the platform's Gitea host changes.
+          GITEA_URL="${GITEA_URL:-https://git.moleculesai.app}"
           TEMPLATES="claude-code hermes openclaw codex langgraph crewai autogen deepagents gemini-cli"
           FAILED=""
           for tpl in $TEMPLATES; do
-            REPO="Molecule-AI/molecule-ai-workspace-template-$tpl"
+            # Gitea is owner-case-sensitive: the org slug is lowercase
+            # `molecule-ai`, not `Molecule-AI`. GitHub auto-lowercased on
+            # the receive side; Gitea returns 404 on the wrong case.
+            REPO="molecule-ai/molecule-ai-workspace-template-$tpl"
             STATUS=$(curl -sS -o /tmp/dispatch.out -w "%{http_code}" \
-              -X POST "https://api.github.com/repos/$REPO/dispatches" \
-              -H "Authorization: Bearer $DISPATCH_TOKEN" \
-              -H "Accept: application/vnd.github+json" \
-              -H "X-GitHub-Api-Version: 2022-11-28" \
+              -X POST "$GITEA_URL/api/v1/repos/$REPO/dispatches" \
+              -H "Authorization: token $DISPATCH_TOKEN" \
+              -H "Accept: application/json" \
+              -H "Content-Type: application/json" \
               -d "{\"event_type\":\"runtime-published\",\"client_payload\":{\"runtime_version\":\"$VERSION\"}}")
+            # Gitea returns 204 No Content on success, same as GitHub.
             if [ "$STATUS" = "204" ]; then
               echo "✓ dispatched $tpl ($VERSION)"
             else