4 Commits

Author	SHA1	Message	Date
dev-lead	f5f96df5e3	ci: port 9 gates/lints/audits to .gitea/workflows/ (RFC internal#219 §1, Category C-1) ... Sweep companion to PR#372 (ci.yml port), PR#378 (Cat A), PR#379 (Cat B). Ports 9 workflow files from .github/workflows/ to .gitea/workflows/. Each port applies the four-surface audit pattern per feedback_gitea_actions_migration_audit_pattern: 1. YAML — dropped workflow_dispatch.inputs (Gitea 1.22.6 parser rejects them per feedback_gitea_workflow_dispatch_inputs_unsupported), dropped merge_group (no Gitea merge queue), workflow-level env.GITHUB_SERVER_URL pinned per feedback_act_runner_github_server_url. 2. Cache — actions/setup-python cache:pip retained (works with Gitea 1.22.x cache server). No actions/cache@v4 usage in this batch. 3. Token — auto-injected GITHUB_TOKEN (Gitea-aliased) used; no custom dispatch tokens. 4. Docs — top-of-file "Ported from .github/workflows/X.yml on 2026-05-11 per RFC internal#219 §1 sweep" comment on every file. Per RFC §1: each job has `continue-on-error: true` so surfaced defects do not block PRs. Follow-up PR (not in this sweep's scope) flips to `continue-on-error: false` after triage. Files ported: - block-internal-paths.yml — forbidden-path PR gate. Standard port; dropped merge_group + the merge_group-specific fetch step. - cascade-list-drift-gate.yml — TEMPLATES vs manifest.json drift. Passes WORKFLOW=.gitea/workflows/publish-runtime.yml to the script (script's default is .github/... which Cat A removes). - check-migration-collisions.yml — Postgres migration prefix collision gate. The collision script already supports Gitea via _gitea_api_url() / _gitea_token() — no script edit needed. - lint-curl-status-capture.yml — workflow-bash anti-pattern lint. Scanner glob and SELF self-skip path retargeted to .gitea/workflows/**.yml. - runtime-pin-compat.yml — PyPI-latest install + import smoke. Dropped workflow_dispatch + merge_group. - runtime-prbuild-compat.yml — PR-built wheel import smoke. dorny/paths-filter@v4 replaced with inline `git diff` per PR#372 pattern. detect-changes job + per-step if-gates retained. - secret-pattern-drift.yml — canonical/consumer pattern set drift lint. on.paths references the .gitea/ canonical path. Also edits .github/scripts/lint_secret_pattern_drift.py CANONICAL_FILE constant from `.github/workflows/secret-scan.yml` to `.gitea/workflows/secret-scan.yml` (Cat A removes the .github/ one). - test-ops-scripts.yml — scripts/ unittest runner. Dropped merge_group. - railway-pin-audit.yml — daily Railway env var drift detection. `actions/github-script@v9` blocks (which call github.rest.* — a GitHub-specific JS API) replaced with curl calls against the Gitea REST API (/api/v1/repos/.../issues|comments). Issue open/comment-on-repeat/close-on-clean semantics preserved. This Cat C-1 PR groups the "safer" gates/lints/audits. Categories C-2 (E2E) and C-3 (deploy/publish/janitors) ship in separate PRs. The original .github/ files are left in place per RFC §1 (deletion is a Phase 4 follow-up). They are silently dead — Gitea Actions in molecule-core only registers workflows under .gitea/workflows/ — but keeping them documented in-repo eases the diff-review. DO NOT MERGE without orchestrator-dispatched Five-Axis review + @hongmingwang chat-go. Cross-links: - RFC: molecule-ai/internal#219 - Companion: PR#372 (ci.yml port), PR#378 (Cat A), PR#379 (Cat B) - Runbook: runbooks/gitea-actions-migration-checklist.md (Cat B PR) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-10 21:18:11 -07:00
documentation-specialist	5d4184f4a3	fix(scripts): migrate ghcr.io→ECR + raw.githubusercontent.com→Gitea (#46) ... Per documentation-specialist's grep agent (2026-05-07T07:30, see internal#46): runtime-breaking ghcr.io references in shell scripts + docker-compose + the slip-past-workflow lint_secret_pattern_drift.py all need migration. These were missed by security-auditor's workflow-only audit. Files (6): - .github/scripts/lint_secret_pattern_drift.py:40 — workspace-runtime pre-commit-checks.sh consumer URL: raw.githubusercontent.com → Gitea raw URL (https://git.moleculesai.app/molecule-ai/.../raw/ branch/main/...). The lint job runs in CI and would 404 today. - scripts/refresh-workspace-images.sh:54 — workspace-template image pull URL: ghcr.io → ECR (153263036946.dkr.ecr.us-east-2.amazonaws.com). - scripts/rollback-latest.sh — full rewrite of header + auth flow: * ghcr.io/molecule-ai/{platform,platform-tenant} → ECR * GITHUB_TOKEN with write:packages → AWS ECR auth (aws ecr get-login-password). Per saved memory reference_post_suspension_pipeline, prod cutover is to ECR. * Updated header docs to match new auth flow + prereqs. - scripts/demo-freeze.sh:13,17 — comment-only ghcr → ECR (the script doesn't currently exec these URLs, but the comments describe the cascade and need to match reality). - docker-compose.yml:215-216 — canvas image: ghcr.io → ECR + updated the auth comment to describe `aws ecr get-login-password` flow. - tools/check-template-parity.sh:21 — inline curl install instructions: raw.githubusercontent.com → Gitea raw URL. Hostile self-review: 1. rollback-latest.sh's GITHUB_TOKEN→aws-cli auth swap is a behavior change. Operators using this script now need aws CLI authenticated for region us-east-2 with ECR pull/push perms. Documented in updated header. Operators who don't have aws CLI will get 'aws: command not installed' which is a clear failure mode (not silent). 2. The Gitea raw URL shape (/raw/branch/main/) differs from GitHub's raw.githubusercontent.com structure. Verified pattern by inspecting other Gitea raw URLs in the codebase. If Gitea's URL changes (1.23+), update via the same one-line edit. 3. Doesn't touch packer/scripts/install-base.sh which has a similar ghcr.io ref per the grep agent's findings — that's bigger-scope (packer build pipeline) and lives in molecule-controlplane-ish territory; filing as parked follow-up under #46 if not already. Refs: molecule-ai/internal#46, molecule-ai/internal#37, molecule-ai/internal#38, saved memory reference_post_suspension_pipeline	2026-05-07 00:56:23 -07:00
Hongming Wang	43c234df35	secret-scan: align local pre-commit + extend drift lint (closes #1569 root) ... #1569 Phase 1 discovery (2026-05-02) found six historical credential exposures in molecule-core git history. All confirmed dead — but the reason they got committed in the first place was that the local pre-commit hook had two gaps that the canonical CI gate (and the runtime's hook) didn't: 1. **Pattern set was incomplete.** Local hook checked `sk-ant-|sk-proj-|ghp_|gho_|AKIA|mol_pk_|cfut_` — missing `ghs_*`, `ghu_*`, `ghr_*`, `github_pat_*`, `sk-svcacct-`, `sk-cp-`, `xox[baprs]-`, `ASIA*`. The historical leaks were 5× `ghs_*` (App installation tokens) + 1× `github_pat_*` — none of which the local hook would have caught even if it ran. 2. **`*.md` and `docs/` were skip-listed.** The leaked tokens lived in `tick-reflections-temp.md`, `qa-audit-2026-04-21.md`, and `docs/incidents/INCIDENT_LOG.md` — exactly the file types the skip-list excluded. The hook ran and silently passed. This commit: - Replaces the local hook's hard-coded inline regex with the canonical 13-pattern array (byte-aligned with `.github/workflows/secret-scan.yml` and the workspace runtime's `pre-commit-checks.sh`). - Removes the `\.md$|docs/` skip — keeps only binary, lockfile, and hook-self exclusions. - Adds the local hook to `lint_secret_pattern_drift.py` as an in-repo consumer (read-from-disk, no network — the hook lives in the same checkout the lint runs against). Drift now fails the lint when canonical changes without the local hook updating in lockstep. - Adds `.githooks/pre-commit` to the drift-lint workflow's path filter so consumer-side edits also trigger the lint. - Adopts the canonical's "don't echo the matched value" defense (the prior version would have round-tripped a leaked credential into scrollback / CI logs). Verified: `python3 .github/scripts/lint_secret_pattern_drift.py` reports both consumers aligned at 13 patterns. The hook's existing six other gates (canvas 'use client', dark theme, SQL injection, go-build, etc.) are untouched. Companion change (already applied via API, no diff here): `Scan diff for credential-shaped strings` is now in the required-checks list on both `staging` and `main` branch protection — was previously a soft gate (workflow ran, exited 1, but didn't block merge). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 23:47:56 -07:00
Hongming Wang	6638d6e1d7	feat(ci): SECRET_PATTERNS drift lint across known consumers ... Adds a lint that diffs the canonical SECRET_PATTERNS array in .github/workflows/secret-scan.yml against every known public consumer mirror, failing on any divergence. Why: every side that scans for credentials carries its own copy of the pattern list. They drift — most recently the workspace-runtime pre-commit hook lagged the canonical by one pattern (sk-cp- / MiniMax F1088 vector), so a developer's local pre-commit would let a sk-cp- token through while the org-wide CI scan would refuse it. Useless friction; automated detection closes the gap. Implementation: .github/scripts/lint_secret_pattern_drift.py — pure stdlib, fetches each consumer's RAW file via urllib, extracts the SECRET_PATTERNS=( ... ) array via anchored regex (the closing `)` is anchored to the start of a line because pattern comments like `# GitHub PAT (classic)` contain their own paren mid-line), diffs against canonical, fails on missing or extra patterns. Fetch failures are warnings, not errors — a consumer whose branch was renamed shouldn't fail the lint until someone updates the URL list. .github/workflows/secret-pattern-drift.yml — daily 05:00 UTC cron + on-push gate (when canonical, the workflow, or the script changes) + workflow_dispatch. Read-only token, 5-minute timeout. Initial consumer set: workspace-runtime's bundled pre-commit hook (the one that drifted on sk-cp-). molecule-controlplane's inlined copy is private so this workflow can't read it; that's tracked separately and the controlplane's own self-monitor is the gap. Verified locally: lint detects drift correctly when the runtime hook is missing sk-cp-, returns clean when aligned. Refs: task #139.	2026-04-28 15:29:09 -07:00