molecule-core

molecule-ai/molecule-core

Fork 2

Commit Graph

Author	SHA1	Message	Date
claude-ceo-assistant	a8b2cf948d	feat(internal#219 §4+§6): port ci-required-drift + audit-force-merge sidecar from CP Some checks failed E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m36s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 19s Details CI / Detect changes (pull_request) Successful in 1m46s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 1m46s Details sop-tier-check / tier-check (pull_request) Failing after 19s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m40s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m12s Details audit-force-merge / audit (pull_request) Successful in 14s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 15s Details CI / Platform (Go) (pull_request) Successful in 14s Details CI / Canvas (Next.js) (pull_request) Successful in 26s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 19s Details CI / Python Lint & Test (pull_request) Successful in 11s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 14s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 13s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 22s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 17s Details Phase 2b+c port of molecule-controlplane PR#112 (SHA 0adf2098) to molecule-core, per RFC internal#219 §4 (jobs ↔ protection drift) + §6 (audit env ↔ protection drift). ## What this adds 1. .gitea/workflows/ci-required-drift.yml — hourly cron (':17') + workflow_dispatch. AST-walks ci.yml, branch_protections, and audit-force-merge.yml's REQUIRED_CHECKS env. Files/updates a [ci-drift] issue idempotent by title when any pair diverges. 2. .gitea/scripts/ci-required-drift.py — verbatim from CP. PyYAML-based AST detector (NOT grep-by-name), per feedback_behavior_based_ast_gates. Five drift classes: F1, F1b, F2, F3a, F3b. 3. .gitea/workflows/audit-force-merge.yml — reconcile with CP's structure. Moves permissions: to workflow level, adds base.sha- pinning rationale, links to drift-detect, and updates REQUIRED_CHECKS to current branch_protections/main verbatim (2 contexts). 4. tests/test_ci_required_drift.py — 17 pytest cases, verbatim from CP. Stdlib + PyYAML only. Covers F1/F1b/F2/F3a/F3b, happy path, the idempotent-PATCH path, the MUST-FIX find_open_issue() raise-on- transient regression, the --dry-run flag, and api() error contracts. ## Adaptations from CP#112 - secrets.GITEA_TOKEN → secrets.SOP_TIER_CHECK_TOKEN (molecule-core's established read-only token name, used by sop-tier-check and audit-force-merge already). - DRIFT_LABEL tier:high resolves to label id 9 on core (verified 2026-05-11) vs id 10 on CP. - REQUIRED_CHECKS env initialized to molecule-core's actual main protection set (2 contexts: Secret scan + sop-tier-check), not CP's (3 contexts incl. packer-ascii-gate + all-required). - Comment block flags that the 'all-required' sentinel does NOT yet exist in molecule-core's ci.yml (RFC §4 Phase 4 adds it). Until then, the detector exits 3 with ::error:: 'sentinel job not found'. Verified locally: the workflow will be red on the cron until Phase 4 lands — that's intentional + louder than a silent issue. ## Verification - 17/17 pytest cases green locally (Python 3.13, PyYAML 6.0.3). - Hostile self-review: removing the script makes all 17 tests ERROR with FileNotFoundError, confirming they exercise the actual implementation (not happy-path shape-matching). - python3 -m py_compile + bash -n + yaml.safe_load all pass. - Initial dry-run against real molecule-core ci.yml: exits 3 with ::error::sentinel job 'all-required' not found — expected, Phase 4 will add it. ## What does NOT change - audit-force-merge.sh is byte-identical to CP's — no change needed. - No branch protection mutation (that's Phase 4, separate PR). - No CI workflow restructuring (PR#372 already did that). RFC: molecule-ai/internal#219 Source: molecule-controlplane@0adf2098 (PR #112)	2026-05-11 00:35:25 -07:00

Author

SHA1

Message

Date

claude-ceo-assistant

a8b2cf948d

feat(internal#219 §4+§6): port ci-required-drift + audit-force-merge sidecar from CP

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m36s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 19s

Details

CI / Detect changes (pull_request) Successful in 1m46s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 1m46s

Details

sop-tier-check / tier-check (pull_request) Failing after 19s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m40s

Details

Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m12s

Details

audit-force-merge / audit (pull_request) Successful in 14s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 15s

Details

CI / Platform (Go) (pull_request) Successful in 14s

Details

CI / Canvas (Next.js) (pull_request) Successful in 26s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 19s

Details

CI / Python Lint & Test (pull_request) Successful in 11s

Details

Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 14s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 13s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 22s

Details

CI / Canvas Deploy Reminder (pull_request) Has been skipped

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 17s

Details

Phase 2b+c port of molecule-controlplane PR#112 (SHA 0adf2098) to
molecule-core, per RFC internal#219 §4 (jobs ↔ protection drift) + §6
(audit env ↔ protection drift).

## What this adds

1. .gitea/workflows/ci-required-drift.yml — hourly cron (':17') +
   workflow_dispatch. AST-walks ci.yml, branch_protections, and
   audit-force-merge.yml's REQUIRED_CHECKS env. Files/updates a
   [ci-drift] issue idempotent by title when any pair diverges.

2. .gitea/scripts/ci-required-drift.py — verbatim from CP. PyYAML-based
   AST detector (NOT grep-by-name), per feedback_behavior_based_ast_gates.
   Five drift classes: F1, F1b, F2, F3a, F3b.

3. .gitea/workflows/audit-force-merge.yml — reconcile with CP's
   structure. Moves permissions: to workflow level, adds base.sha-
   pinning rationale, links to drift-detect, and updates REQUIRED_CHECKS
   to current branch_protections/main verbatim (2 contexts).

4. tests/test_ci_required_drift.py — 17 pytest cases, verbatim from CP.
   Stdlib + PyYAML only. Covers F1/F1b/F2/F3a/F3b, happy path, the
   idempotent-PATCH path, the MUST-FIX find_open_issue() raise-on-
   transient regression, the --dry-run flag, and api() error contracts.

## Adaptations from CP#112

- secrets.GITEA_TOKEN → secrets.SOP_TIER_CHECK_TOKEN (molecule-core's
  established read-only token name, used by sop-tier-check and
  audit-force-merge already).
- DRIFT_LABEL tier:high resolves to label id 9 on core (verified
  2026-05-11) vs id 10 on CP.
- REQUIRED_CHECKS env initialized to molecule-core's actual main
  protection set (2 contexts: Secret scan + sop-tier-check), not CP's
  (3 contexts incl. packer-ascii-gate + all-required).
- Comment block flags that the 'all-required' sentinel does NOT yet
  exist in molecule-core's ci.yml (RFC §4 Phase 4 adds it). Until
  then, the detector exits 3 with ::error:: 'sentinel job not found'.
  Verified locally: the workflow will be red on the cron until Phase 4
  lands — that's intentional + louder than a silent issue.

## Verification

- 17/17 pytest cases green locally (Python 3.13, PyYAML 6.0.3).
- Hostile self-review: removing the script makes all 17 tests ERROR
  with FileNotFoundError, confirming they exercise the actual
  implementation (not happy-path shape-matching).
- python3 -m py_compile + bash -n + yaml.safe_load all pass.
- Initial dry-run against real molecule-core ci.yml: exits 3 with
  ::error::sentinel job 'all-required' not found — expected, Phase 4
  will add it.

## What does NOT change

- audit-force-merge.sh is byte-identical to CP's — no change needed.
- No branch protection mutation (that's Phase 4, separate PR).
- No CI workflow restructuring (PR#372 already did that).

RFC: molecule-ai/internal#219
Source: molecule-controlplane@0adf2098 (PR #112)

2026-05-11 00:35:25 -07:00

1 Commits