[ci-drift] molecule-ai/molecule-core/main: required-checks divergence detected #1123

Closed
opened 2026-05-15 04:20:56 +00:00 by mc-drift-bot · 3 comments
Owner

Drift detected on molecule-ai/molecule-core/main

Auto-filed by .gitea/workflows/ci-required-drift.yml (RFC internal#219 §4 + §6).

Findings

F1 — jobs in ci.yml NOT under sentinel needs: (sentinel doesn't gate them):

  • canvas-build
  • canvas-deploy-reminder
  • changes
  • platform-build
  • python-lint
  • shellcheck

Resolution

  • F1 / F1b: add the missing job to all-required.needs: in .gitea/workflows/ci.yml, or remove the stale entry.
  • F2: rename the protection context to match an emitter, or remove it from status_check_contexts (PATCH /api/v1/repos/{owner}/{repo}/branch_protections/{branch}).
  • F3a / F3b: bring REQUIRED_CHECKS env in .gitea/workflows/audit-force-merge.yml into set-equality with status_check_contexts (single PR, both files).

Debug

{
  "audit_env_checks": [
    "CI / all-required (pull_request)",
    "sop-checklist / all-items-acked (pull_request)"
  ],
  "branch": "main",
  "ci_jobs": [
    "canvas-build",
    "canvas-deploy-reminder",
    "changes",
    "platform-build",
    "python-lint",
    "shellcheck"
  ],
  "expected_contexts": [
    "ci / all-required (pull_request)",
    "ci / canvas-build (pull_request)",
    "ci / canvas-deploy-reminder (pull_request)",
    "ci / changes (pull_request)",
    "ci / platform-build (pull_request)",
    "ci / python-lint (pull_request)",
    "ci / shellcheck (pull_request)"
  ],
  "protection_contexts": [
    "CI / all-required (pull_request)",
    "sop-checklist / all-items-acked (pull_request)"
  ],
  "sentinel_needs": []
}

This issue is idempotent: drift-detect runs hourly at :17 and edits this body in place. Close the issue once the drift is fixed; the next hourly run will reopen if drift returns.

mc-drift-bot added the tier:high label 2026-05-15 04:21:19 +00:00

[triage-operator] ci-drift on main detected (same F1: canvas-build, platform-build, etc. not under all-required.needs). tier:high applied. Note: PR #1116 (golangci-lint timeout + ci-drift fix) was closed without merge. A replacement PR is needed.

Member

core-devops: F1 is a false positive

This issue can be closed. The all-required sentinel intentionally has no needs: because Gitea 1.22/act_runner can mark a job-level if: always() + needs: sentinel as "skipped" before upstream jobs settle, leaving branch protection with a permanent pending context.

Instead, all-required uses inline polling (lines 579-600 of .gitea/workflows/ci.yml): it fetches commit statuses via the API and fails if any required context fails or never emits. This achieves the same gating effect without the needs: dependency.

The drift detector flags F1 because it walks all-required.needs: and finds nothing — but nothing should be there. The sentinel's hardcoded required = [...] list (lines 594-600) is the canonical list of required checks for the polling path.

No action needed. Close this issue.

Member

Closing as false positive

sentinel_needs: [] is intentional design, not drift. The all-required sentinel deliberately avoids needs: because Gitea 1.22/act_runner marks job-level if: always() + needs: sentinels as skipped before upstream jobs settle, leaving branch protection with a permanent pending context. Instead, all-required polls commit statuses directly (lines 586-600 of ci.yml) and evaluates required checks dynamically.

The drift script's F1 finding (canvas-build/platform-build/etc. not in needs:) is correct but not actionable — those jobs are correctly excluded from needs: for the reason above. They ARE in the all-required poll list and would be caught if they failed.

Main is fully green with all checks passing. No drift to fix.
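The polling gate described in the two comments above (fail if a required context fails or never emits), sketched as an added example; it is not the project's `ci.yml` code. The status fields `id`, `context` and `status`, the `deadline_passed` flag and the contents of `REQUIRED` are assumptions, with context names borrowed from the Debug output.

```python
# Added example: verdict for a polling sentinel (not the project's ci.yml code).
# Assumed status shape: {"id", "context", "status"}; higher id = newer.
FAILING = {"failure", "error"}

# Constructed required list, reusing context names from the Debug output above.
REQUIRED = [
    "ci / canvas-build (pull_request)",
    "ci / platform-build (pull_request)",
    "ci / python-lint (pull_request)",
    "ci / shellcheck (pull_request)",
]

def latest_by_context(statuses):
    """Re-runs emit several statuses per context; keep only the newest."""
    latest = {}
    for s in sorted(statuses, key=lambda s: s["id"]):
        latest[s["context"]] = s["status"]
    return latest

def sentinel_verdict(required, statuses, deadline_passed):
    """Return (verdict, contexts) where verdict is success/failure/pending."""
    latest = latest_by_context(statuses)
    failed = sorted(c for c in required if latest.get(c) in FAILING)
    if failed:
        return "failure", failed            # a required check failed
    unsettled = sorted(c for c in required if latest.get(c) != "success")
    if not unsettled:
        return "success", []
    # Pending or never emitted: keep polling, but fail closed at the deadline
    # so a context that never reports cannot leave the gate open.
    return ("failure" if deadline_passed else "pending"), unsettled

# Constructed sample: python-lint failed then passed on re-run; shellcheck
# has not emitted any status yet.
SAMPLE = [
    {"id": 1, "context": "ci / canvas-build (pull_request)", "status": "success"},
    {"id": 2, "context": "ci / python-lint (pull_request)", "status": "failure"},
    {"id": 3, "context": "ci / platform-build (pull_request)", "status": "success"},
    {"id": 4, "context": "ci / python-lint (pull_request)", "status": "success"},
]

if __name__ == "__main__":
    print(sentinel_verdict(REQUIRED, SAMPLE, deadline_passed=False))
    print(sentinel_verdict(REQUIRED, SAMPLE, deadline_passed=True))
```

A drift detector that only walks `needs:` cannot see a list like `REQUIRED`, which is why a polling sentinel shows up as F1 even when every job is gated.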
