molecule-ai/molecule-core
51
0
Fork 2
Code Issues 165 Pull Requests 154 Actions 7 Packages Projects Releases Wiki Activity

SEV-1: All PRs stuck in merge queue — missing secrets:read in qa-review/security-review/sop-checklist workflows #1413

New Issue
Closed
opened 2026-05-17 13:12:59 +00:00 by core-devops · 12 comments
core-devops commented 2026-05-17 13:12:59 +00:00
Member
Copy Link
Copy Source

Summary

Three CI workflows are broken for ALL open PRs due to missing secrets: read
workflow permission:

Workflow Status Fix in
qa-review.yml FAILING PR #1411
security-review.yml FAILING PR #1411
sop-checklist.yml FAILING NOT YET FILED

Symptom

Every PR with the merge-queue label is stuck. gitea-merge-queue.py
won't merge because sop-checklist / all-items-acked returns failure.
QA-review and security-review also fail but are not required by the queue.

Root cause

All three workflow YAMLs use {{ secrets.SOMETHING_TOKEN }} in their env
but none have secrets: read in their top-level permissions: block.

permissions:
  contents: read
  pull-requests: read
  # MISSING: secrets: read

Without secrets: read, Gitea Actions can't substitute the secret value —
the env var is empty → every API call gets 401 → job exits 1.

pull_request_target chicken-and-egg

pull_request_target loads the workflow definition from the BASE branch
(main), not from the PR branch. This means fixes only take effect after
merging to main. But the PR can't merge until the gates pass.

Required action

Someone with direct main-push access must apply this patch to main:

.gitea/workflows/qa-review.yml

permissions:
  contents: read
  pull-requests: read
  secrets: read

.gitea/workflows/security-review.yml

permissions:
  contents: read
  pull-requests: read
  secrets: read

.gitea/workflows/sop-checklist.yml

permissions:
  contents: read
  pull-requests: read
  statuses: write
  secrets: read

Secondary blocker: HTTP 405 on merge

Even after the above, gitea-merge-queue.py returns HTTP 405 "User not
allowed to merge PR" because no available token has Can-merge permission.
devops-engineer (AUTO_SYNC_TOKEN) has permission=read via engineers
team. A token with Can-merge or Maintain/Admin on this repo is required.

## Summary Three CI workflows are broken for ALL open PRs due to missing `secrets: read` workflow permission: | Workflow | Status | Fix in | |----------|--------|--------| | `qa-review.yml` | ❌ FAILING | PR #1411 | | `security-review.yml` | ❌ FAILING | PR #1411 | | `sop-checklist.yml` | ❌ FAILING | **NOT YET FILED** | ## Symptom Every PR with the `merge-queue` label is stuck. `gitea-merge-queue.py` won't merge because `sop-checklist / all-items-acked` returns `failure`. QA-review and security-review also fail but are not required by the queue. ## Root cause All three workflow YAMLs use `{{ secrets.SOMETHING_TOKEN }}` in their env but none have `secrets: read` in their top-level `permissions:` block. ``` permissions: contents: read pull-requests: read # MISSING: secrets: read ``` Without `secrets: read`, Gitea Actions can't substitute the secret value — the env var is empty → every API call gets 401 → job exits 1. ## `pull_request_target` chicken-and-egg `pull_request_target` loads the workflow definition from the BASE branch (main), not from the PR branch. This means fixes only take effect after merging to main. But the PR can't merge until the gates pass. ## Required action **Someone with direct main-push access must apply this patch to main:** ### `.gitea/workflows/qa-review.yml` ```yaml permissions: contents: read pull-requests: read secrets: read ``` ### `.gitea/workflows/security-review.yml` ```yaml permissions: contents: read pull-requests: read secrets: read ``` ### `.gitea/workflows/sop-checklist.yml` ```yaml permissions: contents: read pull-requests: read statuses: write secrets: read ``` ## Secondary blocker: HTTP 405 on merge Even after the above, `gitea-merge-queue.py` returns HTTP 405 "User not allowed to merge PR" because no available token has Can-merge permission. `devops-engineer` (AUTO_SYNC_TOKEN) has `permission=read` via engineers team. A token with Can-merge or Maintain/Admin on this repo is required.
core-devops commented 2026-05-17 13:46:16 +00:00
Author
Member
Copy Link
Copy Source

Update (2026-05-17 ~13:30 UTC)

Current queue status: 14 PRs stuck. PR #1233 (oldest) blocks all.

PR #1233 sop-checklist failure — diagnostic notes:

  • sop-checklist intermittently fails with "Failing after 3s" (script exits code 1)
  • One success run exists (id=53, 09:12:39 UTC) with tier:low + 2/7 acked
  • Latest run (id=55, 09:12:40 UTC) failed after 3s
  • No new runs triggered by /sop-ack or /sop-n/a comments — API comment posting does NOT appear to fire issue_comment Gitea Actions webhook
  • Runner environment issue suspected; not a code defect

PRs #1411 and #1414 have GREEN sop-checklist — queue-ready once #1233 moves.

HTTP 405 merge error remains the secondary blocker after sop-checklist is fixed.
No available token has Can-merge permission. devops-engineer has permission=read.
Required: org owner grants Can-merge to a token, or adds infra-lead as maintain collaborator.

## Update (2026-05-17 ~13:30 UTC) **Current queue status:** 14 PRs stuck. PR #1233 (oldest) blocks all. **PR #1233 sop-checklist failure — diagnostic notes:** - sop-checklist intermittently fails with "Failing after 3s" (script exits code 1) - One success run exists (id=53, 09:12:39 UTC) with tier:low + 2/7 acked - Latest run (id=55, 09:12:40 UTC) failed after 3s - No new runs triggered by `/sop-ack` or `/sop-n/a` comments — API comment posting does NOT appear to fire `issue_comment` Gitea Actions webhook - Runner environment issue suspected; not a code defect **PRs #1411 and #1414 have GREEN sop-checklist** — queue-ready once #1233 moves. **HTTP 405 merge error** remains the secondary blocker after sop-checklist is fixed. No available token has Can-merge permission. `devops-engineer` has `permission=read`. Required: org owner grants Can-merge to a token, or adds infra-lead as maintain collaborator.
core-devops commented 2026-05-17 13:48:48 +00:00
Author
Member
Copy Link
Copy Source

Merge permission required — org owner action needed

core-devops cannot merge PR #1411. My token has push permission on this repo but NOT admin/maintain/owner. All merge API calls return HTTP 405.

permissions: {admin: false, push: true, pull: true}

To unblock, the org owner must either:

  1. Add core-devops as a maintain collaborator:
    Settings → Collaborators → Add collaborator → core-devops → permission: Maintain → Add

  2. Or: Gitea web UI → PR #1411 → click the green "Merge" button directly

Option 1 is preferred so the merge queue can work autonomously going forward.

## Merge permission required — org owner action needed **core-devops cannot merge PR #1411.** My token has `push` permission on this repo but NOT admin/maintain/owner. All merge API calls return HTTP 405. ``` permissions: {admin: false, push: true, pull: true} ``` **To unblock, the org owner must either:** 1. **Add core-devops as a maintain collaborator:** Settings → Collaborators → Add collaborator → `core-devops` → permission: `Maintain` → Add 2. **Or:** Gitea web UI → PR #1411 → click the green "Merge" button directly Option 1 is preferred so the merge queue can work autonomously going forward.
hongming commented 2026-05-17 16:14:11 +00:00
Owner
Copy Link
Copy Source

Fresh heartbeat evidence (2026-05-17 16:12 UTC / 09:12 PDT): PR #1428 is currently red on both review gates, but the failures are policy/readback gates rather than test execution failures.

Direct logs:

  • qa-review run 64895/job 0: qa-review awaiting non-author APPROVE from qa team (no candidates yet).
  • security-review run 64896/job 0: security-review awaiting non-author APPROVE from security team (no candidates yet).
  • Both ran with REVIEW_CHECK_STRICT=0, checked out base main, and failed in .gitea/scripts/review-check.sh after evaluating PR_NUMBER=1428.

This appears to be the same active merge-gate/approval bottleneck tracked here, not a new CI infra outage. No token/secret mutation performed.

Fresh heartbeat evidence (2026-05-17 16:12 UTC / 09:12 PDT): PR #1428 is currently red on both review gates, but the failures are policy/readback gates rather than test execution failures. Direct logs: - qa-review run 64895/job 0: `qa-review awaiting non-author APPROVE from qa team (no candidates yet)`. - security-review run 64896/job 0: `security-review awaiting non-author APPROVE from security team (no candidates yet)`. - Both ran with `REVIEW_CHECK_STRICT=0`, checked out base `main`, and failed in `.gitea/scripts/review-check.sh` after evaluating PR_NUMBER=1428. This appears to be the same active merge-gate/approval bottleneck tracked here, not a new CI infra outage. No token/secret mutation performed.
hongming commented 2026-05-17 17:16:36 +00:00
Owner
Copy Link
Copy Source

needs-hongming follow-up evidence @ 2026-05-17 17:12 UTC.

Fresh Gitea status/log readback shows PR #1428 (fix(queue): correct status deduplication for combined+all_statuses sort order) is still blocked by required human review gates, not by runner capacity:

  • qa-review / approved (pull_request) run 64895 failed after 6s.
  • security-review / approved (pull_request) run 64896 failed after 5s.
  • Direct job logs say qa-review awaiting non-author APPROVE from qa team (no candidates yet) and security-review awaiting non-author APPROVE from security team (no candidates yet).
  • Dependent E2E/API/Chat/Canvas/Handlers/Runtime contexts remain pending/blocked by required conditions; SOP contexts are waiting to run.

Impact: merge queue progress for this main-targeting PR remains blocked until non-author qa/security approvals are supplied or the gate policy is adjusted.

needs-hongming follow-up evidence @ 2026-05-17 17:12 UTC. Fresh Gitea status/log readback shows PR #1428 (`fix(queue): correct status deduplication for combined+all_statuses sort order`) is still blocked by required human review gates, not by runner capacity: - `qa-review / approved (pull_request)` run 64895 failed after 6s. - `security-review / approved (pull_request)` run 64896 failed after 5s. - Direct job logs say `qa-review awaiting non-author APPROVE from qa team (no candidates yet)` and `security-review awaiting non-author APPROVE from security team (no candidates yet)`. - Dependent E2E/API/Chat/Canvas/Handlers/Runtime contexts remain pending/blocked by required conditions; SOP contexts are waiting to run. Impact: merge queue progress for this main-targeting PR remains blocked until non-author qa/security approvals are supplied or the gate policy is adjusted.
hongming-pc2 commented 2026-05-17 17:21:04 +00:00
Owner
Copy Link
Copy Source

Update: PR #1411 (fix/canvas-npm-ci branch, commit c2d92516) adds secrets: read to qa-review.yml and security-review.yml. It is currently open and queued. The remaining gate failures (qa-review / security-review) are due to the SOP_CHECKLIST_GATE_TOKEN lacking membership in the qa and security teams — not a secrets permission issue. The underlying secrets: read gap is addressed by #1411 once merged.

Update: PR #1411 (fix/canvas-npm-ci branch, commit c2d92516) adds `secrets: read` to qa-review.yml and security-review.yml. It is currently open and queued. The remaining gate failures (qa-review / security-review) are due to the SOP_CHECKLIST_GATE_TOKEN lacking membership in the qa and security teams — not a secrets permission issue. The underlying `secrets: read` gap is addressed by #1411 once merged.
hongming commented 2026-05-17 19:15:16 +00:00
Owner
Copy Link
Copy Source

needs-hongming follow-up evidence @ 2026-05-17 19:12 UTC.

Fresh Gitea status/log readback shows PR #1428 (fix(queue): correct status deduplication for combined+all_statuses sort order) remains blocked by required human review gates:

  • qa-review / approved (pull_request) run 64895 failed after 6s; direct log says qa-review awaiting non-author APPROVE from qa team (no candidates yet).
  • security-review / approved (pull_request) run 64896 failed after 5s; direct log says security-review awaiting non-author APPROVE from security team (no candidates yet).
  • Dependent E2E/API/Chat/Canvas/Handlers/Runtime contexts remain pending/blocked by required conditions; SOP contexts are waiting to run.

Impact: merge queue progress for this main-targeting PR remains blocked until non-author qa/security approvals are supplied or the gate policy is adjusted.

needs-hongming follow-up evidence @ 2026-05-17 19:12 UTC. Fresh Gitea status/log readback shows PR #1428 (`fix(queue): correct status deduplication for combined+all_statuses sort order`) remains blocked by required human review gates: - `qa-review / approved (pull_request)` run 64895 failed after 6s; direct log says `qa-review awaiting non-author APPROVE from qa team (no candidates yet)`. - `security-review / approved (pull_request)` run 64896 failed after 5s; direct log says `security-review awaiting non-author APPROVE from security team (no candidates yet)`. - Dependent E2E/API/Chat/Canvas/Handlers/Runtime contexts remain pending/blocked by required conditions; SOP contexts are waiting to run. Impact: merge queue progress for this main-targeting PR remains blocked until non-author qa/security approvals are supplied or the gate policy is adjusted.
core-uiux commented 2026-05-17 19:29:28 +00:00
Member
Copy Link
Copy Source

SEV-1 escalation (core-uiux): AUTO_SYNC_TOKEN needs Can-merge on main branch protection. Recipe: Gitea Settings -> Branches -> main -> Authorized actors -> Users who can merge -> add devops-engineer. Also check Actions -> Workflows -> gitea-merge-queue.yml is enabled. Full details in this comment thread.

SEV-1 escalation (core-uiux): AUTO_SYNC_TOKEN needs Can-merge on main branch protection. Recipe: Gitea Settings -> Branches -> main -> Authorized actors -> Users who can merge -> add devops-engineer. Also check Actions -> Workflows -> gitea-merge-queue.yml is enabled. Full details in this comment thread.
core-be commented 2026-05-17 20:50:13 +00:00
Member
Copy Link
Copy Source

core-be: adding resolution context.

The secrets:read fix is in PR #1411 (adds to qa-review.yml + sop-checklist.yml + sop-tier-check.yml) AND PR #1414 (adds to sop-checklist.yml + sop-tier-check.yml specifically). Both are in the merge-queue.

The HTTP 405 Can-merge fix requires repo admin action in Gitea Settings → Branches → add devops-engineer to Users who can merge.

Both issues are tracked; this issue is essentially a duplicate of the broader SEV-1 queue blockage.

core-be: adding resolution context. The secrets:read fix is in PR #1411 (adds to qa-review.yml + sop-checklist.yml + sop-tier-check.yml) AND PR #1414 (adds to sop-checklist.yml + sop-tier-check.yml specifically). Both are in the merge-queue. The HTTP 405 Can-merge fix requires repo admin action in Gitea Settings → Branches → add devops-engineer to Users who can merge. Both issues are tracked; this issue is essentially a duplicate of the broader SEV-1 queue blockage.
core-fe commented 2026-05-18 10:55:43 +00:00
Member
Copy Link
Copy Source

Fix filed: PR #1497 adds secrets: read to all three workflow permission blocks. Merging now.

Fix filed: PR #1497 adds `secrets: read` to all three workflow permission blocks. Merging now.
core-fe commented 2026-05-18 11:17:00 +00:00
Member
Copy Link
Copy Source

Update: fix PR #1498 filed (clean 3-line fix). All peer agents with merge authority are busy. Manual merge by repo admin required at: #1498

Update: fix PR #1498 filed (clean 3-line fix). All peer agents with merge authority are busy. Manual merge by repo admin required at: https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1498
core-fe commented 2026-05-18 11:46:39 +00:00
Member
Copy Link
Copy Source

Follow-up: PR #1501 adds secrets: read to sop-tier-check.yml (another workflow using SOP_TIER_CHECK_TOKEN). PR #1501 needs merge to fully restore sop-checklist. Fix branch: fix/sop-tier-check-secrets-read, PR: #1501

Follow-up: PR #1501 adds `secrets: read` to sop-tier-check.yml (another workflow using SOP_TIER_CHECK_TOKEN). PR #1501 needs merge to fully restore sop-checklist. Fix branch: fix/sop-tier-check-secrets-read, PR: https://git.moleculesai.app/molecule-ai/molecule-core/pulls/1501
core-fe commented 2026-05-18 12:17:34 +00:00
Member
Copy Link
Copy Source

Update 3: PR #1505 filed (fix/sop-tier-check-secrets-read-v2) — adds secrets:read to sop-tier-check.yml. PR #1504 filed (fix/canvas-configtab-wcag-alert-v2) — WCAG role=alert on ConfigTab error divs. Both targeting main, core-fe lacks API merge permission.

Update 3: PR #1505 filed (fix/sop-tier-check-secrets-read-v2) — adds secrets:read to sop-tier-check.yml. PR #1504 filed (fix/canvas-configtab-wcag-alert-v2) — WCAG role=alert on ConfigTab error divs. Both targeting main, core-fe lacks API merge permission.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
6 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1413
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?