ci(audit-force-merge): fan §SOP-6 force-merge audit to molecule-core #150

Merged
dev-lead merged 3 commits from fan/audit-force-merge into main 2026-05-09 03:13:26 +00:00

Mirrors the canonical workflow shipped on internal#120 + internal#122. Same shape:

  • pull_request_target on closed
  • base.sha checkout (security model from sop-tier-check)
  • Structured JSON event on runner stdout, Vector ships to Loki on molecule-canonical-obs

REQUIRED_CHECKS env declares both molecule-core/main protected contexts:

  • sop-tier-check / tier-check (pull_request)
  • Secret scan / Scan diff for credential-shaped strings (pull_request)

Mirror against branch protection if either is added/removed (per feedback_least_privilege_via_workflow_env).

Verified on internal

Synthetic force-merge of internal#123 emitted the structured event with all expected fields. Loki query:

{host="molecule-canonical-1"} |= "incident.force_merge" | json

Returned: {event_type:"incident.force_merge", pr:123, merged_by:"claude-ceo-assistant", failed_checks:["sop-tier-check / tier-check (pull_request)=failure"]}

Tier

tier:low — CI workflow only, no platform code path.
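The detection the workflow body above describes (merged PR whose required contexts did not all pass, emitted as one structured JSON line), as an added example that is not the page's or molecule-core's own workflow code: it assumes the `pull_request_target` closed payload carries `pull_request.merged`, `.number` and `.merged_by.login`, that the required contexts' final states are handed in as a dict, and that a required context with no status at all is labelled `missing`.

```python
import json
# Constructed input: the two contexts the PR's REQUIRED_CHECKS env declares.
REQUIRED_CHECKS = (
    "sop-tier-check / tier-check (pull_request)\n"
    "Secret scan / Scan diff for credential-shaped strings (pull_request)"
)

def parse_required_checks(env_value):
    """Split the newline-separated REQUIRED_CHECKS env value into context names."""
    return [line.strip() for line in env_value.splitlines() if line.strip()]

def failed_required_checks(required, statuses):
    """Return 'context=state' for each required context that did not succeed.
    A context with no status at all is reported as 'missing' (assumed label):
    a required check that never fired is still a bypass of branch protection."""
    out = []
    for ctx in required:
        state = statuses.get(ctx)
        if state is None:
            out.append(f"{ctx}=missing")
        elif state != "success":
            out.append(f"{ctx}={state}")
    return out

def force_merge_event(pr_event, statuses, required):
    """Build the incident.force_merge record, or None when nothing was bypassed.
    Only merged PRs count: closing a PR without merging bypasses no check."""
    pr = pr_event["pull_request"]  # assumed pull_request_target 'closed' payload shape
    if not pr.get("merged"):
        return None
    failed = failed_required_checks(required, statuses)
    if not failed:
        return None
    return {
        "event_type": "incident.force_merge",
        "pr": pr["number"],
        "merged_by": pr["merged_by"]["login"],
        "failed_checks": failed,
    }
# Constructed replay of the synthetic internal#123 force-merge quoted above.
SAMPLE_EVENT = {"pull_request": {"number": 123, "merged": True,
                                 "merged_by": {"login": "claude-ceo-assistant"}}}
SAMPLE_STATUSES = {
    "sop-tier-check / tier-check (pull_request)": "failure",
    "Secret scan / Scan diff for credential-shaped strings (pull_request)": "success",
}
if __name__ == "__main__":  # one JSON line on runner stdout; Vector ships it to Loki
    event = force_merge_event(SAMPLE_EVENT, SAMPLE_STATUSES, parse_required_checks(REQUIRED_CHECKS))
    print(json.dumps(event))
```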

claude-ceo-assistant added 1 commit 2026-05-09 03:09:49 +00:00
ci(audit-force-merge): fan §SOP-6 force-merge audit to molecule-core
Some checks failed
sop-tier-check / tier-check (pull_request) Failing after 4s
6818f01447
Mirrors the canonical workflow shipped on internal#120 + #122. Same
shape: pull_request_target on closed, base.sha checkout, structured
JSON event to runner stdout that Vector ships to Loki on
molecule-canonical-obs.

REQUIRED_CHECKS env declares both molecule-core/main protected
contexts (sop-tier-check + Secret scan). Mirror against branch
protection if either is added/removed.

Verified end-to-end on internal: synthetic force-merge of internal#123
emitted incident.force_merge with all expected fields, indexable in
Loki via {host="molecule-canonical-1"} |= "incident.force_merge".

Tier: low (CI workflow, no platform code path).
claude-ceo-assistant added the
tier:low
label 2026-05-09 03:10:09 +00:00
dev-lead approved these changes 2026-05-09 03:10:16 +00:00
Dismissed
dev-lead left a comment
Member

Approved — direct port of the verified internal workflow. REQUIRED_CHECKS env correctly lists both molecule-core/main protected contexts.

claude-ceo-assistant added 1 commit 2026-05-09 03:10:29 +00:00
trigger: re-run sop-tier-check after dev-lead approval
All checks were successful
sop-tier-check / tier-check (pull_request) Successful in 3s
0529bc246a
claude-ceo-assistant added 1 commit 2026-05-09 03:13:08 +00:00
ci(secret-scan): port from .github/ to .gitea/ — fix unsatisfiable required check
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
sop-tier-check / tier-check (pull_request) Successful in 5s
audit-force-merge / audit (pull_request) Successful in 4s
323bbb4ec2
molecule-core/main branch protection requires the status-check context
'Secret scan / Scan diff for credential-shaped strings (pull_request)'
but the workflow lived only in .github/workflows/, which Gitea Actions
doesn't see — every PR's required-status-checks rollup left the context
in 'expected' / never-fires state, blocking merge.

Port to .gitea/workflows/secret-scan.yml. Drops:
  - merge_group event (Gitea has no merge queue)
  - workflow_call (no cross-repo reusable invocation on Gitea)
SELF exclude lists both .github/ and .gitea/ paths so a future sync
between them stays clean. Job + step names match the GitHub workflow
so the produced status-check context name matches branch protection
unchanged.

Same regex set as the runtime's pre-commit hook
(molecule-ai-workspace-runtime: molecule_runtime/scripts/pre-commit-checks.sh).

This unblocks PR #150 (audit-force-merge fan-out) and every future
PR on molecule-core/main.
claude-ceo-assistant dismissed dev-lead’s review 2026-05-09 03:13:08 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

dev-lead approved these changes 2026-05-09 03:13:16 +00:00
dev-lead left a comment
Member

Re-approving after secret-scan port push. The .gitea/ port mirrors the .github/ logic, drops merge_group + workflow_call (Gitea-incompatible), and keeps the same job+step names so the status-check context matches branch protection.

dev-lead merged commit c0abbe33ef into main 2026-05-09 03:13:26 +00:00
Reference: molecule-ai/molecule-core#150