[ci-drift] molecule-ai/molecule-core/main: required-checks divergence detected #1533

Closed
opened 2026-05-18 22:18:15 +00:00 by mc-drift-bot · 1 comment
Owner

Drift detected on molecule-ai/molecule-core/main

Auto-filed by .gitea/workflows/ci-required-drift.yml (RFC internal#219 §4 + §6).

Findings

F1 — jobs in ci.yml NOT under sentinel needs: (sentinel doesn't gate them):

  • canvas-build
  • changes
  • platform-build
  • python-lint
  • shellcheck

F3a — audit-force-merge.yml REQUIRED_CHECKS env has contexts NOT in branch_protections/main.status_check_contexts (audit would flag non-force-merges as force):

  • sop-checklist / all-items-acked (pull_request)

Resolution

  • F1 / F1b: add the missing job to all-required.needs: in .gitea/workflows/ci.yml, or remove the stale entry.
  • F2: rename the protection context to match an emitter, or remove it from status_check_contexts (PATCH /api/v1/repos/{owner}/{repo}/branch_protections/{branch}).
  • F3a / F3b: bring REQUIRED_CHECKS env in .gitea/workflows/audit-force-merge.yml into set-equality with status_check_contexts (single PR, both files).

Debug

{
  "audit_env_checks": [
    "CI / all-required (pull_request)",
    "sop-checklist / all-items-acked (pull_request)"
  ],
  "branch": "main",
  "ci_jobs": [
    "canvas-build",
    "changes",
    "platform-build",
    "python-lint",
    "shellcheck"
  ],
  "expected_contexts": [
    "ci / all-required (pull_request)",
    "ci / canvas-build (pull_request)",
    "ci / changes (pull_request)",
    "ci / platform-build (pull_request)",
    "ci / python-lint (pull_request)",
    "ci / shellcheck (pull_request)"
  ],
  "protection_contexts": [
    "CI / all-required (pull_request)"
  ],
  "sentinel_needs": []
}

This issue is idempotent: drift-detect runs hourly at :17 and edits this body in place. Close the issue once the drift is fixed; the next hourly run will reopen if drift returns.

mc-drift-bot added the tier:high label 2026-05-18 22:18:15 +00:00
Member

RCA — root cause

The open main-branch drift body is stale relative to the current detector and workflow contract. all-required now deliberately has no needs: and .gitea/scripts/ci-required-drift.py suppresses F1 when needs is empty; the current blocker is that the detector cannot read branch protection with this token, so the issue cannot self-refresh/close accurately.

Evidence

  • .gitea/workflows/ci.yml:474 — documents that all-required deliberately has no needs:.
  • .gitea/scripts/ci-required-drift.py:388 — post-#1766 contract says empty needs: may be intentional.
  • .gitea/scripts/ci-required-drift.py:393 — F1 is only emitted when missing_from_needs and needs.
  • Dry-run on current main returned HTTP 403 for /branch_protections/main, so protection drift was not actually determined.

Suggested fix

Treat this as a drift-bot scope/stale-issue cleanup, not a ci.yml wiring bug. Give the drift detector token the branch-protection read scope it needs, rerun .gitea/workflows/ci-required-drift.yml, and then close or let the bot update #1533 based on fresh branch-protection data.

Confidence

High — current code intentionally suppresses the F1 condition shown in this issue body; the only unverified piece is actual branch-protection state because the API read returns 403.

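The two rules discussed in this thread, as an added example that is not part of the issue, the comment, or the project's `.gitea/scripts/ci-required-drift.py`: F1 is emitted only when `needs` is non-empty, and an unreadable branch protection (the HTTP 403) is reported as undetermined rather than compared as an empty set. The function name `find_drift`, the use of `None` for a failed read, and the reading of F3b as the reverse of F3a are assumptions.

```python
# Added sketch; not the project's .gitea/scripts/ci-required-drift.py.
# Inputs copied from the Debug block of the issue body.
DEBUG = {
    "ci_jobs": ["canvas-build", "changes", "platform-build", "python-lint", "shellcheck"],
    "sentinel_needs": [],
    "audit_env_checks": [
        "CI / all-required (pull_request)",
        "sop-checklist / all-items-acked (pull_request)",
    ],
    "protection_contexts": ["CI / all-required (pull_request)"],
}


def find_drift(ci_jobs, sentinel_needs, audit_env_checks, protection_contexts):
    """Return {finding: sorted contexts}. A value of None means "not determined"."""
    findings = {}
    needs = set(sentinel_needs)
    missing_from_needs = set(ci_jobs) - needs
    # Rule quoted in the RCA: F1 only when `missing_from_needs and needs`,
    # because an empty needs: may be intentional.
    if missing_from_needs and needs:
        findings["F1"] = sorted(missing_from_needs)

    # A failed branch-protection read (the HTTP 403 in the RCA) is passed in as
    # None. Report it as undetermined instead of comparing against an empty set,
    # which would flag every audit context as F3a and could hide F3b drift.
    if protection_contexts is None:
        findings["F3a"] = findings["F3b"] = None
        return findings

    audit, protected = set(audit_env_checks), set(protection_contexts)
    if audit - protected:
        findings["F3a"] = sorted(audit - protected)
    # Assumption: F3b is the reverse direction of F3a.
    if protected - audit:
        findings["F3b"] = sorted(protected - audit)
    return findings


if __name__ == "__main__":
    print(find_drift(**DEBUG))
    print(find_drift(**{**DEBUG, "protection_contexts": None}))
```
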
Reference: molecule-ai/molecule-core#1533