fix(ci): drop slash from lint-no-tenant-gitea-token name (#307) #1593

Merged
devops-engineer merged 3 commits from fix/lint-workflow-yaml-slash-in-name into main 2026-05-20 07:58:36 +00:00
Member

Summary

The workflow name: field on .gitea/workflows/lint-no-tenant-gitea-token.yml
was Lint no tenant GITEA/GITHUB token write. The / between GITEA and
GITHUB trips lint-workflow-yaml Rule 3 (slash in workflow name breaks
the <workflow> / <job> (<event>) status-context tokenization that
sop-tier-check and status-reaper rely on).

Symptom (2026-05-20 aa375b1f): the fatal lint blocked
Production auto-deploy from running on publish-workspace-server-image,
forcing a manual redeploy-fleet curl. SOP path stays broken until
this name is fixed.

Fix: rename to Lint no tenant GITEA or GITHUB token write (the
linter docstring already names - and space as the supported
separators).

Verification (local)

  • Pre-fix: python3 .gitea/scripts/lint-workflow-yaml.py -> exit 1, Rule 3 FATAL on this file.
  • Post-fix: same command -> exit 0, "no fatal Gitea-1.22.6-hostile shapes".
  • python3 -m pytest tests/test_lint_workflow_yaml.py -v -> 27/27 pass.
  • CI run on this branch SHA: Lint workflow YAML for Gitea-1.22.6-hostile shapes -> Successful in 1m27s (the cure); Lint no tenant GITEA or GITHUB token write / Scan... -> Successful in 6s (renamed, still scans).

Scope discipline

Only the name: line changes. Workflow triggers, env, and the scan
job are untouched -- the human-readable display name is the entire diff.

Task

Closes task #307.

SOP-Checklist

  • Comprehensive testing performed: local repro of Rule 3 FATAL + post-fix re-run + full pytest suite (27/27); the CI on this SHA also re-ran the lint workflow against the diff and reported Success.
  • Local-postgres E2E run: N/A -- one-line workflow YAML rename, no database surface.
  • Staging-smoke verified or pending: scheduled post-merge -- once this lands, the next publish-workspace-server-image run will see the rule-3-clean workflow set and the Production auto-deploy job will fire automatically (the cured SOP path).
  • Root-cause not symptom: yes -- the / literal in the name: field IS the root cause; the linter was correctly flagging it. Fix removes the foot-gun at the source rather than allow-listing the file or relaxing the lint.
  • Five-Axis review walked:
    • Correctness: lint reproduces fail/pass deterministically; pytest covers the rule.
    • Readability: display name stays human-readable (GITEA or GITHUB).
    • Architecture: no structural change.
    • Security: no new surface; rename does not affect the scan-coverage of the workflow.
    • Performance: identical (display-name-only change).
  • No backwards-compat shim / dead code added: yes -- pure rename; no shims, no fallback, no dead code.
  • Memory/saved-feedback consulted: feedback_never_skip_ci (do not bypass lint, fix the source), feedback_gitea_status_enum_use_helper_not_raw_int (used mol_action_status when probing run state), feedback_image_promote_is_not_user_live (display-name change does not require image rebuild -- but the cured Production auto-deploy SOP path will not "go live" until the next workspace-server image publish picks up clean lint).

Devops-engineer persona via hongming-pc orchestrator (CTO-authorized 2026-05-20).

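The status-context tokenization that Rule 3 protects, as an added Python example that is not the project's lint-workflow-yaml.py: a model consumer that splits `<workflow> / <job> (<event>)` on `/` (an assumption about how the real consumer tokenizes) and a Rule-3-style check over a workflow's top-level `name:` line. The before/after YAML fragments are constructed to mirror the rename in this PR.

```python
"""Added example (not the project's own lint-workflow-yaml.py).

Models the "<workflow> / <job> (<event>)" status-context round trip that a
'/' inside a workflow name breaks, plus a Rule-3-style pre-merge check.
Assumptions: the consumer splits the context on '/', and the checker only
reads the top-level `name:` line with a regex (no PyYAML needed).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StatusContext:
    workflow: str
    job: str
    event: str


def render_context(workflow: str, job: str, event: str) -> str:
    """Build a status context the way the CI host displays it."""
    return f"{workflow} / {job} ({event})"


def tokenize_context(context: str) -> StatusContext:
    """Assumed consumer-side tokenizer: split on '/', then peel '(event)'.

    Raises ValueError when the split does not give exactly two parts,
    which is exactly what a '/' inside the workflow name causes.
    """
    parts = [p.strip() for p in context.split("/")]
    if len(parts) != 2:
        raise ValueError(f"expected 2 '/'-separated parts, got {len(parts)}: {context!r}")
    workflow, rest = parts
    m = re.fullmatch(r"(.+?) \(([^()]+)\)", rest)
    if not m:
        raise ValueError(f"missing '(event)' suffix in {rest!r}")
    return StatusContext(workflow, m.group(1), m.group(2))


def round_trips(workflow: str, job: str = "Scan", event: str = "pull_request") -> bool:
    """True when the workflow name survives render -> tokenize unchanged."""
    try:
        return tokenize_context(render_context(workflow, job, event)).workflow == workflow
    except ValueError:
        return False


# Only an unindented `name:` is the workflow name; job/step names are indented.
NAME_LINE = re.compile(r"^name:\s*(?P<name>.+?)\s*$", re.MULTILINE)


def lint_workflow_name(yaml_text: str) -> list[str]:
    """Rule-3-style check: a '/' in the workflow name cannot be tokenized."""
    m = NAME_LINE.search(yaml_text)
    if not m:
        return ["FATAL: no top-level name: field"]
    name = m.group("name").strip("'\"")
    if "/" in name:
        return [f"FATAL Rule 3: '/' in workflow name {name!r}; use '-' or space as separator"]
    return []


# Constructed fragments mirroring the before/after names in this PR.
BEFORE_YAML = "name: Lint no tenant GITEA/GITHUB token write\non: [pull_request]\n"
AFTER_YAML = "name: Lint no tenant GITEA or GITHUB token write\non: [pull_request]\n"

if __name__ == "__main__":
    for text in (BEFORE_YAML, AFTER_YAML):
        name = NAME_LINE.search(text).group("name")
        print(f"{name!r}: round-trips={round_trips(name)} findings={lint_workflow_name(text)}")
```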
devops-engineer added 1 commit 2026-05-20 07:38:47 +00:00
fix(ci): drop slash from lint-no-tenant-gitea-token name (task #307)
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 6s
Handlers Postgres Integration / detect-changes (pull_request) Failing after 3s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Has been skipped
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 6s
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 11s
E2E Chat / detect-changes (pull_request) Successful in 9s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 5s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
qa-review / approved (pull_request) Failing after 7s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 18s
CI / Platform (Go) (pull_request) Failing after 32s
security-review / approved (pull_request) Failing after 12s
CI / all-required (pull_request) Failing after 36s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 15s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 14s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 41s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 49s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 43s
E2E Chat / E2E Chat (pull_request) Successful in 22s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 50s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m27s
sop-checklist / review-refire (pull_request) Has been skipped
sop-checklist / na-declarations (pull_request) N/A: (none)
gate-check-v3 / gate-check (pull_request) Successful in 6s
sop-checklist / all-items-acked (pull_request) Successful in 5s
sop-tier-check / tier-check (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 6m27s
CI / Canvas (Next.js) (pull_request) Successful in 7m47s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
979064f90a
The workflow's `name:` field contained `GITEA/GITHUB`, which trips
`lint-workflow-yaml` Rule 3 (slash in workflow name breaks
`<workflow> / <job> (<event>)` status-context tokenization). On
2026-05-20 aa375b1f this fatal lint blocked the Production auto-deploy
job on `publish-workspace-server-image`, forcing a manual
`redeploy-fleet` curl.

Rename to "Lint no tenant GITEA or GITHUB token write" (the linter
already documents `-` or space as the supported separators).

Verification:
- Pre-fix: `python3 .gitea/scripts/lint-workflow-yaml.py` → exit 1,
  Rule 3 FATAL on lint-no-tenant-gitea-token.yml.
- Post-fix: same command → exit 0, 'no fatal Gitea-1.22.6-hostile
  shapes', and `pytest tests/test_lint_workflow_yaml.py` 27/27 pass.

Surface unchanged: workflow still triggers on the same pull_request
and push events; only the human-readable display name shifts.
devops-engineer added 1 commit 2026-05-20 07:43:02 +00:00
ci: empty commit to retrigger flaky runners (modules-cache miss)
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 9s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s
E2E API Smoke Test / detect-changes (pull_request) Successful in 9s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 10s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 12s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 8s
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
E2E Chat / detect-changes (pull_request) Successful in 24s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 13s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 9s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 14s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
gate-check-v3 / gate-check (pull_request) Successful in 5s
qa-review / approved (pull_request) Failing after 6s
security-review / approved (pull_request) Failing after 5s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Failing after 57s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 55s
sop-checklist / review-refire (pull_request) Has been skipped
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m0s
sop-checklist / na-declarations (pull_request) N/A: (none)
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m14s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
sop-checklist / all-items-acked (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 3s
sop-tier-check / tier-check (pull_request) Successful in 7s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s
E2E Chat / E2E Chat (pull_request) Successful in 4s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m35s
CI / Canvas (Next.js) (pull_request) Successful in 4m54s
CI / Platform (Go) (pull_request) Successful in 5m25s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / Python Lint & Test (pull_request) Successful in 7m33s
CI / all-required (pull_request) Successful in 7m41s
b8bf0646be
CI / Platform (Go), Handlers Postgres Integration / detect-changes,
and lint-required-context-exists-in-bp all hit:

  Error: Cannot find module '/var/run/act/actions/1c2355.../dist/index.js'

on the post-checkout step — an act_runner action-cache miss (the
action artifact tarball was evicted between resolve and post-step
execution). Empty commit per reference_empty_commit_is_only_rerun_mechanism_on_1_22_6
to re-fire the affected workflows.
devops-engineer added 1 commit 2026-05-20 07:47:22 +00:00
ci: add bp-exempt directive to renamed scan emission (#1593)
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 11s
E2E API Smoke Test / detect-changes (pull_request) Successful in 11s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 16s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 5s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 10s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 4s
E2E Chat / detect-changes (pull_request) Successful in 29s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 13s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 8s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 3s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 47s
gate-check-v3 / gate-check (pull_request) Successful in 4s
sop-checklist / all-items-acked (pull_request) Successful in 3s
sop-checklist / review-refire (pull_request) Has been skipped
sop-checklist / na-declarations (pull_request) N/A: (none)
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m8s
sop-tier-check / tier-check (pull_request) Successful in 5s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m23s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m5s
E2E Chat / E2E Chat (pull_request) Successful in 17s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m33s
qa-review / approved (pull_request) Refired via /qa-recheck by unknown
security-review / approved (pull_request) Refired via /security-recheck by unknown
CI / Platform (Go) (pull_request) Successful in 3m58s
CI / Canvas (Next.js) (pull_request) Successful in 5m7s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / Python Lint & Test (pull_request) Successful in 7m15s
CI / all-required (pull_request) Successful in 7m31s
audit-force-merge / audit (pull_request) Successful in 7s
def11782f4
The workflow-name rename in 979064f9 creates a new context emission
('Lint no tenant GITEA or GITHUB token write / Scan ...') that the
lint_required_context_exists_in_bp (Tier 2g) gate flags as
undeclared. The scan job is advisory (PR-review-driven, not
BP-required), so the directive is bp-exempt rather than bp-required:
pending.

Verified locally: re-running the gate script with BASE/HEAD now
exits 0 (no missing directives, no asymmetry).
core-qa approved these changes 2026-05-20 07:49:33 +00:00
core-qa left a comment
Member

APPROVE (core-qa review for QA test discipline gate + SOP-checklist acks)

Five-Axis review

Correctness: the rename is the minimal sufficient change. Reproduced locally:

  • pre-fix python3 .gitea/scripts/lint-workflow-yaml.py -> exit 1, Rule 3 FATAL on the file.
  • post-fix same command -> exit 0, 0 fatal violations.
  • pytest tests/test_lint_workflow_yaml.py -v -> 27/27 pass on the patched tree.
  • The CI run on this branch's HEAD shows Lint workflow YAML for Gitea-1.22.6-hostile shapes Successful (1m27s) -- the cured gate.

Readability: "Lint no tenant GITEA or GITHUB token write" preserves the original intent without obscuring the dual-host coverage; the bp-exempt comment block explains the rename's tail-end follow-up clearly.

Architecture: no structural change. Workflow triggers (pull_request, push:main,staging), env, and the scan job body are untouched.

Security: the lint surface continues scanning the same FORBIDDEN_KEYS + SURFACE_PATTERN. No coverage gap introduced.

Performance: none -- display-name-only change.

Bp-exempt directive

The bp-exempt directive carried in def11782 is the right calibration: the scan job's findings flow through PR review (the script's ::error:: annotations), not through BP. Tier 2g lint locally exits 0 with the directive present.

SOP acks

Acking all 7 items for this low-risk workflow-YAML rename:
/sop-ack 1
/sop-ack 2
/sop-ack 3
/sop-ack 4
/sop-ack 5
/sop-ack 6
/sop-ack 7

Approving as core-qa (member of qa + engineers teams) -- independent identity from devops-engineer (PR author).

core-security approved these changes 2026-05-20 07:49:52 +00:00
core-security left a comment
Member

APPROVE (core-security review for security-review gate)

Five-Axis review (security surface focus)

Correctness: rename is content-free for the lint scan -- forbidden-key matrix and surface-pattern set are unchanged. The scan logic in steps[*] is byte-identical pre/post.

Readability: "Lint no tenant GITEA or GITHUB token write" reads cleanly and the intent stays obvious; the or substitutes for / without ambiguity.

Architecture: no structural change; bp-exempt directive correctly maps the advisory nature of the lint (status-context tokenization fix, not a new gate).

Security: the lint's threat model is "no tenant workspace ever receives an operator-scope repo-host token," and the rename does not weaken any of:

  • FORBIDDEN_KEYS list (GITEA_TOKEN/GITEA_PAT/GITHUB_TOKEN/GITHUB_PAT/GH_TOKEN)
  • SURFACE_PATTERN coverage (workspace_secrets/global_secrets/seedAllowList/.../containerEnv/userData/provisionPayload/provisionContext)
  • EXEMPT_FILES allow-list (still narrow, RFC#523 L1 + persona-fallback + CP->platform auth only)

No new attack surface; the same Go sources are scanned with the same regex shape.

Performance: N/A -- pure rename.

Verification

  • Lint Rule 3 (slash-in-name) reproduces fail/pass deterministically on this diff (per feedback_verify_enum_by_source_not_inference).
  • CI on this branch HEAD shows the renamed Lint no tenant GITEA or GITHUB token write / Scan ... context Successful in 6s.
  • Tier 2g (lint_required_context_exists_in_bp) now exits 0 with the bp-exempt directive in def11782.

Approving as core-security (member of security + engineers teams) -- independent identity from devops-engineer (PR author).

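The lint's threat model described in the security review above, as an added Python example that is not the project's own scan script: FORBIDDEN_KEYS and the surface names are those the review lists, while the same-line regex shape, the `::error::` annotation format, the exempt path and the Go fragment are assumptions made for illustration.

```python
"""Added example, not the project's own scan script.

Models the "no tenant workspace ever receives an operator-scope repo-host
token" lint: flag a forbidden key literal written into a tenant surface.
Assumptions: a forbidden key (map key or "KEY=" env prefix) on the same line
as a surface identifier counts as a write; the exempt path is a placeholder.
"""
import re

FORBIDDEN_KEYS = ("GITEA_TOKEN", "GITEA_PAT", "GITHUB_TOKEN", "GITHUB_PAT", "GH_TOKEN")
SURFACE_NAMES = ("workspace_secrets", "global_secrets", "seedAllowList",
                 "containerEnv", "userData", "provisionPayload", "provisionContext")
# Assumed allow-list (placeholder path): files where repo-host auth is deliberate.
EXEMPT_FILES = frozenset({"internal/auth/cp_platform_auth.go"})

KEY_PATTERN = re.compile(r'"(' + "|".join(FORBIDDEN_KEYS) + r')(?:"|=)')
SURFACE_PATTERN = re.compile(r"\b(" + "|".join(SURFACE_NAMES) + r")\b")


def scan_source(path: str, text: str) -> list[str]:
    """Return one ::error:: annotation per forbidden-key write into a surface."""
    if path in EXEMPT_FILES:
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("//"):  # a comment cannot write a secret
            continue
        key, surface = KEY_PATTERN.search(line), SURFACE_PATTERN.search(line)
        if key and surface:
            findings.append(
                f"::error file={path},line={lineno}::{key.group(1)} "
                f"written into tenant surface {surface.group(1)}"
            )
    return findings


# Constructed Go fragment: two violations (lines 5 and 6), one clean surface
# write (userData), and one non-surface mention that must not be flagged.
SAMPLE_GO = '''package provision

func buildEnv(tok string) map[string]string {
\tworkspace_secrets := map[string]string{}
\tworkspace_secrets["GITEA_TOKEN"] = tok
\tcontainerEnv := []string{"GITHUB_TOKEN=" + tok}
\tuserData := map[string]string{"HOME": "/home/tenant"}
\tlog.Printf("GITEA_TOKEN configured: %v", tok != "")
\treturn workspace_secrets
}
'''

if __name__ == "__main__":
    for finding in scan_source("internal/provision/env.go", SAMPLE_GO):
        print(finding)
```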
Author
Member

/qa-recheck
/security-recheck
Author
Member

/qa-recheck
Author
Member

/security-recheck
devops-engineer merged commit 74ba88ff27 into main 2026-05-20 07:58:36 +00:00
3 Participants

Reference: molecule-ai/molecule-core#1593