[ci-drift] molecule-ai/molecule-core/main: required-checks divergence detected #1738

Closed
opened 2026-05-23 20:24:04 +00:00 by mc-drift-bot · 1 comment
Owner

Drift detected on molecule-ai/molecule-core/main

Auto-filed by .gitea/workflows/ci-required-drift.yml (RFC internal#219 §4 + §6).

Findings

F3a — audit-force-merge.yml REQUIRED_CHECKS env has contexts NOT in branch_protections/main.status_check_contexts (audit would flag non-force-merges as force):

  • sop-checklist / all-items-acked (pull_request)

F3b — branch_protections/main.status_check_contexts has contexts NOT in audit-force-merge.yml REQUIRED_CHECKS env (real force-merges would be missed):

  • E2E API Smoke Test / E2E API Smoke Test (pull_request)
  • Handlers Postgres Integration / Handlers Postgres Integration (pull_request)

Resolution

  • F1 / F1b: if the sentinel job has a needs: block, add the missing job to it in .gitea/workflows/ci.yml, or remove the stale entry. If the sentinel deliberately has no needs: (path-aware polling sentinel per post-#1766 contract), this finding is expected and F1 is skipped.
  • F2: rename the protection context to match an emitter, or remove it from status_check_contexts (PATCH /api/v1/repos/{owner}/{repo}/branch_protections/{branch}).
  • F3a / F3b: bring REQUIRED_CHECKS env in .gitea/workflows/audit-force-merge.yml into set-equality with status_check_contexts (single PR, both files).

Debug

{
  "audit_env_checks": [
    "CI / all-required (pull_request)",
    "sop-checklist / all-items-acked (pull_request)"
  ],
  "branch": "main",
  "ci_jobs": [
    "canvas-build",
    "changes",
    "platform-build",
    "python-lint",
    "shellcheck"
  ],
  "expected_contexts": [
    "ci / all-required (pull_request)",
    "ci / canvas-build (pull_request)",
    "ci / changes (pull_request)",
    "ci / platform-build (pull_request)",
    "ci / python-lint (pull_request)",
    "ci / shellcheck (pull_request)"
  ],
  "protection_contexts": [
    "CI / all-required (pull_request)",
    "E2E API Smoke Test / E2E API Smoke Test (pull_request)",
    "Handlers Postgres Integration / Handlers Postgres Integration (pull_request)"
  ],
  "sentinel_needs": []
}

This issue is idempotent: drift-detect runs hourly at :17 and edits this body in place. Close the issue once the drift is fixed; the next hourly run will reopen if drift returns.

mc-drift-bot added the tier:high label 2026-05-23 20:24:05 +00:00
Member

MECHANISM: #1738 combines one stale detector assumption with one real drift. The F1 finding is now a false positive: .gitea/workflows/ci.yml deliberately removed all-required.needs and made the sentinel independently poll path-relevant statuses on the ci-meta lane, because Gitea/act_runner can leave a needs-based sentinel skipped or pending before upstream jobs settle. ci-required-drift.py still assumes every CI job must appear under all-required.needs, so it flags changes, platform-build, canvas-build, shellcheck, and python-lint even though ci.yml now gates them through runtime status polling. The real remaining main-branch drift is F3: audit-force-merge.yml and branch_protections/main.status_check_contexts are not set-equal.

EVIDENCE: .gitea/workflows/ci.yml:474-483 explicitly states all-required has no needs and polls required commit-status contexts instead. .gitea/workflows/ci.yml:534-543 builds the required context set dynamically from detect-changes outputs. .gitea/scripts/ci-required-drift.py:386-392 still computes F1 as jobs - needs, which necessarily fails when the sentinel intentionally has no needs. The #1738 debug body shows branch protection requires CI / all-required, E2E API Smoke Test, and Handlers Postgres Integration, while audit-force-merge.yml:55-57 lists only CI / all-required and sop-checklist / all-items-acked.

RECOMMENDED FIX SHAPE: Update .gitea/scripts/ci-required-drift.py to understand the post-#1766 polling sentinel: validate that all-required polls the canonical required contexts/path-detector outputs instead of requiring needs: membership. Separately, align .gitea/workflows/audit-force-merge.yml REQUIRED_CHECKS with main branch protection: either add the E2E/API + Handlers contexts to the audit env, or remove those contexts from branch protection if CI / all-required is the sole authoritative umbrella. Do not reintroduce needs: just to satisfy F1; that would re-open the skipped/pending sentinel class.
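The F3a/F3b set-equality check and what each direction of drift does to the force-merge audit, as an added example (not the project's ci-required-drift.py or audit-force-merge.yml). It uses the field names from the debug body above; the rule that a merge counts as forced when any required context lacks a success status is an assumption, and the two merge records are constructed.

```python
import json

# Debug payload copied from the issue body (trimmed to the fields used here).
DEBUG = json.loads("""
{
  "audit_env_checks": [
    "CI / all-required (pull_request)",
    "sop-checklist / all-items-acked (pull_request)"
  ],
  "ci_jobs": ["canvas-build", "changes", "platform-build", "python-lint", "shellcheck"],
  "protection_contexts": [
    "CI / all-required (pull_request)",
    "E2E API Smoke Test / E2E API Smoke Test (pull_request)",
    "Handlers Postgres Integration / Handlers Postgres Integration (pull_request)"
  ],
  "sentinel_needs": []
}
""")

def drift_findings(debug):
    """Return F3a/F3b as set differences; F1 is None when the sentinel has no needs."""
    audit = set(debug["audit_env_checks"])
    protection = set(debug["protection_contexts"])
    needs = set(debug["sentinel_needs"])
    return {
        # Polling sentinel (empty needs): F1 is skipped rather than reported.
        "F1": sorted(set(debug["ci_jobs"]) - needs) if needs else None,
        "F3a": sorted(audit - protection),   # contexts only the audit expects
        "F3b": sorted(protection - audit),   # contexts only branch protection expects
    }

def is_force_merge(required, statuses):
    """Assumed audit rule: forced if any required context is not 'success'."""
    return any(statuses.get(ctx) != "success" for ctx in required)

def audit_vs_protection(debug, statuses):
    """(verdict using the audit env, verdict using branch protection)."""
    return (is_force_merge(debug["audit_env_checks"], statuses),
            is_force_merge(debug["protection_contexts"], statuses))

# Constructed merge records (not from the issue).
CLEAN_MERGE = {ctx: "success" for ctx in DEBUG["protection_contexts"]}
FORCED_MERGE = {ctx: "success" for ctx in DEBUG["audit_env_checks"]}
FORCED_MERGE["E2E API Smoke Test / E2E API Smoke Test (pull_request)"] = "failure"

if __name__ == "__main__":
    print(drift_findings(DEBUG))
    print("clean merge  (audit, protection):", audit_vs_protection(DEBUG, CLEAN_MERGE))
    print("forced merge (audit, protection):", audit_vs_protection(DEBUG, FORCED_MERGE))
```

The clean merge is flagged by the audit only (the F3a false positive), and the forced merge is flagged by branch protection only (the F3b miss).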


Reference: molecule-ai/molecule-core#1738