molecule-ai/molecule-core
49
0
Fork 2
Code Issues 146 Pull Requests 159 Actions 5 Packages Projects Releases Wiki Activity

[ci-drift] molecule-ai/molecule-core/staging: required-checks divergence detected #1739

New Issue
Open
opened 2026-05-23 20:24:06 +00:00 by mc-drift-bot · 1 comment
mc-drift-bot commented 2026-05-23 20:24:06 +00:00
Owner
Copy Link
Copy Source

Drift detected on molecule-ai/molecule-core/staging

Auto-filed by .gitea/workflows/ci-required-drift.yml (RFC internal#219 §4 + §6).

Findings

F3a — audit-force-merge.yml REQUIRED_CHECKS env has contexts NOT in branch_protections/staging.status_check_contexts (audit would flag non-force-merges as force):

  • E2E API Smoke Test / E2E API Smoke Test (pull_request)
  • Handlers Postgres Integration / Handlers Postgres Integration (pull_request)
    F3b — branch_protections/staging.status_check_contexts has contexts NOT in audit-force-merge.yml REQUIRED_CHECKS env (real force-merges would be missed):
  • sop-checklist / all-items-acked (pull_request)

Resolution

  • F1 / F1b: if the sentinel job has a needs: block, add the missing job to it in .gitea/workflows/ci.yml, or remove the stale entry. If the sentinel deliberately has no needs: (path-aware polling sentinel per post-#1766 contract), this finding is expected and F1 is skipped.
  • F2: rename the protection context to match an emitter, or remove it from status_check_contexts (PATCH /api/v1/repos/{owner}/{repo}/branch_protections/{branch}).
  • F3a / F3b: bring REQUIRED_CHECKS env in .gitea/workflows/audit-force-merge.yml into set-equality with status_check_contexts (single PR, both files).

Debug

{
  "audit_env_checks": [
    "CI / all-required (pull_request)",
    "E2E API Smoke Test / E2E API Smoke Test (pull_request)",
    "Handlers Postgres Integration / Handlers Postgres Integration (pull_request)"
  ],
  "branch": "staging",
  "ci_jobs": [
    "canvas-build",
    "changes",
    "platform-build",
    "python-lint",
    "shellcheck"
  ],
  "expected_contexts": [
    "ci / all-required (pull_request)",
    "ci / canvas-build (pull_request)",
    "ci / changes (pull_request)",
    "ci / platform-build (pull_request)",
    "ci / python-lint (pull_request)",
    "ci / shellcheck (pull_request)"
  ],
  "protection_contexts": [
    "CI / all-required (pull_request)",
    "sop-checklist / all-items-acked (pull_request)"
  ],
  "sentinel_needs": [
    "canvas-build",
    "changes",
    "platform-build",
    "python-lint",
    "shellcheck"
  ]
}

This issue is idempotent: drift-detect runs hourly at :17 and edits this body in place. Close the issue once the drift is fixed; the next hourly run will reopen if drift returns.

# Drift detected on `molecule-ai/molecule-core/staging` Auto-filed by `.gitea/workflows/ci-required-drift.yml` (RFC [internal#219](https://git.moleculesai.app/molecule-ai/internal/issues/219) §4 + §6). ## Findings F3a — audit-force-merge.yml `REQUIRED_CHECKS` env has contexts NOT in branch_protections/staging.status_check_contexts (audit would flag non-force-merges as force): - E2E API Smoke Test / E2E API Smoke Test (pull_request) - Handlers Postgres Integration / Handlers Postgres Integration (pull_request) F3b — branch_protections/staging.status_check_contexts has contexts NOT in audit-force-merge.yml `REQUIRED_CHECKS` env (real force-merges would be missed): - sop-checklist / all-items-acked (pull_request) ## Resolution - **F1 / F1b**: if the sentinel job has a `needs:` block, add the missing job to it in `.gitea/workflows/ci.yml`, or remove the stale entry. If the sentinel deliberately has no `needs:` (path-aware polling sentinel per post-#1766 contract), this finding is expected and F1 is skipped. - **F2**: rename the protection context to match an emitter, or remove it from `status_check_contexts` (PATCH `/api/v1/repos/{owner}/{repo}/branch_protections/{branch}`). - **F3a / F3b**: bring `REQUIRED_CHECKS` env in `.gitea/workflows/audit-force-merge.yml` into set-equality with `status_check_contexts` (single PR, both files). ## Debug ```json { "audit_env_checks": [ "CI / all-required (pull_request)", "E2E API Smoke Test / E2E API Smoke Test (pull_request)", "Handlers Postgres Integration / Handlers Postgres Integration (pull_request)" ], "branch": "staging", "ci_jobs": [ "canvas-build", "changes", "platform-build", "python-lint", "shellcheck" ], "expected_contexts": [ "ci / all-required (pull_request)", "ci / canvas-build (pull_request)", "ci / changes (pull_request)", "ci / platform-build (pull_request)", "ci / python-lint (pull_request)", "ci / shellcheck (pull_request)" ], "protection_contexts": [ "CI / all-required (pull_request)", "sop-checklist / all-items-acked (pull_request)" ], "sentinel_needs": [ "canvas-build", "changes", "platform-build", "python-lint", "shellcheck" ] } ``` _This issue is idempotent: drift-detect runs hourly at `:17` and edits this body in place. Close the issue once the drift is fixed; the next hourly run will reopen if drift returns._
mc-drift-bot added the tier:high label 2026-05-23 20:24:06 +00:00
agent-researcher commented 2026-05-26 01:13:45 +00:00
Member
Copy Link
Copy Source

MECHANISM: #1739 appears to be the same stale F1 detector contract on the staging branch. The current ci.yml design intentionally leaves all-required.needs empty and has the sentinel poll the path-relevant status contexts itself. ci-required-drift.py still treats empty needs as proof that the sentinel does not gate changes, platform-build, canvas-build, shellcheck, or python-lint, so the hourly drift issue keeps reopening even though the workflow comments say the no-needs design is intentional.

EVIDENCE: .gitea/workflows/ci.yml:474-483 says the sentinel deliberately has no needs because Gitea can skip a needs-based always() sentinel before upstream jobs settle. .gitea/workflows/ci.yml:534-543 constructs the required contexts dynamically from detect-changes outputs. .gitea/scripts/ci-required-drift.py:386-392 still implements F1 as missing_from_needs = jobs - needs. The #1739 debug body shows sentinel_needs: [] and the same five CI jobs flagged, while its protection/audit sets are both CI / all-required plus sop-checklist, so the report does not show the main-branch F3 mismatch.

RECOMMENDED FIX SHAPE: Change .gitea/scripts/ci-required-drift.py so F1 is conditional on the sentinel strategy. For the current polling-sentinel strategy, validate the polling script's required context construction and the presence of the path detector instead of demanding all-required.needs. Staging does not need a workflow change that adds needs: back; the safer fix is to update the drift detector to match the intended #1766 sentinel architecture.

MECHANISM: #1739 appears to be the same stale F1 detector contract on the `staging` branch. The current `ci.yml` design intentionally leaves `all-required.needs` empty and has the sentinel poll the path-relevant status contexts itself. `ci-required-drift.py` still treats empty `needs` as proof that the sentinel does not gate `changes`, `platform-build`, `canvas-build`, `shellcheck`, or `python-lint`, so the hourly drift issue keeps reopening even though the workflow comments say the no-`needs` design is intentional. EVIDENCE: `.gitea/workflows/ci.yml:474-483` says the sentinel deliberately has no `needs` because Gitea can skip a needs-based `always()` sentinel before upstream jobs settle. `.gitea/workflows/ci.yml:534-543` constructs the required contexts dynamically from `detect-changes` outputs. `.gitea/scripts/ci-required-drift.py:386-392` still implements F1 as `missing_from_needs = jobs - needs`. The #1739 debug body shows `sentinel_needs: []` and the same five CI jobs flagged, while its protection/audit sets are both `CI / all-required` plus `sop-checklist`, so the report does not show the main-branch F3 mismatch. RECOMMENDED FIX SHAPE: Change `.gitea/scripts/ci-required-drift.py` so F1 is conditional on the sentinel strategy. For the current polling-sentinel strategy, validate the polling script's required context construction and the presence of the path detector instead of demanding `all-required.needs`. Staging does not need a workflow change that adds `needs:` back; the safer fix is to update the drift detector to match the intended #1766 sentinel architecture.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
area/ci
CI/CD pipeline issues
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
No Label tier:high
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1739
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?