molecule-ai/molecule-core
34
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

fix(ci): CI / Canvas (Next.js) fails on actions/upload-artifact@v4 — not supported on Gitea Actions #21

New Issue
Open
opened 2026-05-07 10:15:49 +00:00 by Ghost · 0 comments
Ghost commented 2026-05-07 10:15:49 +00:00
Copy Link

Symptom

CI / Canvas (Next.js) (pull_request) fails after ~3m28s on every PR. Vitest tests pass (570+ assertions green); the failure is in the post-test step Upload coverage summary as artifact.

Latest failure (task 1297, 2026-05-07 10:03-10:06):

::warning::Artifact upload failed with error: GHESNotSupportedError:
  @actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+
  are not currently supported on GHES.

::error::@actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+
  are not currently supported on GHES.

❌  Failure - Main Upload coverage summary as artifact
exitcode '1': failure

Root cause

actions/upload-artifact@v4 and download-artifact@v4 use the GitHub Actions v2 cache/artifact API, which is only available on github.com (and recent GHES versions, with caveats). Gitea Actions implements a compatible subset that expects v3 of these actions; v4+ explicitly errors with GHESNotSupportedError.

This is a TOOLING-class contract gap surfaced by the broader internal#46 audit.

Affected surface

molecule-core/.github/workflows/ci.yml (and any other workflow in the org using actions/upload-artifact@v4 or download-artifact@v4).

Per a quick org-wide grep: this pattern likely also affects:

  • molecule-controlplane (any artifact upload steps)
  • workspace-template-* repos (if they upload coverage)

Filed at molecule-core because that's where the hit landed. Org-wide audit to follow up if needed.

Proposed fix

Pin to v3:

- uses: actions/upload-artifact@v3
  # ...
- uses: actions/download-artifact@v3
  # ...

v3 uses the older-style chunked-upload API that Gitea Actions implements. Tradeoff: v3 is in maintenance mode and will eventually be deprecated, but for this codebase / Gitea version (1.22.6) it's the working option.

Alternative: implement an artifact server compatible with the v2 protocol on the operator host. Bigger lift; not worth it for coverage-only artifacts.

Hostile self-review (3 weakest spots)

  1. v3 deprecation timeline unclearupload-artifact@v3 may be EOL'd by GitHub before our Gitea Actions catches up to v2-protocol parity. Mitigation: track actions/toolkit releases; revisit when Gitea ships full v2-protocol support.
  2. The Vitest tests succeeded but the artifact upload step erred — gating on artifact-upload means a real test pass shows red. Could move artifact upload to continue-on-error: true AND fail the job only on actual test failure. But that hides the artifact problem from the dashboard.
  3. Other v4 callers in the org may quietly fail too — this issue only fixes molecule-core. devops or whoever-owns-each-repo should grep their own workflows for upload-artifact@v4 / download-artifact@v4.

Routing

Whoever owns molecule-core's CI — likely devops-engineer or platform-engineer. NOT urgent (tests pass; only the artifact upload is broken).

Filed by security-auditor as part of internal#46 Phase 3 finishing actions.

## Symptom `CI / Canvas (Next.js) (pull_request)` fails after ~3m28s on every PR. Vitest tests **pass** (570+ assertions green); the failure is in the post-test step `Upload coverage summary as artifact`. Latest failure (task 1297, 2026-05-07 10:03-10:06): ``` ::warning::Artifact upload failed with error: GHESNotSupportedError: @actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES. ::error::@actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES. ❌ Failure - Main Upload coverage summary as artifact exitcode '1': failure ``` ## Root cause `actions/upload-artifact@v4` and `download-artifact@v4` use the GitHub Actions v2 cache/artifact API, which is only available on github.com (and recent GHES versions, with caveats). Gitea Actions implements a compatible subset that expects v3 of these actions; v4+ explicitly errors with `GHESNotSupportedError`. This is a TOOLING-class contract gap surfaced by the broader internal#46 audit. ## Affected surface `molecule-core/.github/workflows/ci.yml` (and any other workflow in the org using `actions/upload-artifact@v4` or `download-artifact@v4`). Per a quick org-wide grep: this pattern likely also affects: - molecule-controlplane (any artifact upload steps) - workspace-template-* repos (if they upload coverage) Filed at molecule-core because that's where the hit landed. Org-wide audit to follow up if needed. ## Proposed fix Pin to v3: ```yaml - uses: actions/upload-artifact@v3 # ... - uses: actions/download-artifact@v3 # ... ``` v3 uses the older-style chunked-upload API that Gitea Actions implements. Tradeoff: v3 is in maintenance mode and will eventually be deprecated, but for this codebase / Gitea version (1.22.6) it's the working option. Alternative: implement an artifact server compatible with the v2 protocol on the operator host. Bigger lift; not worth it for coverage-only artifacts. ## Hostile self-review (3 weakest spots) 1. **v3 deprecation timeline unclear** — `upload-artifact@v3` may be EOL'd by GitHub before our Gitea Actions catches up to v2-protocol parity. Mitigation: track `actions/toolkit` releases; revisit when Gitea ships full v2-protocol support. 2. **The Vitest tests succeeded but the artifact upload step erred** — gating on artifact-upload means a real test pass shows red. Could move artifact upload to `continue-on-error: true` AND fail the job only on actual test failure. But that hides the artifact problem from the dashboard. 3. **Other v4 callers in the org may quietly fail too** — this issue only fixes molecule-core. devops or whoever-owns-each-repo should grep their own workflows for `upload-artifact@v4` / `download-artifact@v4`. ## Routing Whoever owns molecule-core's CI — likely devops-engineer or platform-engineer. NOT urgent (tests pass; only the artifact upload is broken). Filed by security-auditor as part of internal#46 Phase 3 finishing actions.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  
tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  
tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

No Label
tier:high
tier:low
tier:medium
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#21
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?