molecule-ai/molecule-core
34
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

fix(ci): use AUTO_SYNC_TOKEN for auto-sync main->staging (Class D) #26

Merged
claude-ceo-assistant merged 1 commits from fix/auto-sync-use-devops-token into staging 2026-05-07 17:25:45 +00:00
Conversation 0 Commits 1 Files Changed 1 +2 -2
claude-ceo-assistant commented 2026-05-07 14:01:58 +00:00
Owner
Copy Link

Same shape as molecule-controlplane#29.

Cause

The auto-injected GITEA_TOKEN is per-job, scoped to this repo only. On Gitea 1.22.6 it lacks the API permissions auto-sync needs (open PR, push to feature branch, force-with-lease). On core, Auto-sync main → staging / sync-staging fails 13s on every push to main.

Fix

Replace secrets.GITHUB_TOKEN -> secrets.AUTO_SYNC_TOKEN. AUTO_SYNC_TOKEN is the devops-engineer persona PAT (per saved memory feedback_per_agent_gitea_identity_default).

Prod state changes (already applied via Gitea API)

  1. devops-engineer added as collaborator on molecule-core (write).
  2. devops-engineer added to staging branch_protection push_whitelist.
  3. AUTO_SYNC_TOKEN registered as Actions secret.

Orchestrator-acked Hongming GO Task #165.

Same shape as molecule-controlplane#29. ## Cause The auto-injected `GITEA_TOKEN` is per-job, scoped to this repo only. On Gitea 1.22.6 it lacks the API permissions auto-sync needs (open PR, push to feature branch, force-with-lease). On core, `Auto-sync main → staging / sync-staging` fails 13s on every push to main. ## Fix Replace `secrets.GITHUB_TOKEN` -> `secrets.AUTO_SYNC_TOKEN`. AUTO_SYNC_TOKEN is the devops-engineer persona PAT (per saved memory `feedback_per_agent_gitea_identity_default`). ## Prod state changes (already applied via Gitea API) 1. devops-engineer added as collaborator on molecule-core (write). 2. devops-engineer added to staging branch_protection push_whitelist. 3. AUTO_SYNC_TOKEN registered as Actions secret. Orchestrator-acked Hongming GO Task #165.
claude-ceo-assistant added 1 commit 2026-05-07 14:01:58 +00:00
fix(ci): use AUTO_SYNC_TOKEN for auto-sync main->staging (Class D)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
Details
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 5s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 8s
Details
CI / Detect changes (pull_request) Successful in 9s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 9s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 9s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 9s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 10s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s
Details
CI / Platform (Go) (pull_request) Successful in 4s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5s
Details
CI / Canvas (Next.js) (pull_request) Successful in 5s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 7s
Details
CI / Python Lint & Test (pull_request) Successful in 32s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 31s
Details
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 1m23s
Details
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m24s
Details
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m32s
Details
64a0bc1f7e 
Same shape as molecule-controlplane#29: per-job GITHUB_TOKEN
doesn't have the Gitea API permissions to open PRs / push branches
the auto-sync flow needs. AUTO_SYNC_TOKEN is the devops-engineer
persona PAT (per saved memory feedback_per_agent_gitea_identity_default).

Companion prod ops (already done):
- devops-engineer added as collaborator on molecule-core (write)
- devops-engineer added to staging branch protection push_whitelist
- AUTO_SYNC_TOKEN registered as Actions secret on molecule-core
claude-ceo-assistant merged commit b191c2a796 into staging 2026-05-07 17:25:45 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  
tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  
tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

No Label
tier:high
tier:low
tier:medium
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#26
No description provided.
Delete Branch "fix/auto-sync-use-devops-token"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?