fix(ci): cherry-pick PR#23 — drop github-app-auth plugin checkout (unblocks workspace-server publish) #28

Merged
claude-ceo-assistant merged 1 commits from chore/cherry-pick-pr23-into-main into main 2026-05-07 14:52:47 +00:00

Cherry-pick of staging commit 1d8c101c (PR#23 main payload) onto core/main. Unblocks publish-workspace-server-image.yml on every push to core/main.

Why

Prod-latest audit (this dispatch) found:

  • ECR molecule-ai/platform repo doesn't exist (workspace-server platform image never published)
  • ECR molecule-ai/platform-tenant:latest is yesterday's staging-120b848 (2026-05-06 22:40)

Root cause: publish-workspace-server-image.yml on core/main HEAD 6fac24e3de fails at Run Main Checkout sibling plugin repo because it tries to clone molecule-ai/molecule-ai-plugin-github-app-auth which was removed/unreachable post-2026-05-06 suspension.

The fix landed on staging in PR#23 (commit 1d8c101c). main never received it because the back-sync (core#27) is blocked behind CI.

What this PR does

Cherry-picks 1d8c101c onto main directly. 8 files changed, all 1d8c101c-only:

  • .github/workflows/codeql.yml
  • .github/workflows/harness-replays.yml
  • .github/workflows/publish-workspace-server-image.yml (the urgent one)
  • workspace-server/Dockerfile + Dockerfile.tenant
  • workspace-server/cmd/server/main.go
  • workspace-server/go.mod + go.sum

Local verify: all YAML files parse, plugin checkout step is removed, diff stat matches PR#23 exactly.

CI expectation

After merge:

  • publish-workspace-server-image.yml on the new main HEAD will succeed → ECR molecule-ai/platform:staging-<sha> + :staging-latest get fresh push.
  • Same for molecule-ai/platform-tenant.
  • Production tenants pull fresh on next deploy/restart.

Any CI red on this PR for unrelated stuff (Class H test bleed, CodeQL ×3 parked, Harness Replays Class G parked) is expected per the orchestrator-acked CI freeze and not a blocker per Hongming directive.

Orchestrator decision-locked option (b) cherry-pick path 2026-05-07 14:45.

Merge with merge commit (NOT squash) per saved memory feedback_use_merge_commits_not_squash.

claude-ceo-assistant added 1 commit 2026-05-07 14:49:13 +00:00
chore: drop github-app-auth + swap GHCR→ECR (closes #157, #161)
Some checks failed
Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 8s
E2E API Smoke Test / detect-changes (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s
Harness Replays / detect-changes (pull_request) Successful in 9s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 8s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 9s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
CI / Python Lint & Test (pull_request) Successful in 4s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 5s
CI / Canvas (Next.js) (pull_request) Successful in 17s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 30s
Harness Replays / Harness Replays (pull_request) Failing after 32s
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m26s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m21s
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 1m36s
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m36s
CI / Platform (Go) (pull_request) Successful in 2m18s
10e510f50c
Two coupled cleanups for the post-2026-05-06 stack:

============================================
The plugin injected GITHUB_TOKEN/GH_TOKEN via the App's
installation-access flow (~hourly rotation). Per-agent Gitea
identities replaced this approach after the 2026-05-06 suspension —
workspaces now provision with a per-persona Gitea PAT from .env
instead of an App-rotated token. The plugin code itself lived on
github.com/Molecule-AI/molecule-ai-plugin-github-app-auth which is
also unreachable post-suspension; checking it out at CI build time
was already failing.

Removed:
- workspace-server/cmd/server/main.go: githubappauth import + the
  `if os.Getenv("GITHUB_APP_ID") != ""` block that called
  BuildRegistry. gh-identity remains as the active mutator.
- workspace-server/Dockerfile + Dockerfile.tenant: COPY of the
  sibling repo + the `replace github.com/Molecule-AI/molecule-ai-
  plugin-github-app-auth => /plugin` directive injection.
- workspace-server/go.mod + go.sum: github-app-auth dep entry
  (cleaned up by `go mod tidy`).
- 3 workflows: actions/checkout steps for the sibling plugin repo:
    - .github/workflows/codeql.yml (Go matrix path)
    - .github/workflows/harness-replays.yml
    - .github/workflows/publish-workspace-server-image.yml

Verified `go build ./cmd/server` + `go vet ./...` pass post-removal.

=======================================================
Same workflow used to push to ghcr.io/molecule-ai/platform +
platform-tenant. ghcr.io/molecule-ai is gone post-suspension. The
operator's ECR org (153263036946.dkr.ecr.us-east-2.amazonaws.com/
molecule-ai/) already hosts platform-tenant + workspace-template-*
+ runner-base images and is the post-suspension SSOT for container
images. This PR aligns publish-workspace-server-image with that
stack.

- env.IMAGE_NAME + env.TENANT_IMAGE_NAME repointed to ECR URL.
- docker/login-action swapped for aws-actions/configure-aws-
  credentials@v4 + aws-actions/amazon-ecr-login@v2 chain (the
  standard ECR auth pattern; uses AWS_ACCESS_KEY_ID/SECRET secrets
  bound to the molecule-cp IAM user).

The :staging-<sha> + :staging-latest tag policy is unchanged —
staging-CP's TENANT_IMAGE pin still points at :staging-latest, just
with the new registry prefix.

Refs molecule-core#157, #161; parallel to org-wide CI-green sweep.
claude-ceo-assistant merged commit 52e61d4704 into main 2026-05-07 14:52:47 +00:00
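
A residual-reference check for the removals listed in the commit message above, as an added example that is not part of this PR or the project's tooling. The search strings are taken from the commit message; the function names and the sample files are constructed for illustration.

```shell
# Added example: search strings come from the commit message above;
# the sample files below are constructed, not copied from the repository.
PLUGIN='molecule-ai-plugin-github-app-auth'
OLD_REGISTRY='ghcr.io/molecule-ai'
GO_PKG='githubappauth'

# Print file:line:text for each leftover reference under $1.
# Returns 0 when the tree is clean, 1 when anything still matches.
find_residuals() {
  hits=$(grep -rniF \
    --include='*.yml' --include='*.yaml' --include='Dockerfile*' \
    --include='go.mod' --include='go.sum' --include='*.go' \
    -e "$PLUGIN" -e "$OLD_REGISTRY" -e "$GO_PKG" "$1" 2>/dev/null || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Build a constructed tree under $1; $2=dirty keeps the pre-fix references.
make_sample_tree() {
  mkdir -p "$1/.github/workflows" "$1/workspace-server"
  if [ "$2" = dirty ]; then
    cat > "$1/.github/workflows/publish-workspace-server-image.yml" <<'EOF'
steps:
  - name: Checkout sibling plugin repo
    uses: actions/checkout@v4
    with:
      repository: molecule-ai/molecule-ai-plugin-github-app-auth
env:
  IMAGE_NAME: ghcr.io/molecule-ai/platform
EOF
    printf 'replace github.com/Molecule-AI/molecule-ai-plugin-github-app-auth => /plugin\n' \
      > "$1/workspace-server/go.mod"
  else
    printf 'steps:\n  - uses: actions/checkout@v4\n' \
      > "$1/.github/workflows/publish-workspace-server-image.yml"
    printf 'module example.invalid/workspace-server\n' > "$1/workspace-server/go.mod"
  fi
}

tmp=$(mktemp -d)
make_sample_tree "$tmp/dirty" dirty
make_sample_tree "$tmp/clean" clean
find_residuals "$tmp/dirty" || echo "dirty tree: leftovers listed above"
find_residuals "$tmp/clean" && echo "clean tree: no leftovers"
```

Run against a real checkout with `find_residuals .` from the repository root; a non-zero exit status makes it usable as a CI gate.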
Reference: molecule-ai/molecule-core#28