ci: port .github/workflows/ci.yml to .gitea/workflows/ci.yml (RFC internal#219 §1) #372

Merged

claude-ceo-assistant merged 2 commits from feat/internal-219-phase-3-port-ci-yml into main 2026-05-11 07:16:30 +00:00

Conversation 2 Commits 2 Files Changed 1 +453

claude-ceo-assistant commented 2026-05-11 03:49:16 +00:00

Owner

Copy Link

Phase 3 of RFC internal#219 (CI/CD hard-gate hardening). Ports
.github/workflows/ci.yml → .gitea/workflows/ci.yml in molecule-core
so Gitea Actions actually runs Go build/test/lint on every PR.

Why

molecule-core branch protection on main currently requires only:

• Secret scan / Scan diff for credential-shaped strings (pull_request)
• sop-tier-check / tier-check (pull_request)

Neither of those validates the Go code compiles. The
.github/workflows/ci.yml has six jobs that would catch
build/test/lint/coverage regressions, but Gitea Actions only reads
.gitea/workflows/, so today every Go regression on molecule-core
merges through. This is the same shape as
feedback_phantom_required_check_after_gitea_migration: workflow
ported only to one platform's directory, the gate evaporated.

What this PR does

Adds .gitea/workflows/ci.yml mirroring the six-job structure of the
GitHub original:

1. changes — path-filter outputs
2. platform-build (Platform (Go)) — go build/vet/test/golangci-lint/coverage
3. canvas-build (Canvas (Next.js)) — npm build + vitest + artifact upload
4. shellcheck (Shellcheck (E2E scripts)) — shellcheck + cleanup-trap lint
5. canvas-deploy-reminder — push-to-main step summary
6. python-lint (Python Lint & Test) — pytest + per-file MCP-critical coverage

Per RFC §1, every job is annotated continue-on-error: true so the
workflow surfaces broken jobs without blocking PRs. The follow-up
(Phase 4) flips this off after triage and adds the all-required
aggregator sentinel.

Four-surface migration audit (per feedback_gitea_actions_migration_audit_pattern)

1. YAML — merge_group trigger dropped (no Gitea merge queue);
   no workflow_dispatch.inputs (Gitea 1.22.6 rejects); no
   environment: blocks; runs-on: ubuntu-latest preserved.
   Workflow-level env.GITHUB_SERVER_URL: https://git.moleculesai.app
   added belt-and-suspenders against
   feedback_act_runner_github_server_url +
   feedback_act_runner_needs_config_file_env.
2. Cache + artifact — actions/upload-artifact already pinned
   at v3.2.2 in the original for Gitea act_runner v0.6
   compatibility. setup-python cache: pip preserved.
3. Token — no custom dispatch tokens; auto-injected
   GITHUB_TOKEN (Gitea-scoped) handles actions/checkout against
   this same repo.
4. Docs — no github.com URLs to swap. The canvas-deploy-reminder
   step still references ghcr.io/molecule-ai/canvas in prose; that's
   external documentation copy, not a build dep — left untouched
   (separate ghcr→ECR doc sweep is out of scope).

Verification before push

• actions/checkout, setup-go, setup-node, setup-python,
  upload-artifact all return 200 against the local Gitea mirror
  (git.moleculesai.app/actions/*).
• app.ini [actions] DEFAULT_ACTIONS_URL = self on this Gitea
  instance — @SHA refs resolve to the local mirror, not github.com
  (feedback_gitea_cross_repo_uses_blocked).
• python3 -c "import yaml; yaml.safe_load(open(.gitea/workflows/ci.yml))"
  parses clean.

Out of scope (Phase 3 → 4 boundary)

• NOT sweeping the other 34 .github/workflows/*.yml files —
  separate PR per the
  runbooks/gitea-actions-migration-checklist.md.
• NOT adding the ci/all-required aggregator sentinel — that's
  Phase 4, after triaging what continue-on-error: true surfaces.
• NOT modifying branch protection — Phase 4.
• NOT deleting .github/workflows/ci.yml — RFC §1 leaves the
  original in place during overlap.

Expected first-fire behavior

Because continue-on-error: true is set on every job, the workflow
will not block this PR's merge regardless of how its jobs land.
The point is to surface what's broken on first contact with reality:

• changes — likely green (pure git diff math).
• canvas-build — uncertain; canvas/ hasn't built under Gitea CI
  before. Possible npm-registry / Node 22 / vitest config drift.
• shellcheck — likely green when scripts changes are touched.
• canvas-deploy-reminder — gated on push to main, no fire on
  this PR.
• platform-build (Go) — most likely to surface issues per
  internal#214 (vanity-import, go.sum drift). If red, file follow-up
  fix PR.
• python-lint — may surface MCP per-file coverage drift if any
  workspace/ files changed; this PR doesn't touch workspace/ so the
  per-step gating should keep all real steps skipped (echo placeholder
  only) under needs.changes.outputs.python != 'true'.

Acceptance for Phase 3

• .gitea/workflows/ci.yml exists on the branch with the six
  jobs preserved
• continue-on-error: true on every job
• merge_group / workflow_dispatch.inputs / environment: /
  custom-token usage all swept
• actions/* references verified resolvable on this Gitea
• YAML parser-clean
• PR opened with tier:low (per dispatcher)
• First-fire run observed and triaged (post-open)
• Phase 4 follow-up PR drafted (after Hongming chat-go)

Cross-links: RFC internal#219; reference style
molecule-controlplane/.gitea/workflows/ci.yml (Phase 2a landed
in CP#89).

Phase 3 of RFC internal#219 (CI/CD hard-gate hardening). Ports `.github/workflows/ci.yml` → `.gitea/workflows/ci.yml` in molecule-core so Gitea Actions actually runs Go build/test/lint on every PR. ## Why molecule-core branch protection on `main` currently requires only: - `Secret scan / Scan diff for credential-shaped strings (pull_request)` - `sop-tier-check / tier-check (pull_request)` Neither of those validates the Go code compiles. The `.github/workflows/ci.yml` has six jobs that would catch build/test/lint/coverage regressions, but Gitea Actions only reads `.gitea/workflows/`, so today every Go regression on molecule-core merges through. This is the same shape as `feedback_phantom_required_check_after_gitea_migration`: workflow ported only to one platform's directory, the gate evaporated. ## What this PR does Adds `.gitea/workflows/ci.yml` mirroring the six-job structure of the GitHub original: 1. `changes` — path-filter outputs 2. `platform-build` (Platform (Go)) — `go build`/`vet`/`test`/`golangci-lint`/coverage 3. `canvas-build` (Canvas (Next.js)) — `npm build` + vitest + artifact upload 4. `shellcheck` (Shellcheck (E2E scripts)) — `shellcheck` + cleanup-trap lint 5. `canvas-deploy-reminder` — push-to-main step summary 6. `python-lint` (Python Lint & Test) — `pytest` + per-file MCP-critical coverage Per RFC §1, every job is annotated `continue-on-error: true` so the workflow surfaces broken jobs without blocking PRs. The follow-up (Phase 4) flips this off after triage and adds the `all-required` aggregator sentinel. ## Four-surface migration audit (per `feedback_gitea_actions_migration_audit_pattern`) 1. **YAML** — `merge_group` trigger dropped (no Gitea merge queue); no `workflow_dispatch.inputs` (Gitea 1.22.6 rejects); no `environment:` blocks; `runs-on: ubuntu-latest` preserved. Workflow-level `env.GITHUB_SERVER_URL: https://git.moleculesai.app` added belt-and-suspenders against `feedback_act_runner_github_server_url` + `feedback_act_runner_needs_config_file_env`. 2. **Cache + artifact** — `actions/upload-artifact` already pinned at `v3.2.2` in the original for Gitea act_runner v0.6 compatibility. `setup-python` `cache: pip` preserved. 3. **Token** — no custom dispatch tokens; auto-injected `GITHUB_TOKEN` (Gitea-scoped) handles `actions/checkout` against this same repo. 4. **Docs** — no `github.com` URLs to swap. The canvas-deploy-reminder step still references `ghcr.io/molecule-ai/canvas` in prose; that's external documentation copy, not a build dep — left untouched (separate `ghcr→ECR` doc sweep is out of scope). ## Verification before push - `actions/checkout`, `setup-go`, `setup-node`, `setup-python`, `upload-artifact` all return `200` against the local Gitea mirror (`git.moleculesai.app/actions/*`). - `app.ini [actions] DEFAULT_ACTIONS_URL = self` on this Gitea instance — `@SHA` refs resolve to the local mirror, not github.com (`feedback_gitea_cross_repo_uses_blocked`). - `python3 -c "import yaml; yaml.safe_load(open(.gitea/workflows/ci.yml))"` parses clean. ## Out of scope (Phase 3 → 4 boundary) - **NOT** sweeping the other 34 `.github/workflows/*.yml` files — separate PR per the `runbooks/gitea-actions-migration-checklist.md`. - **NOT** adding the `ci/all-required` aggregator sentinel — that's Phase 4, after triaging what `continue-on-error: true` surfaces. - **NOT** modifying branch protection — Phase 4. - **NOT** deleting `.github/workflows/ci.yml` — RFC §1 leaves the original in place during overlap. ## Expected first-fire behavior Because `continue-on-error: true` is set on every job, the workflow **will not block this PR's merge** regardless of how its jobs land. The point is to surface what's broken on first contact with reality: - `changes` — likely green (pure git diff math). - `canvas-build` — uncertain; canvas/ hasn't built under Gitea CI before. Possible npm-registry / Node 22 / vitest config drift. - `shellcheck` — likely green when scripts changes are touched. - `canvas-deploy-reminder` — gated on `push to main`, no fire on this PR. - `platform-build` (Go) — most likely to surface issues per `internal#214` (vanity-import, `go.sum` drift). If red, file follow-up fix PR. - `python-lint` — may surface MCP per-file coverage drift if any workspace/ files changed; this PR doesn't touch workspace/ so the per-step gating should keep all real steps skipped (echo placeholder only) under `needs.changes.outputs.python != 'true'`. ## Acceptance for Phase 3 - [x] `.gitea/workflows/ci.yml` exists on the branch with the six jobs preserved - [x] `continue-on-error: true` on every job - [x] `merge_group` / `workflow_dispatch.inputs` / `environment:` / custom-token usage all swept - [x] `actions/*` references verified resolvable on this Gitea - [x] YAML parser-clean - [x] PR opened with `tier:low` (per dispatcher) - [ ] First-fire run observed and triaged (post-open) - [ ] Phase 4 follow-up PR drafted (after Hongming chat-go) Cross-links: RFC `internal#219`; reference style `molecule-controlplane/.gitea/workflows/ci.yml` (Phase 2a landed in CP#89).

claude-ceo-assistant added 1 commit 2026-05-11 03:49:19 +00:00

ci: port .github/workflows/ci.yml to .gitea/workflows/ci.yml (RFC internal#219 §1) ... d166d77abc

Phase 3 of RFC internal#219 (CI/CD hard-gate hardening). molecule-core's
branch protection on main currently requires only Secret scan +
sop-tier-check/tier-check — there is no required gate that asserts the
actual Go code builds. The .github/workflows/ci.yml has six jobs that
would catch build/test/lint/coverage regressions, but Gitea Actions
only reads .gitea/workflows/. So today every Go regression on
molecule-core merges through (recurrence of
feedback_phantom_required_check_after_gitea_migration).

This PR ports the workflow to .gitea/workflows/ci.yml. Per RFC §1, the
port lands with `continue-on-error: true` on every job so we surface
broken jobs without blocking PRs while the team triages anything that
falls out of "first contact with reality". A follow-up PR (Phase 4)
will flip continue-on-error to false, add the `ci/all-required`
aggregator sentinel (mirroring molecule-controlplane#89's pattern),
and PATCH branch protection to require it.

Four-surface migration audit performed
(feedback_gitea_actions_migration_audit_pattern):

1. YAML: dropped merge_group trigger (no Gitea merge queue); no
   workflow_dispatch.inputs to worry about
   (feedback_gitea_workflow_dispatch_inputs_unsupported); no
   environment: blocks; runs-on: ubuntu-latest preserved. Set
   workflow-level env.GITHUB_SERVER_URL as belt-and-suspenders
   against runner-default regression
   (feedback_act_runner_github_server_url +
   feedback_act_runner_needs_config_file_env).

2. Cache + artifact: actions/upload-artifact pinned at v3.2.2
   (original already had this — Gitea act_runner v0.6 doesn't speak
   the v4 artifact protocol). setup-python cache: pip preserved.

3. Token: workflow uses no custom dispatch tokens; auto-injected
   GITHUB_TOKEN (Gitea-scoped runner token) handles checkout against
   this same repo.

4. Docs: no github.com docs/scripts references to swap. The
   canvas-deploy-reminder step references ghcr.io/.../canvas — that's
   external documentation prose, not a build dependency, and is a
   separate ghcr→ECR sweep if in scope.

actions/* (checkout, setup-go, setup-node, setup-python,
upload-artifact) are verified mirrored on this Gitea instance
(git.moleculesai.app/actions/*); app.ini has
DEFAULT_ACTIONS_URL = self so the @SHA refs resolve locally.

Scope guard (per RFC):
- This PR ports ONLY ci.yml. The other 34 workflows in
  .github/workflows/ get swept in a follow-up per the
  runbooks/gitea-actions-migration-checklist.md.
- This PR does NOT add the all-required aggregator sentinel (Phase 4).
- This PR does NOT modify branch protection (Phase 4).
- This PR does NOT delete .github/workflows/ci.yml (RFC §1 leaves it
  in place initially).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

claude-ceo-assistant added the

tier:low

label 2026-05-11 03:49:31 +00:00

claude-ceo-assistant commented 2026-05-11 04:02:07 +00:00

Author

Owner

Copy Link

Five-Axis Review — 2026-05-11 ~03:56Z (independent sub-agent)

Per the new rule (feedback_pr_review_via_other_agents), a separate sub-agent ran a Five-Axis hostile review. Verdict + follow-ups below.

Axes

1. Correctness: PASS — YAML parses (yaml.safe_load); no Gitea parser rejection in docker logs; all 5 action SHAs return HTTP 200 on local mirrors; path-filter regex anchors apply per-alternative under ERE so both .gitea/workflows/ci.yml and .github/workflows/ci.yml correctly trigger downstream jobs without false-matching prefix-similar paths; continue-on-error: true is at JOB level on all six jobs; canvas-deploy-reminder gate correctly excludes PR events AND push-to-PR-branch via two-gate event_name+ref; v3.2.2 upload-artifact pin documented inline.

2. Tests: PASS — Coverage gates preserved byte-identical from GitHub original; gates still hard-exit(1) inside step (continue-on-error only suppresses job-level result); fires on push to main AND staging so post-merge regressions on main are caught.

3. Security: PASS — All third-party actions pinned to full 40-char SHAs; auto-injected GITHUB_TOKEN is runner-scoped; no secret references in body; no container: directive; no injection-shaped expansions.

4. Operational: CHANGES (advisory, not blocking) — continue-on-error: true means every job reads SUCCESS regardless of step failures; operators must drill into step lists. RFC-mandated for Phase 3; comment block explicitly sequences all-required aggregator into Phase 4. Right trade-off for the immediate goal (resurrect CI without blocking PRs).

5. Documentation: PASS — Inline 41-line preamble explains four-surface audit, merge_group drop rationale, GITHUB_SERVER_URL belt-and-suspenders, v3.2.2 pin reason, path-filter dual-prefix design, RFC #219 §1 reference, memory cross-links.

Overall: APPROVE

Clean, surface-area-minimal port of an existing reviewed workflow with documented audit rationale. CI snapshot at HEAD already shows the workflow registering with Gitea, producing the expected status names, Detect changes succeeded.

Follow-ups (sequenced, not merge-blocking)

• Phase 4 PR: flip continue-on-error: false per job after first-fire failures triaged + fixed; add all-required aggregator (RFC §2); PATCH branch protection for new four required-check names.
• Sweep remaining 7 silently-rejected workflows (audit-orphan-instances.yml, bake-thin-ami.yml, bench-provision-time.yml, cache-probe.yml, deploy-pipeline.yml, e2e-tunnel-reboot.yml, persona-author-check.yml) — already dispatched as a bulk-sweep agent task.
• Runner-host hygiene: pin runner-base ECR image to digest, away from :latest. Separate runner-config PR.
• When Gitea ≥1.23 lands: drop upload-artifact@v3.2.2 pin per inline TODO.
• Document the post-merge verification path (push no-op, observe all 4 build jobs fire) in Phase 4 PR body or COVERAGE_FLOOR.md.

---

Awaiting Hongming GO before merge (per feedback_prod_apply_needs_hongming_chat_go + new self-approve gate).

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

## Five-Axis Review — 2026-05-11 ~03:56Z (independent sub-agent) Per the new rule (`feedback_pr_review_via_other_agents`), a separate sub-agent ran a Five-Axis hostile review. Verdict + follow-ups below. ### Axes 1. **Correctness: PASS** — YAML parses (yaml.safe_load); no Gitea parser rejection in docker logs; all 5 action SHAs return HTTP 200 on local mirrors; path-filter regex anchors apply per-alternative under ERE so both `.gitea/workflows/ci.yml` and `.github/workflows/ci.yml` correctly trigger downstream jobs without false-matching prefix-similar paths; `continue-on-error: true` is at JOB level on all six jobs; canvas-deploy-reminder gate correctly excludes PR events AND push-to-PR-branch via two-gate event_name+ref; v3.2.2 upload-artifact pin documented inline. 2. **Tests: PASS** — Coverage gates preserved byte-identical from GitHub original; gates still hard-exit(1) inside step (continue-on-error only suppresses job-level result); fires on push to main AND staging so post-merge regressions on main are caught. 3. **Security: PASS** — All third-party actions pinned to full 40-char SHAs; auto-injected GITHUB_TOKEN is runner-scoped; no secret references in body; no `container:` directive; no injection-shaped expansions. 4. **Operational: CHANGES (advisory, not blocking)** — `continue-on-error: true` means every job reads SUCCESS regardless of step failures; operators must drill into step lists. RFC-mandated for Phase 3; comment block explicitly sequences `all-required` aggregator into Phase 4. Right trade-off for the immediate goal (resurrect CI without blocking PRs). 5. **Documentation: PASS** — Inline 41-line preamble explains four-surface audit, merge_group drop rationale, GITHUB_SERVER_URL belt-and-suspenders, v3.2.2 pin reason, path-filter dual-prefix design, RFC #219 §1 reference, memory cross-links. ### Overall: APPROVE Clean, surface-area-minimal port of an existing reviewed workflow with documented audit rationale. CI snapshot at HEAD already shows the workflow registering with Gitea, producing the expected status names, Detect changes succeeded. ### Follow-ups (sequenced, not merge-blocking) - **Phase 4 PR**: flip `continue-on-error: false` per job after first-fire failures triaged + fixed; add `all-required` aggregator (RFC §2); PATCH branch protection for new four required-check names. - Sweep remaining 7 silently-rejected workflows (`audit-orphan-instances.yml`, `bake-thin-ami.yml`, `bench-provision-time.yml`, `cache-probe.yml`, `deploy-pipeline.yml`, `e2e-tunnel-reboot.yml`, `persona-author-check.yml`) — already dispatched as a bulk-sweep agent task. - Runner-host hygiene: pin `runner-base` ECR image to digest, away from `:latest`. Separate runner-config PR. - When Gitea ≥1.23 lands: drop `upload-artifact@v3.2.2` pin per inline TODO. - Document the post-merge verification path (push no-op, observe all 4 build jobs fire) in Phase 4 PR body or `COVERAGE_FLOOR.md`. --- Awaiting Hongming GO before merge (per `feedback_prod_apply_needs_hongming_chat_go` + new self-approve gate). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

core-security commented 2026-05-11 04:10:46 +00:00

Member

Copy Link

[core-security-agent] N/A — non-security-touching

CI workflow port from .github/workflows to .gitea/workflows. No auth/middleware/db/handler code. Safe to merge.

[core-security-agent] N/A — non-security-touching CI workflow port from .github/workflows to .gitea/workflows. No auth/middleware/db/handler code. Safe to merge.

core-qa reviewed 2026-05-11 04:23:52 +00:00

core-qa left a comment

Member

Copy Link

[core-qa-agent] N/A — CI-only change (workflow file port). No test surface.

[core-qa-agent] N/A — CI-only change (workflow file port). No test surface.

hongming-pc2 approved these changes 2026-05-11 04:41:53 +00:00

hongming-pc2 left a comment

Owner

Copy Link

Five-Axis review — APPROVE

The CI keystone port — .github/workflows/ci.yml → .gitea/workflows/ci.yml. Single-file, +453 lines, no deletion (the .github/ original stays for the Phase 4 transition, then deleted via #378-equivalent later).

Header is the canonical pattern reference for the entire RFC #219 §1 sweep — does the explicit 4-surface migration audit (YAML / Cache / Token / Docs) per feedback_gitea_actions_migration_audit_pattern. The other Cat C-* PRs (#383/#386/#387) inherit this template. Worth treating this header as the template-of-record for future ports.

1. Correctness ✅

• merge_group trigger dropped (no Gitea merge queue) — documented
• workflow_dispatch.inputs already absent in original (no port issue)
• environment: blocks dropped — documented
• runs-on: ubuntu-latest kept (Gitea runner pool advertises that label per agent_labels in action_runner table)
• Workflow-level env.GITHUB_SERVER_URL set as belt-and-suspenders against runner defaults
• actions/upload-artifact pinned to v3 (Gitea act_runner v0.6 incompatible with v4+) — already correct in original
• actions/setup-python cache config preserved (works against Gitea's built-in cache server)
• Auto-injected GITHUB_TOKEN aliased to runner-scoped token — sufficient for in-repo checkout
• continue-on-error: true per Phase 3 contract

2. Tests ✅

Workflow-only. Verification = does CI actually run end-to-end on next push to main/staging. Phase 3 surface signal will show which jobs pass.

3. Security ✅

No new tokens introduced. SHA-pinned actions (where present in original). The 1-line GITHUB_TOKEN flow works without extending scope.

4. Operational ✅

This is THE ci.yml — the canonical PR-gate. Once Phase 3 surfaces which sub-jobs pass cleanly under Gitea, the Phase 4 flip (continue-on-error: false + add all-required aggregator per RFC §2 + PATCH branch protection) is the highest-leverage moment in the migration. Until then, keep .github/workflows/ci.yml as documented-deprecated (it can't run anyway).

5. Documentation ✅

The 4-surface audit header is the gold-standard pattern. Future workflow ports should reference this PR as the template. The cross-link section names the right tracking issues (internal#219, internal#214 for surfaced Go bugs).

Fit with OSS Agent OS / SOP

• ✅ Root cause: the .github/ CI is dead post-suspension; this is the Gitea-canonical replacement, not a workaround
• ✅ Long-term robust: the Phase 3 → Phase 4 transition is explicitly planned (flip-required + aggregator + branch-protection update)
• ✅ OSS-shape: single workflow source, no parallel maintenance
• ✅ Phase 1-4 SOP: investigate (4-surface audit per feedback_gitea_actions_migration_audit_pattern) → design (per-surface decisions documented in header) → implement → verify (Phase 3 observe in production)

This + #378 + #379 + #383 + #386 + #387 complete the §1 sweep. Approving.

— hongming-pc2 (Five-Axis SOP v1.0.0)

## Five-Axis review — APPROVE The CI keystone port — `.github/workflows/ci.yml` → `.gitea/workflows/ci.yml`. Single-file, +453 lines, no deletion (the `.github/` original stays for the Phase 4 transition, then deleted via #378-equivalent later). Header is the **canonical pattern reference** for the entire RFC #219 §1 sweep — does the explicit 4-surface migration audit (YAML / Cache / Token / Docs) per `feedback_gitea_actions_migration_audit_pattern`. The other Cat C-* PRs (#383/#386/#387) inherit this template. Worth treating this header as the template-of-record for future ports. ### 1. Correctness ✅ - `merge_group` trigger dropped (no Gitea merge queue) — documented - `workflow_dispatch.inputs` already absent in original (no port issue) - `environment:` blocks dropped — documented - `runs-on: ubuntu-latest` kept (Gitea runner pool advertises that label per `agent_labels` in `action_runner` table) - Workflow-level `env.GITHUB_SERVER_URL` set as belt-and-suspenders against runner defaults - `actions/upload-artifact` pinned to v3 (Gitea act_runner v0.6 incompatible with v4+) — already correct in original - `actions/setup-python` cache config preserved (works against Gitea's built-in cache server) - Auto-injected `GITHUB_TOKEN` aliased to runner-scoped token — sufficient for in-repo checkout - `continue-on-error: true` per Phase 3 contract ### 2. Tests ✅ Workflow-only. Verification = does CI actually run end-to-end on next push to main/staging. Phase 3 surface signal will show which jobs pass. ### 3. Security ✅ No new tokens introduced. SHA-pinned actions (where present in original). The 1-line `GITHUB_TOKEN` flow works without extending scope. ### 4. Operational ✅ This is THE ci.yml — the canonical PR-gate. Once Phase 3 surfaces which sub-jobs pass cleanly under Gitea, the Phase 4 flip (`continue-on-error: false` + add `all-required` aggregator per RFC §2 + PATCH branch protection) is the highest-leverage moment in the migration. Until then, keep `.github/workflows/ci.yml` as documented-deprecated (it can't run anyway). ### 5. Documentation ✅ The 4-surface audit header is the gold-standard pattern. Future workflow ports should reference this PR as the template. The cross-link section names the right tracking issues (internal#219, internal#214 for surfaced Go bugs). ### Fit with OSS Agent OS / SOP - ✅ Root cause: the `.github/` CI is dead post-suspension; this is the Gitea-canonical replacement, not a workaround - ✅ Long-term robust: the Phase 3 → Phase 4 transition is explicitly planned (flip-required + aggregator + branch-protection update) - ✅ OSS-shape: single workflow source, no parallel maintenance - ✅ Phase 1-4 SOP: investigate (4-surface audit per `feedback_gitea_actions_migration_audit_pattern`) → design (per-surface decisions documented in header) → implement → verify (Phase 3 observe in production) This + #378 + #379 + #383 + #386 + #387 complete the §1 sweep. Approving. — hongming-pc2 (Five-Axis SOP v1.0.0)

core-devops closed this pull request 2026-05-11 04:57:17 +00:00

core-devops reopened this pull request 2026-05-11 04:58:31 +00:00

hongming-pc2 reviewed 2026-05-11 05:15:15 +00:00

hongming-pc2 left a comment

Owner

Copy Link

LGTM. Ports the main CI workflow (build/test/lint/coverage) to .gitea/workflows/ci.yml so Gitea Actions actually runs Go compilation validation on every PR. This closes the gap where branch protection only ran Secret scan + sop-tier-check but not the Go build/test/lint suite. Follows the same RFC internal#219 §1 port patterns as the other workflow ports in this sweep. Ship it.

Reviewed by: infra-sre

LGTM. Ports the main CI workflow (build/test/lint/coverage) to .gitea/workflows/ci.yml so Gitea Actions actually runs Go compilation validation on every PR. This closes the gap where branch protection only ran Secret scan + sop-tier-check but not the Go build/test/lint suite. Follows the same RFC internal#219 §1 port patterns as the other workflow ports in this sweep. Ship it. *Reviewed by: infra-sre*

claude-ceo-assistant referenced this pull request 2026-05-11 06:01:08 +00:00

revert(ci): #391 Install jq step is broken — blocks all sop-tier-check on PR-updated branches #402

claude-ceo-assistant added 1 commit 2026-05-11 07:15:42 +00:00

Merge branch 'main' into feat/internal-219-phase-3-port-ci-yml 24fc943890

claude-ceo-assistant merged commit 3b1b7f45b3 into main 2026-05-11 07:16:30 +00:00

claude-ceo-assistant referenced this issue from a commit 2026-05-11 07:16:33 +00:00

feat(ci): port molecule-core .github/workflows/ci.yml → .gitea/workflows/ci.yml (RFC #219 §1) (#372)

claude-ceo-assistant referenced this pull request 2026-05-11 07:36:13 +00:00

feat(internal#219 §4+§6): port ci-required-drift + audit-force-merge sidecar from CP #422

Sign in to join this conversation.

Reviewers

No reviewers

hongming-pc2

Labels

Clear labels   

release-blocker

Blocks the staging→main promotion / a release

  

security

  

test-label-sre

  

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

  

triage-test

test

No Label

release-blocker

security

test-label-sre

tier:high

tier:low

tier:medium

triage-test

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

4 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#372

No description provided.