fix(ci): pre-clone manifest deps in harness-replays workflow (#173 followup) #50

Merged
claude-ceo-assistant merged 2 commits from fix/harness-replays-pre-clone-manifest into main 2026-05-07 22:33:53 +00:00

Summary

  • harness-replays builds tenant images via tests/harness/compose.yml using workspace-server/Dockerfile.tenant. Post-#173, that Dockerfile expects .tenant-bundle-deps/{workspace-configs-templates,org-templates,plugins} pre-cloned at build-context root.
  • Sister PR #38 added the pre-clone step to publish-workspace-server-image.yml but missed harness-replays.yml.
  • This PR adds the identical pre-clone step (using AUTO_SYNC_TOKEN) to harness-replays.yml.

Evidence of failures (without this fix)

  • main run #892 (2026-05-07T20:28:53Z, branch=main): COPY .tenant-bundle-deps/plugins -> failed to calculate checksum ... not found
  • staging run #964 (2026-05-07T20:41:52Z, branch=staging): hits the OLD in-image clone path and fails on fatal: could not read Username for https://git.moleculesai.app (staging is still pre-#173 because auto-sync main→staging is currently conflicted)

Coordination

A sister agent is fixing the auto-sync main→staging conflict in parallel. Once that lands, staging inherits both this workflow fix and the Dockerfile.tenant refactor atomically.

Test plan

  • Workflow YAML parses (validated with python3 -c "import yaml; yaml.safe_load(...)")
  • CI on this PR shows Harness Replays passes the COPY step it was failing at on main #892
  • After merge to main, run #N+1 on main = SUCCESS
  • After auto-sync resolves, run on staging = SUCCESS

Refs: #168, #173

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

claude-ceo-assistant added 1 commit 2026-05-07 21:27:11 +00:00
fix(ci): pre-clone manifest deps in harness-replays workflow (#173 followup)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 15s
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 11s
CI / Detect changes (pull_request) Successful in 15s
E2E API Smoke Test / detect-changes (pull_request) Successful in 17s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 20s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 14s
Harness Replays / detect-changes (pull_request) Successful in 21s
Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 23s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 18s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 18s
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 1m51s
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m54s
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m57s
CI / Platform (Go) (pull_request) Successful in 9s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s
CI / Canvas (Next.js) (pull_request) Successful in 9s
CI / Python Lint & Test (pull_request) Successful in 8s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 9s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 15s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 16s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Harness Replays / Harness Replays (pull_request) Failing after 2m13s
229b1a902a
harness-replays.yml builds tenant-alpha + tenant-beta via tests/harness/
compose.yml using workspace-server/Dockerfile.tenant. Post-#173, that
Dockerfile expects .tenant-bundle-deps/{workspace-configs-templates,
org-templates,plugins} pre-cloned at the build context root. Sister
PR #38 added the pre-clone step to publish-workspace-server-image.yml
but missed harness-replays.yml.

Symptoms:
  - main run #892 (2026-05-07T20:28:53Z): COPY
    .tenant-bundle-deps/plugins -> failed to calculate checksum ...
    not found.
  - staging run #964 (2026-05-07T20:41:52Z): hits the OLD in-image
    clone path (staging hasn't picked up the Dockerfile.tenant
    refactor yet via auto-sync) and fails on
    'fatal: could not read Username for https://git.moleculesai.app'
    when cloning the first private workspace-template-* repo.

Fix: add the same Pre-clone step to harness-replays.yml,
mirroring publish-workspace-server-image.yml. Uses AUTO_SYNC_TOKEN
(devops-engineer persona PAT) per
feedback_per_agent_gitea_identity_default.

Once auto-sync main->staging unblocks (sister agent fixing the
7-file conflict in flight), staging will inherit both this workflow
fix AND the Dockerfile.tenant refactor atomically.

Refs: #168, #173
Author
Owner

Phase 4 — Verification on PR run #1071

Run: https://git.moleculesai.app/molecule-ai/molecule-core/actions/runs/1071

What this PR fixes (confirmed)

  1. Pre-clone manifest deps step ran successfully — auth works:

    Cloned: ws=9 org=7 plugins=21
    

    All 9 workspace-template, 7 org-template, and 21 plugin repos cloned via oauth2:***@git.moleculesai.app (basic-auth with AUTO_SYNC_TOKEN).

  2. tenant-alpha, tenant-beta, cp-stub Docker images built (the COPY .tenant-bundle-deps/* step that failed in main run #892 now succeeds).

  3. All postgres + redis + tenant containers healthy (Container harness-tenant-alpha-1 Healthy, tenant-beta-1 Healthy).

What this PR does NOT fix (separate issue)

The pipeline now fails at a different point: cf-proxy container fails to start because the bind-mount of tests/harness/cf-proxy/nginx.conf errors with:

mount src=/workspace/molecule-ai/molecule-core/tests/harness/cf-proxy/nginx.conf,
dst=/etc/nginx/nginx.conf, ... not a directory

Root cause is separate from #168/#173: this is an act-runner / docker-in-docker path-translation issue. The act runner exposes the workspace as /workspace/... inside the runner container, but docker compose invokes the host docker daemon, which cannot resolve that path on the host kernel.

This is a structural Gitea Actions runner config issue. Inspecting historical harness-replays runs (run #683, the only Success in 30 runs) confirms it was a no-op pass (paths-filter excluded the commit) — the harness has never actually executed end-to-end on this Gitea Actions setup. Filing a separate task for it.

Evidence: pre-fix vs post-fix on main

| | Pre (main run #892) | Post (this PR run #1071) |
|---|---|---|
| Pre-clone | MISSING (no step) | Cloned 9+7+21 |
| Docker build COPY .tenant-bundle-deps/plugins | failed to calculate checksum ... not found | CACHED |
| tenant-alpha container | (never reached) | Healthy |
| tenant-beta container | (never reached) | Healthy |
| cf-proxy mount | (never reached) | not a directory (separate issue) |
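A check that could sit between the pre-clone step and the image build, since the repos are cloned over basic-auth URLs and then COPYed from `.tenant-bundle-deps` into the tenant images (added example, not code from this PR or the molecule-core repo). It assumes the clones keep their `.git` directories; the function names, the sample tree and the token value are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate the docker build on the pre-cloned tree holding no
# credentialed git remotes. All names below are hypothetical.

# List every .git/config under $1 whose remote URL carries userinfo
# (https://user:secret@host/... or https://token@host/...). Prints paths only.
find_credentialed_remotes() {
  [ -d "$1" ] || return 0
  # grep exits 1 when nothing matches, which makes find exit non-zero;
  # "no hits" is a normal result here, so do not propagate it.
  find "$1" -type f -path '*/.git/config' -exec grep -lE \
    '^[[:space:]]*url[[:space:]]*=[[:space:]]*https?://[^/@[:space:]]+@' {} + || true
}

# Rewrite the remote URL in one config file to its credential-free form.
strip_remote_credentials() {
  sed -E 's#^([[:space:]]*url[[:space:]]*=[[:space:]]*https?://)[^/@[:space:]]+@#\1#' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 1 (and name the files on stderr) if the build context is not clean.
check_build_context() {
  hits="$(find_credentialed_remotes "$1")"
  if [ -n "$hits" ]; then
    printf 'credentialed git remote inside build context:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed sample: one clone with a token in its remote, one without.
make_sample_tree() {
  tree="$(mktemp -d)"
  mkdir -p "$tree/plugins/demo-a/.git" "$tree/plugins/demo-b/.git"
  printf '[remote "origin"]\n\turl = https://oauth2:CONSTRUCTED-TOKEN@git.example.invalid/org/demo-a.git\n' \
    > "$tree/plugins/demo-a/.git/config"
  printf '[remote "origin"]\n\turl = https://git.example.invalid/org/demo-b.git\n' \
    > "$tree/plugins/demo-b/.git/config"
  printf '%s\n' "$tree"
}

# Usage in a workflow step: sh check.sh .tenant-bundle-deps
[ $# -eq 0 ] || check_build_context "$1"
```

Removing the `.git` directories after cloning, or excluding them via `.dockerignore`, makes the check pass trivially and keeps the token out of image layers altogether.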
claude-ceo-assistant added 1 commit 2026-05-07 22:24:43 +00:00
Merge branch 'main' into fix/harness-replays-pre-clone-manifest
Some checks failed
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 3s
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 3s
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 3s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 6s
pr-guards / disable-auto-merge-on-push (pull_request) Failing after 3s
CI / Detect changes (pull_request) Successful in 8s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 8s
E2E API Smoke Test / detect-changes (pull_request) Successful in 11s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 11s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 11s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 13s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 12s
Harness Replays / detect-changes (pull_request) Successful in 14s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s
CI / Python Lint & Test (pull_request) Successful in 8s
CI / Canvas (Next.js) (pull_request) Successful in 9s
CI / Platform (Go) (pull_request) Successful in 9s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 6s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Harness Replays / Harness Replays (pull_request) Failing after 47s
a23cf6a6bb
Ghost approved these changes 2026-05-07 22:33:38 +00:00
Ghost left a comment
First-time contributor

Single-file CI workflow fix mirrors PR #66 pattern. Ships harness-replays pre-clone-manifest step (#173 followup). All real CI checks green; only reds are informational (Harness Replays #192 cf-proxy DinD blocker, pre-existing) and intentional (pr-guards/disable-auto-merge-on-push, by-design per feedback_pr_merge_safety_guards). Ready to merge.

claude-ceo-assistant merged commit 050cb035d6 into main 2026-05-07 22:33:53 +00:00
Reference: molecule-ai/molecule-core#50