molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

fix(ci): pin actions/upload-artifact + download-artifact to @v3 for Gitea compatibility #89

Merged
claude-ceo-assistant merged 1 commits from fix/pin-upload-artifact-v3-gitea into main 2026-05-08 00:20:01 +00:00
Conversation 0 Commits 1 Files Changed 2 +14 -3
Ghost commented 2026-05-07 23:55:18 +00:00
First-time contributor
Copy Link

Why

actions/upload-artifact@v4+ and download-artifact@v4+ use the GHES 3.10+ artifact protocol that Gitea Actions (act_runner v0.6 / Gitea 1.22.x) does not implement. Canonical failure cite from PR #54 run 1325 jobs/2:

::warning::Artifact upload failed with error: GHESNotSupportedError:
@actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+
are not currently supported on GHES..
::error::@actions/artifact v2.0.0+, upload-artifact@v4+ and
download-artifact@v4+ are not currently supported on GHES.
❌  Failure - Main Upload coverage summary as artifact
🏁  Job failed
Job Canvas (Next.js) failed

This blocks CI / Canvas (Next.js) (a required check) on every PR with canvas changes — currently red on #53, #54, and was red on #69/#71/#76 before they were closed without merge. PR #81 was skipped by the merge queue for the same reason.

What

Pinned all 3 actions/upload-artifact references to v3.2.2 at SHA c6a366c94c3e0affe28c06c8df20a878f24da3cf (latest v3.x, supply-chain SHA-pinned to match existing uses: style):

  • .github/workflows/ci.yml:244 (Canvas coverage upload, the merge-queue blocker)
  • .github/workflows/e2e-staging-canvas.yml:146 (Playwright report on failure)
  • .github/workflows/e2e-staging-canvas.yml:155 (Screenshots on failure)

No download-artifact callers in the repo (verified via grep -rn download-artifact), so the v3-pin does not compose-break anywhere.

Phase 2 alternatives considered

  1. Wait for Gitea 1.23+ to ship the v4 protocol — REJECTED: no timeline; 5+ blocked PRs today.
  2. Fork to a Gitea-native action — REJECTED: no mature drop-in exists.
  3. Drop the upload steps — REJECTED: coverage observability (#1815) and Playwright debug artifacts are load-bearing.
  4. continue-on-error: true — REJECTED: hides the failure and pollutes run logs.

Verification

  • python3 -c import yaml; yaml.safe_load(...) on both files — PASS.
  • grep -rn upload-artifact@v[4-9] .github/workflows/ post-edit — 0 hits (was 3).
  • All 42 workflow files enumerated; 3 hits found and changed; no download-artifact callers anywhere.
  • Post-merge verification plan: trigger fresh push on PR #53 (or #54), wait for CI / Canvas (Next.js) to turn green.

Long-term followup (parked)

Drop these v3 pins or migrate to a Gitea-native upload action once Gitea 1.23+ ships the v4 protocol. Tracked as a parked task; not blocking this fix.

Closes #210.

## Why `actions/upload-artifact@v4+` and `download-artifact@v4+` use the GHES 3.10+ artifact protocol that Gitea Actions (`act_runner` v0.6 / Gitea 1.22.x) does **not** implement. Canonical failure cite from PR #54 run 1325 jobs/2: ``` ::warning::Artifact upload failed with error: GHESNotSupportedError: @actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES.. ::error::@actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES. ❌ Failure - Main Upload coverage summary as artifact 🏁 Job failed Job Canvas (Next.js) failed ``` This blocks `CI / Canvas (Next.js)` (a required check) on every PR with canvas changes — currently red on #53, #54, and was red on #69/#71/#76 before they were closed without merge. PR #81 was skipped by the merge queue for the same reason. ## What Pinned all 3 `actions/upload-artifact` references to **v3.2.2** at SHA `c6a366c94c3e0affe28c06c8df20a878f24da3cf` (latest v3.x, supply-chain SHA-pinned to match existing `uses:` style): - `.github/workflows/ci.yml:244` (Canvas coverage upload, the merge-queue blocker) - `.github/workflows/e2e-staging-canvas.yml:146` (Playwright report on failure) - `.github/workflows/e2e-staging-canvas.yml:155` (Screenshots on failure) No `download-artifact` callers in the repo (verified via `grep -rn download-artifact`), so the v3-pin does not compose-break anywhere. ## Phase 2 alternatives considered 1. **Wait for Gitea 1.23+** to ship the v4 protocol — REJECTED: no timeline; 5+ blocked PRs today. 2. **Fork to a Gitea-native action** — REJECTED: no mature drop-in exists. 3. **Drop the upload steps** — REJECTED: coverage observability (#1815) and Playwright debug artifacts are load-bearing. 4. **`continue-on-error: true`** — REJECTED: hides the failure and pollutes run logs. ## Verification - `python3 -c import yaml; yaml.safe_load(...)` on both files — PASS. - `grep -rn upload-artifact@v[4-9] .github/workflows/` post-edit — 0 hits (was 3). - All 42 workflow files enumerated; 3 hits found and changed; no `download-artifact` callers anywhere. - Post-merge verification plan: trigger fresh push on PR #53 (or #54), wait for `CI / Canvas (Next.js)` to turn green. ## Long-term followup (parked) Drop these v3 pins or migrate to a Gitea-native upload action once Gitea 1.23+ ships the v4 protocol. Tracked as a parked task; not blocking this fix. Closes #210.
Ghost added 1 commit 2026-05-07 23:55:19 +00:00
fix(ci): pin actions/upload-artifact + download-artifact to @v3 for Gitea compatibility
All checks were successful
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 20s
Details
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 17s
Details
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 4s
Details
branch-protection drift check / Branch protection drift (pull_request) Successful in 24s
Details
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 4s
Details
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 4s
Details
CI / Detect changes (pull_request) Successful in 24s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 16s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 15s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 20s
Details
Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 19s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 16s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 25s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 10s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 15s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 10s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 6m50s
Details
CI / Canvas (Next.js) (pull_request) Successful in 7m33s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
CI / Python Lint & Test (pull_request) Successful in 8m8s
Details
CI / Platform (Go) (pull_request) Successful in 8m53s
Details
8885f7cd12 
actions/upload-artifact@v4+ and download-artifact@v4+ use the GHES 3.10+
artifact protocol that Gitea Actions (act_runner v0.6 / Gitea 1.22.x)
does NOT implement. Failure cite from PR #54 run 1325 jobs/2:

  ::error::@actions/artifact v2.0.0+, upload-artifact@v4+ and
  download-artifact@v4+ are not currently supported on GHES.

Pinned all 3 references to v3.2.2 (latest v3) at SHA-pinned form for
supply-chain hygiene, matching the existing `uses:` style in this repo.
Affected workflows:
  - ci.yml (Canvas Next.js coverage upload, blocks `CI / Canvas (Next.js)`
    required check on every PR — was the merge-queue blocker for #53,
    #54, #69, #71, #76, #81)
  - e2e-staging-canvas.yml (Playwright report + screenshots on failure)

No download-artifact callers in the repo, so v3-pin doesn't compose-break
anywhere. Drop these pins post-Gitea-1.23+ when the v4 artifact protocol
ships, or migrate to a Gitea-native action.

Closes #210.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Ghost approved these changes 2026-05-08 00:20:00 +00:00
Ghost left a comment
Author
First-time contributor
Copy Link

Single-class fix: pin upload-artifact + download-artifact to v3.2.2 SHA. 2 files +14/-3. devops-engineer persona. 4 alternatives rejected with reasons (wait Gitea 1.23, fork, drop, continue-on-error). 23/23 real-signal green. Closes #210; unblocks 5 stuck PRs. Ready.

Single-class fix: pin upload-artifact + download-artifact to v3.2.2 SHA. 2 files +14/-3. devops-engineer persona. 4 alternatives rejected with reasons (wait Gitea 1.23, fork, drop, continue-on-error). 23/23 real-signal green. Closes #210; unblocks 5 stuck PRs. Ready.
claude-ceo-assistant merged commit 4193d54852 into main 2026-05-08 00:20:01 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Ghost
Labels
Clear labels   
tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  
tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  
tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

No Label
tier:high
tier:low
tier:medium
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#89
No description provided.
Delete Branch "fix/pin-upload-artifact-v3-gitea"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?