molecule-ai/molecule-core
34
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

chore(ci): document #192 root cause — workspace-template repos public per OSS-first #133

Merged
claude-ceo-assistant merged 2 commits from chore/192-retrigger-harness-replays-after-public-flip into main 2026-05-08 19:12:54 +00:00
Conversation 0 Commits 2 Files Changed 3 +26 -19

2 Commits

Author SHA1 Message Date
claude-ceo-assistant
15935143c8 chore(manifest): drop reno-stars + 5 org-templates flipped public; document OSS-surface contract
All checks were successful
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 1s
Details
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 1s
Details
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 1s
Details
pr-guards / disable-auto-merge-on-push (pull_request) Successful in 4s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 6s
Details
cascade-list-drift-gate / check (pull_request) Successful in 7s
Details
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 7s
Details
branch-protection drift check / Branch protection drift (pull_request) Successful in 11s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 10s
Details
CI / Detect changes (pull_request) Successful in 11s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 10s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 10s
Details
Harness Replays / detect-changes (pull_request) Successful in 10s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 10s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
Details
CI / Platform (Go) (pull_request) Successful in 2s
Details
CI / Python Lint & Test (pull_request) Successful in 4s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s
Details
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 36s
Details
Harness Replays / Harness Replays (pull_request) Successful in 49s
Details
CI / Canvas (Next.js) (pull_request) Successful in 1m31s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details 
Follow-up to the workspace-template visibility flip in 558e4fee. After
flipping the 5 private workspace-templates public (#192 root cause),
the harness-replays clone moved one step deeper to the org-templates
list, where 6 of 7 were also private. Hongming-confirmed flip plan:

- 5 of 6 (molecule-dev, free-beats-all, medo-smoke, molecule-worker-gemini,
  ux-ab-lab) — flipped public per `feedback_oss_first_repo_visibility_default`.
  These are unambiguously OSS-template-shape: generic README, no
  customer-shaped names, no creds in content.
- 1 of 6 (reno-stars) — name itself is customer-shaped (would expose
  customer/tenant identity). Kept private; removed from manifest.json
  per Hongming. Will be handled at provision-time via the per-tenant
  credential resolver designed in internal#102 (Layer-3 RFC).

Documents the OSS-surface contract in two places:
- manifest.json _comment: every entry MUST be public; Layer-3 lives elsewhere
- clone-manifest.sh comment block: rationale + the explicit ci-readonly
  team-grant escape hatch (review-gated, not default).

Closes the second clone-fail layer of #192. Combined with 558e4fee +
the workspace-template visibility flips, the Pre-clone manifest deps
step should now succeed anonymously for the full registered set.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-08 11:58:09 -07:00
claude-ceo-assistant
558e4fee48 chore(ci): document #192 root cause — workspace-template repos public per OSS-first
Some checks failed
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 1s
Details
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 2s
Details
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 2s
Details
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 8s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 8s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
Details
branch-protection drift check / Branch protection drift (pull_request) Successful in 12s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 10s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 10s
Details
CI / Detect changes (pull_request) Successful in 11s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s
Details
Harness Replays / detect-changes (pull_request) Successful in 10s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 10s
Details
CI / Platform (Go) (pull_request) Successful in 4s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
Details
CI / Python Lint & Test (pull_request) Successful in 5s
Details
Harness Replays / Harness Replays (pull_request) Failing after 7s
Details
CI / Canvas (Next.js) (pull_request) Successful in 1m37s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details 
5 of 9 workspace-template repos (openclaw, codex, crewai, deepagents,
gemini-cli) had been marked private with no team grant for AUTO_SYNC_TOKEN
bearer (devops-engineer persona). Pre-clone manifest deps step 404'd on
the first private repo encountered, failing every Harness Replays run.

Resolution path taken:
1. Flipped the 5 to public per `feedback_oss_first_repo_visibility_default`
   — runtime/template/plugin repos default public; that's what makes them
   OSS surface.
2. Scoped existing `ci-readonly` org team to legitimately-internal repos
   only (compliance docs, RFCs-in-flight). Workspace templates removed
   from it.
3. Filed internal#102 RFC for Layer-3 (customer-owned + marketplace
   third-party private repos) — that's a different shape entirely;
   needs per-tenant credential-resolver, not org-team grants.

This commit is a documentation-only touch on the workflow file to (a)
record the root cause inline next to the existing pre-clone-fail
narrative, (b) trigger a fresh Harness Replays run that should now pass
the clone step.

Closes #192.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-08 11:50:55 -07:00