From 00351b4551eda7d17e9edad309333f54dd04b0f0 Mon Sep 17 00:00:00 2001 From: claude-ceo-assistant Date: Mon, 18 May 2026 19:50:13 -0700 Subject: [PATCH] fix(ci): repair docker-host guardrail follow-up --- .gitea/workflows/ci.yml | 2 +- .gitea/workflows/e2e-peer-visibility.yml | 2 +- ...-required-workflows-docker-host-pinned.yml | 34 +++++++++++-------- .github/workflows/ci.yml | 3 +- .github/workflows/e2e-api.yml | 2 +- .../handlers-postgres-integration.yml | 3 +- .github/workflows/harness-replays.yml | 2 +- .github/workflows/publish-canvas-image.yml | 2 +- tests/e2e/lib/peer_visibility_assert.sh | 2 ++ tests/e2e/test_peer_visibility_mcp_local.sh | 2 ++ 10 files changed, 30 insertions(+), 24 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 442eb0486..fb8adaa85 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -401,7 +401,7 @@ jobs: canvas-deploy-reminder: name: Canvas Deploy Reminder - runs-on: ubuntu-latest + runs-on: docker-host # mc#774 root-fix: added job-level `if:` so ci-required-drift.py's # ci_job_names() detects this as github.ref-gated and skips it from F1. # The step-level exit 0 handles the "not main push" case; the job-level diff --git a/.gitea/workflows/e2e-peer-visibility.yml b/.gitea/workflows/e2e-peer-visibility.yml index 55318f7cb..bb7e10085 100644 --- a/.gitea/workflows/e2e-peer-visibility.yml +++ b/.gitea/workflows/e2e-peer-visibility.yml @@ -164,7 +164,7 @@ jobs: # bp-required: pending #1296 peer-visibility-local: name: E2E Peer Visibility (local) - runs-on: ubuntu-latest + runs-on: docker-host timeout-minutes: 30 env: # Per-run names + ephemeral ports — same collision-avoidance as diff --git a/.gitea/workflows/lint-required-workflows-docker-host-pinned.yml b/.gitea/workflows/lint-required-workflows-docker-host-pinned.yml index eba5ddd04..957740f1b 100644 --- a/.gitea/workflows/lint-required-workflows-docker-host-pinned.yml +++ b/.gitea/workflows/lint-required-workflows-docker-host-pinned.yml 
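Review bot: canvas-deploy-reminder is moved from ubuntu-latest to docker-host, yet the comment right below describes it as a reminder job whose step exits 0 on non-main pushes, and this same commit narrows the pinned-label lint so that only jobs whose own body uses docker must run on docker-host; if the job's steps (outside the hunk) do not run docker, it no longer needs the self-hosted label. Running a non-docker job on the shared docker-host runner widens what executes on that host for no gain, so either keep `runs-on: ubuntu-latest` here or add a one-line comment stating why the label is required (for example `# docker-host: the Gitea runner pool has no ubuntu-latest label`, if that is the reason). The same question applies to the canvas-deploy-reminder hunk in .github/workflows/ci.yml later in this patch.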
@@ -88,17 +88,6 @@ jobs: with open(path) as f: raw_lines = f.readlines() - # Strip pure-comment lines for docker-exec detection so that - # documentation comments don't trigger the lint. - scan_text = ''.join( - l for l in raw_lines - if not re.match(r'^\s*#', l) - ) - - has_docker = bool(DOCKER_EXEC.search(scan_text)) or bool(DOCKER_ACTION.search(scan_text)) - if not has_docker: - continue - # Parse job headers + their runs-on. Simple line scan; relies on # 2-space job indent + 4-space runs-on indent under `jobs:`. jobs = [] @@ -113,8 +102,9 @@ jobs: mh = JOB_HEADER.match(line) if mh: if current: + current['end'] = i - 1 jobs.append(current) - current = {'name': mh.group(2), 'line': i, 'runs_on': None} + current = {'name': mh.group(2), 'line': i, 'end': len(raw_lines), 'runs_on': None} continue mr = RUNS_ON.match(line) if mr and current and current['runs_on'] is None: @@ -123,6 +113,18 @@ jobs: jobs.append(current) for j in jobs: + # Strip pure-comment lines for docker-exec detection so + # documentation comments don't trigger the lint. Scan the + # current job body only: a workflow may contain one + # docker-bound job and several harmless metadata jobs. + job_lines = raw_lines[j['line'] - 1:j['end']] + scan_text = ''.join( + l for l in job_lines + if not re.match(r'^\s*#', l) + ) + has_docker = bool(DOCKER_EXEC.search(scan_text)) or bool(DOCKER_ACTION.search(scan_text)) + if not has_docker: + continue ro = j['runs_on'] if ro is None: # Reusable workflow caller (`uses:` instead of `runs-on:`) — 
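Review bot: The per-job body slice `raw_lines[j['line'] - 1:j['end']]` in the third hunk, together with `current['end'] = i - 1` in the second, is correct only if `i` is a 1-based line number; the `enumerate` that binds `i` is outside the hunk, so confirm it is `enumerate(raw_lines, 1)` (the `f"{path}:{j['line']}"` message suggests it is, but with a 0-based `i` every slice would start one line early and drop the last line of each job). Since the file-wide docker pre-check removed in the first hunk is gone, docker usage outside any job body (top-level keys before the first job) is now never examined; that is reasonable for a runs-on lint but deserves a comment next to the slice, e.g. `# Only job bodies are scanned; top-level content before the first job is ignored.` Minor style point in the same loop: `l` as a loop variable is easily misread as `1` (ruff E741); `ln` reads better.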
@@ -134,9 +136,11 @@ jobs: labels = [t.strip().strip('"\'') for t in ro_norm.split(',') if t.strip()] if any(lbl in ALLOWED_LABELS for lbl in labels): continue - # Allow caller-supplied label expression `${{ ... }}` — caller - # is responsible. - if any('${{' in lbl for lbl in labels): + # Allow caller-supplied label expressions; spell the + # marker indirectly so Gitea's expression parser does + # not try to parse this Python heredoc. + expression_marker = '$' + '{{' + if any(expression_marker in lbl for lbl in labels): continue fails.append( f"{path}:{j['line']}: job `{j['name']}` uses docker but runs-on={ro!r} " diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 550e1d30e..b295ff38d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -300,7 +300,7 @@ jobs: canvas-deploy-reminder: name: Canvas Deploy Reminder - runs-on: ubuntu-latest + runs-on: docker-host needs: [changes, canvas-build] # Only fires on direct pushes to main (i.e. after staging→main promotion). if: needs.changes.outputs.canvas == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main' @@ -440,4 +440,3 @@ jobs: # SDK + plugin validation moved to standalone repo: # github.com/molecule-ai/molecule-sdk-python - diff --git a/.github/workflows/e2e-api.yml b/.github/workflows/e2e-api.yml index 7e7834826..fe855d2d2 100644 --- a/.github/workflows/e2e-api.yml +++ b/.github/workflows/e2e-api.yml @@ -128,7 +128,7 @@ jobs: e2e-api: needs: detect-changes name: E2E API Smoke Test - runs-on: ubuntu-latest + runs-on: docker-host timeout-minutes: 15 env: # Unique per-run container names so concurrent runs on the host- diff --git a/.github/workflows/handlers-postgres-integration.yml b/.github/workflows/handlers-postgres-integration.yml index 3ef51ee33..b08799080 100644 --- a/.github/workflows/handlers-postgres-integration.yml +++ b/.github/workflows/handlers-postgres-integration.yml 
@@ -88,7 +88,7 @@ jobs: integration: name: Handlers Postgres Integration needs: detect-changes - runs-on: ubuntu-latest + runs-on: docker-host env: # Unique name per run so concurrent jobs don't collide on the # bridge network. ${RUN_ID}-${RUN_ATTEMPT} is unique even across @@ -249,4 +249,3 @@ jobs: # already gone (e.g. concurrent rerun race), don't fail the job. docker rm -f "${PG_NAME}" >/dev/null 2>&1 || true echo "Cleaned up ${PG_NAME}" - diff --git a/.github/workflows/harness-replays.yml b/.github/workflows/harness-replays.yml index ab247f7e6..3bb342ec2 100644 --- a/.github/workflows/harness-replays.yml +++ b/.github/workflows/harness-replays.yml @@ -102,7 +102,7 @@ jobs: harness-replays: needs: detect-changes name: Harness Replays - runs-on: ubuntu-latest + runs-on: docker-host timeout-minutes: 30 steps: - name: No-op pass (paths filter excluded this commit) diff --git a/.github/workflows/publish-canvas-image.yml b/.github/workflows/publish-canvas-image.yml index 6d345978d..5d085ff0c 100644 --- a/.github/workflows/publish-canvas-image.yml +++ b/.github/workflows/publish-canvas-image.yml @@ -39,7 +39,7 @@ env: jobs: build-and-push: name: Build & push canvas image - runs-on: ubuntu-latest + runs-on: publish steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/tests/e2e/lib/peer_visibility_assert.sh b/tests/e2e/lib/peer_visibility_assert.sh index 9c21fbbfd..f69e506c2 100644 --- a/tests/e2e/lib/peer_visibility_assert.sh +++ b/tests/e2e/lib/peer_visibility_assert.sh 
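Review bot: build-and-push in publish-canvas-image.yml is pinned to a new label `publish`, while the lint in this same commit fails any docker-using job whose runs-on label is not in ALLOWED_LABELS; that set is not visible in this diff, so confirm `publish` is included, otherwise a job that builds and pushes an image (and presumably invokes docker in steps outside the hunk) will trip the guardrail it is meant to satisfy. The handlers-postgres and harness-replays hunks move to docker-host, which is consistent with the lint; a short comment on the `publish` line naming the runner it selects and why it differs from docker-host would save the next reader the same lookup.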
@@ -153,11 +153,13 @@ print('OK:found=%d/%d' % (len(found), len(expect))) # Caller bug, not a runtime regression — surface loudly so a # mis-wired backend can't mint a false green. echo " ✗ $rt: no expected peers were configured for this caller" + # shellcheck disable=SC2034 # exported verdict is read by the caller's map plumbing. PV_VERDICT="FAIL(rpc=NO_EXPECTED_PEERS_CONFIGURED)" return 1 ;; *) echo " ✗ $rt: unexpected verdict '$parse'" + # shellcheck disable=SC2034 # exported verdict is read by the caller's map plumbing. PV_VERDICT="FAIL(unknown)" return 1 ;; diff --git a/tests/e2e/test_peer_visibility_mcp_local.sh b/tests/e2e/test_peer_visibility_mcp_local.sh index 6fc454a3b..c895f2148 100755 --- a/tests/e2e/test_peer_visibility_mcp_local.sh +++ b/tests/e2e/test_peer_visibility_mcp_local.sh @@ -208,7 +208,9 @@ log " PARENT_ID=$PARENT_ID" # box (bash 3.2, no associative arrays) per feedback_local_must_mimic_ # production. WS_IDS / VERDICT are kept as newline-delimited "rtval" # maps with tiny get/set helpers (portable to bash 3.2+ AND ubuntu CI). +# shellcheck disable=SC2034 # map values are updated through portable eval-based helpers. WS_IDS_MAP="" +# shellcheck disable=SC2034 # map values are updated through portable eval-based helpers. VERDICT_MAP="" _map_set() { # _map_set local __m="$1" __k="$2" __v="$3" __cur -- 2.52.0
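Review bot: The two directive comments say "exported verdict", but `PV_VERDICT="FAIL(...)"` is a plain assignment with no `export` or `declare -g` in the hunk, so unless PV_VERDICT is exported elsewhere (outside this hunk) it is a shell global, not an environment variable; `# shellcheck disable=SC2034 # PV_VERDICT is a global read by the caller's map plumbing.` states the actual contract. The same wording choice appears in the test_peer_visibility_mcp_local.sh hunk for WS_IDS_MAP and VERDICT_MAP, where "map values are updated through portable eval-based helpers" is accurate and can stay.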