feat(ci): port publish-runtime.yml to .gitea/workflows/ (issue #206) #211

core-devops · 2026-05-10T01:26:58Z

core-devops commented

2026-05-10 01:26:58 +00:00

Summary

Port publish-runtime.yml to Gitea Actions (issue #206).

Problem

publish-runtime.yml was dead on Gitea — Gitea Actions reads
.gitea/workflows/, not .github/workflows/. Evidence:

secret-scan.yml and sop-tier-check.yml are already in BOTH directories
publish-runtime.yml was only in .github/workflows/ (now deprecated with a notice)
Zero publish-runtime statuses observed on any commit since migration

Fix

Add .gitea/workflows/publish-runtime.yml with Gitea-compatible adaptations:

Drop environment: pypi-publish + id-token: write (Gitea has no OIDC)
Replace pypa/gh-action-pypi-publish with twine upload using PYPI_TOKEN secret
Replace github.ref_name (GitHub-only) with ${GITHUB_REF#refs/tags/} (Gitea exposes github.ref)
Drop merge_group trigger (Gitea has no merge queue)
Drop staging branch trigger (staging branch does not exist — auto-publish path was already dead)
Cascade step unchanged (DISPATCH_TOKEN + Gitea API already compatible)

Required Secrets (repo Settings → Actions → Variables and Secrets)

Secret	Purpose	Status
PYPI_TOKEN	PyPI API token for molecule-ai-workspace-runtime	NEW — operator must add
DISPATCH_TOKEN	Gitea PAT for template repo cascade pushes	Already exists

Test plan

Verify workflow appears in Gitea Actions UI under .gitea/workflows/publish-runtime.yml
Run workflow_dispatch with a test version (e.g. 0.1.999)
Verify PYPI_TOKEN secret is added by operator before merge
Confirm cascade fires on template repos (DISPATCH_TOKEN already set)

The three-version inconsistency (init.py: 0.1.0 vs pyproject.toml: 0.1.17 vs .runtime-version: 0.1.129) is real but requires release-manager input on authoritative version source. Not resolved in this PR.

Closes #206 (publish-runtime Gitea port).

## Summary Port publish-runtime.yml to Gitea Actions (issue #206). ### Problem publish-runtime.yml was dead on Gitea — Gitea Actions reads `.gitea/workflows/`, not `.github/workflows/`. Evidence: - secret-scan.yml and sop-tier-check.yml are already in BOTH directories - publish-runtime.yml was only in .github/workflows/ (now deprecated with a notice) - Zero publish-runtime statuses observed on any commit since migration ### Fix Add `.gitea/workflows/publish-runtime.yml` with Gitea-compatible adaptations: - Drop `environment: pypi-publish` + `id-token: write` (Gitea has no OIDC) - Replace `pypa/gh-action-pypi-publish` with `twine upload` using `PYPI_TOKEN` secret - Replace `github.ref_name` (GitHub-only) with ${GITHUB_REF#refs/tags/} (Gitea exposes `github.ref`) - Drop `merge_group` trigger (Gitea has no merge queue) - Drop `staging` branch trigger (staging branch does not exist — auto-publish path was already dead) - Cascade step unchanged (DISPATCH_TOKEN + Gitea API already compatible) ### Required Secrets (repo Settings → Actions → Variables and Secrets) | Secret | Purpose | Status | |--------|---------|--------| | PYPI_TOKEN | PyPI API token for molecule-ai-workspace-runtime | **NEW — operator must add** | | DISPATCH_TOKEN | Gitea PAT for template repo cascade pushes | Already exists | ### Test plan - [ ] Verify workflow appears in Gitea Actions UI under .gitea/workflows/publish-runtime.yml - [ ] Run workflow_dispatch with a test version (e.g. 0.1.999) - [ ] Verify PYPI_TOKEN secret is added by operator before merge - [ ] Confirm cascade fires on template repos (DISPATCH_TOKEN already set) ### Related: Version Staleness (deferred) The three-version inconsistency (__init__.py: 0.1.0 vs pyproject.toml: 0.1.17 vs .runtime-version: 0.1.129) is real but requires release-manager input on authoritative version source. Not resolved in this PR. Closes #206 (publish-runtime Gitea port).

core-devops added 1 commit 2026-05-10 01:26:58 +00:00

feat(ci): port publish-runtime.yml to .gitea/workflows/ (issue #206 )

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s

Details

sop-tier-check / tier-check (pull_request) Failing after 4s

Details

25d3b1a2f3

publish-runtime.yml was dead on Gitea Actions because Gitea reads
.gitea/workflows/, not .github/workflows/ (the GitHub Actions paths are
ignored). Issue #206 identified this as one of three bugs blocking the
runtime versioning pipeline.

Changes:
- Add .gitea/workflows/publish-runtime.yml (canonical Gitea version)
  - Drop environment: + id-token: write (Gitea has no OIDC/OAuth)
  - Replace pypa/gh-action-pypi-publish with twine upload using PYPI_TOKEN secret
  - Replace github.ref_name with ${GITHUB_REF#refs/tags/} (Gitea exposes github.ref)
  - Drop merge_group trigger (Gitea has no merge queue)
  - Drop staging branch trigger (staging branch does not exist)
  - Cascade step unchanged (DISPATCH_TOKEN + Gitea API already compatible)
- Add DEPRECATED notice to .github/workflows/publish-runtime.yml

Required secrets (repo Settings → Actions → Variables and Secrets):
  PYPI_TOKEN: PyPI API token for molecule-ai-workspace-runtime
  DISPATCH_TOKEN: Gitea PAT with write:repo on template repos (already used)

Closes #206 (publish-runtime Gitea port).

core-lead added the

tier:low

label 2026-05-10 01:29:07 +00:00

core-lead approved these changes 2026-05-10 01:29:08 +00:00

Dismissed

core-lead left a comment

[core-lead-agent] LGTM. Port publish-runtime workflow to .gitea/. tier:low.

core-lead added 1 commit 2026-05-10 01:29:13 +00:00

trigger

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s

Details

sop-tier-check / tier-check (pull_request) Successful in 4s