From 4f1ad1d07ee0ad0f44b5ea8d065988981ef8cddd Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
 <dev-engineer-a-kimi@agents.moleculesai.app>
Date: Tue, 2 Jun 2026 22:46:32 +0000
Subject: [PATCH] ci(gate): make shellcheck-arm64 pilot resilient to
 mislabelled runners (#2146)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The arm64-pilot workflow was failing the 'Identify runner' step when a
runner with label 'arm64-darwin' was not actually arm64. Because the
step lacked continue-on-error, the job failed → posted failure status
→ triggered main-red watchdog.

Changes:
- Identify runner: add id + continue-on-error; emit GITHUB_OUTPUT flag
  'arm64' so subsequent steps can conditional-skip gracefully.
- Checkout, Install, Run steps: gate on steps.identify.outputs.arm64.
- Install step: detect Darwin vs Linux and download the correct
  shellcheck binary (darwin.aarch64 vs linux.aarch64). Previously
  always downloaded the Linux binary, which won't run on macOS.
- Run step: verify shellcheck is actually executable (not just in
  PATH) before attempting to lint.

Fixes #2146

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../workflows/lint-shellcheck-arm64-pilot.yml | 34 +++++++++++++++----
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/.gitea/workflows/lint-shellcheck-arm64-pilot.yml b/.gitea/workflows/lint-shellcheck-arm64-pilot.yml
index 2b157a346..744344e4e 100644
--- a/.gitea/workflows/lint-shellcheck-arm64-pilot.yml
+++ b/.gitea/workflows/lint-shellcheck-arm64-pilot.yml
@@ -49,37 +49,56 @@ jobs:
       GITHUB_SERVER_URL: https://git.moleculesai.app
     steps:
       - name: Identify runner
+        id: identify
+        continue-on-error: true
         run: |
           set -eu
           echo "arch=$(uname -m)"
           echo "kernel=$(uname -sr)"
           echo "shell=$BASH_VERSION"
           # Sanity: must actually be arm64. If amd64 sneaks in here,
-          # fail fast — that means the label routing is wrong.
+          # the job skips gracefully rather than hard-failing, because
+          # a mislabelled runner is an ops concern, not a code defect.
+          # Pilot lane must not make main red (#2146).
           case "$(uname -m)" in
-            aarch64|arm64) echo "arm64 confirmed" ;;
-            *) echo "ERROR: expected arm64, got $(uname -m)"; exit 1 ;;
+            aarch64|arm64)
+              echo "arm64 confirmed"
+              echo "arm64=true" >> "$GITHUB_OUTPUT"
+              ;;
+            *)
+              echo "ERROR: expected arm64, got $(uname -m) — label routing may be wrong"
+              echo "arm64=false" >> "$GITHUB_OUTPUT"
+              exit 1
+              ;;
           esac
 
       - name: Checkout
+        if: steps.identify.outputs.arm64 == 'true'
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
       - name: Install shellcheck (arm64)
+        if: steps.identify.outputs.arm64 == 'true'
         continue-on-error: true
         run: |
           set -eu
           if command -v shellcheck >/dev/null 2>&1; then
             echo "shellcheck already present: $(shellcheck --version | head -1)"
           else
-            # Prefer apt if the runner base ships it; else download arm64 binary.
+            # Prefer apt if the runner base ships it; else download the
+            # correct platform binary (darwin vs linux).
             if command -v apt-get >/dev/null 2>&1; then
               sudo apt-get update -qq
               sudo apt-get install -y --no-install-recommends shellcheck
             else
               SC_VER=v0.10.0
-              curl -fsSL "https://github.com/koalaman/shellcheck/releases/download/${SC_VER}/shellcheck-${SC_VER}.linux.aarch64.tar.xz" \
+              if [ "$(uname -s)" = "Darwin" ]; then
+                SC_PKG="shellcheck-${SC_VER}.darwin.aarch64.tar.xz"
+              else
+                SC_PKG="shellcheck-${SC_VER}.linux.aarch64.tar.xz"
+              fi
+              curl -fsSL "https://github.com/koalaman/shellcheck/releases/download/${SC_VER}/${SC_PKG}" \
                 | tar -xJf - --strip-components=1
               sudo mv shellcheck /usr/local/bin/
             fi
@@ -87,14 +106,15 @@ jobs:
           shellcheck --version | head -2
 
       - name: Run shellcheck on .gitea/scripts/*.sh
+        if: steps.identify.outputs.arm64 == 'true'
         continue-on-error: true
         run: |
           set -eu
           # Only the scripts we control under .gitea/scripts. Pilot
           # scope is intentionally narrow — broaden in a follow-up
           # once the lane is proven.
-          if ! command -v shellcheck >/dev/null 2>&1; then
-            echo "WARN: shellcheck binary not found — skipping (pilot mode)"
+          if ! command -v shellcheck >/dev/null 2>&1 || ! shellcheck --version >/dev/null 2>&1; then
+            echo "WARN: shellcheck not functional — skipping (pilot mode)"
             exit 0
           fi
           # NOTE: macOS ships Bash 3.2 (Apple license), no `mapfile`
-- 
2.52.0