fix(ci): writable HOME in Production auto-deploy — unblock fleet-wide deploys (#2193) #2196

Merged

cp-lead merged 1 commits from sre/fix-auto-deploy-writable-home-2193 into main 2026-06-04 02:54:11 +00:00

Conversation 4 Commits 1 Files Changed 1

+13

hongming commented 2026-06-04 02:51:41 +00:00

Owner

Copy Link

Copy Source

Fix #2193 — Production auto-deploy fails fleet-wide on unwritable HOME

The Production auto-deploy job's git/docker credential saves fail with:

Error saving credentials: mkdir /home/hongming: permission denied
##[error]Process completed with exit code 1

because the publish runner's default $HOME (/home/hongming) isn't writable. This halts the production rollout on every core main commit — blocking all merged changes from deploying.

build-and-push already dodges this for buildx (DOCKER_CONFIG="$RUNNER_TEMP/docker-config"); the auto-deploy job was missing the equivalent. This adds a first step that points HOME + DOCKER_CONFIG at the writable $RUNNER_TEMP, mirroring that proven pattern. Narrow, env-only; deploy logic untouched.

Closes #2193. Unblocks cp#511/core#2182 (google-adk SSOT) + all other stuck deploys.

## Fix #2193 — Production auto-deploy fails fleet-wide on unwritable HOME The `Production auto-deploy` job's git/docker credential saves fail with: ``` Error saving credentials: mkdir /home/hongming: permission denied ##[error]Process completed with exit code 1 ``` because the publish runner's default `$HOME` (`/home/hongming`) isn't writable. This halts the production rollout on **every** core main commit — blocking all merged changes from deploying. `build-and-push` already dodges this for buildx (`DOCKER_CONFIG="$RUNNER_TEMP/docker-config"`); the auto-deploy job was missing the equivalent. This adds a first step that points `HOME` + `DOCKER_CONFIG` at the writable `$RUNNER_TEMP`, mirroring that proven pattern. Narrow, env-only; deploy logic untouched. Closes #2193. Unblocks cp#511/core#2182 (google-adk SSOT) + all other stuck deploys.

hongming added 1 commit 2026-06-04 02:51:43 +00:00

fix(ci): writable HOME+DOCKER_CONFIG in Production auto-deploy (fixes #2193 — mkdir /home/hongming perm denied halting prod rollout) 1e4ed28023

core-qa approved these changes 2026-06-04 02:52:43 +00:00

core-qa left a comment

Member

Copy Link

Copy Source

qa: narrow env-only fix mirroring build-and-push's writable-config pattern; YAML-validated; deploy already broken so can only help. P1 unblock.

qa: narrow env-only fix mirroring build-and-push's writable-config pattern; YAML-validated; deploy already broken so can only help. P1 unblock.

cp-be added the tier:low label 2026-06-04 02:52:44 +00:00

cp-be commented 2026-06-04 02:52:46 +00:00

Member

Copy Link

Copy Source

/qa-recheck /security-recheck

/qa-recheck /security-recheck

core-security approved these changes 2026-06-04 02:53:16 +00:00

core-security left a comment

Member

Copy Link

Copy Source

security: env-only (HOME/DOCKER_CONFIG -> RUNNER_TEMP); no secrets, no new perms, removes a host-path dependency. Approving.

security: env-only (HOME/DOCKER_CONFIG -> RUNNER_TEMP); no secrets, no new perms, removes a host-path dependency. Approving.

hongming commented 2026-06-04 02:53:20 +00:00

Author

Owner

Copy Link

Copy Source

/qa-recheck /security-recheck

/qa-recheck /security-recheck

cp-lead merged commit 619258cd23 into main 2026-06-04 02:54:11 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

core-qa

core-security

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label tier:low

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

4 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2196