From 2851b132d1b4bf31ee373bb1716bcf2107fcb359 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
 <dev-engineer-a-kimi@agents.moleculesai.app>
Date: Thu, 4 Jun 2026 23:19:37 +0000
Subject: [PATCH] ci(handlers-postgres): restrict runs-on to runners with
 molecule-core-net label (internal#797)

Handlers Postgres Integration was pinned to docker-host, but some
docker-host runners were provisioned without the molecule-core-net
bridge network. This caused ~30% hard-fail rate on the bridge-inspect
step.

Fix: change runs-on from docker-host to [docker-host, molecule-core-net]
in both detect-changes and integration jobs. Gitea Actions uses
label-AND semantics for arrays, so the runner must satisfy both labels.

This unblocks PR #2166 by ensuring Postgres Integration only lands on
runners that are confirmed to carry the required bridge network.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../handlers-postgres-integration.yml         | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/.gitea/workflows/handlers-postgres-integration.yml b/.gitea/workflows/handlers-postgres-integration.yml
index 93a9fd91f..eee3fcee9 100644
--- a/.gitea/workflows/handlers-postgres-integration.yml
+++ b/.gitea/workflows/handlers-postgres-integration.yml
@@ -77,16 +77,12 @@ env:
 jobs:
   detect-changes:
     name: detect-changes
-    # mc#1529 §1: pin to `docker-host` so the integration job runs on the
-    # operator-host runners (molecule-runner-*), which carry the
-    # `molecule-core-net` bridge network this workflow depends on. PC2
-    # runners (hongming-pc-runner-*) also advertise ubuntu-latest but
-    # don't have that network — the previous `runs-on: ubuntu-latest`
-    # rolled the dice and hard-failed the bridge-inspect step ~30% of
-    # the time. detect-changes itself doesn't need the bridge, but keeping
-    # both jobs on the same label avoids workspace-volume cross-host
-    # surprises and keeps the routing rule discoverable in one place.
-    runs-on: docker-host
+    # mc#1529 §1 + internal#797: pin to `docker-host` runners that ALSO
+    # advertise the `molecule-core-net` label. This bridges the gap where
+    # some `docker-host` runners were provisioned without the network.
+    # The array means the runner must satisfy BOTH labels (Gitea Actions
+    # label-AND semantics). See status-reaper.yml for the same pattern.
+    runs-on: [docker-host, molecule-core-net]
     # mc#1982 Phase 3 (RFC §1): surface broken workflows without blocking.
     # mc#1982: mask removed. If regressions appear, root-fix the underlying
     # test — do NOT renew the mask silently.
@@ -123,9 +119,10 @@ jobs:
   integration:
     name: Handlers Postgres Integration
     needs: detect-changes
-    # mc#1529 §1: must run on operator-host (where `molecule-core-net`
-    # exists). See detect-changes for the full routing rationale.
-    runs-on: docker-host
+    # mc#1529 §1 + internal#797: must run on operator-host where
+    # `molecule-core-net` exists. See detect-changes for the full
+    # routing rationale.
+    runs-on: [docker-host, molecule-core-net]
     # mc#1982 Phase 3 (RFC §1): surface broken workflows without blocking.
     # mc#1982: mask removed. If regressions appear, root-fix the underlying
     # test — do NOT renew the mask silently.
-- 
2.52.0