ci(lint): guard actions/setup-go cache on self-hosted fleet #2539

Merged

core-be merged 2 commits from ci/guard-setup-go-cache into main 2026-06-10 22:00:15 +00:00

Conversation 5 Commits 2 Files Changed 7

+358 -1

devops-engineer commented 2026-06-10 15:02:46 +00:00

Member

Copy Link

Copy Source

Static workflow-shape lint that makes the actions/setup-go cache bind-mount corruption (2026-06-09/10 rollout) impossible to reintroduce.

Forbidden shape: any actions/setup-go step with caching enabled — cache:true explicit, OR cache-dependency-path/cache-key set with no cache: (defaults true), OR a bare setup-go with no cache: (still default-true). The only safe value on our self-hosted fleet is explicit cache:false.

Why: runners bind-mount a host-shared GOCACHE/GOMODCACHE (/var/cache/ci-go-{build,mod}, operator-config ops/runners/config.dedicated.yaml). actions/cache untars OVER that bind mount -> File exists -> partial cache -> test -race link / go-arch-lint failures.

Phase / coordination: lands continue-on-error: true (advisory). The sweep PR #2524 (fix/setup-go-cache-vs-bind-mount) removes the remaining cache:true hits in 8 e2e workflows; THIS PR additionally removes the 4 default-true hits #2524 does not touch (ci.yml, ci-arm64-advisory.yml, handlers-postgres-integration.yml, weekly-platform-go.yml). FOLLOW-UP: after #2524 merges + main clean 3 days, flip continue-on-error -> false.

Fixture-catch proof: 6 pytest cases in tests/test_lint_setup_go_cache.py (cache:true, default-true+dep, bare default-true all caught; cache:false + no-setup-go clean) — all pass.

Guard class 1 of the cross-repo CI-bug-class lint set.

Static workflow-shape lint that makes the actions/setup-go cache bind-mount corruption (2026-06-09/10 rollout) impossible to reintroduce. **Forbidden shape:** any actions/setup-go step with caching enabled — cache:true explicit, OR cache-dependency-path/cache-key set with no cache: (defaults true), OR a bare setup-go with no cache: (still default-true). The only safe value on our self-hosted fleet is explicit cache:false. **Why:** runners bind-mount a host-shared GOCACHE/GOMODCACHE (/var/cache/ci-go-{build,mod}, operator-config ops/runners/config.dedicated.yaml). actions/cache untars OVER that bind mount -> File exists -> partial cache -> test -race link / go-arch-lint failures. **Phase / coordination:** lands continue-on-error: true (advisory). The sweep PR #2524 (fix/setup-go-cache-vs-bind-mount) removes the remaining cache:true hits in 8 e2e workflows; THIS PR additionally removes the 4 default-true hits #2524 does not touch (ci.yml, ci-arm64-advisory.yml, handlers-postgres-integration.yml, weekly-platform-go.yml). FOLLOW-UP: after #2524 merges + main clean 3 days, flip continue-on-error -> false. **Fixture-catch proof:** 6 pytest cases in tests/test_lint_setup_go_cache.py (cache:true, default-true+dep, bare default-true all caught; cache:false + no-setup-go clean) — all pass. Guard class 1 of the cross-repo CI-bug-class lint set.

devops-engineer added 1 commit 2026-06-10 15:02:50 +00:00

ci(lint): guard against actions/setup-go caching on self-hosted fleet ... 08dcbb1d3c

Static workflow-shape lint forbidding setup-go cache (cache:true OR the
default-true cases) — the actions/cache untar-over-GOCACHE-bind-mount
corruption from the 2026-06-09/10 rollout. Lands advisory
(continue-on-error: true); flips to required after the core#2524 sweep
merges + 3 clean days. Also removes the 4 default-true hits the sweep PR
does not touch (ci.yml, ci-arm64-advisory, handlers-postgres-integration,
weekly-platform-go).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

devops-engineer requested review from molecule-code-reviewer 2026-06-10 15:07:18 +00:00

devops-engineer commented 2026-06-10 16:24:34 +00:00

Author

Member

Copy Link

Copy Source

Skipping — genuine required-context failures (not just the SOP-ceremony gap). lint-continue-on-error-tracking fails on the PR's own diff: .gitea/workflows/lint-setup-go-cache.yml line 64 has continue-on-error: true with no # mc#NNNN / # internal#NNNN tracker comment within 2 lines — add a tracker ref to satisfy the 14-day renewal rule. Ops Scripts Tests also fails (4 pytest tests in test_gitea_merge_queue/test_status_reaper hit empty /repos/// URLs → DNS error; env/owner-repo not set in the test). Plus the core full SOP gate is unacked (qa-review/security-review/all-items-acked pending). Reviewer-persona approvals do not flip the SOP statuses. Fix the lint tracker comment + ops-test env, then ack the checklist. Not forcing.

Skipping — genuine required-context failures (not just the SOP-ceremony gap). `lint-continue-on-error-tracking` fails on the PR's own diff: `.gitea/workflows/lint-setup-go-cache.yml line 64` has `continue-on-error: true` with no `# mc#NNNN / # internal#NNNN` tracker comment within 2 lines — add a tracker ref to satisfy the 14-day renewal rule. `Ops Scripts Tests` also fails (4 pytest tests in test_gitea_merge_queue/test_status_reaper hit empty `/repos///` URLs → DNS error; env/owner-repo not set in the test). Plus the core full SOP gate is unacked (qa-review/security-review/all-items-acked pending). Reviewer-persona approvals do not flip the SOP statuses. Fix the lint tracker comment + ops-test env, then ack the checklist. Not forcing.

core-be referenced this pull request 2026-06-10 18:41:58 +00:00

CI gate RED on all core PRs: 4 conductor-snapshot tests use a frozen literal ts (10-min freshness time-bomb) -> /repos/// crash #2550

core-qa approved these changes 2026-06-10 19:43:06 +00:00

Dismissed

core-qa left a comment

Member

Copy Link

Copy Source

re-approve rebased head (main merged for #2551 Ops-Scripts fix); change unchanged

re-approve rebased head (main merged for #2551 Ops-Scripts fix); change unchanged

core-security approved these changes 2026-06-10 19:43:22 +00:00

Dismissed

core-security left a comment

Member

Copy Link

Copy Source

re-approve rebased head (main merged for #2551 Ops-Scripts fix); change unchanged

re-approve rebased head (main merged for #2551 Ops-Scripts fix); change unchanged

core-be added 1 commit 2026-06-10 21:55:14 +00:00

Merge origin/main into ci/guard-setup-go-cache + self-comply with COE tracker ... 1e0de9c7a1

- Merge main (brings in #2551 conductor-snapshot ts fix that unblocks
  Ops Scripts Tests, and the new lint-no-coe-on-required guard).
- Resolve handlers-postgres-integration.yml conflict: both sides keep
  cache:false; merged the comment to preserve the heavy-job examples
  and the cp#698 sweep note.
- Satisfy lint-continue-on-error-tracking (Tier 2e): the advisory
  continue-on-error:true in lint-setup-go-cache.yml now carries an
  internal#881 tracker comment (open, fresh 14d-renewable) per the
  guard the PR itself introduces. Guard logic unchanged.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

core-be dismissed core-qa's review 2026-06-10 21:55:14 +00:00

Reason:

New commits pushed, approval review dismissed automatically according to repository settings

core-be dismissed core-security's review 2026-06-10 21:55:14 +00:00

Reason:

New commits pushed, approval review dismissed automatically according to repository settings

core-qa approved these changes 2026-06-10 21:56:35 +00:00

core-qa left a comment

Member

Copy Link

Copy Source

core-qa re-approve on head 1e0de9c7 (prior approval dismissed by dismiss_stale on the main-merge push).

Verified:

• git merge origin/main resolved cleanly; the only conflict was handlers-postgres-integration.yml and BOTH sides kept cache: false — resolution preserves cache:false (the whole point of the guard). Ran lint_setup_go_cache.py locally: "OK: every actions/setup-go step sets cache: false", exit 0.
• Self-compliance: lint_continue_on_error_tracking.py exits 0 against the merged tree; lint-setup-go-cache.yml line 65 now carries # internal#881 (open, 0d old, <=14d). All 32 continue-on-error:true directives have valid trackers.
• Guard logic UNCHANGED (lint_setup_go_cache.py untouched); only the merge + the self-tracker comment + a merged conflict-comment.
• Unit tests: 20 passed (test_lint_setup_go_cache + test_lint_continue_on_error_tracking).
• CI on head 1e0de9c7: lint-setup-go-cache, lint-continue-on-error-tracking, Ops Scripts Tests, CI/all-required, lint-no-coe-on-required all green.

QA: PASS.

core-qa re-approve on head 1e0de9c7 (prior approval dismissed by dismiss_stale on the main-merge push). Verified: - `git merge origin/main` resolved cleanly; the only conflict was handlers-postgres-integration.yml and BOTH sides kept `cache: false` — resolution preserves cache:false (the whole point of the guard). Ran lint_setup_go_cache.py locally: "OK: every actions/setup-go step sets cache: false", exit 0. - Self-compliance: lint_continue_on_error_tracking.py exits 0 against the merged tree; lint-setup-go-cache.yml line 65 now carries `# internal#881` (open, 0d old, <=14d). All 32 continue-on-error:true directives have valid trackers. - Guard logic UNCHANGED (lint_setup_go_cache.py untouched); only the merge + the self-tracker comment + a merged conflict-comment. - Unit tests: 20 passed (test_lint_setup_go_cache + test_lint_continue_on_error_tracking). - CI on head 1e0de9c7: lint-setup-go-cache, lint-continue-on-error-tracking, Ops Scripts Tests, CI/all-required, lint-no-coe-on-required all green. QA: PASS.

core-security approved these changes 2026-06-10 21:56:52 +00:00

core-security left a comment

Member

Copy Link

Copy Source

core-security re-approve on head 1e0de9c7 (prior approval dismissed by dismiss_stale on the main-merge push).

Security review:

• Change is CI-workflow-only: a main-merge plus a tracker-comment self-compliance fix. No application/runtime code paths, no secrets, no permissions changes. lint-setup-go-cache.yml keeps permissions: contents: read.
• No new token usage introduced by this PR; the tracking-lint reads issues via the existing DRIFT_BOT_TOKEN secret (unchanged). internal#881 is a benign tracker issue, not a credential.
• Conflict resolution kept cache: false on the self-hosted bind-mount fleet, which is the integrity control (prevents corrupt restored GOCACHE), not a security regression.
• No diff in secret-handling, tenant-env, or auth surfaces; secret-pattern-drift + Secret scan + forbidden-tenant-env lints green.

Security: PASS.

core-security re-approve on head 1e0de9c7 (prior approval dismissed by dismiss_stale on the main-merge push). Security review: - Change is CI-workflow-only: a main-merge plus a tracker-comment self-compliance fix. No application/runtime code paths, no secrets, no permissions changes. lint-setup-go-cache.yml keeps `permissions: contents: read`. - No new token usage introduced by this PR; the tracking-lint reads issues via the existing DRIFT_BOT_TOKEN secret (unchanged). internal#881 is a benign tracker issue, not a credential. - Conflict resolution kept `cache: false` on the self-hosted bind-mount fleet, which is the integrity control (prevents corrupt restored GOCACHE), not a security regression. - No diff in secret-handling, tenant-env, or auth surfaces; secret-pattern-drift + Secret scan + forbidden-tenant-env lints green. Security: PASS.

core-be merged commit d447cff38a into main 2026-06-10 22:00:15 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

molecule-code-reviewer

core-qa

core-security

Labels

Clear labels

area/ci

CI/CD pipeline issues

do-not-auto-merge

Opt out of autonomous merge-queue merging

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

wip

Work in progress — do not auto-merge

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

4 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2539