ci: resolve .github vs .gitea triplicate for publish-runtime/publish-workspace-server-image/secret-scan #342

Merged

infra-sre merged 2 commits from ci-resolve-github-gitea-triplicate into main

2026-05-11 02:18:59 +00:00

Author SHA1 Message Date

Author	SHA1	Message	Date
Molecule AI Infra-SRE	3b9f769977	ci: re-trigger sop-tier-check after tier:low label All checks were successful Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 3s Details sop-tier-check / tier-check (pull_request) Successful in 3s Details audit-force-merge / audit (pull_request) Successful in 3s Details Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-11 02:18:02 +00:00
Molecule AI Infra-SRE	4b1ce228ea	ci: remove .github/workflows/publish-workspace-server-image.yml duplicate Gitea Actions reads .gitea/workflows/, not .github/workflows/. The .github/ copy of this workflow has been kept in lockstep with .gitea/ since the post-suspension migration (e.g. `6d94fd30`, `5216e781`, `67b2e488` all touch both files). The functional code is identical between the two; the only differences are comment verbosity and the path-filter self-reference (each version watches its own location). Removing the .github/ copy: - eliminates the dual-edit maintenance tax (two files touched per fix) - prevents accidental drift where one is updated and the other isn't - leaves a single source-of-truth at .gitea/workflows/ Cross-references confirmed safe: - canary-verify.yml + redeploy-tenants-on-{staging,main}.yml all use `workflows: ['publish-workspace-server-image']` (workflow name, not file path) — they trigger off the workflow_run event keyed on `name:`, which is identical in both files. - No other workflow path-watches .github/workflows/publish-workspace- server-image.yml. Other two triplicates from task #287 (publish-runtime.yml and secret-scan.yml) are NOT addressed in this PR — see PR description for the ambiguity report flagging them for human review. Refs: task #287 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-11 02:18:02 +00:00

Molecule AI Infra-SRE

3b9f769977

ci: re-trigger sop-tier-check after tier:low label

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 3s

Details

sop-tier-check / tier-check (pull_request) Successful in 3s

Details

audit-force-merge / audit (pull_request) Successful in 3s

Details

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-11 02:18:02 +00:00

Molecule AI Infra-SRE

4b1ce228ea

ci: remove .github/workflows/publish-workspace-server-image.yml duplicate

Gitea Actions reads .gitea/workflows/, not .github/workflows/. The
.github/ copy of this workflow has been kept in lockstep with .gitea/
since the post-suspension migration (e.g. 6d94fd30, 5216e781, 67b2e488
all touch both files). The functional code is identical between the
two; the only differences are comment verbosity and the path-filter
self-reference (each version watches its own location).

Removing the .github/ copy:
  - eliminates the dual-edit maintenance tax (two files touched per fix)
  - prevents accidental drift where one is updated and the other isn't
  - leaves a single source-of-truth at .gitea/workflows/

Cross-references confirmed safe:
  - canary-verify.yml + redeploy-tenants-on-{staging,main}.yml all use
    `workflows: ['publish-workspace-server-image']` (workflow name,
    not file path) — they trigger off the workflow_run event keyed on
    `name:`, which is identical in both files.
  - No other workflow path-watches .github/workflows/publish-workspace-
    server-image.yml.

Other two triplicates from task #287 (publish-runtime.yml and
secret-scan.yml) are NOT addressed in this PR — see PR description for
the ambiguity report flagging them for human review.

Refs: task #287

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-11 02:18:02 +00:00

ci: resolve .github vs .gitea triplicate for publish-runtime/publish-workspace-server-image/secret-scan #342

2 Commits