ci: port .github/workflows/ci.yml to .gitea/workflows/ci.yml (RFC internal#219 §1) #372
Merged
claude-ceo-assistant merged 2 commits from feat/internal-219-phase-3-port-ci-yml into main 2026-05-11 07:16:30 +00:00
2 Commits
| SHA1 | Message |
|---|---|
| 24fc943890 | Merge branch 'main' into feat/internal-219-phase-3-port-ci-yml |
| d166d77abc | ci: port .github/workflows/ci.yml to .gitea/workflows/ci.yml (RFC internal#219 §1) |

24fc943890: Some checks failed
- Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
- sop-tier-check / tier-check (pull_request) Successful in 21s
- audit-force-merge / audit (pull_request) Successful in 28s
- CI / Detect changes (pull_request) Successful in 1m18s
- CI / Shellcheck (E2E scripts) (pull_request) Successful in 24s
- CI / Python Lint & Test (pull_request) Failing after 8m43s
- CI / Platform (Go) (pull_request) Failing after 11m55s
- CI / Canvas (Next.js) (pull_request) Failing after 11m59s
- CI / Canvas Deploy Reminder (pull_request) Has been skipped

d166d77abc: Some checks failed
- audit-force-merge / audit (pull_request) Has been skipped
- sop-tier-check / tier-check (pull_request) Successful in 13s
- Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s
- CI / Detect changes (pull_request) Successful in 34s
- CI / Shellcheck (E2E scripts) (pull_request) Successful in 14s
- CI / Platform (Go) (pull_request) Failing after 7m11s
- CI / Python Lint & Test (pull_request) Failing after 6m57s
- CI / Canvas (Next.js) (pull_request) Failing after 7m44s
- CI / Canvas Deploy Reminder (pull_request) Has been skipped
Phase 3 of RFC internal#219 (CI/CD hard-gate hardening).

molecule-core's branch protection on main currently requires only Secret scan + sop-tier-check/tier-check — there is no required gate that asserts the actual Go code builds. The .github/workflows/ci.yml has six jobs that would catch build/test/lint/coverage regressions, but Gitea Actions only reads .gitea/workflows/. So today every Go regression on molecule-core merges through (recurrence of feedback_phantom_required_check_after_gitea_migration).

This PR ports the workflow to .gitea/workflows/ci.yml. Per RFC §1, the port lands with `continue-on-error: true` on every job so we surface broken jobs without blocking PRs while the team triages anything that falls out of "first contact with reality". A follow-up PR (Phase 4) will flip continue-on-error to false, add the `ci/all-required` aggregator sentinel (mirroring molecule-controlplane#89's pattern), and PATCH branch protection to require it.

Four-surface migration audit performed (feedback_gitea_actions_migration_audit_pattern):

1. YAML: dropped merge_group trigger (no Gitea merge queue); no workflow_dispatch.inputs to worry about (feedback_gitea_workflow_dispatch_inputs_unsupported); no environment: blocks; runs-on: ubuntu-latest preserved. Set workflow-level env.GITHUB_SERVER_URL as belt-and-suspenders against runner-default regression (feedback_act_runner_github_server_url + feedback_act_runner_needs_config_file_env).
2. Cache + artifact: actions/upload-artifact pinned at v3.2.2 (original already had this — Gitea act_runner v0.6 doesn't speak the v4 artifact protocol). setup-python cache: pip preserved.
3. Token: workflow uses no custom dispatch tokens; auto-injected GITHUB_TOKEN (Gitea-scoped runner token) handles checkout against this same repo.
4. Docs: no github.com docs/scripts references to swap. The canvas-deploy-reminder step references ghcr.io/.../canvas — that's external documentation prose, not a build dependency, and is a separate ghcr→ECR sweep if in scope.

actions/* (checkout, setup-go, setup-node, setup-python, upload-artifact) are verified mirrored on this Gitea instance (git.moleculesai.app/actions/*); app.ini has DEFAULT_ACTIONS_URL = self so the @SHA refs resolve locally.

Scope guard (per RFC):

- This PR ports ONLY ci.yml. The other 34 workflows in .github/workflows/ get swept in a follow-up per the runbooks/gitea-actions-migration-checklist.md.
- This PR does NOT add the all-required aggregator sentinel (Phase 4).
- This PR does NOT modify branch protection (Phase 4).
- This PR does NOT delete .github/workflows/ci.yml (RFC §1 leaves it in place initially).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
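
A lint for the items the commit message's migration audit lists (merge_group trigger, workflow_dispatch inputs, environment: blocks, upload-artifact v4, and `continue-on-error: true` on every job), as an added example that is not part of this PR or the project's tooling. `audit_workflow` is a hypothetical helper, the sample workflow is constructed, and the scan is line-based and assumes two-space YAML indentation.

```python
import re

# Constructed sample, not the PR's ci.yml. Two-space indentation is assumed.
SAMPLE = """\
on:
  pull_request:
  merge_group:
jobs:
  platform:
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/upload-artifact@v4
  canvas:
    runs-on: ubuntu-latest
    environment: production
"""

def audit_workflow(text):
    """Hypothetical helper: flag the items the commit message audited for."""
    findings, soft = [], {}          # soft: job id -> has continue-on-error: true
    section = job = None
    in_dispatch = False
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # ignore trailing comments
        if not line.strip():
            continue
        indent, key = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:
            section, job = key.split(":")[0], None
        if indent <= 2:
            in_dispatch = key == "workflow_dispatch:"
        if section == "on" and re.search(r"\bmerge_group\b", line):
            findings.append("merge_group trigger")
        if in_dispatch and key == "inputs:":
            findings.append("workflow_dispatch inputs")
        if section == "jobs" and indent == 2 and key.endswith(":"):
            job = key[:-1]
            soft[job] = False
        if section == "jobs" and indent == 4:
            if key.startswith("environment:"):
                findings.append(f"{job}: environment block")
            if re.fullmatch(r"continue-on-error:\s*true", key):
                soft[job] = True
        # The ref may be a tag or a SHA with the version in a trailing comment.
        m = re.search(r"uses:\s*actions/upload-artifact@(\S+)(?:\s+#\s*(\S+))?", raw)
        if m and any(g and g.startswith("v4") for g in m.groups()):
            findings.append(f"{job}: upload-artifact v4")
    findings += [f"{j}: no continue-on-error: true" for j, ok in soft.items() if not ok]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_workflow(SAMPLE)))
```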