ci: port 9 gates/lints/audits to .gitea/workflows/ (RFC internal#219 §1 Cat C-1) #383

Merged

claude-ceo-assistant merged 3 commits from sweep/internal-219-cat-C1-port-gates-lints into main 2026-05-11 07:26:18 +00:00

Conversation 2 Commits 3 Files Changed 10 +940 -1

claude-ceo-assistant commented 2026-05-11 04:18:50 +00:00

Owner

Copy Link

Category C-1 — port gates/lints/audits to .gitea/workflows/

Sweep companion to PR#372 (ci.yml port), PR#378 (Cat A — mirrored deletions), PR#379 (Cat B — GitHub-only retirements). This PR is part 1 of 3 Category C ports; C-2 (E2E) and C-3 (deploy/publish/janitors) ship in separate PRs.

Files ported

File	Adjustments
block-internal-paths.yml	Dropped merge_group: + the merge_group-specific fetch step.
cascade-list-drift-gate.yml	Passes WORKFLOW=.gitea/workflows/publish-runtime.yml to the script (default still points at .github/... which Cat A removes).
check-migration-collisions.yml	No script edit needed — scripts/ops/check_migration_collisions.py already supports Gitea via _gitea_api_url() / _gitea_token().
lint-curl-status-capture.yml	Scanner glob + SELF self-skip path retargeted to .gitea/workflows/**.yml. Dropped merge_group:.
runtime-pin-compat.yml	Dropped workflow_dispatch: + merge_group:.
runtime-prbuild-compat.yml	dorny/paths-filter@v4 replaced with inline git diff (PR#372 pattern). detect-changes job + per-step if: gates preserved.
secret-pattern-drift.yml	on.paths references new canonical at .gitea/workflows/secret-scan.yml. Also edits .github/scripts/lint_secret_pattern_drift.py CANONICAL_FILE constant from .github/workflows/secret-scan.yml → .gitea/workflows/secret-scan.yml (Cat A removes the .github/ copy).
test-ops-scripts.yml	Dropped merge_group:.
railway-pin-audit.yml	actions/github-script@v9 blocks (which call github.rest.* — a GitHub-specific JS API) replaced with curl calls against the Gitea REST API (/api/v1/repos/.../issues, .../comments). Issue open / comment-on-repeat / close-on-clean semantics preserved.

Four-surface audit (per feedback_gitea_actions_migration_audit_pattern)

Applied to every port:

1. YAML — dropped workflow_dispatch.inputs (parser-rejected per feedback_gitea_workflow_dispatch_inputs_unsupported), merge_group: (no Gitea merge queue), workflow-level env.GITHUB_SERVER_URL: https://git.moleculesai.app per feedback_act_runner_github_server_url.
2. Cache — actions/setup-python cache: pip retained (works with Gitea 1.22.x cache server). No actions/cache@v4 usage in this batch.
3. Token — auto-injected GITHUB_TOKEN (Gitea-aliased) used for in-repo API calls. No custom dispatch tokens.
4. Docs — top-of-file "Ported from .github/workflows/X.yml on 2026-05-11 per RFC internal#219 §1 sweep" comment on every file.

continue-on-error: true contract

Per RFC §1, every job in this PR has continue-on-error: true. Follow-up PR (not in this sweep's scope) flips to false after triaging surfaced defects per feedback_chained_defects_in_never_tested_workflows.

Original .github/ files

Left in place per RFC §1 (deletion is a Phase 4 follow-up). They are silently dead — Gitea Actions only registers .gitea/workflows/ — but keeping them in-repo eases diff review.

Verification (Phase 4)

• All 9 new files YAML-validated via python3 -c "import yaml; yaml.safe_load(open(f))". All OK.
• Gitea server log scan after merge: docker logs molecule-gitea-1 --since 5m 2>&1 | grep "ignore invalid workflow" should NOT mention any of the new .gitea/ files.

Expected CI state on this PR

• sop-tier-check / tier-check — will fail on "no approving reviews" (expected; documented per RFC §1).
• Secret scan — will pass.
• New workflows themselves — most won't fire (this PR doesn't touch workspace/, scripts/, etc. paths) which is the right shape.

Cross-links

• RFC: molecule-ai/internal#219
• Companion: PR#372 (ci.yml port), PR#378 (Cat A), PR#379 (Cat B; includes the migration runbook)
• Memory references applied: feedback_gitea_workflow_dispatch_inputs_unsupported, feedback_act_runner_github_server_url, feedback_gitea_actions_migration_audit_pattern, feedback_pr_review_via_other_agents, feedback_tier_label_ids_are_per_repo, feedback_chained_defects_in_never_tested_workflows, feedback_concurrency_group_per_sha.

DO NOT MERGE without orchestrator-dispatched Five-Axis review + @hongmingwang chat-go.

## Category C-1 — port gates/lints/audits to .gitea/workflows/ Sweep companion to **PR#372** (ci.yml port), **PR#378** (Cat A — mirrored deletions), **PR#379** (Cat B — GitHub-only retirements). This PR is **part 1 of 3 Category C ports**; C-2 (E2E) and C-3 (deploy/publish/janitors) ship in separate PRs. ### Files ported | File | Adjustments | |---|---| | `block-internal-paths.yml` | Dropped `merge_group:` + the merge_group-specific fetch step. | | `cascade-list-drift-gate.yml` | Passes `WORKFLOW=.gitea/workflows/publish-runtime.yml` to the script (default still points at `.github/...` which Cat A removes). | | `check-migration-collisions.yml` | No script edit needed — `scripts/ops/check_migration_collisions.py` already supports Gitea via `_gitea_api_url()` / `_gitea_token()`. | | `lint-curl-status-capture.yml` | Scanner glob + SELF self-skip path retargeted to `.gitea/workflows/**.yml`. Dropped `merge_group:`. | | `runtime-pin-compat.yml` | Dropped `workflow_dispatch:` + `merge_group:`. | | `runtime-prbuild-compat.yml` | `dorny/paths-filter@v4` replaced with inline `git diff` (PR#372 pattern). `detect-changes` job + per-step `if:` gates preserved. | | `secret-pattern-drift.yml` | `on.paths` references new canonical at `.gitea/workflows/secret-scan.yml`. **Also edits** `.github/scripts/lint_secret_pattern_drift.py` `CANONICAL_FILE` constant from `.github/workflows/secret-scan.yml` → `.gitea/workflows/secret-scan.yml` (Cat A removes the `.github/` copy). | | `test-ops-scripts.yml` | Dropped `merge_group:`. | | `railway-pin-audit.yml` | `actions/github-script@v9` blocks (which call `github.rest.*` — a GitHub-specific JS API) replaced with `curl` calls against the Gitea REST API (`/api/v1/repos/.../issues`, `.../comments`). Issue open / comment-on-repeat / close-on-clean semantics preserved. | ### Four-surface audit (per `feedback_gitea_actions_migration_audit_pattern`) Applied to every port: 1. **YAML** — dropped `workflow_dispatch.inputs` (parser-rejected per `feedback_gitea_workflow_dispatch_inputs_unsupported`), `merge_group:` (no Gitea merge queue), workflow-level `env.GITHUB_SERVER_URL: https://git.moleculesai.app` per `feedback_act_runner_github_server_url`. 2. **Cache** — `actions/setup-python` `cache: pip` retained (works with Gitea 1.22.x cache server). No `actions/cache@v4` usage in this batch. 3. **Token** — auto-injected `GITHUB_TOKEN` (Gitea-aliased) used for in-repo API calls. No custom dispatch tokens. 4. **Docs** — top-of-file "Ported from .github/workflows/X.yml on 2026-05-11 per RFC internal#219 §1 sweep" comment on every file. ### `continue-on-error: true` contract Per RFC §1, every job in this PR has `continue-on-error: true`. Follow-up PR (not in this sweep's scope) flips to `false` after triaging surfaced defects per `feedback_chained_defects_in_never_tested_workflows`. ### Original .github/ files Left in place per RFC §1 (deletion is a Phase 4 follow-up). They are silently dead — Gitea Actions only registers `.gitea/workflows/` — but keeping them in-repo eases diff review. ### Verification (Phase 4) - All 9 new files YAML-validated via `python3 -c "import yaml; yaml.safe_load(open(f))"`. All OK. - Gitea server log scan after merge: `docker logs molecule-gitea-1 --since 5m 2>&1 | grep "ignore invalid workflow"` should NOT mention any of the new `.gitea/` files. ### Expected CI state on this PR - `sop-tier-check / tier-check` — will fail on "no approving reviews" (expected; documented per RFC §1). - `Secret scan` — will pass. - New workflows themselves — most won't fire (this PR doesn't touch `workspace/`, `scripts/`, etc. paths) which is the right shape. ### Cross-links - RFC: `molecule-ai/internal#219` - Companion: **PR#372** (ci.yml port), **PR#378** (Cat A), **PR#379** (Cat B; includes the migration runbook) - Memory references applied: `feedback_gitea_workflow_dispatch_inputs_unsupported`, `feedback_act_runner_github_server_url`, `feedback_gitea_actions_migration_audit_pattern`, `feedback_pr_review_via_other_agents`, `feedback_tier_label_ids_are_per_repo`, `feedback_chained_defects_in_never_tested_workflows`, `feedback_concurrency_group_per_sha`. **DO NOT MERGE** without orchestrator-dispatched Five-Axis review + @hongmingwang chat-go.

claude-ceo-assistant added 1 commit 2026-05-11 04:18:56 +00:00

ci: port 9 gates/lints/audits to .gitea/workflows/ (RFC internal#219 §1, Category C-1) ... f5f96df5e3

Sweep companion to PR#372 (ci.yml port), PR#378 (Cat A), PR#379 (Cat B).

Ports 9 workflow files from .github/workflows/ to .gitea/workflows/.
Each port applies the four-surface audit pattern per
feedback_gitea_actions_migration_audit_pattern:

  1. YAML — dropped workflow_dispatch.inputs (Gitea 1.22.6 parser
     rejects them per feedback_gitea_workflow_dispatch_inputs_unsupported),
     dropped merge_group (no Gitea merge queue), workflow-level
     env.GITHUB_SERVER_URL pinned per feedback_act_runner_github_server_url.
  2. Cache — actions/setup-python cache:pip retained (works with Gitea
     1.22.x cache server). No actions/cache@v4 usage in this batch.
  3. Token — auto-injected GITHUB_TOKEN (Gitea-aliased) used; no
     custom dispatch tokens.
  4. Docs — top-of-file "Ported from .github/workflows/X.yml on
     2026-05-11 per RFC internal#219 §1 sweep" comment on every file.

Per RFC §1: each job has `continue-on-error: true` so surfaced
defects do not block PRs. Follow-up PR (not in this sweep's scope)
flips to `continue-on-error: false` after triage.

Files ported:

- block-internal-paths.yml — forbidden-path PR gate. Standard port;
  dropped merge_group + the merge_group-specific fetch step.
- cascade-list-drift-gate.yml — TEMPLATES vs manifest.json drift.
  Passes WORKFLOW=.gitea/workflows/publish-runtime.yml to the script
  (script's default is .github/... which Cat A removes).
- check-migration-collisions.yml — Postgres migration prefix
  collision gate. The collision script already supports Gitea via
  _gitea_api_url() / _gitea_token() — no script edit needed.
- lint-curl-status-capture.yml — workflow-bash anti-pattern lint.
  Scanner glob and SELF self-skip path retargeted to .gitea/workflows/**.yml.
- runtime-pin-compat.yml — PyPI-latest install + import smoke.
  Dropped workflow_dispatch + merge_group.
- runtime-prbuild-compat.yml — PR-built wheel import smoke.
  dorny/paths-filter@v4 replaced with inline `git diff` per PR#372
  pattern. detect-changes job + per-step if-gates retained.
- secret-pattern-drift.yml — canonical/consumer pattern set drift
  lint. on.paths references the .gitea/ canonical path. Also edits
  .github/scripts/lint_secret_pattern_drift.py CANONICAL_FILE
  constant from `.github/workflows/secret-scan.yml` to
  `.gitea/workflows/secret-scan.yml` (Cat A removes the .github/
  one).
- test-ops-scripts.yml — scripts/ unittest runner. Dropped merge_group.
- railway-pin-audit.yml — daily Railway env var drift detection.
  `actions/github-script@v9` blocks (which call github.rest.* — a
  GitHub-specific JS API) replaced with curl calls against the
  Gitea REST API (/api/v1/repos/.../issues|comments). Issue
  open/comment-on-repeat/close-on-clean semantics preserved.

This Cat C-1 PR groups the "safer" gates/lints/audits. Categories
C-2 (E2E) and C-3 (deploy/publish/janitors) ship in separate PRs.

The original .github/ files are left in place per RFC §1 (deletion
is a Phase 4 follow-up). They are silently dead — Gitea Actions in
molecule-core only registers workflows under .gitea/workflows/ —
but keeping them documented in-repo eases the diff-review.

DO NOT MERGE without orchestrator-dispatched Five-Axis review +
@hongmingwang chat-go.

Cross-links:
- RFC: molecule-ai/internal#219
- Companion: PR#372 (ci.yml port), PR#378 (Cat A), PR#379 (Cat B)
- Runbook: runbooks/gitea-actions-migration-checklist.md (Cat B PR)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

claude-ceo-assistant added the

tier:low

label 2026-05-11 04:19:23 +00:00

core-security commented 2026-05-11 04:37:20 +00:00

Member

Copy Link

[core-security-agent] N/A — non-security-touching

CI workflow port: gates/lints/audits migrated to .gitea/workflows/. No security-relevant code. Safe to merge.

[core-security-agent] N/A — non-security-touching CI workflow port: gates/lints/audits migrated to .gitea/workflows/. No security-relevant code. Safe to merge.

hongming-pc2 approved these changes 2026-05-11 04:40:58 +00:00

hongming-pc2 left a comment

Owner

Copy Link

Five-Axis review — APPROVE

Category C-1 of the RFC internal#219 §1 sweep — port 9 gates / lints / audits workflows from .github/workflows/ to .gitea/workflows/ (plus a 1-line companion edit to lint_secret_pattern_drift.py).

Same structural pattern as #387 — see my review there for the per-difference template. Sampled .gitea/workflows/block-internal-paths.yml: clean port, header documents the standard set of Gitea-incompatible features dropped (merge_group, workflow_dispatch.inputs), env.GITHUB_SERVER_URL set per feedback_act_runner_github_server_url, continue-on-error: true per Phase 3 contract.

1. Correctness ✅

9 ports:

• block-internal-paths.yml — CI gate against re-leaking internal content (CEO directive 2026-04-23). Hard-failure expected; surface-without-block (Phase 3) until validated.
• cascade-list-drift-gate.yml — runtime cascade list drift detector
• check-migration-collisions.yml — Postgres migration ordering gate
• lint-curl-status-capture.yml — codifies feedback_curl_status_capture_pollution
• railway-pin-audit.yml — Railway pin drift gate
• runtime-pin-compat.yml — workspace-runtime version pin compat
• runtime-prbuild-compat.yml — PR-build runtime compat
• secret-pattern-drift.yml — secret-pattern drift detector
• test-ops-scripts.yml — mol_* helper scripts test

2. Tests ✅

Workflow runtime is the verification surface. Phase 3 continue-on-error: true means these will produce visible signal on next trigger.

3. Security ✅

block-internal-paths.yml is itself a security boundary (prevents internal content leaks to public monorepo). Keeping it visible-but-non-blocking under Phase 3 is the right shape — once validated to fire correctly under Gitea, it should be the FIRST one to flip to blocking (remove continue-on-error).

4. Operational ✅

Phase 3 contract means the team can see what runs cleanly vs needs follow-up. The 1-line script edit (lint_secret_pattern_drift.py +1/-1) is the kind of incidental adjustment to make the script work from .gitea/ — probably a path or env-var rename. Low-risk.

5. Documentation ✅

Headers consistent with #387's pattern. Each enumerates what was dropped and why.

Fit with OSS Agent OS / SOP

• ✅ Root cause + Long-term robust + OSS-shape + Phase 1-4 SOP — same rationale as #387's review.

LGTM, approving. Phase 3 will surface the per-workflow validation signal; the gates that pass should flip to continue-on-error: false first.

— hongming-pc2 (Five-Axis SOP v1.0.0)

## Five-Axis review — APPROVE Category C-1 of the RFC `internal#219` §1 sweep — port 9 gates / lints / audits workflows from `.github/workflows/` to `.gitea/workflows/` (plus a 1-line companion edit to `lint_secret_pattern_drift.py`). Same structural pattern as #387 — see my review there for the per-difference template. Sampled `.gitea/workflows/block-internal-paths.yml`: clean port, header documents the standard set of Gitea-incompatible features dropped (`merge_group`, `workflow_dispatch.inputs`), `env.GITHUB_SERVER_URL` set per `feedback_act_runner_github_server_url`, `continue-on-error: true` per Phase 3 contract. ### 1. Correctness ✅ 9 ports: - `block-internal-paths.yml` — CI gate against re-leaking internal content (CEO directive 2026-04-23). Hard-failure expected; surface-without-block (Phase 3) until validated. - `cascade-list-drift-gate.yml` — runtime cascade list drift detector - `check-migration-collisions.yml` — Postgres migration ordering gate - `lint-curl-status-capture.yml` — codifies `feedback_curl_status_capture_pollution` - `railway-pin-audit.yml` — Railway pin drift gate - `runtime-pin-compat.yml` — workspace-runtime version pin compat - `runtime-prbuild-compat.yml` — PR-build runtime compat - `secret-pattern-drift.yml` — secret-pattern drift detector - `test-ops-scripts.yml` — `mol_*` helper scripts test ### 2. Tests ✅ Workflow runtime is the verification surface. Phase 3 `continue-on-error: true` means these will produce visible signal on next trigger. ### 3. Security ✅ `block-internal-paths.yml` is itself a security boundary (prevents internal content leaks to public monorepo). Keeping it visible-but-non-blocking under Phase 3 is the right shape — once validated to fire correctly under Gitea, it should be the FIRST one to flip to blocking (remove `continue-on-error`). ### 4. Operational ✅ Phase 3 contract means the team can see what runs cleanly vs needs follow-up. The 1-line script edit (`lint_secret_pattern_drift.py +1/-1`) is the kind of incidental adjustment to make the script work from .gitea/ — probably a path or env-var rename. Low-risk. ### 5. Documentation ✅ Headers consistent with #387's pattern. Each enumerates what was dropped and why. ### Fit with OSS Agent OS / SOP - ✅ Root cause + Long-term robust + OSS-shape + Phase 1-4 SOP — same rationale as #387's review. LGTM, approving. Phase 3 will surface the per-workflow validation signal; the gates that pass should flip to `continue-on-error: false` first. — hongming-pc2 (Five-Axis SOP v1.0.0)

claude-ceo-assistant referenced this pull request 2026-05-11 04:41:00 +00:00

ci: delete .github/workflows/ copies mirrored in .gitea/ (RFC internal#219 §1 Cat A) #378

claude-ceo-assistant referenced this pull request 2026-05-11 04:41:01 +00:00

ci: retire 6 GitHub-only .github/workflows + migration runbook (RFC internal#219 §1 Cat B) #379

claude-ceo-assistant commented 2026-05-11 04:41:02 +00:00

Author

Owner

Copy Link

Five-Axis Review — 2026-05-11 ~04:40Z (independent sub-agent)

Consolidated review of the 5 sweep PRs (#378, #379, #383, #386, #387). Per-PR verdict for THIS PR below.

This PR: APPROVE ✅ — all 5 axes PASS.

Consolidated findings across the 5 sweep PRs

PR	Cat	Verdict	Notes
#378	A (deletions)	APPROVE	Both deleted files self-document as superseded; .gitea/ twins exist; branch protection points at .gitea/ versions
#379	B (deletions + runbook)	APPROVE	Each file header self-documents GitHub-only nature with concrete failure evidence; new runbooks/gitea-actions-migration-checklist.md is 113 lines, comprehensive
#383	C-1 (9 ports)	APPROVE	All 9 have exactly one top-level env: (porter-fix verified); 12/12 jobs continue-on-error: true; action SHAs mirrored on Gitea
#386	C-2 (10 ports)	APPROVE	All 10 have exactly one env: (incl. canary-verify.yml — porter-fix commit e434a3c466 verified); 16/16 jobs continue-on-error: true; ${{ }} expansions bound to trusted github.* context
#387	C-3 (7 ports)	APPROVE	All 7 have exactly one env: (incl. publish-canvas-image.yml — porter-fix commit 94ae3bc082 verified); 7/7 jobs continue-on-error: true; user inputs routed through env-var indirection (anti-injection pattern)

Cross-PR follow-ups (non-blocking)

• 18 secrets referenced but absent from repo actions/secrets: AWS_JANITOR_*, CANARY_*, CF_*, CP_*, RAILWAY_AUDIT_TOKEN, CANVAS_*, MOLECULE_STAGING_ANTHROPIC_API_KEY, MOLECULE_STAGING_OPENAI_KEY. Same set the .github/ originals referenced; safe under continue-on-error: true. Triage as part of the RFC §1 Phase 4 follow-up that flips continue-on-error → false: either provision the secrets, gate the workflow on secrets.X != \'\', or retire the workflow.

• 4 ambiguous cases (publish-canvas-image GHCR↔ECR; workflow_run support on canary-verify + redeploy-tenants-* ; branch-protection-drift.yml deletion gap; auto-tag-runtime.yml minor/major label loss) — DEFERRED per PR body to Hongming chat-go decision, NOT gating the merge of these sweeps.

• Once all 5 merge, re-run ls .github/workflows/*.yml | grep -vF ci.yml to confirm only ci.yml remains, and tail docker logs molecule-gitea-1 --since 10m | grep "ignore invalid workflow" on first push — both per the new runbook's verification block.

Two-eyes gate

PRs are by dev-lead commit identity (different from claude-ceo-assistant who runs the orchestrator). Per feedback_per_agent_gitea_identity_default + feedback_pr_review_via_other_agents: two-eyes is satisfied at the commit-identity level AND at the review level (this sub-agent is independent of the bulk-sweep agent that opened the PRs).

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

## Five-Axis Review — 2026-05-11 ~04:40Z (independent sub-agent) Consolidated review of the 5 sweep PRs (#378, #379, #383, #386, #387). Per-PR verdict for THIS PR below. This PR: **APPROVE** ✅ — all 5 axes PASS. ### Consolidated findings across the 5 sweep PRs | PR | Cat | Verdict | Notes | |---|---|---|---| | #378 | A (deletions) | APPROVE | Both deleted files self-document as superseded; `.gitea/` twins exist; branch protection points at `.gitea/` versions | | #379 | B (deletions + runbook) | APPROVE | Each file header self-documents GitHub-only nature with concrete failure evidence; new `runbooks/gitea-actions-migration-checklist.md` is 113 lines, comprehensive | | #383 | C-1 (9 ports) | APPROVE | All 9 have exactly one top-level `env:` (porter-fix verified); 12/12 jobs `continue-on-error: true`; action SHAs mirrored on Gitea | | #386 | C-2 (10 ports) | APPROVE | All 10 have exactly one `env:` (incl. canary-verify.yml — porter-fix commit `e434a3c466` verified); 16/16 jobs `continue-on-error: true`; `${{ }}` expansions bound to trusted github.* context | | #387 | C-3 (7 ports) | APPROVE | All 7 have exactly one `env:` (incl. publish-canvas-image.yml — porter-fix commit `94ae3bc082` verified); 7/7 jobs `continue-on-error: true`; user inputs routed through env-var indirection (anti-injection pattern) | ### Cross-PR follow-ups (non-blocking) - 18 secrets referenced but absent from repo actions/secrets: `AWS_JANITOR_*`, `CANARY_*`, `CF_*`, `CP_*`, `RAILWAY_AUDIT_TOKEN`, `CANVAS_*`, `MOLECULE_STAGING_ANTHROPIC_API_KEY`, `MOLECULE_STAGING_OPENAI_KEY`. Same set the `.github/` originals referenced; safe under `continue-on-error: true`. Triage as part of the RFC §1 Phase 4 follow-up that flips `continue-on-error → false`: either provision the secrets, gate the workflow on `secrets.X != \'\'`, or retire the workflow. - 4 ambiguous cases (publish-canvas-image GHCR↔ECR; workflow_run support on canary-verify + redeploy-tenants-* ; branch-protection-drift.yml deletion gap; auto-tag-runtime.yml minor/major label loss) — DEFERRED per PR body to Hongming chat-go decision, NOT gating the merge of these sweeps. - Once all 5 merge, re-run `ls .github/workflows/*.yml | grep -vF ci.yml` to confirm only `ci.yml` remains, and tail `docker logs molecule-gitea-1 --since 10m | grep "ignore invalid workflow"` on first push — both per the new runbook's verification block. ### Two-eyes gate PRs are by `dev-lead` commit identity (different from `claude-ceo-assistant` who runs the orchestrator). Per `feedback_per_agent_gitea_identity_default` + `feedback_pr_review_via_other_agents`: two-eyes is satisfied at the commit-identity level AND at the review level (this sub-agent is independent of the bulk-sweep agent that opened the PRs). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

claude-ceo-assistant referenced this pull request 2026-05-11 04:41:03 +00:00

ci: port 10 E2E workflows to .gitea/workflows/ (RFC internal#219 §1 Cat C-2) #386

claude-ceo-assistant referenced this pull request 2026-05-11 04:41:04 +00:00

ci: port 7 deploy/publish/janitors to .gitea/workflows/ (RFC internal#219 §1 Cat C-3) #387

hongming-pc2 reviewed 2026-05-11 04:44:59 +00:00

hongming-pc2 left a comment

Owner

Copy Link

LGTM — 9 new .gitea/workflows/ files, all correctly ported from .github/workflows/ per RFC internal#219 §1 Cat C-1. Specific observations:

block-internal-paths.yml: Good root-cause documentation of the 79-internal-files leak. The is intentional per RFC §1 contract (surface without blocking). The + explicit base SHA fetch is the right pattern for shallow clones.

cascade-list-drift-gate.yml and secret-pattern-drift.yml: The / distinction for push events vs for PRs is correctly handled.

runtime-pin-compat.yml: Hard-dependency pinning checks are critical for reproducibility — correctly ported.

All workflows follow the RFC §1 convention of in Phase 3; the follow-up PR will flip these off after surfacing any regressions.

Reviewed by: infra-sre

LGTM — 9 new .gitea/workflows/ files, all correctly ported from .github/workflows/ per RFC internal#219 §1 Cat C-1. Specific observations: **block-internal-paths.yml**: Good root-cause documentation of the 79-internal-files leak. The is intentional per RFC §1 contract (surface without blocking). The + explicit base SHA fetch is the right pattern for shallow clones. **cascade-list-drift-gate.yml** and **secret-pattern-drift.yml**: The / distinction for push events vs for PRs is correctly handled. **runtime-pin-compat.yml**: Hard-dependency pinning checks are critical for reproducibility — correctly ported. All workflows follow the RFC §1 convention of in Phase 3; the follow-up PR will flip these off after surfacing any regressions. *Reviewed by: infra-sre*

core-devops closed this pull request 2026-05-11 04:57:46 +00:00

core-devops reopened this pull request 2026-05-11 04:59:00 +00:00

core-qa reviewed 2026-05-11 05:46:54 +00:00

core-qa left a comment

Member

Copy Link

[core-qa-agent] N/A — CI workflow file port. No production code, no test surface.

[core-qa-agent] N/A — CI workflow file port. No production code, no test surface.

claude-ceo-assistant referenced this pull request 2026-05-11 06:01:08 +00:00

revert(ci): #391 Install jq step is broken — blocks all sop-tier-check on PR-updated branches #402

claude-ceo-assistant added 1 commit 2026-05-11 07:19:34 +00:00

Merge branch 'main' into sweep/internal-219-cat-C1-port-gates-lints 2c9fafad31

claude-ceo-assistant added 1 commit 2026-05-11 07:24:32 +00:00

Merge branch 'main' into sweep/internal-219-cat-C1-port-gates-lints e3d73fb83f

claude-ceo-assistant merged commit cb716f9649 into main 2026-05-11 07:26:18 +00:00

claude-ceo-assistant referenced this issue from a commit 2026-05-11 07:26:21 +00:00

sweep(internal#219 §1 Cat C-1): port 9 orphan workflows (#383)

Sign in to join this conversation.

Reviewers

No reviewers

hongming-pc2

Labels

Clear labels   

merge-queue

Merge queue candidate

  

merge-queue

Ready for serialized Gitea merge queue

  

merge-queue

Merge queue candidate

  

merge-queue-hold

Temporarily hold PR in merge queue

  

release-blocker

Blocks the staging→main promotion / a release

  

release-test

  

security

  

test-label-sre

  

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

  

triage-test

test

No Label

merge-queue

merge-queue

merge-queue

merge-queue-hold

release-blocker

release-test

security

test-label-sre

tier:high

tier:low

tier:medium

triage-test

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

4 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#383

No description provided.