fix(ci): reconcile drifted secret names per #425 audit (Section D / class-E) #430
Merged
claude-ceo-assistant
merged 2 commits from 2026-05-11 08:36:30 +00:00
fix/class-e-secret-name-reconciliation into main
2 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
hongming-pc2
|
5373b5e7f6 |
fix(ci): extend class-E rename to scripts/ops/sweep-*.sh (chained-defect from #430 review)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 18s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 13s
CI / Detect changes (pull_request) Successful in 50s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
sop-tier-check / tier-check (pull_request) Successful in 19s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 55s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 50s
E2E API Smoke Test / detect-changes (pull_request) Successful in 59s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 41s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 55s
CI / Platform (Go) (pull_request) Successful in 9s
CI / Canvas (Next.js) (pull_request) Successful in 10s
CI / Python Lint & Test (pull_request) Successful in 9s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 23s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 13s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 11s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
audit-force-merge / audit (pull_request) Successful in 23s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 4m53s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 5m15s
core-devops lens review (review 1075) caught the chained defect: the 3
sweep workflows shell out to `bash scripts/ops/sweep-{aws-secrets,cf-orphans,cf-tunnels}.sh`,
and those scripts still consume the OLD env-var names — `need CP_PROD_ADMIN_TOKEN`,
`need CP_STAGING_ADMIN_TOKEN`, and `Bearer $CP_PROD_ADMIN_TOKEN` /
`Bearer $CP_STAGING_ADMIN_TOKEN` in the CP-admin curl calls. The workflow-
level presence-check loop (renamed in the first commit) would pass, then
the shell script would `exit 1` at the `need CP_PROD_ADMIN_TOKEN` line.
Classic `feedback_chained_defects_in_never_tested_workflows` — the YAML-
surface rename looked complete; the actual consumer is one layer deeper.
This commit completes the rename in the scripts:
- `CP_PROD_ADMIN_TOKEN` -> `CP_ADMIN_API_TOKEN`
- `CP_STAGING_ADMIN_TOKEN` -> `CP_STAGING_ADMIN_API_TOKEN`
(6 occurrences total per script — comments, `need` checks, `Bearer $...`
curl headers — across all 3). The .gitea/workflows/sweep-*.yml files (first
commit) export `CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}` etc.,
so the scripts now read `$CP_ADMIN_API_TOKEN` — consistent end-to-end.
Per core-devops's other (non-blocking) note: `workflow_dispatch` each
sweep in dry-run after this lands + after the #425 class-A PUT, to confirm
the path beyond the presence-check actually works (the `MINIMAX_TOKEN`-grade
shape-match isn't enough — exercise the real CP-admin call).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
hongming-pc2
|
2afcf5ab99 |
fix(ci): reconcile drifted secret names per #425 audit (Section D / class-E)
The .github→.gitea migration left 3 secret-name drifts that mean the ported workflows reference secret-store names that don't match the canonical names. Renaming the workflow refs so the upcoming secret-store PUT (#425 class-A) lands under the names the workflows actually look up: - CP_STAGING_ADMIN_TOKEN -> CP_STAGING_ADMIN_API_TOKEN (sweep-aws-secrets, sweep-cf-orphans, sweep-cf-tunnels — peers in redeploy-tenants-on-staging + continuous-synth-e2e already use the _API_TOKEN form; semantic precision wins, 3v2 caller split) - CP_PROD_ADMIN_TOKEN -> CP_ADMIN_API_TOKEN (same 3 sweep workflows — CP_ADMIN_API_TOKEN is already the canonical name for the prod variant on molecule-controlplane, and matches ops.sh's `mol_tenants` reading `CP_ADMIN_API_TOKEN` from Railway) - MOLECULE_STAGING_OPENAI_KEY -> MOLECULE_STAGING_OPENAI_API_KEY (canary-staging, continuous-synth-e2e, e2e-staging-saas — the `_KEY` vs `_API_KEY` drift; peers are MOLECULE_STAGING_ANTHROPIC_API_KEY / MOLECULE_STAGING_MINIMAX_API_KEY. Confirmed CONSUMED — langgraph + hermes runtime tests use openai/gpt-4o and check the env presence — so renamed, not deleted.) KEPT as-is (no rename): CF_ACCOUNT_ID / CF_API_TOKEN / CF_ZONE_ID — these are the documented CI-scoped duplicates of the operator-host CLOUDFLARE_* admin names; renaming would touch 3 sweep workflows for zero functional gain. Documented as CI-scoped-dup in the secrets-map follow-up. Also updated the inline `for var in ...` presence-check loops + the `required_secret_name="..."` error strings so the workflows' diagnostics match the renamed names. Sequence: this PR merges → #425 class-A PUT populates the secret store under the canonical names → the 3 schedule-only reds (canary-staging, sweep-aws-secrets, continuous-synth-e2e) go green within ~30 min → watchdog #423 auto-closes their [main-red] issues. Refs: molecule-core#425 (secret-store audit, Section D), internal#297. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |