From 7642cf187a98130fd5d5975a7946af90c0a41e52 Mon Sep 17 00:00:00 2001
From: Molecule AI Infra-SRE
Date: Mon, 11 May 2026 08:48:19 +0000
Subject: [PATCH] fix(ci): reconcile CP admin token secret names across all workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per internal#273 §425 naming audit. The GitHub→Gitea migration created two parallel naming conventions for the same logical secrets:
CP admin tokens (prod): CP_ADMIN_API_TOKEN → CP_PROD_ADMIN_TOKEN
CP admin tokens (staging): CP_STAGING_ADMIN_API_TOKEN → CP_STAGING_ADMIN_TOKEN
AWS janitor credentials: AWS_JANITOR_ACCESS_KEY_ID → AWS_ACCESS_KEY_ID
All workflows now use the canonical names (right column), matching what is actually stored in the Gitea secret store per issue #425.
Canonical secret names now used by ALL workflows:
- secrets.CP_PROD_ADMIN_TOKEN (was: CP_ADMIN_API_TOKEN)
- secrets.CP_STAGING_ADMIN_TOKEN (was: CP_STAGING_ADMIN_API_TOKEN)
- secrets.AWS_ACCESS_KEY_ID (was: AWS_JANITOR_ACCESS_KEY_ID)
- secrets.AWS_SECRET_ACCESS_KEY (was: AWS_JANITOR_SECRET_ACCESS_KEY)
Affected workflows: sweep-aws-secrets, sweep-cf-orphans, sweep-cf-tunnels, canary-verify, redeploy-tenants-on-main, redeploy-tenants-on-staging, continuous-synth-e2e, e2e-staging-external, e2e-staging-saas
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/canary-verify.yml | 12 +++++----
 .gitea/workflows/continuous-synth-e2e.yml | 6 ++---
 .gitea/workflows/e2e-staging-external.yml | 2 +-
 .gitea/workflows/e2e-staging-saas.yml | 2 +-
 .gitea/workflows/redeploy-tenants-on-main.yml | 18 ++++++-------
 .../workflows/redeploy-tenants-on-staging.yml | 25 ++++++++++---------
 .gitea/workflows/sweep-aws-secrets.yml | 10 ++++----
 .gitea/workflows/sweep-cf-orphans.yml | 6 ++---
 .gitea/workflows/sweep-cf-tunnels.yml | 6 ++---
 9 files changed, 45 insertions(+), 42 deletions(-)
diff --git a/.gitea/workflows/canary-verify.yml b/.gitea/workflows/canary-verify.yml
index acfe3cbd..d55ce896 100644
--- a/.gitea/workflows/canary-verify.yml
+++ b/.gitea/workflows/canary-verify.yml
@@ -196,9 +196,11 @@ jobs:
 env:
 SHA: ${{ needs.canary-smoke.outputs.sha }}
 CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}
- # CP_ADMIN_API_TOKEN gates write access to the redeploy endpoint.
+ # CP_PROD_ADMIN_TOKEN gates write access to the redeploy endpoint.
+ # Canonical name per internal#273 §425 naming reconciliation:
+ # sweep-*.yml uses CP_PROD_ADMIN_TOKEN / CP_STAGING_ADMIN_TOKEN.
 # Stored at the repo level so all workflows pick it up automatically.
- CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
+ CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
 # canary_slug pin: deploy the verified :staging- to the canary
 # first (soak 120s), then fan out to the rest of the fleet.
 CANARY_SLUG: ${{ vars.CANARY_PROMOTE_SLUG || '' }}
@@ -207,8 +209,8 @@ jobs:
 steps:
 - name: Check CP credentials
 run: |
- if [ -z "${CP_ADMIN_API_TOKEN:-}" ]; then
- echo "::error::CP_ADMIN_API_TOKEN secret is not set — promote step cannot call redeploy-fleet."
+ if [ -z "${CP_PROD_ADMIN_TOKEN:-}" ]; then
+ echo "::error::CP_PROD_ADMIN_TOKEN secret is not set — promote step cannot call redeploy-fleet."
 echo "::error::Set it at: repo Settings → Actions → Variables and Secrets → New Secret."
 exit 1
 fi
@@ -243,7 +245,7 @@ jobs:
 set +e
 curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
 -m 1200 \
- -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
+ -H "Authorization: Bearer $CP_PROD_ADMIN_TOKEN" \
 -H "Content-Type: application/json" \
 -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
 -d "$BODY" >"$HTTP_CODE_FILE"
diff --git a/.gitea/workflows/continuous-synth-e2e.yml b/.gitea/workflows/continuous-synth-e2e.yml
index 299d42e0..5c7c80d5 100644
--- a/.gitea/workflows/continuous-synth-e2e.yml
+++ b/.gitea/workflows/continuous-synth-e2e.yml
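Review bot: In the @@ -196 hunk the env block now binds the prod secret, `CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}`, two lines below a `CP_URL` whose fallback is `https://staging-api.moleculesai.app`, so whenever `vars.CP_URL` is unset the prod admin bearer token is sent to the staging API. The old name hid this, but the rename makes the environment mismatch explicit, and redeploy-tenants-on-staging in this same patch keeps the two tokens separate precisely so that a leak of one does not authorize the other — presenting the prod token to a staging host undoes that. If the promote step is meant to target prod, the fallback should be the `https://api.moleculesai.app` default that redeploy-tenants-on-main uses; if it targets staging, the secret should be `CP_STAGING_ADMIN_TOKEN`. Either way the new comment should state which CP this token authenticates to instead of only pointing at the sweep-*.yml naming. The enclosing job starts before the hunk.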
@@ -131,7 +131,7 @@ jobs:
 # Forced false for cron; respected for manual dispatch
 E2E_KEEP_ORG: ${{ github.event.inputs.keep_org == 'true' && '1' || '' }}
 MOLECULE_CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
- MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+ MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
 # MiniMax key is the canary's PRIMARY auth path. claude-code
 # template's `minimax` provider routes ANTHROPIC_BASE_URL to
 # api.minimax.io/anthropic and reads MINIMAX_API_KEY at boot.
@@ -168,8 +168,8 @@ jobs:
 # can read the verify-secrets step's stderr — the failure is
 # itself the verification signal.
 if [ -z "${MOLECULE_ADMIN_TOKEN:-}" ]; then
- echo "::error::CP_STAGING_ADMIN_API_TOKEN secret missing — synth E2E cannot run"
- echo "::error::Set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
+ echo "::error::CP_STAGING_ADMIN_TOKEN secret missing — synth E2E cannot run"
+ echo "::error::Set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_TOKEN env in Railway."
 exit 1
 fi
diff --git a/.gitea/workflows/e2e-staging-external.yml b/.gitea/workflows/e2e-staging-external.yml
index 7479d8da..39fe67a0 100644
--- a/.gitea/workflows/e2e-staging-external.yml
+++ b/.gitea/workflows/e2e-staging-external.yml
@@ -104,7 +104,7 @@ jobs:
 # missing — silent skip would mask infra rot. Manual dispatch
 # gets the same hard-fail; an operator running this on a fork
 # without secrets configured needs to know up-front.
- echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+ echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_STAGING_ADMIN_TOKEN)"
 exit 2
 fi
 echo "Admin token present ✓"
diff --git a/.gitea/workflows/e2e-staging-saas.yml b/.gitea/workflows/e2e-staging-saas.yml
index 7b6c093b..799dfd05 100644
--- a/.gitea/workflows/e2e-staging-saas.yml
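Review bot: In the @@ -168 hunk the rewritten second `::error::` line tells the operator to pull the value from staging-CP's `CP_ADMIN_TOKEN` env in Railway, while the same patch calls that Railway variable `CP_STAGING_ADMIN_TOKEN` in e2e-staging-external (@@ -104), e2e-staging-saas (@@ -122) and redeploy-tenants-on-staging (@@ -110), and redeploy-tenants-on-main (@@ -124) now names the prod CP's env `CP_PROD_ADMIN_TOKEN`. The commit message only claims to rename the Gitea secret names, and every removed line called the Railway-side variable `CP_ADMIN_API_TOKEN`, so at most one of the new spellings can be correct and an operator following the wrong one will not find the value. Suggest confirming the actual Railway variable name and using it verbatim in each of these messages, e.g. `echo "::error::Set it at Settings → Secrets and Variables → Actions; pull from staging-CP's <RAILWAY_ENV_VAR_NAME> env in Railway."` with the placeholder replaced, and the same name in redeploy-tenants-on-staging's comment (@@ -90). The step's run block starts before the hunk.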
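Review bot: In the @@ -104 hunk the retained message still sends the operator to a `MOLECULE_STAGING_ADMIN_TOKEN` secret, which is not among the canonical names the commit message says all workflows now use, and in e2e-staging-saas (@@ -122) the variable actually tested is the job env `$MOLECULE_ADMIN_TOKEN`, not a secret. If that env is fed from `secrets.CP_STAGING_ADMIN_TOKEN`, as continuous-synth-e2e now does, the message should name the secret the operator must set, e.g. `echo "::error::MOLECULE_ADMIN_TOKEN is empty — set the CP_STAGING_ADMIN_TOKEN repo secret (Railway staging CP admin token)"`. The env mapping for this job is outside the hunk, so this needs verifying rather than assuming; e2e-staging-saas carries the same message. The enclosing step starts before the hunk.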
+++ b/.gitea/workflows/e2e-staging-saas.yml
@@ -122,7 +122,7 @@ jobs:
 - name: Verify admin token present
 run: |
 if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
- echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+ echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_STAGING_ADMIN_TOKEN)"
 exit 2
 fi
 echo "Admin token present ✓"
diff --git a/.gitea/workflows/redeploy-tenants-on-main.yml b/.gitea/workflows/redeploy-tenants-on-main.yml
index be7cc68d..5cec55fe 100644
--- a/.gitea/workflows/redeploy-tenants-on-main.yml
+++ b/.gitea/workflows/redeploy-tenants-on-main.yml
@@ -124,13 +124,13 @@ jobs:
 fi
 - name: Call CP redeploy-fleet
- # CP_ADMIN_API_TOKEN must be set as a repo/org secret on
- # molecule-ai/molecule-core, matching the staging/prod CP's
- # CP_ADMIN_API_TOKEN env. Stored in Railway, mirrored to this
- # repo's secrets for CI.
+ # CP_PROD_ADMIN_TOKEN must be set as a repo/org secret on
+ # molecule-ai/molecule-core, matching the prod CP's CP_PROD_ADMIN_TOKEN
+ # env. Stored in Railway, mirrored to this repo's secrets for CI.
+ # Canonical name per internal#273 §425 naming reconciliation.
 env:
 CP_URL: ${{ vars.CP_URL || 'https://api.moleculesai.app' }}
- CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
+ CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
 TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
 CANARY_SLUG: ${{ inputs.canary_slug || 'hongming' }}
 SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
@@ -139,9 +139,9 @@ jobs:
 run: |
 set -euo pipefail
- if [ -z "${CP_ADMIN_API_TOKEN:-}" ]; then
- echo "::error::CP_ADMIN_API_TOKEN secret not set — skipping redeploy"
- echo "::notice::Set CP_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
+ if [ -z "${CP_PROD_ADMIN_TOKEN:-}" ]; then
+ echo "::error::CP_PROD_ADMIN_TOKEN secret not set — skipping redeploy"
+ echo "::notice::Set CP_PROD_ADMIN_TOKEN in repo secrets to enable auto-redeploy."
 exit 1
 fi
@@ -176,7 +176,7 @@ jobs:
 set +e
 curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
 -m 1200 \
- -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
+ -H "Authorization: Bearer $CP_PROD_ADMIN_TOKEN" \
 -H "Content-Type: application/json" \
 -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
 -d "$BODY" >"$HTTP_CODE_FILE"
diff --git a/.gitea/workflows/redeploy-tenants-on-staging.yml b/.gitea/workflows/redeploy-tenants-on-staging.yml
index 6243d3f9..be003942 100644
--- a/.gitea/workflows/redeploy-tenants-on-staging.yml
+++ b/.gitea/workflows/redeploy-tenants-on-staging.yml
@@ -90,14 +90,15 @@ jobs:
 run: sleep 30
 - name: Call staging-CP redeploy-fleet
- # CP_STAGING_ADMIN_API_TOKEN must be set as a repo/org secret
+ # CP_STAGING_ADMIN_TOKEN must be set as a repo/org secret
 # on molecule-ai/molecule-core, matching staging-CP's
- # CP_ADMIN_API_TOKEN env var (visible in Railway controlplane
- # / staging environment). Stored separately from the prod
- # CP_ADMIN_API_TOKEN so a leak of one doesn't auth the other.
+ # CP_ADMIN_TOKEN env var (visible in Railway controlplane
+ # / staging environment). Canonical name per internal#273 §425.
+ # Stored separately from the prod CP_PROD_ADMIN_TOKEN so a
+ # leak of one doesn't auth the other.
 env:
 CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
- CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+ CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
 TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }}
 CANARY_SLUG: ${{ inputs.canary_slug || '' }}
 SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
@@ -110,15 +111,15 @@ jobs:
 # and sweep-cf-tunnels): hard-fail on auto-trigger when the
 # secret is missing so a misconfigured-repo doesn't silently
 # serve stale staging tenants. Soft-skip on operator dispatch.
- if [ -z "${CP_STAGING_ADMIN_API_TOKEN:-}" ]; then
+ if [ -z "${CP_STAGING_ADMIN_TOKEN:-}" ]; then
 if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
- echo "::warning::CP_STAGING_ADMIN_API_TOKEN secret not set — skipping redeploy"
- echo "::warning::Set CP_STAGING_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
- echo "::notice::Pull the value from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
+ echo "::warning::CP_STAGING_ADMIN_TOKEN secret not set — skipping redeploy"
+ echo "::warning::Set CP_STAGING_ADMIN_TOKEN in repo secrets to enable auto-redeploy."
+ echo "::notice::Pull the value from staging-CP's CP_STAGING_ADMIN_TOKEN env in Railway."
 exit 0
 fi
- echo "::error::staging redeploy cannot run — CP_STAGING_ADMIN_API_TOKEN secret missing"
- echo "::error::set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
+ echo "::error::staging redeploy cannot run — CP_STAGING_ADMIN_TOKEN secret missing"
+ echo "::error::set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_STAGING_ADMIN_TOKEN env in Railway."
 exit 1
 fi
@@ -151,7 +152,7 @@ jobs:
 set +e
 curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
 -m 1200 \
- -H "Authorization: Bearer $CP_STAGING_ADMIN_API_TOKEN" \
+ -H "Authorization: Bearer $CP_STAGING_ADMIN_TOKEN" \
 -H "Content-Type: application/json" \
 -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
 -d "$BODY" >"$HTTP_CODE_FILE"
diff --git a/.gitea/workflows/sweep-aws-secrets.yml b/.gitea/workflows/sweep-aws-secrets.yml
index a6572e8e..60a9758b 100644
--- a/.gitea/workflows/sweep-aws-secrets.yml
+++ b/.gitea/workflows/sweep-aws-secrets.yml
@@ -71,10 +71,10 @@ jobs:
 timeout-minutes: 30
 env:
 AWS_REGION: ${{ secrets.AWS_REGION || 'us-east-1' }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_JANITOR_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_JANITOR_SECRET_ACCESS_KEY }}
- CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
- CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
+ CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
 MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '50' }}
 GRACE_HOURS: ${{ github.event.inputs.grace_hours || '24' }}
@@ -90,7 +90,7 @@ jobs:
 # they already accepted the repo state)
 run: |
 missing=()
- for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY CP_ADMIN_API_TOKEN CP_STAGING_ADMIN_API_TOKEN; do
+ for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY CP_PROD_ADMIN_TOKEN CP_STAGING_ADMIN_TOKEN; do
 if [ -z "${!var:-}" ]; then
 missing+=("$var")
 fi
diff --git a/.gitea/workflows/sweep-cf-orphans.yml b/.gitea/workflows/sweep-cf-orphans.yml
index b18630b7..18dc41cb 100644
--- a/.gitea/workflows/sweep-cf-orphans.yml
+++ b/.gitea/workflows/sweep-cf-orphans.yml
@@ -75,8 +75,8 @@ jobs:
 env:
 CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
 CF_ZONE_ID: ${{ secrets.CF_ZONE_ID }}
- CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
- CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+ CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
+ CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-2
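Review bot: In the @@ -71 hunk the sweep job moves from the dedicated `secrets.AWS_JANITOR_ACCESS_KEY_ID` / `AWS_JANITOR_SECRET_ACCESS_KEY` pair to the generic `secrets.AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`, which changes the IAM principal that performs the deletions this job caps with `MAX_DELETE_PCT`, not just a label; sweep-cf-orphans already runs under that same generic pair. The commit message presents this as matching what the secret store holds, but nothing in the patch shows that the key stored under `AWS_ACCESS_KEY_ID` carries the janitor's scoped policy rather than broader rights, so this should be confirmed before merge. Whatever the answer, record it in the env block so the next rename does not silently widen the blast radius, e.g. `# AWS_ACCESS_KEY_ID must be the janitor-scoped IAM key; never point it at a general-purpose key.` above the `AWS_ACCESS_KEY_ID` line. The job's steps and the deletion logic are outside the hunk.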
@@ -109,7 +109,7 @@ jobs:
 # so they can rerun after fixing the secret)
 run: |
 missing=()
- for var in CF_API_TOKEN CF_ZONE_ID CP_ADMIN_API_TOKEN CP_STAGING_ADMIN_API_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
+ for var in CF_API_TOKEN CF_ZONE_ID CP_PROD_ADMIN_TOKEN CP_STAGING_ADMIN_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
 if [ -z "${!var:-}" ]; then
 missing+=("$var")
 fi
diff --git a/.gitea/workflows/sweep-cf-tunnels.yml b/.gitea/workflows/sweep-cf-tunnels.yml
index 1fa12cfd..3fdc06c1 100644
--- a/.gitea/workflows/sweep-cf-tunnels.yml
+++ b/.gitea/workflows/sweep-cf-tunnels.yml
@@ -70,8 +70,8 @@ jobs:
 env:
 CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
 CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
- CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
- CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+ CP_PROD_ADMIN_TOKEN: ${{ secrets.CP_PROD_ADMIN_TOKEN }}
+ CP_STAGING_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_TOKEN }}
 MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '90' }}
 steps:
@@ -89,7 +89,7 @@ jobs:
 # they already accepted the repo state)
 run: |
 missing=()
- for var in CF_API_TOKEN CF_ACCOUNT_ID CP_ADMIN_API_TOKEN CP_STAGING_ADMIN_API_TOKEN; do
+ for var in CF_API_TOKEN CF_ACCOUNT_ID CP_PROD_ADMIN_TOKEN CP_STAGING_ADMIN_TOKEN; do
 if [ -z "${!var:-}" ]; then
 missing+=("$var")
 fi
--
2.45.2