From eacef8f6032d21f4a37e51857355ee943e008e5a Mon Sep 17 00:00:00 2001 
From: claude-ceo-assistant
Date: Mon, 11 May 2026 04:21:50 -0700
Subject: [PATCH] fix(ci): canonicalize 5 staging-e2e workflows + 1 doc to CP_STAGING_ADMIN_API_TOKEN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Completes the `MOLECULE_STAGING_ADMIN_TOKEN` -> `CP_STAGING_ADMIN_API_TOKEN` rename started in PR#461 (sweep-stale-e2e-orgs).

The org secret store holds `CP_STAGING_ADMIN_API_TOKEN` (populated, Class-A); the stale name `MOLECULE_STAGING_ADMIN_TOKEN` does NOT exist there, so every workflow below was exiting 2 at the token-presence check on each run.

Files touched (17 refs total):
- .gitea/workflows/e2e-staging-saas.yml (3 refs)
- .gitea/workflows/e2e-staging-sanity.yml (3 refs)
- .gitea/workflows/e2e-staging-external.yml (3 refs)
- .gitea/workflows/e2e-staging-canvas.yml (3 refs)
- .gitea/workflows/canary-staging.yml (3 refs)
- tests/e2e/STAGING_SAAS_E2E.md (2 refs — heading + body)

Per-file change shape (identical):
- `secrets.MOLECULE_STAGING_ADMIN_TOKEN` -> `secrets.CP_STAGING_ADMIN_API_TOKEN` in both the workflow-level `env:` block and the always-run teardown safety-net step's `env:` block.
- `::error::MOLECULE_STAGING_ADMIN_TOKEN ...` diagnostic strings updated so log-tail consumers (Loki SOPRefireRule, orchestrator triage loop) grep for the live secret name.

Out of scope (intentional):
- .gitea/workflows/sweep-stale-e2e-orgs.yml — covered by PR#461, merge-conflict risk if touched here.
- `continue-on-error: true` on these 5 workflows — different scope. PR#461 dropped it on sweep-stale because the janitor is critical and failing silently masked an EC2 leak. These 5 are advisory E2E + canary; their `continue-on-error` is the RFC #219 §1 "surface without blocking" contract and is correct to keep until those gates are promoted to required-checks separately.
- .github/workflows/ mirror — repo reads .gitea/ only (per reference_molecule_core_actions_gitea_only); a Category-B/C delete sweep (RFC internal#219 §1) is already in flight in a separate set of branches.

Verification performed locally before commit:
- `yaml.safe_load` parses cleanly on all 5 modified workflows.
- Duplicate-key detector run on every modified workflow — no env-block collisions (cf. feedback_porter_script_env_block_collision).
- `grep -rln 'MOLECULE_STAGING_ADMIN_TOKEN' .gitea/ scripts/ tests/ docs/ runbooks/` returns only sweep-stale-e2e-orgs.yml (PR#461 scope) and one historical-rename mention in STAGING_SAAS_E2E.md body.

Tier: medium (multi-workflow consistency fix; staging E2E currently red).

References: internal#322 (EC2-leak root-fix; PR#461 covered the janitor half), molecule-core#459 (REQUEST_CHANGES on opposite-direction canonicalization — adjudication confirmed `CP_STAGING_ADMIN_API_TOKEN` is the direction).
---
 .gitea/workflows/canary-staging.yml | 6 +++---
 .gitea/workflows/e2e-staging-canvas.yml | 6 +++---
 .gitea/workflows/e2e-staging-external.yml | 6 +++---
 .gitea/workflows/e2e-staging-saas.yml | 6 +++---
 .gitea/workflows/e2e-staging-sanity.yml | 6 +++---
 tests/e2e/STAGING_SAAS_E2E.md | 4 ++--
 6 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/.gitea/workflows/canary-staging.yml b/.gitea/workflows/canary-staging.yml
index d3d6b68e9..d24aaa339 100644
--- a/.gitea/workflows/canary-staging.yml
+++ b/.gitea/workflows/canary-staging.yml
@@ -63,7 +63,7 @@ jobs:
 
 env:
 MOLECULE_CP_URL: https://staging-api.moleculesai.app
- MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 # MiniMax is the canary's PRIMARY LLM auth path post-2026-05-04.
 # Switched from hermes+OpenAI after #2578 (the staging OpenAI key
 # account went over quota and stayed dead for 36+ hours, taking
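Review bot: The renamed `MOLECULE_ADMIN_TOKEN` line still sits in an `env:` block that the commit message describes as workflow-level, so this Class-A admin bearer is inherited by every step of the job — checkout and any third-party action included — not just the verify, harness and teardown steps that read it. Moving it into the `env:` of those steps (the teardown step already carries its own `ADMIN_TOKEN` mapping from the same secret, so it needs nothing) is the least-privilege shape and shrinks what a compromised action could exfiltrate; the other steps of this job are outside the hunk, so I cannot confirm from here which of them need the token. If the wide scope is deliberate, say so on the line: `# Class-A admin bearer inherited by every step in this job — keep third-party actions out of this job`.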
@@ -109,7 +109,7 @@ jobs:
 - name: Verify admin token present
 run: |
 if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
- echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
+ echo "::error::CP_STAGING_ADMIN_API_TOKEN not set"
 exit 2
 fi
 
@@ -234,7 +234,7 @@ jobs:
 - name: Teardown safety net
 if: always()
 env:
- ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 run: |
 set +e
 # Slug prefix matches what test_staging_full_saas.sh emits
diff --git a/.gitea/workflows/e2e-staging-canvas.yml b/.gitea/workflows/e2e-staging-canvas.yml
index 93eb685e8..c0e1c65d2 100644
--- a/.gitea/workflows/e2e-staging-canvas.yml
+++ b/.gitea/workflows/e2e-staging-canvas.yml
@@ -124,7 +124,7 @@ jobs:
 env:
 CANVAS_E2E_STAGING: '1'
 MOLECULE_CP_URL: https://staging-api.moleculesai.app
- MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 
 defaults:
 run:
@@ -145,7 +145,7 @@ jobs:
 if: needs.detect-changes.outputs.canvas == 'true'
 run: |
 if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
- echo "::error::Missing MOLECULE_STAGING_ADMIN_TOKEN"
+ echo "::error::Missing CP_STAGING_ADMIN_API_TOKEN"
 exit 2
 fi
 
@@ -207,7 +207,7 @@ jobs:
 - name: Teardown safety net
 if: always() && needs.detect-changes.outputs.canvas == 'true'
 env:
- ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 run: |
 set +e
 STATE_FILE=".playwright-staging-state.json"
diff --git a/.gitea/workflows/e2e-staging-external.yml b/.gitea/workflows/e2e-staging-external.yml
index 7479d8da7..dd174ec80 100644
--- a/.gitea/workflows/e2e-staging-external.yml
+++ b/.gitea/workflows/e2e-staging-external.yml
@@ -89,7 +89,7 @@ jobs:
 
 env:
 MOLECULE_CP_URL: https://staging-api.moleculesai.app
- MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
 E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}
 E2E_STALE_WAIT_SECS: ${{ github.event.inputs.stale_wait_secs || '180' }}
@@ -104,7 +104,7 @@ jobs:
 # missing — silent skip would mask infra rot. Manual dispatch
 # gets the same hard-fail; an operator running this on a fork
 # without secrets configured needs to know up-front.
- echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+ echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
 exit 2
 fi
 echo "Admin token present ✓"
@@ -129,7 +129,7 @@ jobs:
 - name: Teardown safety net (runs on cancel/failure)
 if: always()
 env:
- ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 run: |
 set +e
 orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
diff --git a/.gitea/workflows/e2e-staging-saas.yml b/.gitea/workflows/e2e-staging-saas.yml
index 7b6c093b5..8dc76f04e 100644
--- a/.gitea/workflows/e2e-staging-saas.yml
+++ b/.gitea/workflows/e2e-staging-saas.yml
@@ -86,7 +86,7 @@ jobs:
 # Single admin-bearer secret drives provision + tenant-token
 # retrieval + teardown. Configure in
 # Settings → Secrets and variables → Actions → Repository secrets.
- MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 # MiniMax is the PRIMARY LLM auth path post-2026-05-04. Switched
 # from hermes+OpenAI default after #2578 (the staging OpenAI key
 # account went over quota and stayed dead for 36+ hours, taking
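Review bot: The teardown step in the `@@ -129` hunk runs under `if: always()` with `set +e`, so when the verify step has already exited 2 for a missing secret (a fork, or a runner without the org secret) this step still executes with an empty `ADMIN_TOKEN` and sends the `/cp/admin/orgs` listing — and presumably the delete calls that follow past the end of the hunk — to staging with no bearer, producing 401 noise at best and an unauthenticated deletion sweep if that endpoint ever tolerates an empty token. Add an early exit right after `set +e`: `[ -n "$ADMIN_TOKEN" ] || { echo "::warning::ADMIN_TOKEN empty; skipping teardown"; exit 0; }`. Consider `curl --fail` on the listing as well, so a non-2xx error body is not parsed as an org list. The same `if: always()` teardown shape appears in the other four workflows in this patch; the step body continues outside the hunk.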
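Review bot: The retained comment above the renamed line in the `@@ -86` hunk still tells operators to configure the secret under Settings → Secrets and variables → Actions → Repository secrets, while the commit message says `CP_STAGING_ADMIN_API_TOKEN` lives in the org secret store (the doc file updated by this patch keeps the same "Repository secrets" instruction). If an operator follows the comment and creates a repository secret of the same name, that value would shadow the org one — repository secrets take precedence over organization secrets on GitHub, and I believe Gitea resolves them the same way, worth confirming — so a stale or wrong token could silently replace the canonical one without any workflow change. Update the comment to name the actual location, e.g. `# Org-level secret CP_STAGING_ADMIN_API_TOKEN; do not redefine it per-repo — a repo secret of the same name shadows the org value.`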
@@ -122,7 +122,7 @@ jobs:
 - name: Verify admin token present
 run: |
 if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
- echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+ echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
 exit 2
 fi
 echo "Admin token present ✓"
@@ -189,7 +189,7 @@ jobs:
 - name: Teardown safety net (runs on cancel/failure)
 if: always()
 env:
- ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 run: |
 # Best-effort: find any e2e-YYYYMMDD-* orgs matching this run and
 # nuke them. Catches the case where the script died before
diff --git a/.gitea/workflows/e2e-staging-sanity.yml b/.gitea/workflows/e2e-staging-sanity.yml
index 032924cd3..6cac7eadb 100644
--- a/.gitea/workflows/e2e-staging-sanity.yml
+++ b/.gitea/workflows/e2e-staging-sanity.yml
@@ -42,7 +42,7 @@ jobs:
 
 env:
 MOLECULE_CP_URL: https://staging-api.moleculesai.app
- MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 E2E_MODE: canary
 E2E_RUNTIME: hermes
 E2E_RUN_ID: "sanity-${{ github.run_id }}"
@@ -54,7 +54,7 @@ jobs:
 - name: Verify admin token present
 run: |
 if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
- echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
+ echo "::error::CP_STAGING_ADMIN_API_TOKEN not set"
 exit 2
 fi
 
@@ -118,7 +118,7 @@ jobs:
 - name: Teardown safety net
 if: always()
 env:
- ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
+ ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
 run: |
 set +e
 orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \
diff --git a/tests/e2e/STAGING_SAAS_E2E.md b/tests/e2e/STAGING_SAAS_E2E.md
index 00ab166bf..78970e383 100644
--- a/tests/e2e/STAGING_SAAS_E2E.md
+++ b/tests/e2e/STAGING_SAAS_E2E.md
@@ -49,9 +49,9 @@ Runs the harness with `E2E_INTENTIONAL_FAILURE=1`, which poisons the tenant admi
 
 Set in **Settings → Secrets and variables → Actions → Repository secrets**:
 
-### `MOLECULE_STAGING_ADMIN_TOKEN`
+### `CP_STAGING_ADMIN_API_TOKEN`
 
-The `CP_ADMIN_API_TOKEN` env currently set on the Railway staging molecule-platform → controlplane service.
+The `CP_ADMIN_API_TOKEN` env currently set on the Railway staging molecule-platform → controlplane service. (Org-store secret name was renamed from `MOLECULE_STAGING_ADMIN_TOKEN` per #430 Class-E canonicalization; PR#461 + the canonicalize-rest follow-up swept the workflows.)
 
 ```
 railway variables --environment staging --service controlplane --kv | grep CP_ADMIN_API_TOKEN
-- 
2.52.0