fix(ci): reconcile sweep workflow secrets — use confirmed-existing names #482
Merged
core-lead
merged 3 commits from 2026-05-11 14:07:56 +00:00
infra/secret-reconciliation-v2 into main
3 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| d925c163ea |
Merge branch 'main' into infra/secret-reconciliation-v2
All checks were successful
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 15s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 13s
CI / Detect changes (pull_request) Successful in 1m13s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m6s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m7s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m7s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 53s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 18s
sop-tier-check / tier-check (pull_request) Successful in 16s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 14s
CI / Platform (Go) (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 16s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s
CI / Canvas (Next.js) (pull_request) Successful in 13s
CI / Python Lint & Test (pull_request) Successful in 10s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 12s
audit-force-merge / audit (pull_request) Successful in 21s
|
|||
| c43eb23295 |
Merge branch 'main' into infra/secret-reconciliation-v2
All checks were successful
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
sop-tier-check / tier-check (pull_request) Successful in 8s
CI / Detect changes (pull_request) Successful in 12s
E2E API Smoke Test / detect-changes (pull_request) Successful in 14s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 15s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 14s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 15s
CI / Platform (Go) (pull_request) Successful in 4s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s
CI / Python Lint & Test (pull_request) Successful in 4s
CI / Canvas (Next.js) (pull_request) Successful in 5s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s
|
|||
| aa9391d2f7 |
fix(ci): reconcile sweep workflow secrets — use confirmed-existing names
All checks were successful
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 9s
sop-tier-check / tier-check (pull_request) Successful in 9s
Harness Replays / Harness Replays (pull_request) Has been skipped
CI / Detect changes (pull_request) Successful in 14s
E2E API Smoke Test / detect-changes (pull_request) Successful in 15s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 16s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 16s
CI / Platform (Go) (pull_request) Successful in 4s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s
CI / Python Lint & Test (pull_request) Successful in 4s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 5s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 4s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 7m18s
CI / Canvas (Next.js) (pull_request) Bypass — Canvas CI environmental infra failure (systemic, also failing on main). SOP tier:low allows bypass per internal#308 §2.
Harness Replays / detect-changes (pull_request) Bypass — harness detect-changes environmental failure (passing on main). SOP tier:low.
- sweep-aws-secrets.yml: swap AWS_JANITOR_ACCESS_KEY_ID / AWS_JANITOR_SECRET_ACCESS_KEY → AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY. The AWS_JANITOR_* naming was never populated in Gitea; the canonical Gitea secrets are the molecule-cp principal's AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (per issue #425 audit). - sweep-cf-orphans.yml, sweep-cf-tunnels.yml: add secret-audit comments documenting confirmed vs unconfirmed secrets per #425. Note: redeploy-tenants-on-staging.yml changes from original PR #459 are excluded — infra-sre flagged that swapping the env var name (CP_STAGING_ADMIN_API_TOKEN → MOLECULE_STAGING_ADMIN_TOKEN) breaks the handoff to staging CP which expects CP_STAGING_ADMIN_API_TOKEN. Refs: issue #425 |
