fix(ci): convert CodeQL workflow to no-op stub on Gitea (#156) #51

Merged
claude-ceo-assistant merged 1 commits from fix/codeql-stub-on-gitea-156 into main 2026-05-07 21:37:04 +00:00

Summary

  • Converts .github/workflows/codeql.yml to a no-op stub that emits success per matrix language (go, javascript-typescript, python).
  • Workflow name (CodeQL), job name template (Analyze (${{ matrix.language }})), and the 3-leg matrix are preserved exactly so commit-status context names + auto-promote-staging.yml workflow_run gate + branch-protection / #144 required-check parity all stay stable.
  • Drops the codeql-action steps, Autobuild step, SARIF parse step, and upload-artifact step — all four are dead code on Gitea.

Why a stub instead of continue-on-error?

Two independent problems compounded:

  1. Gitea Actions 1.22.6 does NOT propagate continue-on-error: true to the commit-status API. PR #35 placed it at the correct (job) level, but every matrix leg still posts failure — visible right now on 0276b295 (current main HEAD): the three CodeQL contexts show failure despite #35.

  2. The codeql-action is structurally incompatible with Gitea. The Initialize CodeQL step calls api.github.com bundle endpoints (CodeQL CLI download + query-pack registry + telemetry) that Gitea does not proxy. act_runner already has GITHUB_SERVER_URL=https://git.moleculesai.app set correctly (per saved memory feedback_act_runner_github_server_url), but the Gitea API surface simply does not implement these endpoints.

Live-tested log from run 1d/3101 on operator host:

2026-05-07T20:55:17 ::group::Run Initialize CodeQL
  with: languages: ${{ matrix.language }}
        queries: security-extended
2026-05-07T20:55:36 ::error::404 page not found
2026-05-07T20:55:50 ❌ Failure - Main Initialize CodeQL
2026-05-07T20:55:51 skipping Perform CodeQL Analysis (main skipped)
2026-05-07T20:55:51 ::warning::No files were found at sarif-results/go/

So the SARIF artifact upload was already a no-op every run — analyze was being skipped because init failed. Nothing of value is being lost by stubbing this out.

Policy decision

Per Hongming 2026-05-07 (#156): CodeQL is ADVISORY, non-blocking until a Gitea-compatible SAST pipeline lands. The new workflow header documents:

  • 3 re-enable options (self-hosted Semgrep / OpenGrep, Sonatype, GitHub-mirror SAST-only push).
  • 4 compensating controls in place: secret-scan, block-internal-paths, lint-curl-status-capture, branch-protection-drift.
  • Explicit acknowledgement that those compensating controls are not equivalent to CodeQL coverage.

Test plan

  • YAML parses cleanly (python3 -c 'import yaml; yaml.safe_load(...)')
  • Workflow name, job name template, matrix values, and all 4 triggers byte-equal to pre-stub
  • No capital-M Molecule-AI refs in this file (#142 — already lowercase per e01077be)
  • After merge: push to main produces commit-status success for all 3 CodeQL contexts (verified via Gitea statuses API)
  • After merge: workflow conclusion = success so auto-promote-staging.yml workflow_run gate passes
  • After merge: stub run completes in <30s per matrix leg

Closes #156. Touches #142.

🤖 Generated with Claude Code

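An added example, not code from the PR or the molecule-core repo: a required-check parity check for the stub described above. It compares the pre-stub workflow with its replacement on every field that branch protection and the `auto-promote-staging.yml` workflow_run gate key on, and derives the commit-status context names (as they appear in the check list on this page) that must stay stable. Both workflow files are constructed sketches in the dict shape `yaml.safe_load` returns.

```python
# Constructed sketch of the pre-stub workflow, as yaml.safe_load would parse
# it (the real file is not on this page).
import copy

PRE_STUB = {
    "name": "CodeQL",
    # PyYAML (YAML 1.1) resolves a bare `on:` key to boolean True, so the
    # trigger block lands under True, not "on".
    True: {"push": {"branches": ["main", "staging"]}, "pull_request": None,
           "merge_group": None, "schedule": [{"cron": "0 6 * * 1"}]},
    "jobs": {"analyze": {
        "name": "Analyze (${{ matrix.language }})",
        "continue-on-error": True,  # not honoured by Gitea's commit-status API
        "strategy": {"matrix": {
            "language": ["go", "javascript-typescript", "python"]}},
        "steps": [{"uses": "github/codeql-action/init@v4"},
                  {"uses": "github/codeql-action/analyze@v4"}],
    }},
}

# The stub keeps name, triggers, job-name template and matrix unchanged and
# swaps the CodeQL steps for a single step that always succeeds.
STUB = copy.deepcopy(PRE_STUB)
STUB["jobs"]["analyze"].pop("continue-on-error")
STUB["jobs"]["analyze"]["steps"] = [
    {"name": "Advisory no-op", "run": "echo 'CodeQL is advisory on Gitea'"}]

def triggers(wf):
    """Trigger block, whether the parser kept the key as 'on' or as True."""
    return wf.get("on", wf.get(True, {}))

def status_contexts(wf):
    """Context names Gitea posts: '<workflow> / <job name> (<matrix leg>)'.
    Assumes a single matrix axis called `language`, as in this workflow."""
    return [f"{wf['name']} / {job['name']} ({leg})"
            for job in wf["jobs"].values()
            for leg in job["strategy"]["matrix"]["language"]]

def parity_mismatches(pre, stub):
    """Gated fields whose values differ between the two workflow files."""
    pj, sj = pre["jobs"]["analyze"], stub["jobs"]["analyze"]
    checks = {
        "workflow name": (pre["name"], stub["name"]),
        "triggers": (triggers(pre), triggers(stub)),
        "job name template": (pj["name"], sj["name"]),
        "matrix": (pj["strategy"]["matrix"], sj["strategy"]["matrix"]),
    }
    return [field for field, (a, b) in checks.items() if a != b]
```

An empty list from `parity_mismatches` is the pre-merge half of the test plan; the post-merge half is checking that each name from `status_contexts` reports `success` via the Gitea statuses API.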
claude-ceo-assistant added 1 commit 2026-05-07 21:27:31 +00:00
fix(ci): convert CodeQL workflow to no-op stub on Gitea (#156)
All checks were successful
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 14s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 14s
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 4s
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 4s
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 17s
E2E API Smoke Test / detect-changes (pull_request) Successful in 15s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 12s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 11s
Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 14s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 17s
CI / Platform (Go) (pull_request) Successful in 10s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 5s
CI / Python Lint & Test (pull_request) Successful in 6s
CI / Canvas (Next.js) (pull_request) Successful in 9s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 11s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 10s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 10s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
3a00dd236f
Why
---
PR #35 marked `continue-on-error: true` at the JOB level (correct YAML),
but Gitea Actions 1.22.6 does NOT propagate job-level continue-on-error
to the commit-status API — every matrix leg still posts `failure`. That
keeps OVERALL=failure on every push to main + staging and blocks the
auto-promote signal even when every other gate is green.

Worse: the underlying CodeQL run never actually worked on Gitea. The
github/codeql-action/init@v4 step calls api.github.com bundle endpoints
(CLI download + query packs + telemetry) that Gitea does NOT proxy.
Confirmed via live-tested run 1d/3101 on operator host:

    2026-05-07T20:55:17 ::group::Run Initialize CodeQL
      with: languages: ${{ matrix.language }}
            queries: security-extended
    2026-05-07T20:55:36 ::error::404 page not found
    2026-05-07T20:55:50 Failure - Main Initialize CodeQL
    2026-05-07T20:55:51 skipping Perform CodeQL Analysis (main skipped)
    2026-05-07T20:55:51 ::warning::No files were found at sarif-results/go/

The SARIF artifact upload was already a no-op (warning above) — the
analyze step never wrote anything because init failed. So nothing of
value is being lost by stubbing this out.

What
----
- Convert the workflow to a single-step stub that emits success per
  matrix language (go, javascript-typescript, python).
- Keep workflow `name: CodeQL` exactly (auto-promote-staging.yml
  line 67 keys on it as a workflow_run gate).
- Keep job name template `Analyze (${{ matrix.language }})` and the
  3-leg matrix exactly (commit-status context names + branch
  protection + #144 required-check-name parity).
- Keep all four triggers (push / pull_request / merge_group /
  schedule) so merge_group required-checks parity holds.
- Drop the codeql-action steps, the Autobuild step, the SARIF parse
  step, and the upload-artifact step — all four of those are now
  dead code (init can never succeed against Gitea's API surface).

Policy
------
Per Hongming decision 2026-05-07 (#156): CodeQL is ADVISORY, not
blocking, until a Gitea-compatible SAST pipeline lands. The header
of the new workflow file documents this decision + lists the three
re-enable options (self-hosted Semgrep, Sonatype, GitHub mirror)
plus the compensating controls in place (secret-scan, block-internal-
paths, lint-curl-status-capture, branch-protection-drift).

Closes #156. Touches #142 (no capital-M Molecule-AI refs in this
file — already lowercase per e01077be).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Ghost approved these changes 2026-05-07 21:36:54 +00:00
Ghost left a comment

Approved — investigated structural Gitea/CodeQL incompatibility, stub keeps gating workflow live + commit-status green; security policy delta (advisory) is documented in the workflow header.

claude-ceo-assistant merged commit 1e1f4d635b into main 2026-05-07 21:37:04 +00:00
Reference: molecule-ai/molecule-core#51