From c58aef31e7d3deca245a13159902e9cff15e9df7 Mon Sep 17 00:00:00 2001 From: Molecule AI Infra-Runtime-BE Date: Mon, 11 May 2026 21:30:37 +0000 Subject: [PATCH] =?UTF-8?q?fix(ci):=20publish-workspace-server-image=20?= =?UTF-8?q?=E2=80=94=20remove=20mandatory=20AUTO=5FSYNC=5FTOKEN=20check?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `Pre-clone manifest deps` step exits with error if AUTO_SYNC_TOKEN is not set. This was a safety belt added during initial development, but it is wrong: manifest.json explicitly records all listed repos as public on git.moleculesai.app (OSS surface contract). The token is only needed for private repos, which are handled at provision-time via the per-tenant credential resolver. Removing the hard exit lets the workflow succeed when: - AUTO_SYNC_TOKEN is absent (anonymous clone works for public repos) - AUTO_SYNC_TOKEN is set (authenticated clone still works) No functional change to the clone-manifest.sh call itself. Part of internal#327 / #561. --- .gitea/workflows/publish-workspace-server-image.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.gitea/workflows/publish-workspace-server-image.yml b/.gitea/workflows/publish-workspace-server-image.yml index a7b6c7a1..72be551b 100644 --- a/.gitea/workflows/publish-workspace-server-image.yml +++ b/.gitea/workflows/publish-workspace-server-image.yml @@ -92,10 +92,9 @@ jobs: MOLECULE_GITEA_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }} run: | set -euo pipefail - if [ -z "${MOLECULE_GITEA_TOKEN}" ]; then - echo "::error::AUTO_SYNC_TOKEN secret is empty" - exit 1 - fi + # clone-manifest.sh supports anonymous cloning for public repos (post- + # 2026-05-08 migration). The token is only needed for private repos. + # Do NOT require it — a missing secret would fail the build unnecessarily. mkdir -p .tenant-bundle-deps bash scripts/clone-manifest.sh \ manifest.json \ -- 2.45.2