molecule-ai/molecule-core

Fork 2

fix(ci): rewrite auto-sync main→staging for Gitea direct push (closes #65) #66

Merged

Ghost merged 1 commits from fix/auto-sync-direct-push-gitea into main

2026-05-07 22:07:01 +00:00

Author	SHA1	Message	Date
devops-engineer	6235ef7461	fix(ci): rewrite auto-sync main→staging for Gitea direct push All checks were successful CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 1s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 1s Details Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped Details Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 4s Details CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 0s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s Details CI / Detect changes (pull_request) Successful in 8s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 8s Details Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 6s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 7s Details CI / Platform (Go) (pull_request) Successful in 3s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s Details CI / Python Lint & Test (pull_request) Successful in 3s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s Details CI / Canvas (Next.js) (pull_request) Successful in 5s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Root cause of `Auto-sync main → staging / sync-staging (push)` failing every push to main since the GitHub→Gitea migration: The workflow assumed a GitHub `merge_queue` ruleset on staging (blocking direct push) and used `gh pr create` + `gh pr merge --auto` to land sync via the queue. On Gitea this fails at the `gh pr create` step with `HTTP 405 Method Not Allowed (https://git.moleculesai.app/api/graphql)` — Gitea exposes no GraphQL endpoint, and the GitHub-CLI cannot ship PRs against Gitea. Verified failure mode in run 1117/job 0 (token logs at /tmp/log2.txt, run target /molecule-ai/molecule-core/actions/ runs/1117/jobs/0). The merge step succeeded and pushed auto-sync/main-1e1f4d63; the PR step failed with the 405. So every main push left an orphan auto-sync/* branch and a red CI status, with no PR to land it. Fix: the staging branch protection on Gitea (`enable_push: true`, `push_whitelist_usernames: [devops-engineer]`) already permits direct push from the devops-engineer persona. Drop the entire merge-queue PR architecture and replace with: 1. Checkout staging with secrets.AUTO_SYNC_TOKEN (devops-engineer persona token, NOT founder PAT — `feedback_per_agent_gitea_identity_default`). 2. `git fetch origin main` + ff-merge or no-ff merge. 3. `git push origin staging` directly. The AUTO_SYNC_TOKEN repo secret already exists (created 2026-05-07 14:00 alongside the staging push_whitelist update). Workflow name + job name unchanged → required-check name `Auto-sync main → staging / sync-staging (push)` keeps the same context, no branch-protection edits needed. Rejected alternatives (documented in workflow header): - Reuse PR architecture via Gitea REST: ~80 LOC of API plumbing for no benefit; direct push works. - GH_HOST=git.moleculesai.app: still calls /api/graphql, same 405; doesn't fix the root issue. - Custom JS action: external dep for a 5-line `git push`. Header comment in the workflow now documents: - What this workflow does (SSOT for staging advancing). - Why direct push (GitHub merge_queue → Gitea push_whitelist). - Identity and token (anti-bot-ring per saved memory). - Failure modes A–D with operator runbook for each. - Loop safety (push to staging doesn't fire push:main → no recursion). Verification plan: this fix-PR's merge to main is itself the trigger; watch the workflow run on the merge commit and on one follow-up trigger commit, expect both green. Refs: failing run https://git.moleculesai.app/molecule-ai/ molecule-core/actions/runs/1117/jobs/0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 15:04:12 -07:00

Author

SHA1

Message

Date

devops-engineer

6235ef7461

fix(ci): rewrite auto-sync main→staging for Gitea direct push

CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 1s

Details

CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 1s

Details

Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped

Details

Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 4s

Details

CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 0s

Details

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s

Details

CI / Detect changes (pull_request) Successful in 8s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 8s

Details

Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 6s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s

Details

Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 7s

Details

CI / Platform (Go) (pull_request) Successful in 3s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 3s

Details

CI / Python Lint & Test (pull_request) Successful in 3s

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s

Details

CI / Canvas (Next.js) (pull_request) Successful in 5s

Details

Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4s

Details

CI / Canvas Deploy Reminder (pull_request) Has been skipped

Details

Root cause of `Auto-sync main → staging / sync-staging (push)`
failing every push to main since the GitHub→Gitea migration:

The workflow assumed a GitHub `merge_queue` ruleset on staging
(blocking direct push) and used `gh pr create` + `gh pr merge
--auto` to land sync via the queue. On Gitea this fails at the
`gh pr create` step with `HTTP 405 Method Not Allowed
(https://git.moleculesai.app/api/graphql)` — Gitea exposes no
GraphQL endpoint, and the GitHub-CLI cannot ship PRs against
Gitea.

Verified failure mode in run 1117/job 0 (token logs at
/tmp/log2.txt, run target /molecule-ai/molecule-core/actions/
runs/1117/jobs/0). The merge step succeeded and pushed
auto-sync/main-1e1f4d63; the PR step failed with the 405. So
every main push left an orphan auto-sync/* branch and a red CI
status, with no PR to land it.

Fix: the staging branch protection on Gitea
(`enable_push: true`, `push_whitelist_usernames:
[devops-engineer]`) already permits direct push from the
devops-engineer persona. Drop the entire merge-queue PR
architecture and replace with:

  1. Checkout staging with secrets.AUTO_SYNC_TOKEN
     (devops-engineer persona token, NOT founder PAT —
     `feedback_per_agent_gitea_identity_default`).
  2. `git fetch origin main` + ff-merge or no-ff merge.
  3. `git push origin staging` directly.

The AUTO_SYNC_TOKEN repo secret already exists (created
2026-05-07 14:00 alongside the staging push_whitelist update).
Workflow name + job name unchanged → required-check name
`Auto-sync main → staging / sync-staging (push)` keeps the
same context, no branch-protection edits needed.

Rejected alternatives (documented in workflow header):
- Reuse PR architecture via Gitea REST: ~80 LOC of API
  plumbing for no benefit; direct push works.
- GH_HOST=git.moleculesai.app: still calls /api/graphql,
  same 405; doesn't fix the root issue.
- Custom JS action: external dep for a 5-line `git push`.

Header comment in the workflow now documents:
- What this workflow does (SSOT for staging advancing).
- Why direct push (GitHub merge_queue → Gitea push_whitelist).
- Identity and token (anti-bot-ring per saved memory).
- Failure modes A–D with operator runbook for each.
- Loop safety (push to staging doesn't fire push:main → no
  recursion).

Verification plan: this fix-PR's merge to main is itself the
trigger; watch the workflow run on the merge commit and on
one follow-up trigger commit, expect both green.

Refs: failing run https://git.moleculesai.app/molecule-ai/
molecule-core/actions/runs/1117/jobs/0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-07 15:04:12 -07:00

fix(ci): rewrite auto-sync main→staging for Gitea direct push (closes #65) #66

1 Commits