molecule-ai/molecule-core

feat(ci)(hard-gate): lint-pre-flip catches continue-on-error true→false without run-log proof #673

Merged

core-devops merged 2 commits from infra/lint-pre-flip-continue-on-error into main

2026-05-12 08:05:01 +00:00

Author	SHA1	Message	Date
Molecule AI Core-DevOps	ebeea0a9c1	fix(workflows): add mc#664 tracker to lint-pre-flip CoE directive Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 21s Details CI / Detect changes (pull_request) Successful in 45s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 52s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 58s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 50s Details Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 19s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 22s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 44s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 1m37s Details qa-review / approved (pull_request) Failing after 23s Details gate-check-v3 / gate-check (pull_request) Successful in 38s Details security-review / approved (pull_request) Failing after 20s Details sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: 7 Details sop-checklist-gate / gate (pull_request) Successful in 22s Details sop-tier-check / tier-check (pull_request) Successful in 23s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m47s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 2m9s Details Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 2m20s Details CI / Canvas (Next.js) (pull_request) Successful in 14s Details CI / Platform (Go) (pull_request) Successful in 14s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s Details CI / Python Lint & Test (pull_request) Successful in 11s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 18s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 20s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 15s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 14s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / all-required (pull_request) Successful in 5s Details audit-force-merge / audit (pull_request) Successful in 22s Details lint-continue-on-error-tracking (Tier 2e) requires a tracker within ±2 lines of every `continue-on-error: true`. The inline comment was 3 lines above the directive, outside the scan window. Move mc#664 to an inline comment on the directive line so it is within ±2 lines (WINDOW=2 per lint_continue_on_error_tracking.py). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-12 07:38:13 +00:00
Molecule AI Core-DevOps	0970feef70	feat(ci)(hard-gate): lint-pre-flip catches continue-on-error true→false without run-log proof Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 23s Details CI / Detect changes (pull_request) Successful in 56s Details Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 15s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 42s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 44s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 46s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 35s Details gate-check-v3 / gate-check (pull_request) Failing after 22s Details lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Failing after 1m17s Details qa-review / approved (pull_request) Failing after 19s Details sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: 7 Details security-review / approved (pull_request) Failing after 21s Details sop-checklist-gate / gate (pull_request) Successful in 19s Details lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m16s Details sop-tier-check / tier-check (pull_request) Successful in 25s Details Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m32s Details Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m52s Details CI / Platform (Go) (pull_request) Successful in 11s Details CI / Canvas (Next.js) (pull_request) Successful in 8s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 5s Details CI / Python Lint & Test (pull_request) Successful in 9s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 10s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 11s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 9s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details CI / all-required (pull_request) Successful in 9s Details Empirical class — PR #656 / mc#664: PR #656 (RFC internal#219 Phase 4) flipped 5 platform-build-class jobs `continue-on-error: true → false` on the basis of a "verified green on main via combined-status check". But that "green" was the LIE the prior `continue-on-error: true` produced: Gitea Quirk #10 (internal#342 + dup #287) — a failed step inside a CoE:true job rolls up to a success job-level status. The precondition the PR claimed to verify was structurally fooled by the bug being flipped. mc#664 captured the surfaced defects (2 mutually-masked regressions): - Class 1: sqlmock helper drift since `2f36bb9a` (24 days old) - Class 2: OFFSEC-001 contract collision since `7d1a189f` (1 day old) Codified 04:35Z as hongming-pc2 charter §SOP-N rule (e) "run-log-grep-before-flip": pull the actual run log + grep for --- FAIL / FAIL\s BEFORE flipping; don't trust the masked combined-status. This commit structurally enforces that rule. What this PR adds: .gitea/workflows/lint-pre-flip-continue-on-error.yml — pre-merge pull_request gate, path-scoped to .gitea/workflows/*. Lands at continue-on-error:true (Phase 3 dogfood — flip to false in a follow-up only after this workflow has clean recent runs on main). .gitea/scripts/lint_pre_flip_continue_on_error.py — the lint: 1. Reads every .gitea/workflows/.yml at the PR base SHA AND head SHA via git show <sha>:<path>. No checkout needed. 2. Parses both sides via PyYAML AST (per feedback_behavior_based_ast_gates — NOT grep, so comment churn and key-order changes don't false-positive). 3. For each flipped job (base=true, head=false), renders the commit-status context as "{workflow.name} / {job.name or job.key} (push)" and pulls combined commit-status for the last 5 commits on the PR base branch. 4. Fetches each matching run's log via the web-UI route {server_url}/{repo}/actions/runs/{run_id}/jobs/{job_idx}/logs (per reference_gitea_actions_log_fetch — Gitea 1.22.6 lacks REST /actions/runs/*; web-UI is the only working path, see reference_gitea_1_22_6_lacks_rest_rerun_endpoints). 5. Greps for --- FAIL / FAIL\s / ::error::. If status==success AND log shows fail markers, the job was masked. Emit ::error::file=... naming the failing test + offending run URL. .gitea/scripts/tests/test_lint_pre_flip_continue_on_error.py — 35 unittest cases covering the 5 acceptance tests from the spec + CoE coercion (truthy/falsy/quoted/absent) + context-name rendering + multi-flip aggregation + dry-run semantics + 3 graceful-degrade halt conditions (log-unavailable, zero-runs- history, zero-commits-on-branch). Live empirical confirmation: Ran the script against the PR#656 base→merge diff with RECENT_COMMITS_N=3 on main. Result: - platform-build flip BLOCKED — masked --- FAIL on TestExecuteDelegation_DeliveryConfirmedProxyError_TreatsAsSuccess + 4 more on action_run 13353. - canvas-build / shellcheck / python-lint flips PASS — no FAIL markers in their recent logs. Exactly the diagnosis hongming-pc2 charter §SOP-N rule (e) requires. Halt-condition graceful-degrade contract: - Log fetch 404 (act_runner pruned, transient outage): warn-not-block. - Zero recent runs of the flipped context (newly-added workflow): chicken-and-egg exemption — warn and allow. - YAML parse error in one workflow file: warn-not-block (the YAML lint workflows catch this separately). Cross-links: PR#656, mc#664, PR#665 (interim re-mask), Quirk #10 (internal#342 + dup #287), hongming-pc2 charter §SOP-N rule (e), feedback_strict_root_only_after_class_a, feedback_no_shared_persona_token_use. Refs: internal#342, internal#287, molecule-core#664, molecule-core#665	2026-05-12 07:27:19 +00:00