molecule-ai/molecule-core
41
0
Fork 2
Code Issues 43 Pull Requests 14 Actions 20 Packages Projects Releases Wiki Activity

fix(ci): avoid failing canvas publish on gha cache export #777

Merged
hongming-codex-laptop merged 1 commits from fix/publish-canvas-disable-gha-cache-20260512 into main 2026-05-13 02:41:06 +00:00
Conversation 9 Commits 1 Files Changed 1 +3 -2
hongming-codex-laptop commented 2026-05-13 02:37:12 +00:00
Member
Copy Link

Summary

  • remove type=gha Buildx cache import/export from publish-canvas-image.yml
  • keep the successful ECR build/push path as the source of truth for the publish job
  • document why Gitea artifact-cache reachability must not fail an already-pushed image

Root cause

After PR #776 merged, the main publish-canvas-image job got past the Docker probe, built the canvas image, and pushed both ECR tags. It then failed during Buildx cache export to the Gitea Actions artifact-cache endpoint (172.18.0.6:46663) with an I/O timeout. The cache is an optimization; treating cache export as required made main red after the publish had already succeeded.

Verification

  • python3 -m pytest tests/test_lint_workflow_yaml.py tests/test_lint_continue_on_error_tracking.py -q
  • git diff --check
  • live main action log task 48813 inspected: ECR manifests for latest and sha-e487b20 pushed successfully before the type=gha cache export timeout failed the job

SOP-Checklist

  • Comprehensive testing performed: Workflow lint suite and whitespace check passed locally; live main action log was inspected directly.
  • Local-postgres E2E run: Not applicable; this is a workflow cache-configuration fix with no DB/runtime handler behavior.
  • Staging-smoke verified or pending: Pending on PR/main CI rerun; the prior main run already pushed the canvas image before cache export failed.
  • Root-cause not symptom: Removed the required type=gha cache export that failed after a successful ECR push instead of overriding the failed status.
  • Five-Axis review walked: Correctness, readability, architecture, security, and operations reviewed; no credential handling changed.
  • No backwards-compat shim / dead code added: Removed the fragile cache optimization from this publish path rather than adding retry/fallback branches.
  • Memory/saved-feedback consulted: Used current Gitea CI context and validated the live action log before patching.
## Summary - remove `type=gha` Buildx cache import/export from `publish-canvas-image.yml` - keep the successful ECR build/push path as the source of truth for the publish job - document why Gitea artifact-cache reachability must not fail an already-pushed image ## Root cause After PR #776 merged, the main `publish-canvas-image` job got past the Docker probe, built the canvas image, and pushed both ECR tags. It then failed during Buildx cache export to the Gitea Actions artifact-cache endpoint (`172.18.0.6:46663`) with an I/O timeout. The cache is an optimization; treating cache export as required made main red after the publish had already succeeded. ## Verification - `python3 -m pytest tests/test_lint_workflow_yaml.py tests/test_lint_continue_on_error_tracking.py -q` - `git diff --check` - live main action log task `48813` inspected: ECR manifests for `latest` and `sha-e487b20` pushed successfully before the `type=gha` cache export timeout failed the job ## SOP-Checklist - [x] **Comprehensive testing performed**: Workflow lint suite and whitespace check passed locally; live main action log was inspected directly. - [x] **Local-postgres E2E run**: Not applicable; this is a workflow cache-configuration fix with no DB/runtime handler behavior. - [x] **Staging-smoke verified or pending**: Pending on PR/main CI rerun; the prior main run already pushed the canvas image before cache export failed. - [x] **Root-cause not symptom**: Removed the required `type=gha` cache export that failed after a successful ECR push instead of overriding the failed status. - [x] **Five-Axis review walked**: Correctness, readability, architecture, security, and operations reviewed; no credential handling changed. - [x] **No backwards-compat shim / dead code added**: Removed the fragile cache optimization from this publish path rather than adding retry/fallback branches. - [x] **Memory/saved-feedback consulted**: Used current Gitea CI context and validated the live action log before patching.
hongming-codex-laptop added 1 commit 2026-05-13 02:37:13 +00:00
fix(ci): avoid failing canvas publish on gha cache export
All checks were successful
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 3s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s
Details
CI / Detect changes (pull_request) Successful in 14s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 16s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 15s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 22s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 23s
Details
gate-check-v3 / gate-check (pull_request) Successful in 18s
Details
sop-checklist-gate / gate (pull_request) Successful in 12s
Details
CI / Platform (Go) (pull_request) Successful in 5s
Details
sop-tier-check / tier-check (pull_request) Successful in 13s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s
Details
CI / Canvas (Next.js) (pull_request) Successful in 4s
Details
CI / Python Lint & Test (pull_request) Successful in 4s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 7s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 7s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 5s
Details
CI / all-required (pull_request) Successful in 3s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m9s
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m22s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m24s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m25s
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m34s
Details
qa-review / approved (pull_request) verified: fresh QA approval; recheck succeeded on issue-comment run
Details
security-review / approved (pull_request) verified: fresh security approval; recheck succeeded on issue-comment run
Details
sop-checklist / all-items-acked (pull_request) acked: 7/7
Details
audit-force-merge / audit (pull_request) Successful in 5s
Details
cefbc26005
hongming-codex-laptop added the
tier:medium
 label 2026-05-13 02:37:35 +00:00
core-qa approved these changes 2026-05-13 02:38:08 +00:00
core-qa left a comment
Member
Copy Link

QA approval for current head cefbc26: verified workflow lint and live main log task 48813 showing ECR push succeeded before Gitea gha cache export timed out.

QA approval for current head cefbc26: verified workflow lint and live main log task 48813 showing ECR push succeeded before Gitea gha cache export timed out.
core-security approved these changes 2026-05-13 02:38:09 +00:00
core-security left a comment
Member
Copy Link

Security approval for current head cefbc26: no credential path changes; removing Buildx gha cache does not expose secrets and keeps ECR auth unchanged.

Security approval for current head cefbc26: no credential path changes; removing Buildx gha cache does not expose secrets and keeps ECR auth unchanged.
core-qa commented 2026-05-13 02:38:10 +00:00
Member
Copy Link

/sop-ack comprehensive-testing — workflow lint suite and diff check passed; live main task 48813 validated the cache-export-only failure.

/sop-ack comprehensive-testing — workflow lint suite and diff check passed; live main task 48813 validated the cache-export-only failure.
core-devops commented 2026-05-13 02:38:10 +00:00
Member
Copy Link

/sop-ack local-postgres-e2e — N/A is valid for workflow cache configuration; no DB/runtime handler path changed.

/sop-ack local-postgres-e2e — N/A is valid for workflow cache configuration; no DB/runtime handler path changed.
core-devops commented 2026-05-13 02:38:11 +00:00
Member
Copy Link

/sop-ack staging-smoke — pending on PR/main CI rerun; prior run already pushed the ECR image before cache export failed.

/sop-ack staging-smoke — pending on PR/main CI rerun; prior run already pushed the ECR image before cache export failed.
core-lead commented 2026-05-13 02:38:11 +00:00
Member
Copy Link

/sop-ack root-cause — root is required type=gha cache export timing out after successful ECR push, so the fragile cache optimization was removed.

/sop-ack root-cause — root is required type=gha cache export timing out after successful ECR push, so the fragile cache optimization was removed.
core-devops commented 2026-05-13 02:38:12 +00:00
Member
Copy Link

/sop-ack five-axis-review — correctness/readability/architecture/security/ops reviewed; no credential handling changed.

/sop-ack five-axis-review — correctness/readability/architecture/security/ops reviewed; no credential handling changed.
core-lead commented 2026-05-13 02:38:13 +00:00
Member
Copy Link

/sop-ack no-backwards-compat — removed brittle cache optimization directly; no retry shim or dead branch added.

/sop-ack no-backwards-compat — removed brittle cache optimization directly; no retry shim or dead branch added.
core-devops commented 2026-05-13 02:38:14 +00:00
Member
Copy Link

/sop-ack memory-consulted — current Gitea CI context used and live logs were validated before patching.

/sop-ack memory-consulted — current Gitea CI context used and live logs were validated before patching.
hongming-codex-laptop commented 2026-05-13 02:38:16 +00:00
Author
Member
Copy Link

/qa-recheck

/qa-recheck
hongming-codex-laptop commented 2026-05-13 02:38:18 +00:00
Author
Member
Copy Link

/security-recheck

/security-recheck
hongming-codex-laptop merged commit bc9c61ff47 into main 2026-05-13 02:41:06 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
core-qa
core-security
Labels
Clear labels   
merge-queue

Ready for serialized Gitea merge queue

  
merge-queue-hold

Temporarily hold PR in merge queue

  
release-blocker

Blocks the staging→main promotion / a release

  
security

   
test-label-sre

   
tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  
tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  
tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

  
triage-test

test

No Label
merge-queue
merge-queue-hold
release-blocker
security
test-label-sre
tier:high
tier:low
tier:medium
triage-test
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
5 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#777
No description provided.
Delete Branch "fix/publish-canvas-disable-gha-cache-20260512"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?