molecule-ai/molecule-core
41
0
Fork 2
Code Issues 36 Pull Requests 4 Actions 402 Packages Projects Releases Wiki Activity

fix(ci): harden Cloudflare sweep API errors #811

Merged
devops-engineer merged 1 commits from fix/cf-sweep-api-error into main 2026-05-13 07:47:12 +00:00
Conversation 7 Commits 1 Files Changed 2 +36 -5
2 changed files with 36 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.gitea/workflows/sweep-aws-secrets.yml
View File

@ -40,11 +40,15 @@ name: Sweep stale AWS Secrets Manager secrets
# the mostly-orphan tunnels) refuses to nuke past the threshold.
on:
schedule:
# Hourly at :30 — offsets from sweep-cf-orphans (:15) and
# sweep-cf-tunnels (:45) so the three janitors don't burst the
# CP admin endpoints at the same minute.
- cron: '30 * * * *'
# Disabled as an hourly schedule until the dedicated
# AWS_SECRETS_JANITOR_* key exists in the key-management SSOT and is
# mirrored into Gitea. Falling back to the molecule-cp app principal is
# intentionally not allowed: it lacks account-wide ListSecrets, and
# granting that to an application credential would weaken least privilege.
#
# Keep the manual trigger so operators can validate the workflow immediately
# after provisioning the janitor key, then restore the hourly :30 schedule.
workflow_dispatch:
# Don't let two sweeps race the same AWS account.
concurrency:
group: sweep-aws-secrets

27
scripts/ops/sweep-cf-orphans.sh
View File

@ -97,6 +97,33 @@ log " live EC2s: $(echo "$EC2_NAMES" | wc -w | tr -d ' ')"
log "Fetching Cloudflare DNS records..."
CF_JSON=$(curl -sS -m 15 -H "Authorization: Bearer $CF_API_TOKEN" \
"https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records?per_page=500")
if ! echo "$CF_JSON" | python3 -c '
import json, sys
try:
payload = json.load(sys.stdin)
except Exception as exc:
print(f"ERROR: Cloudflare returned non-JSON response: {exc}", file=sys.stderr)
raise SystemExit(1)
if not payload.get("success", False) or not isinstance(payload.get("result"), list):
errors = payload.get("errors") or []
if errors:
detail = "; ".join(
"{code}: {message}".format(
code=err.get("code", "unknown"),
message=err.get("message", "unknown error"),
)
for err in errors
)
else:
detail = "unexpected result type {}".format(type(payload.get("result")).__name__)
print(f"ERROR: Cloudflare DNS list failed: {detail}", file=sys.stderr)
raise SystemExit(1)
'; then
log "Cloudflare DNS list failed; verify CF_API_TOKEN has Zone:DNS:Edit and CF_ZONE_ID is the moleculesai.app zone."
exit 1
fi
TOTAL_CF=$(echo "$CF_JSON" | python3 -c "import json,sys; print(len(json.load(sys.stdin)['result']))")
log " CF records: $TOTAL_CF"