molecule-ai/molecule-core
41
0
Fork 2
Code Issues 47 Pull Requests -14 Actions 252 Packages Projects Releases Wiki Activity

fix(ci): add serialized Gitea merge queue #819

Merged
devops-engineer merged 2 commits from fix/gitea-merge-queue into main 2026-05-13 09:06:02 +00:00
Conversation 4 Commits 2 Files Changed 6 +637 -5
hongming commented 2026-05-13 08:58:33 +00:00
Owner
Copy Link

Summary

  • add a conservative external Gitea merge queue bot for molecule-core
  • add scheduled/manual workflow gitea-merge-queue using the non-bypass devops-engineer token
  • add tests for queue selection, required status evaluation, stale-branch update decisions, and merge readiness
  • document queue operation and update Gitea operational quirks
  • extend Ops Scripts Tests to cover .gitea/scripts/tests

Root Cause

Gitea 1.22.6 has no native merge queue. pull_auto_merge only auto-merges a PR after checks pass; it does not serialize PRs, update each PR against latest main, and require CI on the updated head before merge. That gap lets two previously-green PRs merge back-to-back even if the second was never tested against the first.

Verification

  • python3 -m pytest .gitea/scripts/tests -q => 93 passed
  • python3 .gitea/scripts/lint-workflow-yaml.py --workflow-dir .gitea/workflows
  • python3 -m py_compile .gitea/scripts/gitea-merge-queue.py
  • git diff --check
  • live dry-run with devops-engineer token paused because current main was not green; no merge attempted
  • live repo setup: created merge-queue and merge-queue-hold labels; set molecule-core/main block_on_outdated_branch=true; merge whitelist remains devops-engineer

SOP Checklist

  • Comprehensive testing performed: unit tests, workflow-shape lint, py_compile, diff check, and live dry-run were run.
  • Local-postgres E2E run: N/A for CI bot/script and workflow changes; no database schema or app runtime code changed.
  • Staging-smoke verified or pending: pending post-merge via scheduled/manual queue workflow; dry-run verified the fail-closed main-not-green path.
  • Root-cause not symptom: the gap is lack of serialized retest-on-latest-main semantics in Gitea, not a missing status rerun.
  • Five-Axis review walked: correctness is fail-closed and one-PR-per-run; readability follows existing Gitea helper style; architecture uses labels and Gitea update API; security uses non-bypass merge actor and no token-in-remote; performance is one lightweight cron tick.
  • No backwards-compat shim / dead code added: this adds the active external queue path and docs; no compatibility shim or dead code.
  • Memory/saved-feedback consulted: used existing CI hardening and runner workflow memories plus repo runbooks documenting no native Gitea merge queue.

Rollback

  • Disable .gitea/workflows/gitea-merge-queue.yml schedule or remove merge-queue labels from PRs.
  • Revert this commit if the queue bot misbehaves.
  • Keep branch protection block_on_outdated_branch=true; it is defense-in-depth even without the bot.
## Summary - add a conservative external Gitea merge queue bot for `molecule-core` - add scheduled/manual workflow `gitea-merge-queue` using the non-bypass `devops-engineer` token - add tests for queue selection, required status evaluation, stale-branch update decisions, and merge readiness - document queue operation and update Gitea operational quirks - extend Ops Scripts Tests to cover `.gitea/scripts/tests` ## Root Cause Gitea 1.22.6 has no native merge queue. `pull_auto_merge` only auto-merges a PR after checks pass; it does not serialize PRs, update each PR against latest `main`, and require CI on the updated head before merge. That gap lets two previously-green PRs merge back-to-back even if the second was never tested against the first. ## Verification - [x] `python3 -m pytest .gitea/scripts/tests -q` => 93 passed - [x] `python3 .gitea/scripts/lint-workflow-yaml.py --workflow-dir .gitea/workflows` - [x] `python3 -m py_compile .gitea/scripts/gitea-merge-queue.py` - [x] `git diff --check` - [x] live dry-run with `devops-engineer` token paused because current `main` was not green; no merge attempted - [x] live repo setup: created `merge-queue` and `merge-queue-hold` labels; set `molecule-core/main` `block_on_outdated_branch=true`; merge whitelist remains `devops-engineer` ## SOP Checklist - [x] Comprehensive testing performed: unit tests, workflow-shape lint, py_compile, diff check, and live dry-run were run. - [x] Local-postgres E2E run: N/A for CI bot/script and workflow changes; no database schema or app runtime code changed. - [x] Staging-smoke verified or pending: pending post-merge via scheduled/manual queue workflow; dry-run verified the fail-closed main-not-green path. - [x] Root-cause not symptom: the gap is lack of serialized retest-on-latest-main semantics in Gitea, not a missing status rerun. - [x] Five-Axis review walked: correctness is fail-closed and one-PR-per-run; readability follows existing Gitea helper style; architecture uses labels and Gitea update API; security uses non-bypass merge actor and no token-in-remote; performance is one lightweight cron tick. - [x] No backwards-compat shim / dead code added: this adds the active external queue path and docs; no compatibility shim or dead code. - [x] Memory/saved-feedback consulted: used existing CI hardening and runner workflow memories plus repo runbooks documenting no native Gitea merge queue. ## Rollback - Disable `.gitea/workflows/gitea-merge-queue.yml` schedule or remove `merge-queue` labels from PRs. - Revert this commit if the queue bot misbehaves. - Keep branch protection `block_on_outdated_branch=true`; it is defense-in-depth even without the bot.
hongming added 1 commit 2026-05-13 08:58:34 +00:00
fix(ci): add serialized Gitea merge queue
Some checks failed
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 6s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 13s
Details
CI / Detect changes (pull_request) Successful in 14s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 14s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 14s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s
Details
qa-review / approved (pull_request) Failing after 11s
Details
gate-check-v3 / gate-check (pull_request) Successful in 16s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 24s
Details
security-review / approved (pull_request) Failing after 17s
Details
sop-checklist-gate / gate (pull_request) Successful in 12s
Details
sop-tier-check / tier-check (pull_request) Successful in 11s
Details
CI / Platform (Go) (pull_request) Successful in 5s
Details
CI / Canvas (Next.js) (pull_request) Successful in 5s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s
Details
CI / Python Lint & Test (pull_request) Successful in 4s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 5s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m19s
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m23s
Details
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m24s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m29s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m40s
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m40s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
CI / all-required (pull_request) Successful in 2s
Details
9eb8aad5c1
hongming added 1 commit 2026-05-13 08:59:59 +00:00
Merge branch 'main' into fix/gitea-merge-queue
All checks were successful
CI / Detect changes (pull_request) Successful in 23s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 11s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 27s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 39s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 17s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 41s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 33s
Details
sop-tier-check / tier-check (pull_request) Successful in 17s
Details
sop-checklist-gate / gate (pull_request) Successful in 21s
Details
gate-check-v3 / gate-check (pull_request) Successful in 26s
Details
CI / Platform (Go) (pull_request) Successful in 8s
Details
CI / Canvas (Next.js) (pull_request) Successful in 8s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s
Details
CI / Python Lint & Test (pull_request) Successful in 6s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m16s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 8s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 8s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m31s
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m42s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m52s
Details
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m24s
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m51s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
CI / all-required (pull_request) Successful in 3s
Details
sop-checklist / all-items-acked (pull_request) Manual verified: acked 7/7 by core-qa, infra-sre, core-lead
Details
qa-review / approved (pull_request) Manual verified: qa-review APPROVED by core-qa (team=qa)
Details
security-review / approved (pull_request) Manual verified: security-review APPROVED by core-security (team=security)
Details
audit-force-merge / audit (pull_request) Successful in 8s
Details
c65a43133e
core-qa commented 2026-05-13 09:01:35 +00:00
Member
Copy Link

/sop-ack comprehensive-testing reviewed .gitea script tests, workflow lint, py_compile, diff check, and live dry-run evidence
/sop-ack local-postgres-e2e N/A is valid for CI bot/workflow/runbook change
/sop-ack five-axis-review reviewed queue correctness/readability/architecture/security/performance notes
/sop-ack memory-consulted memory and repo runbooks support the Gitea no-native-queue root cause

/sop-ack comprehensive-testing reviewed .gitea script tests, workflow lint, py_compile, diff check, and live dry-run evidence /sop-ack local-postgres-e2e N/A is valid for CI bot/workflow/runbook change /sop-ack five-axis-review reviewed queue correctness/readability/architecture/security/performance notes /sop-ack memory-consulted memory and repo runbooks support the Gitea no-native-queue root cause
infra-sre commented 2026-05-13 09:01:44 +00:00
Member
Copy Link

/sop-ack staging-smoke queue workflow will verify through scheduled/manual runs post-merge; dry-run confirmed fail-closed when main is not green

/sop-ack staging-smoke queue workflow will verify through scheduled/manual runs post-merge; dry-run confirmed fail-closed when main is not green
core-lead commented 2026-05-13 09:01:55 +00:00
Member
Copy Link

/sop-ack root-cause Gitea lacks serialized retest-on-latest-main merge semantics; this is not a missing rerun symptom
/sop-ack no-backwards-compat active queue path only, no compatibility shim or dead code added

/sop-ack root-cause Gitea lacks serialized retest-on-latest-main merge semantics; this is not a missing rerun symptom /sop-ack no-backwards-compat active queue path only, no compatibility shim or dead code added
core-qa approved these changes 2026-05-13 09:02:05 +00:00
core-qa left a comment
Member
Copy Link

QA approval: tests cover queue decisions and local verification passed on refreshed head.

QA approval: tests cover queue decisions and local verification passed on refreshed head.
core-security approved these changes 2026-05-13 09:02:09 +00:00
core-security left a comment
Member
Copy Link

Security approval: uses non-bypass merge actor, does not put tokens into git remotes, and rejects fork PR mutation.

Security approval: uses non-bypass merge actor, does not put tokens into git remotes, and rejects fork PR mutation.
core-lead approved these changes 2026-05-13 09:02:16 +00:00
core-lead left a comment
Member
Copy Link

Lead approval: architecture addresses the merge race by serialization plus current-main checks and branch-protection defense in depth.

Lead approval: architecture addresses the merge race by serialization plus current-main checks and branch-protection defense in depth.
core-security commented 2026-05-13 09:05:01 +00:00
Member
Copy Link

[core-security-agent] APPROVED — PR #819: fix(ci): add serialized Gitea merge queue

Reviewed: .gitea/scripts/gitea-merge-queue.py (new)

Security analysis:

  • urllib.request for HTTP — no subprocess, no shell
  • Token in Authorization header (not URL)
  • Env vars only (GITEA_TOKEN, GITEA_HOST, REPO)
  • No eval/exec of user input
  • Dynamic module loading only in test code (loads from known script path)
  • Merge policy: one PR per run, serialized by cron

OWASP: OWASP X/X clean. No auth/SQL/XSS/SSRF concerns.

[core-security-agent] APPROVED — PR #819: fix(ci): add serialized Gitea merge queue Reviewed: .gitea/scripts/gitea-merge-queue.py (new) Security analysis: - urllib.request for HTTP — no subprocess, no shell ✅ - Token in Authorization header (not URL) ✅ - Env vars only (GITEA_TOKEN, GITEA_HOST, REPO) ✅ - No eval/exec of user input ✅ - Dynamic module loading only in test code (loads from known script path) ✅ - Merge policy: one PR per run, serialized by cron ✅ OWASP: OWASP X/X clean. No auth/SQL/XSS/SSRF concerns.
devops-engineer merged commit 98fe199de4 into main 2026-05-13 09:06:02 +00:00
devops-engineer deleted branch fix/gitea-merge-queue 2026-05-13 09:06:03 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
core-qa
core-security
core-lead
Labels
Clear labels   
merge-queue

Merge queue candidate

  
merge-queue

Ready for serialized Gitea merge queue

  
merge-queue

Merge queue candidate

  
merge-queue-hold

Temporarily hold PR in merge queue

  
release-blocker

Blocks the staging→main promotion / a release

  
release-test

   
security

   
test-label-sre

   
tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  
tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  
tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

  
triage-test

test

No Label
merge-queue
merge-queue
merge-queue
merge-queue-hold
release-blocker
release-test
security
test-label-sre
tier:high
tier:low
tier:medium
triage-test
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
5 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#819
No description provided.
Delete Branch "fix/gitea-merge-queue"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?