molecule-ai/molecule-core

fix(ci): close 3 chronic Gitea-Actions workflow flakes (closes #88) #92

Merged

claude-ceo-assistant merged 2 commits from fix/gitea-ci-flakes-issue-88 into staging

2026-05-08 00:20:42 +00:00

Author	SHA1	Message	Date
claude-ceo-assistant (Claude Opus 4.7 on Hongming's MacBook)	7eb348536b	fix(harness): bake cf-proxy nginx.conf at build time, not via configs: All checks were successful CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 0s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 0s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 1s Details pr-guards / disable-auto-merge-on-push (pull_request) Successful in 3s Details Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s Details Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 5s Details branch-protection drift check / Branch protection drift (pull_request) Successful in 8s Details CI / Detect changes (pull_request) Successful in 8s Details Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 7s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s Details Harness Replays / detect-changes (pull_request) Successful in 8s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 9s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s Details CI / Platform (Go) (pull_request) Successful in 4s Details CI / Python Lint & Test (pull_request) Successful in 3s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s Details CI / Canvas (Next.js) (pull_request) Successful in 5s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 4s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 49s Details Harness Replays / Harness Replays (pull_request) Successful in 50s Details The previous configs:-based fix (`87b971a2`) didn't actually fix the DinD issue — Compose v2 falls back to bind mounts for `configs:` when swarm mode is not active, so the resulting runc invocation still tries to mount /workspace/.../cf-proxy/nginx.conf from the OUTER host filesystem that the act_runner-vs-host-docker socket-mount can't see. Same "not a directory" error returned. Switch to a thin Dockerfile (cf-proxy/Dockerfile) that COPYs nginx.conf into nginx:1.27-alpine. The build context is uploaded to the daemon as a tarball, not bind-mounted from the host filesystem, so the path translation gap doesn't apply. Verified locally: `docker build` + `docker run cf-proxy nginx -T` reproduces the baked config end-to-end. Trade-off: ~2-3s build cost on every harness up. Acceptable for the Gitea CI gate; local-dev re-builds the image only when nginx.conf changes (Docker layer cache). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 17:09:08 -07:00
claude-ceo-assistant (Claude Opus 4.7 on Hongming's MacBook)	87b971a292	fix(ci): close 3 chronic Gitea-Actions workflow flakes (closes #88 ) Some checks failed Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s Details E2E API Smoke Test / detect-changes (pull_request) Successful in 9s Details Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s Details CI / Detect changes (pull_request) Successful in 9s Details CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 9s Details Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s Details E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 9s Details branch-protection drift check / Branch protection drift (pull_request) Successful in 11s Details CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 10s Details Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 11s Details CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 9s Details Harness Replays / detect-changes (pull_request) Successful in 9s Details Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 7s Details CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s Details CI / Platform (Go) (pull_request) Successful in 3s Details Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s Details CI / Python Lint & Test (pull_request) Successful in 4s Details E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s Details Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s Details CI / Canvas (Next.js) (pull_request) Successful in 5s Details E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s Details CI / Canvas Deploy Reminder (pull_request) Has been skipped Details Harness Replays / Harness Replays (pull_request) Failing after 46s Details Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 49s Details Three workflows have been failing on every push to this Gitea repo for GitHub-shaped reasons that don't translate to act_runner. Surfaced while landing #84; bundled per `feedback_gitea_actions_migration_audit_pattern` ("bundle per-repo, not per-finding") instead of three separate PRs. 1) handlers-postgres-integration: localhost → 127.0.0.1 - lib/pq tries to dial localhost → ::1 first; the postgres service container only listens on IPv4 → ECONNREFUSED → all TestIntegration_* fail. Pin IPv4 to make the job deterministic. 2) pr-guards / disable-auto-merge-on-push: Gitea no-op - The previous reusable-workflow caller invoked `gh pr merge --disable-auto`, which calls GitHub's GraphQL API. Gitea returns HTTP 405 on /api/graphql → step always fails. Inline the step so it can detect Gitea (GITEA_ACTIONS=true OR repo url under moleculesai.app) and no-op with a notice. Auto-merge gating is moot on Gitea anyway: there's no `--auto` primitive being touched. Job stays ALWAYS-RUN so branch protection's required check still lands SUCCESS (avoids the SKIPPED-in-set trap from `feedback_branch_protection_check_name_parity`). 3) Harness Replays: cf-proxy nginx.conf via docker `configs:` (not bind) - act_runner runs the workflow inside a runner container; runc in the docker daemon below resolves bind-mount source paths on the OUTER host, not inside the runner. The path `/workspace/.../cf-proxy/nginx.conf` is invisible there → "not a directory" runc error. Switching to compose `configs:` packages the file as content rather than a host bind, sidestepping the DinD path-translation gap. Local validation: - YAML parsed clean for all 3 files. - cf-proxy nginx.conf: standalone `docker compose run cf-proxy nginx -T` reproduced the configs: mount end-to-end and dumped the config correctly. The full harness compose still renders via `docker compose config`. Real-CI verification will land on this branch's first push. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 17:06:09 -07:00