molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
249dbc6ac9
molecule-core/tools/check-template-parity.sh
documentation-specialist 5d4184f4a3
Some checks failed
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 7s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 5s
Details
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 54s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
Details
CI / Detect changes (pull_request) Successful in 5s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 6s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 6s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 6s
Details
CI / Platform (Go) (pull_request) Successful in 3s
Details
CI / Python Lint & Test (pull_request) Successful in 3s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 3s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 4s
Details
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Failing after 13s
Details
CI / Canvas (Next.js) (pull_request) Successful in 42s
Details
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m18s
Details
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m20s
Details
fix(scripts): migrate ghcr.io→ECR + raw.githubusercontent.com→Gitea (#46) 
Per documentation-specialist's grep agent (2026-05-07T07:30, see
internal#46): runtime-breaking ghcr.io references in shell scripts +
docker-compose + the slip-past-workflow lint_secret_pattern_drift.py
all need migration. These were missed by security-auditor's
workflow-only audit.

Files (6):

- .github/scripts/lint_secret_pattern_drift.py:40 — workspace-runtime
  pre-commit-checks.sh consumer URL: raw.githubusercontent.com →
  Gitea raw URL (https://git.moleculesai.app/molecule-ai/.../raw/
  branch/main/...). The lint job runs in CI and would 404 today.

- scripts/refresh-workspace-images.sh:54 — workspace-template image
  pull URL: ghcr.io → ECR (153263036946.dkr.ecr.us-east-2.amazonaws.com).

- scripts/rollback-latest.sh — full rewrite of header + auth flow:
  * ghcr.io/molecule-ai/{platform,platform-tenant} → ECR
  * GITHUB_TOKEN with write:packages → AWS ECR auth
    (aws ecr get-login-password). Per saved memory
    reference_post_suspension_pipeline, prod cutover is to ECR.
  * Updated header docs to match new auth flow + prereqs.

- scripts/demo-freeze.sh:13,17 — comment-only ghcr → ECR
  (the script doesn't currently exec these URLs, but the comments
  describe the cascade and need to match reality).

- docker-compose.yml:215-216 — canvas image: ghcr.io → ECR + updated
  the auth comment to describe `aws ecr get-login-password` flow.

- tools/check-template-parity.sh:21 — inline curl install instructions:
  raw.githubusercontent.com → Gitea raw URL.

Hostile self-review:

1. rollback-latest.sh's GITHUB_TOKEN→aws-cli auth swap is a behavior
   change. Operators using this script now need aws CLI
   authenticated for region us-east-2 with ECR pull/push perms.
   Documented in updated header. Operators who don't have aws CLI
   will get 'aws: command not installed' which is a clear failure
   mode (not silent).
2. The Gitea raw URL shape (/raw/branch/main/) differs from GitHub's
   raw.githubusercontent.com structure. Verified pattern by
   inspecting other Gitea raw URLs in the codebase. If Gitea's URL
   changes (1.23+), update via the same one-line edit.
3. Doesn't touch packer/scripts/install-base.sh which has a similar
   ghcr.io ref per the grep agent's findings — that's bigger-scope
   (packer build pipeline) and lives in molecule-controlplane-ish
   territory; filing as parked follow-up under #46 if not already.

Refs: molecule-ai/internal#46, molecule-ai/internal#37,
molecule-ai/internal#38, saved memory reference_post_suspension_pipeline
2026-05-07 00:56:23 -07:00

81 lines
2.8 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# check-template-parity.sh — enforce parity between a workspace template's
# install.sh (bare-host / EC2 path) and start.sh (Docker path). Both scripts
# must forward the same set of provider API keys to the agent's .env so that
# a workspace built on one backend behaves identically to a workspace built
# on the other.
#
# Drift this catches:
# - Someone adds HERMES_API_KEY to start.sh but forgets install.sh.
# EC2 workspaces using Nous fail silently; Docker works.
# - Someone adds a HERMES_CUSTOM_BASE_URL branch to install.sh only.
# Docker can't use a custom OpenAI-compat endpoint; EC2 can.
#
# Invocation (from template-hermes repo's CI):
#
# bash /path/to/molecule-monorepo/tools/check-template-parity.sh \
# install.sh start.sh
#
# Or inline via curl:
#
# bash <(curl -fsSL https://git.moleculesai.app/molecule-ai/molecule-core/raw/branch/main/tools/check-template-parity.sh) \
# install.sh start.sh
#
# Exit codes:
# 0 — parity ok (or both files declare the same set of ${VAR:+VAR=...} exports)
# 1 — drift detected (emits a diff to stderr)
# 2 — usage / missing files
#
# What "parity" means here: the SET of environment-variable forwarders
# (lines of the form `${VAR:+VAR=${VAR}}`) in each file must be equal.
# The ordering, surrounding comments, and non-forwarder lines are free to
# differ — that's where the two paths legitimately diverge (bare-host vs
# Docker-entrypoint structure).
set -euo pipefail
if [ "$#" -ne 2 ]; then
echo "usage: $0 install.sh start.sh" >&2
exit 2
fi
INSTALL_SH="$1"
START_SH="$2"
for f in "$INSTALL_SH" "$START_SH"; do
if [ ! -f "$f" ]; then
echo "missing file: $f" >&2
exit 2
fi
done
# Extract the set of ${VAR:+VAR=...} forwarder lines, stripped of
# surrounding whitespace. sort -u gives us the set to compare.
extract_forwarders() {
grep -oE '\$\{[A-Z_]+:\+[A-Z_]+=\$\{[A-Z_]+\}\}' "$1" 2>/dev/null | sort -u
}
TMP_INSTALL=$(mktemp)
TMP_START=$(mktemp)
trap 'rm -f "$TMP_INSTALL" "$TMP_START"' EXIT
extract_forwarders "$INSTALL_SH" > "$TMP_INSTALL"
extract_forwarders "$START_SH" > "$TMP_START"
if diff -q "$TMP_INSTALL" "$TMP_START" > /dev/null; then
COUNT=$(wc -l < "$TMP_INSTALL" | tr -d ' ')
echo "template-parity: ok ($COUNT provider forwarders in both files)"
exit 0
fi
echo "template-parity: DRIFT detected between $INSTALL_SH and $START_SH" >&2
echo >&2
echo "--- forwarders only in $INSTALL_SH ---" >&2
comm -23 "$TMP_INSTALL" "$TMP_START" | sed 's/^/ /' >&2
echo "--- forwarders only in $START_SH ---" >&2
comm -13 "$TMP_INSTALL" "$TMP_START" | sed 's/^/ /' >&2
echo >&2
echo "Fix: copy the missing forwarder lines so both files carry the same set." >&2
echo "Rationale: workspace-backend parity — see docs/architecture/backends.md" >&2
exit 1
Reference in New Issue View Git Blame Copy Permalink