10e510f50c
Some checks failed
Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 8s
E2E API Smoke Test / detect-changes (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s
Harness Replays / detect-changes (pull_request) Successful in 9s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 9s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 8s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 9s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
CI / Python Lint & Test (pull_request) Successful in 4s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 5s
CI / Canvas (Next.js) (pull_request) Successful in 17s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 30s
Harness Replays / Harness Replays (pull_request) Failing after 32s
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m26s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m21s
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 1m36s
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m36s
CI / Platform (Go) (pull_request) Successful in 2m18s
Two coupled cleanups for the post-2026-05-06 stack:
============================================
The plugin injected GITHUB_TOKEN/GH_TOKEN via the App's
installation-access flow (~hourly rotation). Per-agent Gitea
identities replaced this approach after the 2026-05-06 suspension —
workspaces now provision with a per-persona Gitea PAT from .env
instead of an App-rotated token. The plugin code itself lived on
github.com/Molecule-AI/molecule-ai-plugin-github-app-auth which is
also unreachable post-suspension; checking it out at CI build time
was already failing.
Removed:
- workspace-server/cmd/server/main.go: githubappauth import + the
`if os.Getenv("GITHUB_APP_ID") != ""` block that called
BuildRegistry. gh-identity remains as the active mutator.
- workspace-server/Dockerfile + Dockerfile.tenant: COPY of the
sibling repo + the `replace github.com/Molecule-AI/molecule-ai-
plugin-github-app-auth => /plugin` directive injection.
- workspace-server/go.mod + go.sum: github-app-auth dep entry
(cleaned up by `go mod tidy`).
- 3 workflows: actions/checkout steps for the sibling plugin repo:
- .github/workflows/codeql.yml (Go matrix path)
- .github/workflows/harness-replays.yml
- .github/workflows/publish-workspace-server-image.yml
Verified `go build ./cmd/server` + `go vet ./...` pass post-removal.
=======================================================
Same workflow used to push to ghcr.io/molecule-ai/platform +
platform-tenant. ghcr.io/molecule-ai is gone post-suspension. The
operator's ECR org (153263036946.dkr.ecr.us-east-2.amazonaws.com/
molecule-ai/) already hosts platform-tenant + workspace-template-*
+ runner-base images and is the post-suspension SSOT for container
images. This PR aligns publish-workspace-server-image with that
stack.
- env.IMAGE_NAME + env.TENANT_IMAGE_NAME repointed to ECR URL.
- docker/login-action swapped for aws-actions/configure-aws-
credentials@v4 + aws-actions/amazon-ecr-login@v2 chain (the
standard ECR auth pattern; uses AWS_ACCESS_KEY_ID/SECRET secrets
bound to the molecule-cp IAM user).
The :staging-<sha> + :staging-latest tag policy is unchanged —
staging-CP's TENANT_IMAGE pin still points at :staging-latest, just
with the new registry prefix.
Refs molecule-core#157, #161; parallel to org-wide CI-green sweep.
120 lines
4.9 KiB
YAML
120 lines
4.9 KiB
YAML
name: CodeQL
|
|
|
|
# Controls CodeQL scan triggers for this repo.
|
|
#
|
|
# GitHub's "Code quality" default setup (the UI-configured one) is
|
|
# hardcoded to only scan the default branch — on this repo that's
|
|
# `staging`, so PRs promoting staging→main would otherwise never be
|
|
# scanned. This workflow fills that gap by explicitly scanning both
|
|
# branches on push and PR.
|
|
#
|
|
# Runs on ubuntu-latest (GHA-hosted — public repo, free). GHAS is NOT
|
|
# enabled on this repo, so results are not uploaded to the Security
|
|
# tab — the scan fails the PR check on findings, and the SARIF is
|
|
# kept as a workflow artifact for triage.
|
|
|
|
on:
|
|
push:
|
|
branches: [main, staging]
|
|
pull_request:
|
|
branches: [main, staging]
|
|
# GitHub merge queue fires `merge_group` for the queue's pre-merge CI run.
|
|
# Required so CodeQL Analyze checks get a real result on the queued
|
|
# commit instead of a false-green. Event only fires once merge queue is
|
|
# enabled on the target branch — safe to add unconditionally.
|
|
merge_group:
|
|
types: [checks_requested]
|
|
schedule:
|
|
# Weekly run picks up findings in code that hasn't been touched.
|
|
- cron: '30 1 * * 0'
|
|
|
|
# Workflow-level concurrency: only one CodeQL run per branch/PR at a time.
|
|
# `cancel-in-progress: false` queues new runs so a quick follow-up push
|
|
# doesn't nuke a 45-min analysis mid-flight.
|
|
concurrency:
|
|
group: codeql-${{ github.ref }}
|
|
cancel-in-progress: false
|
|
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
# No security-events: write — we don't call the upload API.
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze (${{ matrix.language }})
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 45
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
language: [go, javascript-typescript, python]
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
|
|
# github-app-auth sibling-checkout removed 2026-05-07 (#157):
|
|
# plugin was dropped + the Dockerfile no longer needs it.
|
|
# jq is pre-installed on ubuntu-latest — no setup step needed.
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
# security-extended widens past the default to include the
|
|
# full security-query set for a public SaaS surface.
|
|
queries: security-extended
|
|
|
|
- name: Autobuild
|
|
uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
|
|
|
- name: Perform CodeQL Analysis
|
|
id: analyze
|
|
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
|
with:
|
|
category: "/language:${{ matrix.language }}"
|
|
# upload: never — GHAS isn't enabled on this repo, so the
|
|
# upload API 403s. Write SARIF locally instead.
|
|
upload: never
|
|
output: sarif-results/${{ matrix.language }}
|
|
|
|
- name: Parse SARIF + fail on findings
|
|
# The analyze step writes <database>.sarif into the output
|
|
# directory — database name is the short CodeQL lang id, not
|
|
# the matrix value (e.g. "javascript-typescript" →
|
|
# javascript.sarif), so glob rather than hardcode.
|
|
# Filter to error/warning severity: security-extended emits
|
|
# "note" rows for informational findings we don't want to fail
|
|
# the build over.
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
dir="sarif-results/${{ matrix.language }}"
|
|
sarif=$(ls "$dir"/*.sarif 2>/dev/null | head -1 || true)
|
|
if [ -z "$sarif" ] || [ ! -f "$sarif" ]; then
|
|
echo "::error::No SARIF file found under $dir"
|
|
ls -la "$dir" 2>/dev/null || true
|
|
exit 1
|
|
fi
|
|
echo "Parsing $sarif"
|
|
count=$(jq '[.runs[].results[] | select(.level == "error" or .level == "warning")] | length' "$sarif")
|
|
echo "CodeQL findings (error+warning) for ${{ matrix.language }}: $count"
|
|
if [ "$count" -gt 0 ]; then
|
|
echo "::error::CodeQL found $count issues. Details below; full SARIF in the artifact."
|
|
jq -r '.runs[].results[] | select(.level == "error" or .level == "warning") | " - [\(.level)] \(.ruleId // "?"): \(.message.text // "(no message)") @ \(.locations[0].physicalLocation.artifactLocation.uri // "?"):\(.locations[0].physicalLocation.region.startLine // "?")"' "$sarif"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Upload SARIF artifact
|
|
# Keep SARIF around on success + failure so triagers can diff.
|
|
# 14-day retention — longer than default 3, short enough not
|
|
# to bloat quota.
|
|
if: always()
|
|
uses: actions/upload-artifact@v3 # pinned to v3 for Gitea act_runner v0.6 compatibility (internal#46)
|
|
with:
|
|
name: codeql-sarif-${{ matrix.language }}
|
|
path: sarif-results/${{ matrix.language }}/
|
|
retention-days: 14
|