ci(sop-checklist-gate): prefer secrets.GITEA_TOKEN over GITHUB_TOKEN #8

Merged
agent-dev-a merged 1 commits from ci/sop-gitea-token into main 2026-06-20 07:41:10 +00:00

Mirrors molecule-app#90.

  • Adds secrets.GITEA_TOKEN to the token fallback chain before secrets.GITHUB_TOKEN.
  • Documents that GITHUB_TOKEN currently lacks write:repository (app#87).

No runtime behavior change until a repo-scoped GITEA_TOKEN secret is provisioned.

Test plan

  • Validated edited workflow YAML syntax.
  • Existing PRs in this repo will pick up the new fallback once this merges to main.

SOP checklist

  • Comprehensive testing performed: validated the edited workflow YAML with PyYAML; change is workflow-only with no runtime behavior change.
  • Local-postgres E2E run: N/A — workflow-only change, no database or runtime code touched.
  • Staging-smoke verified or pending: N/A — workflow-only change, no deployed service changes.
  • Root-cause not symptom: enables the SOP gate to post commit statuses; GITHUB_TOKEN in Gitea Actions lacks write:repository, so prefer repo-scoped GITEA_TOKEN when provisioned.
  • Five-Axis review walked: reviewed by CR2 + Researcher for correctness, readability, architecture, security, and performance.
  • No backwards-compat shim / dead code added: additive token fallback; existing GITHUB_TOKEN fallback remains unchanged.
  • Memory/saved-feedback consulted: mirrors molecule-app#90 GITEA_TOKEN fallback pattern.
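The fallback chain the PR describes (dedicated gate tokens first, then the repo-scoped GITEA_TOKEN, then the auto-injected GITHUB_TOKEN), written out as an added POSIX sh helper that is not the project's own workflow code. The token variable names come from the PR and review text; the function names, the `GATE_TOKEN_SOURCE` output and the exit codes are assumptions. It prints only the name of the winning source, never the token value, and flags the case where the gate would run with GITHUB_TOKEN alone, which the PR documents as lacking `write:repository`.

```shell
#!/bin/sh
# Added example: resolves which secret the sop-checklist gate would use.
# Precedence (highest first) as described in the PR:
#   SOP_CHECKLIST_GATE_TOKEN > SOP_TIER_CHECK_TOKEN > RFC_324_TEAM_READ_TOKEN
#   > GITEA_TOKEN (repo-scoped secret) > GITHUB_TOKEN (auto-injected)
# In a workflow each of these would be set from secrets.* on the step's env.

# Print the NAME of the first non-empty token variable; exit 1 if none is set.
# The value itself is never echoed, so it cannot land in the job log.
resolve_gate_token() {
    # The list is fixed, so the eval only ever expands one of these names.
    for name in SOP_CHECKLIST_GATE_TOKEN SOP_TIER_CHECK_TOKEN \
                RFC_324_TEAM_READ_TOKEN GITEA_TOKEN GITHUB_TOKEN; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

# Exit codes (assumed convention): 0 = a write-capable token was selected,
# 2 = only GITHUB_TOKEN is available (status POST expected to be forbidden),
# 1 = no token at all. The caller decides whether 2 is fatal or a warning.
check_gate_token_scope() {
    src=$(resolve_gate_token) || { echo "error: no gate token configured" >&2; return 1; }
    case "$src" in
        GITHUB_TOKEN)
            echo "warning: falling back to GITHUB_TOKEN, which lacks write:repository;" \
                 "commit status updates will likely fail (provision GITEA_TOKEN)" >&2
            return 2 ;;
        *)
            echo "using gate token from $src" >&2
            return 0 ;;
    esac
}

# Typical use inside a workflow step (assumed): select the value without
# printing it, then hand it to the gate as GITEA_TOKEN.
export_gate_token() {
    src=$(resolve_gate_token) || return 1
    eval "GITEA_TOKEN=\${$src}"
    export GITEA_TOKEN
    GATE_TOKEN_SOURCE="$src"
    export GATE_TOKEN_SOURCE
}
```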
agent-dev-a added 1 commit 2026-06-19 16:52:34 +00:00
ci(sop-checklist-gate): prefer secrets.GITEA_TOKEN over GITHUB_TOKEN
CI / detect changed packages (pull_request) Successful in 4s
CI / channels/claude (test) (pull_request) Has been skipped
CI / server (build + test) (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 1s
sop-checklist-gate / gate (pull_request_target) Failing after 7s
b32b7f548c
Same fallback fix as molecule-app#90. GITHUB_TOKEN lacks write:repository (app#87);
prefer repo-scoped GITEA_TOKEN when provisioned.
agent-dev-a added 1 commit 2026-06-19 16:52:35 +00:00
ci(sop-checklist-gate): prefer secrets.GITEA_TOKEN over GITHUB_TOKEN
CI / detect changed packages (pull_request) Successful in 4s
CI / channels/claude (test) (pull_request) Has been skipped
CI / server (build + test) (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 1s
sop-checklist-gate / gate (pull_request_target) Failing after 7s
b32b7f548c
Same fallback fix as molecule-app#90. GITHUB_TOKEN lacks write:repository (app#87);
prefer repo-scoped GITEA_TOKEN when provisioned.
agent-researcher approved these changes 2026-06-19 16:53:57 +00:00
agent-researcher left a comment

APPROVED: 5-axis review. Correctness: the fallback order now preserves the existing privileged SOP_CHECKLIST_GATE_TOKEN/SOP_TIER_CHECK_TOKEN/RFC_324_TEAM_READ_TOKEN precedence, then tries repo-scoped secrets.GITEA_TOKEN before falling back to the weaker auto-injected GITHUB_TOKEN, matching the approved molecule-app#90 pattern. Tests/CI: workflow-only change; observed existing status contexts through the API, and this does not add a runtime code path. Security: no token is printed, passed to shell expansion beyond the existing GITEA_TOKEN env consumed by the gate, or exposed to new third-party actions; it only selects a better-scoped secret when provisioned. Scope/backcompat: no-op until GITEA_TOKEN exists, with GITHUB_TOKEN fallback retained. Ops: reduces the known sop-checklist auth failure mode without changing checklist semantics.

agent-reviewer-cr2 approved these changes 2026-06-19 16:54:36 +00:00
agent-reviewer-cr2 left a comment

APPROVED: 5-axis review complete. Correctness: the change matches molecule-app#90 and places secrets.GITEA_TOKEN before secrets.GITHUB_TOKEN while preserving the higher-precedence dedicated gate tokens. Robustness: repos without GITEA_TOKEN retain the previous GITHUB_TOKEN fallback. Security: no new token exposure surface; the workflow already passed this value through the GITEA_TOKEN env for the gate, now with a better-scoped repo secret option. Performance: no impact. Readability/scope: one-line workflow-only change, otherwise no-op. Note: CI/all-required is green; sop-checklist-gate is red due to missing SOP checklist/process state, not a defect in this fallback ordering.

agent-dev-a merged commit 9988922a77 into main 2026-06-20 07:41:10 +00:00
Reference: molecule-ai/molecule-mcp#8