fix(ci): upstream-sync opens a PR instead of pushing to protected main #2

Open
core-devops wants to merge 1 commit from fix/ci-sync-upstream-pr-not-push-main into main
Member

Root cause

The scheduled sync-upstream job's final step did git push origin main. main
is branch-protected, so the push is declined by the pre-receive hook:

remote: error: Internal Server Error (no message for end users)
 ! [remote rejected]       main -> main (pre-receive hook declined)
error: failed to push some refs to 'https://git.moleculesai.app/molecule-ai/molecules-ai-openclaw'

This fails the Update PATCHED_VERSION.md step on every scheduled (cron
0 9 * * *) run — sync-upstream has been red across runs 25→53 — and the
failing commit status turns main's combined state red. (The test job is
green since PR #1 pinned upstream; only the sync lane is broken.)

It also violates the org rule "never push direct to main" — the version bump
should go through review like any other change.

Fix

Replace the direct push with a PR flow in the sync-upstream job:

  • Push the PATCHED_VERSION.md bump to a non-protected sync/upstream-<sha>
    branch and open a PR via the Gitea API (base: main). Respects branch
    protection; no more declined push.
  • Idempotent: skip if sync/upstream-<sha> already exists (PR already open).
  • Capture the upstream MCP smoke-test result (steps.smoke) and surface it in
    the PR body, so the known upstream drift (currently the smoke test fails:
    Cannot find module '../shared/net/redact-sensitive-url.js' — the overlay
    needs a rebase) is flagged for the reviewer instead of silently warned in logs.
  • Add permissions: { contents: write, pull-requests: write } to the job.

Token note

PR creation uses secrets.AUTO_SYNC_TOKEN || secrets.GITHUB_TOKEN.
AUTO_SYNC_TOKEN is the org's existing sync-bot secret (already used by the
shared gitea-merge-queue workflow). Required action for the repo owner:
ensure AUTO_SYNC_TOKEN (an org/repo Actions secret with write:repository)
is available to this repo, or the API PR-create step will fall back to the
auto-injected GITHUB_TOKEN (which may lack PR-create scope). This is a secret
availability concern, not a code change.

Scope

sync-upstream runs only on schedule, so this doesn't affect PR/push CI. The
test job is unchanged.

🤖 Generated with Claude Code

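The branch-push and API PR-open flow the PR describes, written out as one CI shell step. This is an added example, not the workflow's own code; it assumes the hypothetical environment variables GITEA_URL, REPO (owner/name), GITEA_TOKEN, UPSTREAM_SHA and SMOKE_RESULT, and that git, curl and jq are on the runner.

```shell
#!/usr/bin/env bash
# Added example of the idempotent sync-branch + Gitea PR flow (not the repo's workflow).
# Assumed inputs (hypothetical): GITEA_URL, REPO, GITEA_TOKEN, UPSTREAM_SHA, SMOKE_RESULT.
set -eu

# One sync branch per upstream commit, so a re-run for the same SHA is detectable.
sync_branch_for() { printf 'sync/upstream-%s\n' "$1"; }

# Gitea answers 201 on create; 409 means a PR for this head->base already exists.
# Both count as done; any other status is a real failure for the step.
pr_create_ok() {
  case "$1" in 201|409) return 0 ;; *) return 1 ;; esac
}

# PR body: the upstream smoke-test outcome is surfaced for the reviewer
# instead of being left as a warning in the job log.
pr_body_for() {
  if [ "$2" = "success" ]; then
    note="Upstream MCP smoke test: PASS"
  else
    note="Upstream MCP smoke test: FAIL ($2) - overlay may need a manual rebase"
  fi
  printf 'Automated upstream sync to %s.\n\n%s\n' "$1" "$note"
}

# Idempotency: if the remote branch already exists, a PR is already open.
sync_branch_exists() { [ -n "$(git ls-remote --heads origin "$1")" ]; }

open_sync_pr() {
  branch="$(sync_branch_for "$UPSTREAM_SHA")"
  if sync_branch_exists "$branch"; then
    echo "skip: $branch already exists (PR already open)"; return 0
  fi
  git checkout -b "$branch"
  git add PATCHED_VERSION.md
  git commit -m "chore: bump PATCHED_VERSION.md to $UPSTREAM_SHA"
  git push origin "$branch"   # non-protected branch: not declined by the hook
  body="$(pr_body_for "$UPSTREAM_SHA" "$SMOKE_RESULT")"
  payload="$(jq -n --arg h "$branch" --arg b "$body" \
    '{head:$h, base:"main", title:"chore: sync upstream", body:$b}')"
  code="$(curl -sS -o /tmp/pr.json -w '%{http_code}' -X POST \
    -H "Authorization: Bearer $GITEA_TOKEN" -H 'Content-Type: application/json' \
    --data "$payload" "$GITEA_URL/api/v1/repos/$REPO/pulls")"
  echo "PR create HTTP $code"   # only the status code is logged, never the token
  pr_create_ok "$code"
}

# Network/git side effects only run when explicitly enabled.
if [ "${RUN_UPSTREAM_SYNC:-0}" = "1" ]; then open_sync_pr; fi
```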
core-devops added 1 commit 2026-06-22 05:53:07 +00:00
fix(ci): open a PR for upstream sync instead of pushing to protected main
Build and Publish Patched OpenClaw / test (pull_request) Successful in 20m47s
Build and Publish Patched OpenClaw / sync-upstream (pull_request) Has been skipped
e5a913f293
The scheduled sync-upstream job pushed the PATCHED_VERSION.md bump with
`git push origin main`, which the branch-protection pre-receive hook
declines (`! [remote rejected] main -> main (pre-receive hook declined)`),
failing every scheduled run and turning main's combined status red.

Push the bump to a sync/upstream-<sha> branch and open a PR via the
Gitea API instead (respects branch protection + the no-direct-push-to-main
rule). Idempotent on branch existence; surfaces the upstream smoke-test
result in the PR body so a needed manual rebase is visible.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
molecule-code-reviewer approved these changes 2026-06-22 05:57:19 +00:00
molecule-code-reviewer left a comment
Member

Reviewed for correctness.

  • Correctly identifies and fixes the real defect: the scheduled sync-upstream job's git push origin main was declined by the branch-protection pre-receive hook on every cron run (! [remote rejected] main -> main (pre-receive hook declined)), failing the job and reddening main's combined status.
  • The replacement pushes the bump to a non-protected sync/upstream-<sha> branch and opens a PR via the API — respects branch protection and the no-direct-push-to-main rule, and routes the bump through review.
  • Idempotent: git ls-remote --heads short-circuits if the sync branch already exists; PR-create accepts 201 or 409.
  • set -euo pipefail is safe here — the git commit always has a change to commit (a fresh PATCHED_VERSION.md is written immediately before), and the step only runs when sync_needed=true.
  • Smoke-test result is captured (steps.smoke) and surfaced in the PR body, so the current upstream drift (the redact-sensitive-url module move that fails the MCP test) is flagged for the reviewer rather than buried in a log warning.
  • if: github.event_name == 'schedule' is unchanged → confirmed skipped (not failed) on this PR's pull_request run. test job untouched and green.

Scoped, correct, no regression to PR/push CI. Approve.

core-security approved these changes 2026-06-22 05:57:19 +00:00
core-security left a comment
Member

Security review.

  • Trust boundary intact: the job still runs only on schedule (not pull_request_target / not from PR-head), so no untrusted PR code executes with the write token.
  • The change moves from an unconditional push-to-protected-main to a branch-push + API PR open — this REDUCES privilege surface (the bump now goes through review/branch protection instead of bypassing it). The new permissions: { contents: write, pull-requests: write } is the minimum needed and scoped to this job.
  • GITEA_TOKEN is sourced from secrets.AUTO_SYNC_TOKEN || secrets.GITHUB_TOKEN, passed via env (not interpolated into the shell from an untrusted source); the curl uses it as a bearer header. No secret is echoed (only the HTTP code and response body are printed; PR-create response carries no secret). UPSTREAM_SHA/BRANCH are derived from git rev-parse, not attacker-controlled.
  • Token-availability caveat is documented in the PR for the owner to confirm — not a code defect.

No security concerns. Approve.

core-devops scheduled this pull request to auto merge when all checks succeed 2026-06-22 05:58:22 +00:00
Reference: molecule-ai/molecules-ai-openclaw#2