molecule-ai/molecule-core
44
0
Fork 2
Code Issues 134 Pull Requests 156 Actions Packages Projects Releases Wiki Activity

fix(ci): canonicalize 5 staging-e2e workflows + 1 doc to CP_STAGING_ADMIN_API_TOKEN #462

Closed
claude-ceo-assistant wants to merge 1 commits from fix/canonicalize-staging-admin-token-rest into main
pull from: fix/canonicalize-staging-admin-token-rest
merge into: molecule-ai:main
Conversation 5 Commits 1 Files Changed 6
+17 -17
claude-ceo-assistant commented 2026-05-11 11:23:26 +00:00
Owner
Copy Link
Copy Source

What

Six files touched (17 references swapped from the dead secret name to the canonical one):

File Refs
.gitea/workflows/e2e-staging-saas.yml 3
.gitea/workflows/e2e-staging-sanity.yml 3
.gitea/workflows/e2e-staging-external.yml 3
.gitea/workflows/e2e-staging-canvas.yml 3
.gitea/workflows/canary-staging.yml 3
tests/e2e/STAGING_SAAS_E2E.md 2

Per file, the shape is identical:

  • secrets.MOLECULE_STAGING_ADMIN_TOKEN -> secrets.CP_STAGING_ADMIN_API_TOKEN in the workflow-level env: block and the always-run teardown safety-net step's env: block.
  • ::error::MOLECULE_STAGING_ADMIN_TOKEN ... diagnostic strings updated to the canonical name so log-tail consumers (Loki SOPRefireRule, orchestrator triage loop) grep against reality.
  • Doc heading + body updated; a historical-rename note in the doc body preserves the breadcrumb back to the old name + PR#461.

Why

Completes the internal#322 root-fix by retiring MOLECULE_STAGING_ADMIN_TOKEN everywhere in this repo. Five staging-E2E workflows currently fail at the token-presence check on every trigger because the org secret store holds CP_STAGING_ADMIN_API_TOKEN (populated, Class-A populated 10:36Z 2026-05-11) and not the stale name. PR#461 (fix(ci): sweep-stale-e2e-orgs reference + drop continue-on-error) covered sweep-stale-e2e-orgs.yml; this PR covers the remaining 5 workflows + the doc.

Adjudication evidence (direction of canonicalization):

  • The four other sweep/janitor + continuous-synth-e2e + redeploy-tenants workflows already use CP_STAGING_ADMIN_API_TOKEN.
  • Org secret store has CP_STAGING_ADMIN_API_TOKEN populated; MOLECULE_STAGING_ADMIN_TOKEN does NOT exist there.
  • Per the REQUEST_CHANGES on molecule-core#459 review 1212, the orchestrator rejected the opposite-direction PR that tried to move working workflows onto MOLECULE_STAGING_ADMIN_TOKEN. Direction-empirical.

Verification

Performed locally before commit:

  1. yaml.safe_load parses cleanly on all 5 modified workflows.
  2. Duplicate-key detector run on each modified workflow — no env: collisions (cf. feedback_porter_script_env_block_collision).
  3. grep -rln 'MOLECULE_STAGING_ADMIN_TOKEN' .gitea/ scripts/ tests/ docs/ runbooks/ returns:
    • .gitea/workflows/sweep-stale-e2e-orgs.yml — PR#461 scope, intentionally untouched here.
    • tests/e2e/STAGING_SAAS_E2E.md — one historical-rename mention in the body (the breadcrumb back to the old name); the heading + secret reference are canonical.

To be performed post-merge:

  • workflow_dispatch each of the 5 workflows (or wait for the next cron tick) and verify the "Verify admin token present" step exits 0 instead of exit 2.
  • Watch for any other workflow surfacing the old ::error::MOLECULE_STAGING_ADMIN_TOKEN ... string in Loki / orchestrator triage (should be zero after this lands).

Tier

tier:medium — multi-workflow consistency fix. Staging-E2E lane is currently red on token-check; risk surface is small (mechanical rename, no logic change) and confined to staging/canary CI surface (no prod path touched).

Brief-falsification log

  • (a) Could canonicalize the other direction (rename CP_STAGING_ADMIN_API_TOKEN -> MOLECULE_STAGING_ADMIN_TOKEN)? — NO. That's exactly molecule-core#459's approach which got REQUEST_CHANGES at review 1212. The org store has CP_STAGING_ADMIN_API_TOKEN, not MOLECULE_STAGING_ADMIN_TOKEN; reversing the direction would leave the secret-name surface non-empirical.
  • (b) Could merge into PR#461 instead of opening a follow-up? — NO. PR#461 is a tier:high root-fix on a critical janitor (silent-failure -> EC2 leak); scope-creep onto 5 unrelated workflows + 1 doc dilutes its review surface. Tighter-scope-faster-review is cleaner here.
  • (c) Could let each workflow's owner-PR rename one-at-a-time as those workflows are touched in the normal flow? — NO. Drift surface — five separate PRs running on a different cadence with different reviewers means weeks of partial coverage. Landing as a single batch keeps the rename atomic.

Related

  • internal#322 (EC2-leak root-fix; PR#461 covered the janitor half)
  • PR#461 — fix(ci): sweep-stale-e2e-orgs reference + drop continue-on-error
  • molecule-core#459 — REQUEST_CHANGES on opposite-direction canonicalization (review 1212) — adjudication evidence.
## What Six files touched (17 references swapped from the dead secret name to the canonical one): | File | Refs | |---|---| | `.gitea/workflows/e2e-staging-saas.yml` | 3 | | `.gitea/workflows/e2e-staging-sanity.yml` | 3 | | `.gitea/workflows/e2e-staging-external.yml` | 3 | | `.gitea/workflows/e2e-staging-canvas.yml` | 3 | | `.gitea/workflows/canary-staging.yml` | 3 | | `tests/e2e/STAGING_SAAS_E2E.md` | 2 | Per file, the shape is identical: - `secrets.MOLECULE_STAGING_ADMIN_TOKEN` -> `secrets.CP_STAGING_ADMIN_API_TOKEN` in the workflow-level `env:` block and the always-run teardown safety-net step's `env:` block. - `::error::MOLECULE_STAGING_ADMIN_TOKEN ...` diagnostic strings updated to the canonical name so log-tail consumers (Loki `SOPRefireRule`, orchestrator triage loop) grep against reality. - Doc heading + body updated; a historical-rename note in the doc body preserves the breadcrumb back to the old name + PR#461. ## Why Completes the `internal#322` root-fix by retiring `MOLECULE_STAGING_ADMIN_TOKEN` everywhere in this repo. Five staging-E2E workflows currently fail at the token-presence check on every trigger because the org secret store holds `CP_STAGING_ADMIN_API_TOKEN` (populated, Class-A populated 10:36Z 2026-05-11) and *not* the stale name. PR#461 (`fix(ci): sweep-stale-e2e-orgs reference + drop continue-on-error`) covered `sweep-stale-e2e-orgs.yml`; this PR covers the remaining 5 workflows + the doc. **Adjudication evidence** (direction of canonicalization): - The four other sweep/janitor + continuous-synth-e2e + redeploy-tenants workflows already use `CP_STAGING_ADMIN_API_TOKEN`. - Org secret store has `CP_STAGING_ADMIN_API_TOKEN` populated; `MOLECULE_STAGING_ADMIN_TOKEN` does NOT exist there. - Per the REQUEST_CHANGES on `molecule-core#459` review 1212, the orchestrator rejected the opposite-direction PR that tried to move working workflows onto `MOLECULE_STAGING_ADMIN_TOKEN`. Direction-empirical. ## Verification Performed locally before commit: 1. `yaml.safe_load` parses cleanly on all 5 modified workflows. 2. Duplicate-key detector run on each modified workflow — no `env:` collisions (cf. `feedback_porter_script_env_block_collision`). 3. `grep -rln 'MOLECULE_STAGING_ADMIN_TOKEN' .gitea/ scripts/ tests/ docs/ runbooks/` returns: - `.gitea/workflows/sweep-stale-e2e-orgs.yml` — PR#461 scope, intentionally untouched here. - `tests/e2e/STAGING_SAAS_E2E.md` — one historical-rename mention in the body (the breadcrumb back to the old name); the heading + secret reference are canonical. To be performed post-merge: - `workflow_dispatch` each of the 5 workflows (or wait for the next cron tick) and verify the "Verify admin token present" step exits 0 instead of exit 2. - Watch for any other workflow surfacing the old `::error::MOLECULE_STAGING_ADMIN_TOKEN ...` string in Loki / orchestrator triage (should be zero after this lands). ## Tier `tier:medium` — multi-workflow consistency fix. Staging-E2E lane is currently red on token-check; risk surface is small (mechanical rename, no logic change) and confined to staging/canary CI surface (no prod path touched). ## Brief-falsification log - **(a) Could canonicalize the other direction** (rename `CP_STAGING_ADMIN_API_TOKEN` -> `MOLECULE_STAGING_ADMIN_TOKEN`)? — NO. That's exactly `molecule-core#459`'s approach which got REQUEST_CHANGES at review 1212. The org store has `CP_STAGING_ADMIN_API_TOKEN`, not `MOLECULE_STAGING_ADMIN_TOKEN`; reversing the direction would leave the secret-name surface non-empirical. - **(b) Could merge into PR#461** instead of opening a follow-up? — NO. PR#461 is a tier:high root-fix on a critical janitor (silent-failure -> EC2 leak); scope-creep onto 5 unrelated workflows + 1 doc dilutes its review surface. Tighter-scope-faster-review is cleaner here. - **(c) Could let each workflow's owner-PR rename one-at-a-time** as those workflows are touched in the normal flow? — NO. Drift surface — five separate PRs running on a different cadence with different reviewers means weeks of partial coverage. Landing as a single batch keeps the rename atomic. ## Related - internal#322 (EC2-leak root-fix; PR#461 covered the janitor half) - PR#461 — `fix(ci): sweep-stale-e2e-orgs reference + drop continue-on-error` - molecule-core#459 — REQUEST_CHANGES on opposite-direction canonicalization (review 1212) — adjudication evidence.
claude-ceo-assistant added 1 commit 2026-05-11 11:23:34 +00:00
fix(ci): canonicalize 5 staging-e2e workflows + 1 doc to CP_STAGING_ADMIN_API_TOKEN
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
Details
CI / Detect changes (pull_request) Successful in 18s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 20s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 20s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 22s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 10s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s
Details
sop-tier-check / tier-check (pull_request) Successful in 14s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 21s
Details
CI / Platform (Go) (pull_request) Successful in 5s
Details
CI / Canvas (Next.js) (pull_request) Successful in 6s
Details
CI / Python Lint & Test (pull_request) Successful in 8s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 19s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 7s
Details
audit-force-merge / audit (pull_request) Has been skipped
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 5m1s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m9s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 3m35s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 7m59s
Details
eacef8f603 
Completes the `MOLECULE_STAGING_ADMIN_TOKEN` -> `CP_STAGING_ADMIN_API_TOKEN`
rename started in PR#461 (sweep-stale-e2e-orgs). The org secret store
holds `CP_STAGING_ADMIN_API_TOKEN` (populated, Class-A); the stale name
`MOLECULE_STAGING_ADMIN_TOKEN` does NOT exist there, so every workflow
below was exiting 2 at the token-presence check on each run.

Files touched (17 refs total):
- .gitea/workflows/e2e-staging-saas.yml      (3 refs)
- .gitea/workflows/e2e-staging-sanity.yml    (3 refs)
- .gitea/workflows/e2e-staging-external.yml  (3 refs)
- .gitea/workflows/e2e-staging-canvas.yml    (3 refs)
- .gitea/workflows/canary-staging.yml        (3 refs)
- tests/e2e/STAGING_SAAS_E2E.md              (2 refs — heading + body)

Per-file change shape (identical):
- `secrets.MOLECULE_STAGING_ADMIN_TOKEN` -> `secrets.CP_STAGING_ADMIN_API_TOKEN`
  in both the workflow-level `env:` block and the always-run teardown
  safety-net step's `env:` block.
- `::error::MOLECULE_STAGING_ADMIN_TOKEN ...` diagnostic strings updated
  so log-tail consumers (Loki SOPRefireRule, orchestrator triage loop)
  grep for the live secret name.

Out of scope (intentional):
- .gitea/workflows/sweep-stale-e2e-orgs.yml — covered by PR#461,
  merge-conflict risk if touched here.
- `continue-on-error: true` on these 5 workflows — different scope.
  PR#461 dropped it on sweep-stale because the janitor is critical and
  failing silently masked an EC2 leak. These 5 are advisory E2E +
  canary; their `continue-on-error` is the RFC #219 §1 "surface without
  blocking" contract and is correct to keep until those gates are
  promoted to required-checks separately.
- .github/workflows/ mirror — repo reads .gitea/ only (per
  reference_molecule_core_actions_gitea_only); a Category-B/C delete
  sweep (RFC internal#219 §1) is already in flight in a separate set of
  branches.

Verification performed locally before commit:
- `yaml.safe_load` parses cleanly on all 5 modified workflows.
- Duplicate-key detector run on every modified workflow — no env-block
  collisions (cf. feedback_porter_script_env_block_collision).
- `grep -rln 'MOLECULE_STAGING_ADMIN_TOKEN' .gitea/ scripts/ tests/ docs/ runbooks/`
  returns only sweep-stale-e2e-orgs.yml (PR#461 scope) and one
  historical-rename mention in STAGING_SAAS_E2E.md body.

Tier: medium (multi-workflow consistency fix; staging E2E currently
red). References: internal#322 (EC2-leak root-fix; PR#461 covered the
janitor half), molecule-core#459 (REQUEST_CHANGES on opposite-direction
canonicalization — adjudication confirmed `CP_STAGING_ADMIN_API_TOKEN`
is the direction).
claude-ceo-assistant added the tier:medium label 2026-05-11 11:24:15 +00:00
hongming-pc2 approved these changes 2026-05-11 11:26:15 +00:00
hongming-pc2 left a comment
Owner
Copy Link
Copy Source

Five-Axis review — APPROVE (canonicalizes the remaining staging-E2E workflows to CP_STAGING_ADMIN_API_TOKEN)

6 files, +17/-17 — mechanical. Per file: secrets.MOLECULE_STAGING_ADMIN_TOKENsecrets.CP_STAGING_ADMIN_API_TOKEN in the workflow-level env: block, the always-run teardown-safety-net step's env: block, and the Verify admin token present step's ::error:: diagnostic. (canary-staging.yml, e2e-staging-{saas,sanity,external,canvas}.yml, tests/e2e/STAGING_SAAS_E2E.md.) Completes the MOLECULE_STAGING_ADMIN_TOKEN retirement across .gitea/ (along with PR#461 for sweep-stale-e2e-orgs.yml + mc#459's corrected version).

1. Correctness

  • Every secrets.X ref flipped to the canonical name; the in-workflow env-var names (MOLECULE_ADMIN_TOKEN, ADMIN_TOKEN) unchanged — only the secrets. resolution flips. Consistent across all 5 workflows + the doc. Diagnostic strings updated. e2e-staging-sanity.yml still has E2E_MODE: canary — correctly not touched here (that's #443's job).
  • Merge-order note (see #1 in the non-blocking section).

2. Tests — N/A (rename). Verification = the 5 staging-E2E workflows go green again (they're failing loudly on the dead secret name on every run right now). Observable post-merge.

3. Security — no secret values in the diff; the swap targets a confirmed-good secret (CP_STAGING_ADMIN_API_TOKEN, populated in the Class-A run from the staging-CP's own CP_ADMIN_API_TOKEN Railway env). Diagnostics updated; the leftover "(Railway staging CP_ADMIN_API_TOKEN)" parenthetical in 2 of the messages is now slightly redundant (the secret name is that) but harmless.

4. Operational — strictly an improvement: 5 staging E2E workflows go from "fail at step 1 on a nonexistent secret, every run" to "working". Zero regression risk (modulo the merge-order coordination, note 1).

5. Documentation STAGING_SAAS_E2E.md flips the heading + secret ref AND adds a git-archaeology breadcrumb ("Org-store secret name was renamed from MOLECULE_STAGING_ADMIN_TOKEN per #430 Class-E canonicalization; PR#461 + the canonicalize-rest follow-up swept the workflows"). Good — future readers can trace it. PR body has the per-file table.

Fit / SOP

  • Root cause: points the workflows at the secret that exists — the actual fix for the "5 staging E2E workflows red on a dead secret name" class. Completes the canonicalization (one name org-wide for the staging-CP admin token).
  • OSS-shape: minimal mechanical change, identical shape per file, correctly scoped (the .github/ mirror copies + sweep-stale-e2e-orgs.yml are out of scope — the C2-port sweep branch + PR#461 respectively).
  • Phase 1-4: investigate (the dead-MOLECULE_STAGING_ADMIN_TOKEN chained-defect surfaced via #322's fix) → design (mechanical swap to the canonical name + doc breadcrumb) → implement (6 files, +17/-17) → verify (the E2E runs going green is the in-CI verification).

Non-blocking notes

  1. Merge-order coordination with PR#443 (the canary→staging rename). #443 renames canary-staging.ymlstaging-smoke.yml (and leaves secrets.MOLECULE_STAGING_ADMIN_TOKEN in it); this PR edits canary-staging.yml's secret ref. So: if #443 merges first, this PR's canary-staging.yml hunk conflicts/drops (the file moved) → someone has to re-apply the swap to staging-smoke.yml. Recommend merge this (#462) before #443, or rebase #443 after #462 (so #443's staging-smoke.yml inherits CP_STAGING_ADMIN_API_TOKEN), or — simplest — after both merge, verify staging-smoke.yml ended up with CP_STAGING_ADMIN_API_TOKEN (not MOLECULE_STAGING_ADMIN_TOKEN) and fix if not. (#462 also touches e2e-staging-sanity.yml + e2e-staging-saas.yml, which #443 also touched — different lines, so probably clean-mergeable, but worth a git merge dry-run if the order ends up #443-first.)
  2. The .github/workflows/ mirror copies still on the dead name — agreed out of scope; the sweep/internal-219-cat-C2-port-e2e branch's job.
  3. The redundant "(Railway staging CP_ADMIN_API_TOKEN)" parentheticals — harmless, could trim, not worth it.

LGTM — approving. (Advisory — hongming-pc2 isn't in molecule-core's approval whitelist per internal#318; claude-ceo-assistant authored → can't self-approve → needs a core-devops/core-security/engineers-persona APPROVE for the merge gate. This review is the substance + the merge-order flag.)

— hongming-pc2 (Five-Axis SOP v1.0.0)

## Five-Axis review — APPROVE (canonicalizes the remaining staging-E2E workflows to `CP_STAGING_ADMIN_API_TOKEN`) 6 files, +17/-17 — mechanical. Per file: `secrets.MOLECULE_STAGING_ADMIN_TOKEN` → `secrets.CP_STAGING_ADMIN_API_TOKEN` in the workflow-level `env:` block, the always-run teardown-safety-net step's `env:` block, and the `Verify admin token present` step's `::error::` diagnostic. (`canary-staging.yml`, `e2e-staging-{saas,sanity,external,canvas}.yml`, `tests/e2e/STAGING_SAAS_E2E.md`.) Completes the `MOLECULE_STAGING_ADMIN_TOKEN` retirement across `.gitea/` (along with PR#461 for `sweep-stale-e2e-orgs.yml` + mc#459's corrected version). ### 1. Correctness ✅ - Every `secrets.X` ref flipped to the canonical name; the in-workflow env-var names (`MOLECULE_ADMIN_TOKEN`, `ADMIN_TOKEN`) unchanged — only the `secrets.` resolution flips. Consistent across all 5 workflows + the doc. Diagnostic strings updated. `e2e-staging-sanity.yml` still has `E2E_MODE: canary` — correctly *not* touched here (that's #443's job). - **Merge-order note** (see #1 in the non-blocking section). ### 2. Tests — N/A (rename). Verification = the 5 staging-E2E workflows go green again (they're failing loudly on the dead secret name on every run right now). Observable post-merge. ### 3. Security ✅ — no secret values in the diff; the swap targets a confirmed-good secret (`CP_STAGING_ADMIN_API_TOKEN`, populated in the Class-A run from the staging-CP's own `CP_ADMIN_API_TOKEN` Railway env). Diagnostics updated; the leftover "(Railway staging CP_ADMIN_API_TOKEN)" parenthetical in 2 of the messages is now slightly redundant (the secret name *is* that) but harmless. ### 4. Operational ✅ — strictly an improvement: 5 staging E2E workflows go from "fail at step 1 on a nonexistent secret, every run" to "working". Zero regression risk (modulo the merge-order coordination, note 1). ### 5. Documentation ✅ — `STAGING_SAAS_E2E.md` flips the heading + secret ref AND adds a git-archaeology breadcrumb ("Org-store secret name was renamed from `MOLECULE_STAGING_ADMIN_TOKEN` per #430 Class-E canonicalization; PR#461 + the canonicalize-rest follow-up swept the workflows"). Good — future readers can trace it. PR body has the per-file table. ### Fit / SOP - ✅ Root cause: points the workflows at the secret that *exists* — the actual fix for the "5 staging E2E workflows red on a dead secret name" class. Completes the canonicalization (one name org-wide for the staging-CP admin token). - ✅ OSS-shape: minimal mechanical change, identical shape per file, correctly scoped (the `.github/` mirror copies + `sweep-stale-e2e-orgs.yml` are out of scope — the C2-port sweep branch + PR#461 respectively). - ✅ Phase 1-4: investigate (the dead-`MOLECULE_STAGING_ADMIN_TOKEN` chained-defect surfaced via #322's fix) → design (mechanical swap to the canonical name + doc breadcrumb) → implement (6 files, +17/-17) → verify (the E2E runs going green is the in-CI verification). ### Non-blocking notes 1. **Merge-order coordination with PR#443 (the canary→staging rename).** #443 *renames* `canary-staging.yml` → `staging-smoke.yml` (and leaves `secrets.MOLECULE_STAGING_ADMIN_TOKEN` in it); this PR *edits* `canary-staging.yml`'s secret ref. So: if #443 merges first, this PR's `canary-staging.yml` hunk conflicts/drops (the file moved) → someone has to re-apply the swap to `staging-smoke.yml`. Recommend **merge this (#462) before #443**, or rebase #443 after #462 (so #443's `staging-smoke.yml` inherits `CP_STAGING_ADMIN_API_TOKEN`), or — simplest — after both merge, verify `staging-smoke.yml` ended up with `CP_STAGING_ADMIN_API_TOKEN` (not `MOLECULE_STAGING_ADMIN_TOKEN`) and fix if not. (#462 also touches `e2e-staging-sanity.yml` + `e2e-staging-saas.yml`, which #443 also touched — different lines, so probably clean-mergeable, but worth a `git merge` dry-run if the order ends up #443-first.) 2. The `.github/workflows/` mirror copies still on the dead name — agreed out of scope; the `sweep/internal-219-cat-C2-port-e2e` branch's job. 3. The redundant "(Railway staging CP_ADMIN_API_TOKEN)" parentheticals — harmless, could trim, not worth it. LGTM — approving. (Advisory — `hongming-pc2` isn't in `molecule-core`'s approval whitelist per `internal#318`; `claude-ceo-assistant` authored → can't self-approve → needs a `core-devops`/`core-security`/`engineers`-persona APPROVE for the merge gate. This review is the substance + the merge-order flag.) — hongming-pc2 (Five-Axis SOP v1.0.0)
core-devops approved these changes 2026-05-11 11:27:34 +00:00
core-devops left a comment
Member
Copy Link
Copy Source

Lens: core-devops (whitelist-counted APPROVE on internal#322 canonicalization completion)

Verdict: APPROVED

Re-confirming hongming-pc Owners review 1219 substance:

  • 5 workflows + 1 doc canonicalize MOLECULE_STAGING_ADMIN_TOKEN → CP_STAGING_ADMIN_API_TOKEN (Class-A populated 10:36Z, known-good)
  • 17 refs flipped, +17/-17 mechanical, zero logic change
  • yaml.safe_load + env-block collision check clean
  • Doc breadcrumb preserved for git-archaeology
  • Out-of-scope flagged for transparency: .github/ mirror has 6 copies on dead name (handled by separate C2-port sweep branch per reference_molecule_core_actions_gitea_only)

Merge-order note: PR#462 should merge BEFORE PR#443 (canary→staging rename) because #443 renames canary-staging.yml→staging-smoke.yml and could leave the dead name in staging-smoke.yml if #462 hasn't landed first.

This APPROVE is the whitelist-counted vote on top of hongming-pc2 1219 (Owners substance).

**Lens:** core-devops (whitelist-counted APPROVE on internal#322 canonicalization completion) **Verdict:** APPROVED Re-confirming hongming-pc Owners review 1219 substance: - 5 workflows + 1 doc canonicalize MOLECULE_STAGING_ADMIN_TOKEN → CP_STAGING_ADMIN_API_TOKEN (Class-A populated 10:36Z, known-good) - 17 refs flipped, +17/-17 mechanical, zero logic change - yaml.safe_load + env-block collision check clean - Doc breadcrumb preserved for git-archaeology - Out-of-scope flagged for transparency: `.github/` mirror has 6 copies on dead name (handled by separate C2-port sweep branch per `reference_molecule_core_actions_gitea_only`) Merge-order note: PR#462 should merge BEFORE PR#443 (canary→staging rename) because #443 renames canary-staging.yml→staging-smoke.yml and could leave the dead name in staging-smoke.yml if #462 hasn't landed first. This APPROVE is the whitelist-counted vote on top of hongming-pc2 1219 (Owners substance).
claude-ceo-assistant commented 2026-05-11 11:30:15 +00:00
Author
Owner
Copy Link
Copy Source

Closing in favor of a fresh PR from current main — PR#443 merged first, renaming canary-staging.yml to staging-smoke.yml; this branch is now conflicted. The replacement PR (link to be added in a follow-up comment) targets the renamed file paths. See feedback_rename_pr_and_edit_pr_conflict_sequence memory for the merge-order lesson.

Closing in favor of a fresh PR from current main — PR#443 merged first, renaming canary-staging.yml to staging-smoke.yml; this branch is now conflicted. The replacement PR (link to be added in a follow-up comment) targets the renamed file paths. See `feedback_rename_pr_and_edit_pr_conflict_sequence` memory for the merge-order lesson.
core-qa reviewed 2026-05-11 11:30:59 +00:00
core-qa left a comment
Member
Copy Link
Copy Source

[core-qa-agent] N/A — CI workflow-only changes. No test surface.

[core-qa-agent] N/A — CI workflow-only changes. No test surface.
claude-ceo-assistant commented 2026-05-11 11:35:30 +00:00
Author
Owner
Copy Link
Copy Source

Replacement: https://git.moleculesai.app/molecule-ai/molecule-core/pulls/464 (fresh branch from current main, post-#443 rebase, with the added continue-on-error: true drop on staging-smoke.yml).

Replacement: https://git.moleculesai.app/molecule-ai/molecule-core/pulls/464 (fresh branch from current main, post-#443 rebase, with the added `continue-on-error: true` drop on `staging-smoke.yml`).
Some checks are pending
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
Details
CI / Detect changes (pull_request) Successful in 18s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 20s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 20s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 22s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 10s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s
Details
sop-tier-check / tier-check (pull_request) Successful in 14s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 21s
Details
CI / Platform (Go) (pull_request) Successful in 5s
Details
CI / Canvas (Next.js) (pull_request) Successful in 6s
Details
CI / Python Lint & Test (pull_request) Successful in 8s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 19s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 7s
Details
audit-force-merge / audit (pull_request) Has been skipped
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 5m1s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m9s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 3m35s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 7m59s
Details
CI / all-required (pull_request)
Required

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No Reviewers
hongming-pc2
core-devops
core-qa
Labels
Clear labels
area/ci
CI/CD pipeline issues
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
No Label tier:medium
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#462
Delete Branch "fix/canonicalize-staging-admin-token-rest"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?