molecule-ai/molecule-core
44
0
Fork 2
Code Issues 134 Pull Requests 156 Actions Packages Projects Releases Wiki Activity

fix(ci): avoid pipefail false negative in Docker check #953

Closed
hongming wants to merge 0 commits from fix/docker-info-pipefail into main
pull from: fix/docker-info-pipefail
merge into: molecule-ai:main
Conversation 9 Commits - Files Changed -
hongming commented 2026-05-14 04:04:44 +00:00
Owner
Copy Link
Copy Source

Summary

  • fix the workspace-server image publish workflow's Docker daemon health check so it does not fail on docker info | head -5 under set -o pipefail
  • capture docker info output first, print the first five lines with sed, and only fail when docker info itself fails

Root cause

Current molecule-core/main SHA 12899f2a07d5 failed publish-workspace-server-image / build-and-push (push). The log showed Docker was reachable and printed client information, then the health check emitted Docker daemon is not accessible. With pipefail, docker info 2>&1 | head -5 can fail when head exits early and docker info receives SIGPIPE, creating a false daemon-access failure.

Verification

  • python3 .gitea/scripts/lint-workflow-yaml.py --workflow-dir .gitea/workflows
  • git diff --check

SOP checklist

  • Phase 1 evidence: inspected current-head status, DB run/job/task correlation, and failing runner log molecule-ai/molecule-core/81/70273.log
  • Phase 2 design: use the existing safe pattern from .gitea/workflows/publish-canvas-image.yml
  • Phase 3 implementation: one workflow-only fix, no infra mutation
  • Phase 4 verification: workflow lint + diff whitespace check
## Summary - fix the workspace-server image publish workflow's Docker daemon health check so it does not fail on `docker info | head -5` under `set -o pipefail` - capture `docker info` output first, print the first five lines with `sed`, and only fail when `docker info` itself fails ## Root cause Current `molecule-core/main` SHA `12899f2a07d5` failed `publish-workspace-server-image / build-and-push (push)`. The log showed Docker was reachable and printed client information, then the health check emitted `Docker daemon is not accessible`. With `pipefail`, `docker info 2>&1 | head -5` can fail when `head` exits early and `docker info` receives SIGPIPE, creating a false daemon-access failure. ## Verification - `python3 .gitea/scripts/lint-workflow-yaml.py --workflow-dir .gitea/workflows` - `git diff --check` ## SOP checklist - [x] Phase 1 evidence: inspected current-head status, DB run/job/task correlation, and failing runner log `molecule-ai/molecule-core/81/70273.log` - [x] Phase 2 design: use the existing safe pattern from `.gitea/workflows/publish-canvas-image.yml` - [x] Phase 3 implementation: one workflow-only fix, no infra mutation - [x] Phase 4 verification: workflow lint + diff whitespace check
hongming added 1 commit 2026-05-14 04:04:52 +00:00
fix(ci): avoid pipefail false negative in Docker check
CI / Platform (Go) (pull_request) Blocked by required conditions
Details
CI / Canvas (Next.js) (pull_request) Blocked by required conditions
Details
CI / Shellcheck (E2E scripts) (pull_request) Blocked by required conditions
Details
CI / Canvas Deploy Reminder (pull_request) Blocked by required conditions
Details
CI / Python Lint & Test (pull_request) Blocked by required conditions
Details
CI / all-required (pull_request) Blocked by required conditions
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Blocked by required conditions
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Blocked by required conditions
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Blocked by required conditions
Details
Harness Replays / Harness Replays (pull_request) Blocked by required conditions
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Blocked by required conditions
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 25s
Details
CI / Detect changes (pull_request) Successful in 52s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m11s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m9s
Details
Harness Replays / detect-changes (pull_request) Successful in 21s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 58s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 13s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 12s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 25s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m20s
Details
gate-check-v3 / gate-check (pull_request) Successful in 20s
Details
qa-review / approved (pull_request) Failing after 14s
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m58s
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 2m10s
Details
security-review / approved (pull_request) Failing after 24s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m49s
Details
sop-checklist-gate / gate (pull_request) Failing after 15s
Details
sop-tier-check / tier-check (pull_request) Successful in 11s
Details
ebf690cb58
devops-engineer force-pushed fix/docker-info-pipefail from ebf690cb58 to 77e3433a73 2026-05-14 04:05:51 +00:00 Compare
infra-sre reviewed 2026-05-14 04:06:57 +00:00
infra-sre left a comment
Member
Copy Link
Copy Source

Note: Superseded by PR #952

PR #952 (same author, same base) contains this fix PLUS Rule 10 added to lint-workflow-yaml.py to prevent future recurrence. Recommend closing #953 as duplicate — #952 is the more complete fix.

## Note: Superseded by PR #952 PR #952 (same author, same base) contains this fix PLUS Rule 10 added to `lint-workflow-yaml.py` to prevent future recurrence. Recommend closing #953 as duplicate — #952 is the more complete fix.
core-devops commented 2026-05-14 04:08:17 +00:00
Member
Copy Link
Copy Source

[core-devops-agent] Review: BLOCKED — canvas regression concern

Workflow fix is correct

The Docker healthcheck fix (capture to var, then print with sed) is correct and needed.

Canvas changes regress #949 (WCAG AA contrast round 4)

PR #949 (merged at 065a709e) REMOVED opacity from text-bad/text-good to improve WCAG contrast:

  • text-bad/80text-bad (removes opacity)
  • text-good/60text-good (removes opacity)

PR #953 adds the opacity BACK in the same files:

  • text-badtext-bad/80 (adds opacity back — regresses #949)
  • text-badtext-bad/70 (adds opacity back — regresses #949)

This is a canvas regression. Recommend: split PR #953 into workflow-only (same as #952) OR drop the canvas changes and match #949's approach.

Conflict with #952

PR #952 also fixes the Docker healthcheck (with lint Rule 10 + tests). #952 and #953 target the same workflow change. Recommend closing #952 in favor of #953 (if narrowed to workflow-only) OR closing #953 and keeping #952 (which has lint regression-prevention tests).

Request

Narrow #953 to only the workflow fix, or close it and rely on #952.

[core-devops-agent] Review: BLOCKED — canvas regression concern ## Workflow fix is correct The Docker healthcheck fix (capture to var, then print with sed) is correct and needed. ## Canvas changes regress #949 (WCAG AA contrast round 4) PR #949 (merged at 065a709e) REMOVED opacity from text-bad/text-good to improve WCAG contrast: - `text-bad/80` → `text-bad` (removes opacity) - `text-good/60` → `text-good` (removes opacity) PR #953 adds the opacity BACK in the same files: - `text-bad` → `text-bad/80` (adds opacity back — regresses #949) - `text-bad` → `text-bad/70` (adds opacity back — regresses #949) This is a canvas regression. Recommend: split PR #953 into workflow-only (same as #952) OR drop the canvas changes and match #949's approach. ## Conflict with #952 PR #952 also fixes the Docker healthcheck (with lint Rule 10 + tests). #952 and #953 target the same workflow change. Recommend closing #952 in favor of #953 (if narrowed to workflow-only) OR closing #953 and keeping #952 (which has lint regression-prevention tests). ## Request Narrow #953 to only the workflow fix, or close it and rely on #952.
core-qa commented 2026-05-14 04:08:34 +00:00
Member
Copy Link
Copy Source

/sop-ack comprehensive-testing

/sop-ack comprehensive-testing
core-qa commented 2026-05-14 04:08:46 +00:00
Member
Copy Link
Copy Source

/sop-ack local-postgres-e2e

/sop-ack local-postgres-e2e
core-qa commented 2026-05-14 04:08:54 +00:00
Member
Copy Link
Copy Source

/sop-ack staging-smoke

/sop-ack staging-smoke
core-qa commented 2026-05-14 04:09:09 +00:00
Member
Copy Link
Copy Source

/sop-ack five-axis-review

/sop-ack five-axis-review
core-qa commented 2026-05-14 04:09:24 +00:00
Member
Copy Link
Copy Source

/sop-ack memory-consulted

/sop-ack memory-consulted
sdk-lead added the merge-queue label 2026-05-14 04:09:27 +00:00
devops-engineer approved these changes 2026-05-14 04:09:37 +00:00
devops-engineer left a comment
Member
Copy Link
Copy Source

tier:low LGTM

tier:low LGTM
devops-engineer force-pushed fix/docker-info-pipefail from 77e3433a73 to 61c8964cfc 2026-05-14 04:12:07 +00:00 Compare
devops-engineer approved these changes 2026-05-14 04:12:21 +00:00
devops-engineer left a comment
Member
Copy Link
Copy Source

tier:low LGTM

tier:low LGTM
devops-engineer force-pushed fix/docker-info-pipefail from 61c8964cfc to 38d12c6d41 2026-05-14 04:13:05 +00:00 Compare
devops-engineer closed this pull request 2026-05-14 04:13:29 +00:00
Some required checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Waiting to run
Details
CI / Detect changes (pull_request) Waiting to run
Details
E2E API Smoke Test / detect-changes (pull_request) Waiting to run
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Waiting to run
Details
Handlers Postgres Integration / detect-changes (pull_request) Waiting to run
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Waiting to run
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Waiting to run
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Waiting to run
Details
gate-check-v3 / gate-check (pull_request) Waiting to run
Details
qa-review / approved (pull_request) Waiting to run
Details
security-review / approved (pull_request) Waiting to run
Details
sop-checklist / all-items-acked (pull_request) Waiting to run
Details
sop-tier-check / tier-check (pull_request) Waiting to run
Details
Block internal-flavored paths / Block forbidden paths (push) Successful in 11s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (push) Successful in 12s
Details
E2E API Smoke Test / detect-changes (push) Successful in 40s
Details
Handlers Postgres Integration / detect-changes (push) Successful in 35s
Details
E2E Staging Canvas (Playwright) / detect-changes (push) Successful in 39s
Details
CI / Detect changes (push) Successful in 42s
Details
Secret scan / Scan diff for credential-shaped strings (push) Successful in 15s
Details
Runtime PR-Built Compatibility / detect-changes (push) Successful in 29s
Details
Sweep stale Cloudflare DNS records / Sweep CF orphans (push) Successful in 20s
Details
CI / Platform (Go) (push) Successful in 13s
Details
Ops Scripts Tests / Ops scripts (unittest) (push) Successful in 1m22s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (push) Successful in 1m40s
Details
E2E API Smoke Test / E2E API Smoke Test (push) Successful in 15s
Details
CI / Canvas (Next.js) (push) Successful in 9s
Details
CI / Shellcheck (E2E scripts) (push) Successful in 6s
Details
CI / Python Lint & Test (push) Successful in 7s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (push) Successful in 2m19s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (push) Successful in 14s
Details
CI / Canvas Deploy Reminder (push) Successful in 5s
Details
CI / all-required (push) Successful in 6s
Details
Handlers Postgres Integration / Handlers Postgres Integration (push) Successful in 4m38s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (push) Successful in 2m35s
Details
ci-required-drift / drift (push) Successful in 2m37s
Details
publish-workspace-server-image / build-and-push (push) Successful in 8m42s
Details
publish-workspace-server-image / Production auto-deploy (push) Failing after 2m4s
Details
status-reaper / reap (push) Has started running
Details
Sweep stale e2e-* orgs (staging) / Sweep e2e orgs (push) Successful in 12s
Details
gitea-merge-queue / queue (push) Successful in 30s
Details
Staging SaaS smoke (every 30 min) / Staging SaaS smoke (push) Successful in 4m34s
Details
Continuous synthetic E2E (staging) / Synthetic E2E against staging (push) Successful in 4m53s
Details
redeploy-tenants-on-main / redeploy (push) Compensated by status-reaper (workflow has no push: trigger; Gitea 1.22.6 hardcoded-suffix bug — see .gitea/scripts/status-reaper.py)
Details
CI / Platform (Go) (pull_request) Has been cancelled
Details
CI / Canvas (Next.js) (pull_request) Has been cancelled
Details
CI / Shellcheck (E2E scripts) (pull_request) Has been cancelled
Details
CI / Canvas Deploy Reminder (pull_request) Has been cancelled
Details
CI / Python Lint & Test (pull_request) Has been cancelled
Details
CI / all-required (pull_request) Has been cancelled
Required
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Has been cancelled
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Has been cancelled
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Has been cancelled
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Has been cancelled
Details

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No Reviewers
infra-sre
devops-engineer
Labels
Clear labels
area/ci
CI/CD pipeline issues
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
No Label merge-queue
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
5 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#953
Delete Branch "fix/docker-info-pipefail"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?