The .github→.gitea migration left 3 secret-name drifts that mean the
ported workflows reference secret-store names that don't match the
canonical names. Renaming the workflow refs so the upcoming secret-store
PUT (#425 class-A) lands under the names the workflows actually look up:
- CP_STAGING_ADMIN_TOKEN -> CP_STAGING_ADMIN_API_TOKEN
(sweep-aws-secrets, sweep-cf-orphans, sweep-cf-tunnels — peers in
redeploy-tenants-on-staging + continuous-synth-e2e already use the
_API_TOKEN form; semantic precision wins, 3v2 caller split)
- CP_PROD_ADMIN_TOKEN -> CP_ADMIN_API_TOKEN
(same 3 sweep workflows — CP_ADMIN_API_TOKEN is already the canonical
name for the prod variant on molecule-controlplane, and matches
ops.sh's `mol_tenants` reading `CP_ADMIN_API_TOKEN` from Railway)
- MOLECULE_STAGING_OPENAI_KEY -> MOLECULE_STAGING_OPENAI_API_KEY
(canary-staging, continuous-synth-e2e, e2e-staging-saas — the `_KEY`
vs `_API_KEY` drift; peers are MOLECULE_STAGING_ANTHROPIC_API_KEY /
MOLECULE_STAGING_MINIMAX_API_KEY. Confirmed CONSUMED — langgraph +
hermes runtime tests use openai/gpt-4o and check the env presence —
so renamed, not deleted.)
KEPT as-is (no rename): CF_ACCOUNT_ID / CF_API_TOKEN / CF_ZONE_ID — these
are the documented CI-scoped duplicates of the operator-host CLOUDFLARE_*
admin names; renaming would touch 3 sweep workflows for zero functional
gain. Documented as CI-scoped-dup in the secrets-map follow-up.
Also updated the inline `for var in ...` presence-check loops + the
`required_secret_name="..."` error strings so the workflows' diagnostics
match the renamed names.
Sequence: this PR merges → #425 class-A PUT populates the secret store
under the canonical names → the 3 schedule-only reds (canary-staging,
sweep-aws-secrets, continuous-synth-e2e) go green within ~30 min →
watchdog #423 auto-closes their [main-red] issues.
Refs: molecule-core#425 (secret-store audit, Section D), internal#297.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hongming-pc2
2afcf5ab99