infra: add CI / all-required sentinel (cross-repo hard-gate sweep) #11

Open
opened 2026-05-12 05:38:44 +00:00 by hongming · 3 comments
Owner

Context

Cross-repo sweep adding CI / all-required (pull_request) (or equivalent
single-sentinel context) to each repo's default-branch protection so that
"main cannot be merged until all CI is green" can be enforced via a single
required-status-check entry, instead of having to enumerate every individual
required job per repo.

Older sibling PATCH (audit trail): molecule-ai/internal#345 — the
molecule-core PATCH that landed first under Hongming GO 2026-05-11 04:50-04:54Z
("until all CICD green main should not be merged by PR" + "apply that to all
repos and all future ones").

This repo is in Class B of the audit: it has CI workflows, the default
branch (main) is protected, but there is no all-required sentinel
job that posts a single hard-gate context. Without that sentinel, adding
a single org-wide required-check entry is not possible without breaking the
existing per-job status-check shape on main.

Current state (main BP)

  • enable_status_check: true
  • status_check_contexts: ["Test / test (3.11) (pull_request)", "Test / test (3.12) (pull_request)", "Test / test (3.13) (pull_request)"]
  • required_approvals: 1

Discovered CI workflows

  • .gitea/workflows/auto-promote-staging.yml
  • .gitea/workflows/ci.yml
  • .gitea/workflows/publish.yml

Ask

Add (or rename) a workflow that posts a single all-required status under
the existing CI workflow name. Recommended pattern from molecule-controlplane:

# .gitea/workflows/ci.yml  (top-level workflow `name:` already exists)
jobs:
  # ...existing jobs...

  all-required:
    name: all-required
    needs: [<every other job id>]
    if: always()          # run even when a needed job failed, so the gate context is always posted
    runs-on: ubuntu-latest
    steps:
      - name: Verify all required jobs passed
        # join() flattens the per-job result list into one space-separated string;
        # any result other than success (failure, cancelled, skipped) fails the gate.
        run: |
          for result in ${{ join(needs.*.result, ' ') }}; do
            if [ "$result" != "success" ]; then
              echo "One or more required jobs failed: ${{ join(needs.*.result, ' ') }}"; exit 1
            fi
          done

Once that sentinel posts at least once on a PR against main, the BP
on this repo can be PATCHed to APPEND <workflow-name> / all-required (pull_request)
to status_check_contexts — at which point a single required-check entry
covers all CI on this repo.

Why "append, don't replace"

Per feedback_phantom_required_check_after_gitea_migration: never add a
required-check name that no workflow currently posts. Adding the sentinel
job (this PR's scope) must land and produce a check-run on the default
branch BEFORE the BP PATCH is applied, or the sentinel context will be a
phantom-required-check and block every PR forever.

Cross-links

  • molecule-ai/internal#345 — molecule-core PATCH audit trail (older sibling)
  • molecule-ai/internal#XXXX — this sweep's audit issue (to be filed; will
    link back here)
  • feedback_phantom_required_check_after_gitea_migration — the failure mode
    this discipline avoids
  • Hongming GO 2026-05-11 04:50-04:54Z (chat)

Out of scope

  • Removing or renaming existing required-check entries on main BP.
  • Touching staging/release branch BPs.
  • Adding workflows the repo doesn't already need; this issue only adds the
    meta-sentinel that gates on existing jobs.
Author
Owner

Cross-link: this issue's parent sweep audit is [molecule-ai/internal#349](https://git.moleculesai.app/molecule-ai/internal/issues/349). See that issue for the org-wide classification table and the larger (class-D, 53 repos without BP) scope-decision still pending.
Member

PR #13 (feat(ci): add all-required sentinel job) addresses this issue — adds CI / all-required (pull_request) context to the SDK Python CI workflow. The sentinel is queued in the merge queue.
sdk-dev self-assigned this 2026-05-16 18:45:41 +00:00
Member

I've implemented the all-required sentinel as PR #23. The changes:

  1. Renamed workflow name: from Test to CI — this changes existing context names from Test / test (3.x) to CI / test (3.x). The branch protection BP update (separate step) should replace Test / test (3.x) entries with CI / test (3.x) and add CI / all-required as a new required check.

  2. Added all-required job that needs: [test], uses if: always(), and fails if any matrix variant returned failure/cancelled/skipped.

CI is running on PR #23. Once it posts CI / all-required (pull_request) successfully, the BP can be updated.
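Added example (not code from this issue, PR #13 or PR #23) that encodes the "never require a context that nothing posts" rule from the "Why append, don't replace" section and applies it to the rename described in the comment above: it builds a proposed status_check_contexts list and refuses to emit the branch-protection PATCH body while any proposed context is absent from the statuses posted on the PR head. The BP values are the ones quoted in the issue; the status list is a constructed sample of what Gitea's commit-statuses endpoint returns after the Test to CI rename and the sentinel have run once, and the API paths in the comments are assumed from Gitea's REST API.

```python
import json

SENTINEL = "CI / all-required (pull_request)"

# This repo's current main BP, with the values quoted in the issue.
CURRENT_BP = {
    "enable_status_check": True,
    "status_check_contexts": [
        "Test / test (3.11) (pull_request)",
        "Test / test (3.12) (pull_request)",
        "Test / test (3.13) (pull_request)",
    ],
    "required_approvals": 1,
}

# Constructed sample of GET /repos/{owner}/{repo}/commits/{sha}/statuses on a PR head
# after the Test -> CI rename and the sentinel job have run once.
POSTED_AFTER_RENAME = [
    {"context": "CI / test (3.11) (pull_request)", "status": "success"},
    {"context": "CI / test (3.12) (pull_request)", "status": "success"},
    {"context": "CI / test (3.13) (pull_request)", "status": "success"},
    {"context": SENTINEL, "status": "success"},
]

def phantom_contexts(proposed, statuses):
    """Proposed required contexts that no workflow run has posted; each one would block every PR."""
    posted = {s["context"] for s in statuses}
    return [c for c in proposed if c not in posted]

def append_sentinel(contexts, sentinel=SENTINEL):
    """Append-only plan from the issue body: keep current entries, add the sentinel once."""
    return contexts + ([] if sentinel in contexts else [sentinel])

def rename_and_append(contexts, old="Test / ", new="CI / ", sentinel=SENTINEL):
    """Plan from the PR #23 comment: Test / ... entries become CI / ..., then append the sentinel."""
    renamed = [new + c[len(old):] if c.startswith(old) else c for c in contexts]
    return append_sentinel(renamed, sentinel)

def build_bp_patch(proposed, statuses):
    """Body for PATCH /repos/{owner}/{repo}/branch_protections/main, or None while
    any proposed context is still a phantom (never PATCH in that state)."""
    if phantom_contexts(proposed, statuses):
        return None
    return {"enable_status_check": True, "status_check_contexts": proposed}

if __name__ == "__main__":
    cur = CURRENT_BP["status_check_contexts"]
    for label, plan in (("append only", append_sentinel(cur)), ("rename + append", rename_and_append(cur))):
        body = build_bp_patch(plan, POSTED_AFTER_RENAME)
        print(label, "->", json.dumps(body) if body else "REFUSED, phantoms: %s" % phantom_contexts(plan, POSTED_AFTER_RENAME))
```

Run as-is it shows that, once the workflow has been renamed, the plain append-only plan leaves the three old Test contexts as phantoms and is refused, while the rename-plus-sentinel plan passes the guard.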
Reference: molecule-ai/molecule-sdk-python#11