forked from molecule-ai/molecule-core
2d096aa7ae
## Why Gitea 1.22.6's `pull_request_review` event doesn't refire workflows (go-gitea/gitea#33700). The existing sop-tier-check workflow subscribes to the review event, but the subscription is silently dead. When an approving review lands AFTER tier-check ran on PR-open/synchronize, the PR's `sop-tier-check / tier-check (pull_request)` status stays at failure forever, forcing the orchestrator down the admin force-merge path (audited via audit-force-merge.yml, but the audit trail keeps growing — see feedback_never_admin_merge_bypass). ## What New `.gitea/workflows/sop-tier-refire.yml` listening on `issue_comment` events. When a repo MEMBER/OWNER/COLLABORATOR comments `/refire-tier-check` on a PR, the workflow re-invokes the canonical sop-tier-check.sh and POSTs the resulting status directly to the PR head SHA (no empty commit, no git history bloat, no cascade re-fire of every other workflow). ## Security model Three gates in the workflow `if:` expression — all required: 1. `github.event.issue.pull_request != null` — comment is on a PR, not a plain issue. 2. `author_association` ∈ {MEMBER, OWNER, COLLABORATOR} — only repo collaborators+ can flip the status (per the internal#292 core-security review#1066 ask). 3. Comment body contains `/refire-tier-check` — slash-command-shaped, not just any word in normal review prose. Workflow does NOT check out PR HEAD; only HTTP-calls the Gitea API. Same trust boundary as sop-tier-check.yml's `pull_request_target`. ## DRY: re-uses sop-tier-check.sh Refire shells out to the canonical script with the same env the original workflow provides. We get the EXACT AND-composition gate, not a watered-down approving-count check. ## Rate-limit 30-second window between status updates per PR head SHA — prevents comment-spam status thrash. Override via SOP_REFIRE_RATE_LIMIT_SEC or disable for tests via SOP_REFIRE_DISABLE_RATE_LIMIT=1. ## Tests `.gitea/scripts/tests/test_sop_tier_refire.sh` — 23 assertions across T1-T7 covering: success POST, failure POST, no-op on closed, rate-limit skip, plus YAML-level checks of all three security gates. Real script runs against a local-fixture HTTP server (`_refire_fixture.py`) with a mock tier-check (`_mock_tier_check.sh`) — the latter sidesteps the known bash 3.2 (macOS dev) parser bug on `declare -A`; Linux Gitea runners (bash 4/5) use the real sop-tier-check.sh in production. Hostile self-review verified: - Tests FAIL on absent code (exit 1, FAIL=2 PASS=0 in existence-block). - Tests FAIL on swapped success/failure label (exit 1). - Tests PASS on correct code (exit 0, 23/23). ## Brief-falsification log (a) Keep using force_merge — no, this is the issue being closed. (b) Empty-commit re-trigger — no, status-POST is cleaner + faster + doesn't bloat git history. (c) author_association check in the script not the workflow — both work but workflow-level short-circuits faster (saves runner spin). (d) Re-implement a watered-down tier-check inside refire — no, that's a security regression (skips team-membership AND-composition). Refire shells out to the canonical script. Tier: tier:high (unblocks approved-PR-backlog drain class). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| tests | ||
| audit-force-merge.sh | ||
| ci-required-drift.py | ||
| main-red-watchdog.py | ||
| sop-tier-check.sh | ||
| sop-tier-refire.sh | ||