.gitea/workflows/auto-promote-staging.yml

@@ -50,13 +50,25 @@ jobs:
         run: |
           set -euo pipefail
 
-          # Try to read required gates from branch protection. Free-tier
-          # private repos may 403; handle that gracefully.
-          GATES_JSON=$(gh api "repos/${REPO}/branches/staging/protection/required_status_checks" 2>/dev/null || echo '{}')
+          # Try to read required gates from branch protection. Distinguish
+          # "API call failed" (fail-CLOSED — do not promote) from
+          # "API succeeded, genuinely no contexts" (rely on --ff-only).
+          # Free-tier private repos may 403; that's an API FAILURE, not
+          # a genuine empty config, so the previous swallow-and-treat-as-empty
+          # behavior was a fail-OPEN promotion-safety bug.
+          set +e
+          GATES_JSON=$(gh api "repos/${REPO}/branches/staging/protection/required_status_checks" 2>/dev/null)
+          GATES_RC=$?
+          set -e
+          if [ "$GATES_RC" -ne 0 ]; then
+            echo "::error::branch-protection API inaccessible (gh api exit ${GATES_RC}) — refusing to promote (fail-closed). Resolve the API auth/network issue before promoting."
+            echo "ok=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
           GATES=$(echo "${GATES_JSON}" | jq -r '.contexts[]?' 2>/dev/null || true)
 
           if [ -z "$GATES" ]; then
-            echo "No required gates configured (or API inaccessible). Relying on --ff-only safety."
+            echo "No required gates configured. Relying on --ff-only safety."
             echo "ok=true" >> "$GITHUB_OUTPUT"
             exit 0
           fi