From 1e26408997a9f317684b0ae95d5e22794ab62ab7 Mon Sep 17 00:00:00 2001
From: Molecule AI Infra-SRE
Date: Sat, 16 May 2026 18:30:11 +0000
Subject: [PATCH] fix(sop-checklist): use SOP_TIER_CHECK_TOKEN for review-refire job
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The review-refire job's qa-review and security-review refire steps were using RFC_324_TEAM_READ_TOKEN which has read-only scope. review-refire-status.sh POSTs to /repos/{owner}/{repo}/statuses/{sha} — requires write scope.

Same fix that PR #1366 applied to review-refire-comments.yml lines 73 and 90.

SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization and satisfies all required teams (qa, security, managers, engineers, ceo).

Reported by core-devops-agent review comments on PR #1333.

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/sop-checklist.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/sop-checklist.yml b/.gitea/workflows/sop-checklist.yml
index dcc9798f..4916eb2d 100644
--- a/.gitea/workflows/sop-checklist.yml
+++ b/.gitea/workflows/sop-checklist.yml
@@ -178,7 +178,10 @@ jobs:
 - name: Refire qa-review status
 if: steps.classify.outputs.run_qa == 'true'
 env:
- GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+ # RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
+ # review-refire-status.sh POSTs to /statuses — requires write scope.
+ # SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
 GITEA_HOST: git.moleculesai.app
 REPO: ${{ github.repository }}
 PR_NUMBER: ${{ github.event.issue.number }}
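Review bot: The `|| secrets.GITHUB_TOKEN` fallback kept on the new `GITEA_TOKEN` line means that if `SOP_TIER_CHECK_TOKEN` is missing, renamed or rotated away, the step silently POSTs under a different identity whose scopes are stated nowhere in this file — the same class of quiet misconfiguration the commit message says went unnoticed with `RFC_324_TEAM_READ_TOKEN`. Consider dropping the fallback, `GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN }}`, and adding a short guard step before the refire (`test -n "$GITEA_TOKEN" || { echo "SOP_TIER_CHECK_TOKEN is not set" >&2; exit 1; }`) so an absent secret fails the job with a clear message instead of a 401/403 from the status API. The added comment also records that this token carries `write:issue`, which posting to `/statuses` does not need; if this job is driven by `issue_comment` (suggested by `github.event.issue.number`), a dedicated token scoped to `write:repository` alone would narrow the blast radius should the refire path ever become reachable from an untrusted comment. The enclosing job and its trigger are outside this hunk, so the gating done by the `classify` step cannot be checked here.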
@@ -194,7 +197,10 @@ jobs:
 - name: Refire security-review status
 if: steps.classify.outputs.run_security == 'true'
 env:
- GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+ # RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
+ # review-refire-status.sh POSTs to /statuses — requires write scope.
+ # SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
 GITEA_HOST: git.moleculesai.app
 REPO: ${{ github.repository }}
 PR_NUMBER: ${{ github.event.issue.number }}
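Review bot: The three-line rationale comment and the four `env:` entries added to this step are a verbatim copy of the qa-review refire step in the previous hunk, so the token choice now has to be kept in sync in two places — the commit message notes the same paired edit was needed at lines 73 and 90 of review-refire-comments.yml. `GITEA_HOST`, `REPO` and `PR_NUMBER` carry no secret and could move to a job-level `env:`; I would keep `GITEA_TOKEN` per-step so the write-scoped token is only present in the environment of the two steps that actually POST, and shorten the comment here to `# Same token rationale as the qa-review refire step above.`. The job header is outside this hunk, so whether a job-level `env:` already exists cannot be seen from here.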