From 22858d5f7f54a4d483136e2ee730bc192fe9785c Mon Sep 17 00:00:00 2001 From: Molecule AI Core-DevOps Date: Mon, 11 May 2026 06:34:28 +0000 Subject: [PATCH] fix(sop-tier-check): add jq fallback at script level + step-level continue-on-error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Root cause: Job-level `continue-on-error: true` is silently ignored by Gitea Actions (only step-level is supported). When the jq binary download fails on runners with restricted network access, the job reports "failure" and blocks all PR merges. Fixes: 1. Workflow: add `continue-on-error: true` to the "Install jq" step. This prevents the step's `set -e` from failing the job when curl can't reach GitHub releases. 2. Script: add jq binary download + apt-get fallback at script startup. Second line of defense — runs before script uses jq. Idempotent. Combined effect: if the workflow-level install fails, the script self- installs before using jq. Neither failure mode blocks PR merges. Co-Authored-By: Claude Opus 4.7 --- .gitea/scripts/sop-tier-check.sh | 14 ++++++++++++++ .gitea/workflows/sop-tier-check.yml | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/.gitea/scripts/sop-tier-check.sh b/.gitea/scripts/sop-tier-check.sh index c7b2c820..dba78d4b 100755 --- a/.gitea/scripts/sop-tier-check.sh +++ b/.gitea/scripts/sop-tier-check.sh 
@@ -44,6 +44,20 @@ set -euo pipefail +# Ensure jq is available. Runners may not have it pre-installed, and the +# workflow-level jq install can fail on runners with network restrictions +# (GitHub releases not reachable). This fallback is idempotent — no-op +# when jq is already on PATH. +if ! command -v jq &>/dev/null; then + echo "::notice::jq not found on PATH — installing..." + timeout 60 curl -sSL \ + "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \ + -o /usr/local/bin/jq \ + && chmod +x /usr/local/bin/jq \ + || apt-get update -qq && apt-get install -y -qq jq + echo "::notice::jq installed: $(jq --version)" +fi + debug() { if [ "${SOP_DEBUG:-}" = "1" ]; then echo " [debug] $*" >&2 diff --git a/.gitea/workflows/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml index 76750d50..9cc459b2 100644 --- a/.gitea/workflows/sop-tier-check.yml +++ b/.gitea/workflows/sop-tier-check.yml @@ -86,6 +86,12 @@ jobs: # more reliable than apt-get in containerized environments). Falls # back to apt-get if the download fails. The smoke test confirms # jq is on PATH before the main script runs. + # + # IMPORTANT: continue-on-error: true is REQUIRED at the step level. + # Job-level continue-on-error is ignored by Gitea Actions (only step + # level is supported). Without this, network failures on the jq curl + # download cause the entire job to fail and block all PRs. + continue-on-error: true run: | set -e timeout 60 curl -sSL \
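Review bot: The fallback list `… && chmod +x /usr/local/bin/jq || apt-get update -qq && apt-get install -y -qq jq` is not an either/or: `&&` and `||` have equal precedence, so `apt-get install` also runs after a successful download, and if curl and `apt-get update` both fail, `set -e` does not abort and the script goes on to print `jq installed:` with no jq present. curl runs without `-f`, so an HTTP error body would be written to `/usr/local/bin/jq`, made executable, and then satisfy `command -v jq` on every later run of a persistent runner. The binary is also placed on PATH with no integrity check, so a pinned SHA-256 should be verified first; the workflow step in the next hunk opens with the same `timeout 60 curl -sSL` call and, as far as the hunk shows, has the same gap. The sketch below downloads to a temp file, verifies the digest, uses an explicit `if`/`else` for the apt fallback, and stops with an error if jq is still missing.

```shell
if ! command -v jq &>/dev/null; then
  echo "::notice::jq not found on PATH — installing..."
  jq_tmp=$(mktemp)
  # -f: treat HTTP errors as failures so an error page is never installed as jq
  if timeout 60 curl -fsSL \
      "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
      -o "$jq_tmp" \
    && echo "<SHA256_OF_PINNED_JQ_BINARY>  $jq_tmp" | sha256sum -c --status -; then
    install -m 0755 "$jq_tmp" /usr/local/bin/jq
  else
    # presence is checked explicitly below, so do not let set -e decide here
    apt-get update -qq && apt-get install -y -qq jq || true
  fi
  rm -f -- "$jq_tmp"
  if ! command -v jq &>/dev/null; then
    echo "::error::jq could not be installed" >&2
    exit 1
  fi
  echo "::notice::jq installed: $(jq --version)"
fi
```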
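Review bot: `continue-on-error: true` covers the whole install step, so it also swallows a failing smoke test if the one described in the comment above lives in this same `run:` block (the block continues past the end of the hunk, so I cannot confirm). Since this workflow is a merge gate, the comment should state what keeps it failing closed once the step's result is ignored, for example `# The main script re-checks for jq and must exit non-zero if it is still missing.` If the smoke test is in this step, moving it into its own step without `continue-on-error` would keep that signal.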