molecule-ai/molecule-core
41
0
Fork 2
Code Issues 103 Pull Requests 164 Actions 77 Packages Projects Releases Wiki Activity

fix(sop-checklist): use SOP_TIER_CHECK_TOKEN for review-refire job
Some checks failed
CI / Canvas Deploy Reminder (pull_request) Blocked by required conditions
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Blocked by required conditions
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 22s
Details
CI / Detect changes (pull_request) Successful in 34s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 46s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 32s
Details
E2E Chat / detect-changes (pull_request) Successful in 27s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 25s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 16s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 20s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 2m9s
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m52s
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 2m9s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 23s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 27s
Details
qa-review / approved (pull_request) Failing after 19s
Details
security-review / approved (pull_request) Failing after 18s
Details
gate-check-v3 / gate-check (pull_request) Failing after 23s
Details
sop-checklist / all-items-acked (pull_request) Successful in 19s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m45s
Details
sop-tier-check / tier-check (pull_request) Successful in 27s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m58s
Details
CI / Python Lint & Test (pull_request) Successful in 8m37s
Details
CI / Canvas (Next.js) (pull_request) Successful in 25m52s
Details
CI / Platform (Go) (pull_request) Successful in 29m33s
Details
CI / all-required (pull_request) Successful in 28m10s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 14s
Details
E2E Chat / E2E Chat (pull_request) Successful in 24s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 16s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 12s
Details

Browse Source 
The review-refire job's qa-review and security-review refire steps were
using RFC_324_TEAM_READ_TOKEN which has read-only scope. review-refire-status.sh
POSTs to /repos/{owner}/{repo}/statuses/{sha} — requires write scope.

Same fix that PR #1366 applied to review-refire-comments.yml lines 73 and 90.
SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization
and satisfies all required teams (qa, security, managers, engineers, ceo).

Reported by core-devops-agent review comments on PR #1333.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Molecule AI · infra-sre 2026-05-16 18:30:11 +00:00
parent 8f416bba26
commit 5396a97a99
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.gitea/workflows/sop-checklist.yml
View File

@ -178,7 +178,10 @@ jobs:
- name: Refire qa-review status
if: steps.classify.outputs.run_qa == 'true'
env:
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
# RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
# review-refire-status.sh POSTs to /statuses — requires write scope.
# SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.issue.number }}
@ -194,7 +197,10 @@ jobs:
- name: Refire security-review status
if: steps.classify.outputs.run_security == 'true'
env:
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
# RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
# review-refire-status.sh POSTs to /statuses — requires write scope.
# SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.issue.number }}