fix(review-refire-comments): use SOP_TIER_CHECK_TOKEN (write scope) for qa/security refires
Some checks failed
E2E API Smoke Test / E2E API Smoke Test (pull_request) Blocked by required conditions
E2E Chat / E2E Chat (pull_request) Blocked by required conditions
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Blocked by required conditions
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Blocked by required conditions
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Blocked by required conditions
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 18s
CI / Detect changes (pull_request) Successful in 30s
E2E API Smoke Test / detect-changes (pull_request) Successful in 25s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 38s
E2E Chat / detect-changes (pull_request) Successful in 25s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 21s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 18s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 17s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 2m10s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m58s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 26s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 2m5s
gate-check-v3 / gate-check (pull_request) Successful in 24s
qa-review / approved (pull_request) Failing after 19s
security-review / approved (pull_request) Failing after 19s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m33s
sop-checklist / all-items-acked (pull_request) Successful in 23s
sop-tier-check / tier-check (pull_request) Successful in 31s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 2m11s
CI / Python Lint & Test (pull_request) Successful in 8m23s
audit-force-merge / audit (pull_request) Waiting to run
CI / Canvas (Next.js) (pull_request) Successful in 24m1s
CI / Platform (Go) (pull_request) Successful in 27m55s
CI / Canvas Deploy Reminder (pull_request) Has been cancelled
CI / all-required (pull_request) Successful in 27m53s
Some checks failed
E2E API Smoke Test / E2E API Smoke Test (pull_request) Blocked by required conditions
E2E Chat / E2E Chat (pull_request) Blocked by required conditions
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Blocked by required conditions
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Blocked by required conditions
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Blocked by required conditions
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 18s
CI / Detect changes (pull_request) Successful in 30s
E2E API Smoke Test / detect-changes (pull_request) Successful in 25s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 38s
E2E Chat / detect-changes (pull_request) Successful in 25s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 21s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 18s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 17s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 2m10s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m58s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 26s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 2m5s
gate-check-v3 / gate-check (pull_request) Successful in 24s
qa-review / approved (pull_request) Failing after 19s
security-review / approved (pull_request) Failing after 19s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m33s
sop-checklist / all-items-acked (pull_request) Successful in 23s
sop-tier-check / tier-check (pull_request) Successful in 31s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 2m11s
CI / Python Lint & Test (pull_request) Successful in 8m23s
audit-force-merge / audit (pull_request) Waiting to run
CI / Canvas (Next.js) (pull_request) Successful in 24m1s
CI / Platform (Go) (pull_request) Successful in 27m55s
CI / Canvas Deploy Reminder (pull_request) Has been cancelled
CI / all-required (pull_request) Successful in 27m53s
review-refire-status.sh POSTs to /repos/{owner}/{repo}/statuses/{sha}.
RFC_324_TEAM_READ_TOKEN was provisioned read-only per RFC#324 §A1-a —
it can only read team membership, not write commit statuses.
SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization,
which is sufficient for both team membership checks (via read:organization)
and status posting (via write:repository).
Also fixes the same bug present in PR #1333 (which introduced the
RFC_324_TEAM_READ_TOKEN usage without addressing the write scope requirement).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
6cfe76b6dd
commit
64fed6f376
@ -70,7 +70,10 @@ jobs:
|
||||
- name: Refire qa-review status
|
||||
if: steps.classify.outputs.run_qa == 'true'
|
||||
env:
|
||||
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
# RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
|
||||
# review-refire-status.sh POSTs to /statuses — requires write scope.
|
||||
# SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
|
||||
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
PR_NUMBER: ${{ github.event.issue.number }}
|
||||
@ -87,7 +90,10 @@ jobs:
|
||||
- name: Refire security-review status
|
||||
if: steps.classify.outputs.run_security == 'true'
|
||||
env:
|
||||
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
# RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
|
||||
# review-refire-status.sh POSTs to /statuses — requires write scope.
|
||||
# SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
|
||||
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
|
||||
GITEA_HOST: git.moleculesai.app
|
||||
REPO: ${{ github.repository }}
|
||||
PR_NUMBER: ${{ github.event.issue.number }}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user