fix(ci): align REQUIRED_CHECKS in audit-force-merge.yml with branch protection

Fixes F3a+F3b drift findings from mc#798 and mc#782.

Branch protection on main + staging requires:
  - "CI / all-required (pull_request)"
  - "sop-checklist / all-items-acked (pull_request)"

The previous REQUIRED_CHECKS listed sop-tier-check + Secret scan, which
are not in branch protection — causing false-positive audit findings for
force-merges AND missing the sop-checklist bypass as an unforced violation.

Note: sop-tier-check / Secret scan are real CI jobs that run but are
not enforced by branch protection (CI/all-required covers tier via
sop-tier-check.sh inline). The audit-force-merge.sh REQUIRED_CHECKS
must match what branch protection actually requires, not what CI runs.

Fixes: molecule-ai/molecule-core#798 (also resolves mc#782)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Molecule AI · infra-sre 2026-05-13 06:02:19 +00:00
parent 0642b7c3a9
commit 7273029532


@ -52,7 +52,14 @@ jobs:
# Declared here rather than fetched from /branch_protections
# because that endpoint requires admin write — sop-tier-bot is
# read-only by design (least-privilege).
#
# mc#798: F3a+F3b fix — staging/main branch protection requires:
# - "CI / all-required (pull_request)"
# - "sop-checklist / all-items-acked (pull_request)"
# The previous values (sop-tier-check, Secret scan) were not in
# branch protection — they would have caused false-positive audit
# findings AND missed unforced sop-checklist bypasses.
REQUIRED_CHECKS: |
sop-tier-check / tier-check (pull_request)
Secret scan / Scan diff for credential-shaped strings (pull_request)
CI / all-required (pull_request)
sop-checklist / all-items-acked (pull_request)
run: bash .gitea/scripts/audit-force-merge.sh
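Review bot: the new REQUIRED_CHECKS block scalar is still a hand-maintained copy of the branch-protection contexts, so the same F3a/F3b drift can recur silently the next time protection on main or staging is edited; since the comment explains the list cannot be fetched from /branch_protections under the read-only bot, add a line to that comment naming where the protection rules are managed (and who owns updating this block) or schedule a periodic comparison so a mismatch surfaces as a CI failure rather than as false-positive or missed audit findings. Also worth stating in the comment that, because "Secret scan / Scan diff for credential-shaped strings (pull_request)" is dropped from the list, a force-merge that skipped that job is by design no longer reported by audit-force-merge.sh, so readers do not reintroduce it later thinking it was omitted by mistake. The entries must match the protection context strings character for character, including the " (pull_request)" suffix, so a trailing-whitespace or case difference in the block scalar would cause the script to miss a required check.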