From 72730295323b732dddc3a15636e329c410bc696e Mon Sep 17 00:00:00 2001
From: Molecule AI Infra-SRE
Date: Wed, 13 May 2026 06:02:19 +0000
Subject: [PATCH] fix(ci): align REQUIRED_CHECKS in audit-force-merge.yml with branch protection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes F3a+F3b drift findings from mc#798 and mc#782.

Branch protection on main + staging requires:
- "CI / all-required (pull_request)"
- "sop-checklist / all-items-acked (pull_request)"

The previous REQUIRED_CHECKS listed sop-tier-check + Secret scan, which are not in branch protection — causing false-positive audit findings for force-merges AND missing the sop-checklist bypass as an unforced violation.

Note: sop-tier-check / Secret scan are real CI jobs that run but are not enforced by branch protection (CI/all-required covers tier via sop-tier-check.sh inline). The audit-force-merge.sh REQUIRED_CHECKS must match what branch protection actually requires, not what CI runs.

Fixes: molecule-ai/molecule-core#798 (also resolves mc#782)

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/audit-force-merge.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml
index 09f4eb7b..1115a5fc 100644
--- a/.gitea/workflows/audit-force-merge.yml
+++ b/.gitea/workflows/audit-force-merge.yml
@@ -52,7 +52,14 @@ jobs: # Declared here rather than fetched from /branch_protections # because that endpoint requires admin write — sop-tier-bot is # read-only by design (least-privilege). + # + # mc#798: F3a+F3b fix — staging/main branch protection requires: + # - "CI / all-required (pull_request)" + # - "sop-checklist / all-items-acked (pull_request)" + # The previous values (sop-tier-check, Secret scan) were not in + # branch protection — they would have caused false-positive audit + # findings AND missed unforced sop-checklist bypasses. REQUIRED_CHECKS: | - sop-tier-check / tier-check (pull_request) - Secret scan / Scan diff for credential-shaped strings (pull_request) + CI / all-required (pull_request) + sop-checklist / all-items-acked (pull_request) run: bash .gitea/scripts/audit-force-merge.sh
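Review bot: the hunk swaps one hardcoded list of check names for another, but nothing in it guards against the same drift recurring, which is the root cause the commit message attributes to mc#798 / mc#782 (F3a+F3b). Because the comment says `/branch_protections` cannot be queried by the read-only sop-tier-bot, pin the contract in the workflow itself: record in the comment which branches (main, staging) the list was verified against and when, and treat `CI / all-required (pull_request)` and `sop-checklist / all-items-acked (pull_request)` as exact, whitespace- and case-sensitive identifiers, so that any rename of the `CI` or `sop-checklist` workflow or job has to update this list in lockstep (a one-line pointer back to this file from those workflows would close the loop). Separately, the historical paragraph (`The previous values (sop-tier-check, Secret scan) were not in` / `branch protection — they would have caused false-positive audit` / `findings AND missed unforced sop-checklist bypasses.`) duplicates the commit message and will read as stale after the next change; keeping the inline comment to the current contract and leaving the history to git log is cleaner.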