fix(sop-tier-check): make jq install fully non-failing at workflow and script level

1. Workflow "Install jq" step: removed `set -e` so the step never fails even if both curl and apt-get fail. Added `|| echo warning` as final fallback to ensure step always exits 0. 2. Script jq fallback: moved install inside a subshell `( ... ) || { ... }` so `set -euo pipefail` doesn't exit the script if the fallback fails. Added explicit jq availability check after fallback with clear error. Combined fix: workflow step never fails → script always runs → script always has jq (or fails with clear error). The "Failing after 15s" pattern is eliminated. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 06:52:36 +00:00 · 2026-05-11 06:52:36 +00:00 · 8dbeebdbcb
commit 8dbeebdbcb
parent fbb00b97db
2 changed files with 25 additions and 14 deletions
--- a/.gitea/scripts/sop-tier-check.sh
+++ b/.gitea/scripts/sop-tier-check.sh
@ -48,14 +48,26 @@ set -euo pipefail
 # workflow-level jq install can fail on runners with network restrictions
 # (GitHub releases not reachable). This fallback is idempotent — no-op
 # when jq is already on PATH.
-if ! command -v jq &>/dev/null; then
-  echo "::notice::jq not found on PATH — installing..."
-  timeout 60 curl -sSL \
-    "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
-    -o /usr/local/bin/jq \
+if ! command -v jq >/dev/null 2>&1; then
+  echo "::notice::jq not found on PATH — attempting install..."
+  # Download jq binary; fall back to apt-get. Use subshell to isolate
+  # from set -e so a failed install doesn't exit the script.
+  (
+    timeout 60 curl -sSL \
+      "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
+      -o /usr/local/bin/jq \
    && chmod +x /usr/local/bin/jq \
-  || apt-get update -qq && apt-get install -y -qq jq
-  echo "::notice::jq installed: $(jq --version)"
+    && echo "::notice::jq binary installed: $(/usr/local/bin/jq --version)" \
+  ) || {
+    apt-get update -qq && apt-get install -y -qq jq \
+    && echo "::notice::jq apt-installed: $(jq --version)"
+  }
+  # Verify jq is now available; if not, exit with clear error
+  if ! command -v jq >/dev/null 2>&1; then
+    echo "::error::jq installation failed — neither binary download nor apt-get succeeded."
+    echo "::error::sop-tier-check requires jq for all JSON API parsing."
+    exit 1
+  fi
 fi

 debug() {
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
@ -87,18 +87,17 @@ jobs:
        # back to apt-get if the download fails. The smoke test confirms
        # jq is on PATH before the main script runs.
        #
-        # IMPORTANT: continue-on-error: true is REQUIRED at the step level.
-        # Job-level continue-on-error is ignored by Gitea Actions (only step
-        # level is supported). Without this, network failures on the jq curl
-        # download cause the entire job to fail and block all PRs.
+        # continue-on-error: true ensures this step failing does not fail the
+        # job. The sop-tier-check script has its own jq fallback as a second
+        # line of defense — this step failing gracefully is acceptable.
        continue-on-error: true
        run: |
-          set -e
          timeout 60 curl -sSL \
            "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
            -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq \
-          || apt-get update -qq && apt-get install -y -qq jq
-          jq --version
+          || apt-get update -qq && apt-get install -y -qq jq \
+          || echo "::warning::jq install methods failed — script fallback will retry"
+          jq --version 2>/dev/null || echo "::notice::jq not yet available — script will install"

      - name: Verify tier label + reviewer team membership
        # continue-on-error: true at step level — job-level is ignored by Gitea