From 02aed7029162a06d58de6d0031fa2e83c4946168 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Molecule=20AI=20=C2=B7=20core-devops?=
Date: Mon, 11 May 2026 12:47:51 -0700
Subject: [PATCH] fix(ci): ci-required-drift uses scoped mc-drift-bot token (mirrors controlplane)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Companion to molecule-controlplane PR#134. The `ci-required-drift` detector calls GET /repos/{owner}/{repo}/branch_protections/{branch}, which Gitea 1.22.6 gates behind the repo-ADMIN role. The previous fallback chain (`secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN`) had only read or write — neither admin — so drift runs would 403.

Switch to `secrets.DRIFT_BOT_TOKEN`, owned by the new least-privilege `mc-drift-bot` persona (team: drift-bot, permission: admin, scope: read:repository,write:issue,read:organization, repos: this + CP).

Note: this repo's drift detector additionally requires the `all-required` sentinel job in ci.yml, which is being added in PR#553. After both PRs merge the drift workflow will be fully green.

Audit trail in internal#329. Sibling pattern: internal#327 (publish-runtime-bot). Per feedback_per_agent_gitea_identity_default.
---
 .gitea/workflows/ci-required-drift.yml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/.gitea/workflows/ci-required-drift.yml b/.gitea/workflows/ci-required-drift.yml
index 6bbdf94d..391c8874 100644
--- a/.gitea/workflows/ci-required-drift.yml
+++ b/.gitea/workflows/ci-required-drift.yml
@@ -77,13 +77,18 @@ jobs: run: python -m pip install --quiet 'PyYAML==6.0.2' - name: Run drift detector env: - # GITEA_TOKEN reads protection + writes issues. molecule-core - # uses `SOP_TIER_CHECK_TOKEN` as the org-level secret name for - # read-only Gitea API access from CI (set by audit-force-merge - # and sop-tier-check too). Falls back to the auto-injected - # GITHUB_TOKEN if the org-level secret isn't set - # (transitional repos). - GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }} + # DRIFT_BOT_TOKEN is owned by mc-drift-bot, a least-privilege + # Gitea persona whose ONLY job is reading branch_protections + # and posting the [ci-drift] tracking issue. The endpoint + # `GET /repos/.../branch_protections/{branch}` requires + # repo-ADMIN role (Gitea 1.22.6) — SOP_TIER_CHECK_TOKEN and the + # auto-injected GITHUB_TOKEN do NOT have it (read-only / write + # without admin), so the previous fallback chain 403'd. + # Mirrors the controlplane fix landed in CP PR#134. + # Provisioning trail: internal#329 (audit) + parent pattern + # internal#327 (publish-runtime-bot). Per + # `feedback_per_agent_gitea_identity_default`. + GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }} GITEA_HOST: git.moleculesai.app REPO: ${{ github.repository }} # Branches whose protection we compare against. molecule-core
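Review bot: with the `|| secrets.GITHUB_TOKEN` fallback removed, `GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }}` expands to an empty string in any repo or fork where the secret has not been provisioned, so the detector will make an unauthenticated request and fail with an error that does not point at the missing secret; add a fail-fast step before "Run drift detector" (for example `if [ -z "$GITEA_TOKEN" ]; then echo "DRIFT_BOT_TOKEN not set; see internal#329"; exit 1; fi`) so a missing secret is not mistaken for the scope problem this change fixes. The in-file comment calls the persona least-privilege while the commit message records `permission: admin` on this repo and CP; since the admin role is what the endpoint gates on, the comment should say that directly and name the `read:repository,write:issue,read:organization` scope as the part that actually bounds the token, so a later reader does not assume admin already implies wider API access. The twelve-line provenance block (CP PR#134, internal#329, internal#327, `feedback_per_agent_gitea_identity_default`) duplicates the commit message; the one-line reason (`requires repo-ADMIN role (Gitea 1.22.6)`) plus a pointer to internal#329 is enough in the workflow itself, and the dependency on the `all-required` sentinel from PR#553, which the commit message says must land before this workflow is green, is the thing worth recording here instead.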