fix(sop-tier-check): flip jq install to apt-get-first (infra#241 follow-up)

GitHub releases are unreachable from Gitea runners — curl to github.com times out after ~3s. The previous GitHub-first/apt-get-fallback never reached apt-get, leaving jq uninstalled and blocking all CI. Flip both the workflow step and the script fallback to apt-get first, with GitHub binary as secondary fallback for environments where apt-get jq is also unavailable. Closes #428. Co-Authored-By: Molecule AI · core-be <core-be@agents.moleculesai.app>
2026-05-11 08:26:33 +00:00 · 2026-05-11 08:26:33 +00:00 · bd51e39fa4
commit bd51e39fa4
parent 85b3e42c01
2 changed files with 25 additions and 16 deletions
--- a/.gitea/scripts/sop-tier-check.sh
+++ b/.gitea/scripts/sop-tier-check.sh
@ -50,17 +50,19 @@ set -euo pipefail
 # when jq is already on PATH.
 if ! command -v jq >/dev/null 2>&1; then
  echo "::notice::jq not found on PATH — attempting install..."
-  # Download jq binary; fall back to apt-get. Use subshell to isolate
-  # from set -e so a failed install doesn't exit the script.
+  # apt-get first: GitHub releases are unreachable from Gitea runners
+  # (curl to github.com times out after ~3s). GitHub binary remains as
+  # secondary fallback for environments where apt-get jq is also unavailable.
+  # Use subshell to isolate from set -e so a failed install doesn't exit.
  (
+    apt-get update -qq && apt-get install -y -qq jq \
+    && echo "::notice::jq apt-installed: $(jq --version)"
+  ) || {
    timeout 60 curl -sSL \
      "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
      -o /usr/local/bin/jq \
    && chmod +x /usr/local/bin/jq \
-    && echo "::notice::jq binary installed: $(/usr/local/bin/jq --version)" \
-  ) || {
-    apt-get update -qq && apt-get install -y -qq jq \
-    && echo "::notice::jq apt-installed: $(jq --version)"
+    && echo "::notice::jq binary installed: $(/usr/local/bin/jq --version)"
  }
  # Verify jq is now available; if not, exit with clear error
  if ! command -v jq >/dev/null 2>&1; then
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
@ -82,22 +82,29 @@ jobs:
        # The sop-tier-check script uses jq for all JSON API parsing.
        # Install jq before the script runs so sop-tier-check can pass.
        #
-        # Method: download binary directly from GitHub releases (faster and
-        # more reliable than apt-get in containerized environments). Falls
-        # back to apt-get if the download fails. The smoke test confirms
-        # jq is on PATH before the main script runs.
+        # Method: apt-get first (Gitea runner containers have apt-cache;
+        # GitHub binary downloads are unreachable — curl to github.com times
+        # out after ~3s and never reaches apt-get fallback). GitHub binary
+        # remains as secondary fallback for environments where apt-get jq is
+        # also unavailable. The smoke test confirms jq is on PATH.
        #
        # continue-on-error: true ensures this step failing does not fail the
        # job. The sop-tier-check script has its own jq fallback as a second
        # line of defense — this step failing gracefully is acceptable.
        continue-on-error: true
        run: |
-          timeout 60 curl -sSL \
-            "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
-            -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq \
-          || apt-get update -qq && apt-get install -y -qq jq \
-          || echo "::warning::jq install methods failed — script fallback will retry"
-          jq --version 2>/dev/null || echo "::notice::jq not yet available — script will install"
+          # apt-get first (GitHub unreachable from Gitea runners; infra#241).
+          apt-get update -qq && apt-get install -y -qq jq \
+          || echo "::warning::jq apt-get failed — trying GitHub binary..."
+          # GitHub binary as secondary fallback for environments where apt-get
+          # jq is unavailable (e.g. offline containers).
+          if ! command -v jq >/dev/null 2>&1; then
+            timeout 60 curl -sSL \
+              "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
+              -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq \
+            || echo "::warning::jq GitHub binary also failed — script fallback will retry"
+          fi
+          jq --version 2>/dev/null || echo "::notice::jq not yet on PATH — script will retry"

      - name: Verify tier label + reviewer team membership
        # continue-on-error: true at step level — job-level is ignored by Gitea