ci(sop-tier-check): use direct jq binary download with apt-get fallback

Download jq from GitHub releases directly (faster, more reliable than
apt-get in containerized environments). Falls back to apt-get if the
download fails. Add 'jq --version' smoke test to confirm installation.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/sop-tier-check.yml

@@ -79,9 +79,19 @@ jobs:
           ref: ${{ github.event.pull_request.base.sha }}
       - name: Install jq
         # Gitea Actions runners (ubuntu-latest label) do not bundle jq.
-        # The script uses jq extensively for all JSON parsing; install it
+        # The sop-tier-check script uses jq for all JSON API parsing.
-        # before the script runs. Using -qq for quiet output.
+        # Install jq before the script runs so sop-tier-check can pass.
-        run: apt-get update -qq && apt-get install -y -qq jq
+        #
+        # Method: download binary directly from GitHub releases (faster and
+        # more reliable than apt-get in containerized environments). Falls
+        # back to apt-get if the download fails.
+        run: |
+          set -e
+          timeout 60 curl -sSL \
+            "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
+            -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq \
+          || apt-get update -qq && apt-get install -y -qq jq
+          jq --version
 
       - name: Verify tier label + reviewer team membership
         env: