fix(ci): gate-check-v3 fails on every PR — token lacks write:repository, --post-comment 403s #543

Closed
opened 2026-05-11 18:57:50 +00:00 by claude-ceo-assistant · 0 comments
Owner

Symptom (reproduces on every PR)

gate-check-v3 / gate-check (pull_request) reports Failing after 27s on:

  • molecule-core#535 (head e922351b and updated)
  • molecule-core#536 (head b95a20bb and updated)
  • confirmed by hongming-pc 2026-05-11 18:51Z as reproducing on multiple PRs

Root cause (sub-agent diagnosis, comment 12357 on #535)

Run log: tools/gate-check-v3/gate_check.py:514 (in run(), AFTER the verdict JSON CI_PENDING was emitted) dies with:

urllib.error.HTTPError: HTTP Error 403: Forbidden

Most likely the --post-comment POST call. The token (likely SOP_TIER_CHECK_TOKEN or the workflow-default) lacks write:repository scope required to comment on issues. This is the same class as internal#321 defect #2.

Why it matters

If gate-check-v3 / gate-check is (or becomes) a required status check, it blocks every PR merge across the merge-queue. Currently it's NOT in status_check_contexts on main (verified: only Secret scan + sop-tier-check required), so merges aren't blocked TODAY — but the red is noise that obscures real findings + signals broken CI hygiene.

Fix options (pick ONE)

Option A (preferred — keep least-privilege): make the script exit 0 if the VERDICT was OK even when the --post-comment POST 403s. The comment is informational; the job's conclusion IS the status. Same logic as RFC#324 A1-α's job-conclusion-status approach. Sidesteps needing write:repository entirely.

Pseudo-diff in tools/gate-check-v3/gate_check.py:

```python
import sys
import urllib.error

try:
    post_pr_comment(pr, body)
except urllib.error.HTTPError as e:
    if e.code == 403:
        # Token lacks write:repository; the comment is informational, so warn and continue.
        print(f'WARN: --post-comment 403 (token scope) — verdict={verdict}; skipping comment-post', file=sys.stderr)
    else:
        raise
```

Exit code derives from the verdict, not the comment-post success.
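Option A worked through as an added example (not the project's gate_check.py): the comment step tolerates only a 403, re-raises everything else, and the exit code comes from the verdict alone. `run_comment_step`, `make_poster`, `demo_outcomes` and the example.invalid URL are hypothetical stand-ins.

```python
# Added example, not the project's code: Option A's comment-post path in isolation.
import sys
import urllib.error


def run_comment_step(post_fn, pr, body, verdict_ok: bool) -> int:
    """Return the job's exit code: derived from the verdict, never from the comment POST."""
    try:
        post_fn(pr, body)
    except urllib.error.HTTPError as e:
        if e.code == 403:
            # Token lacks scope to comment; the comment is informational, so warn and go on.
            print(f"WARN: --post-comment 403 (token scope); verdict_ok={verdict_ok}; "
                  "skipping comment-post", file=sys.stderr)
        else:
            # Anything else (401, 404, 5xx) is a real failure of the script and must surface.
            raise
    return 0 if verdict_ok else 1


def make_poster(http_status=None):
    """Stand-in for post_pr_comment: succeeds, or raises HTTPError(http_status)."""
    def post(pr, body):
        if http_status is not None:
            raise urllib.error.HTTPError(
                f"https://example.invalid/api/repos/pr/{pr}/comments",  # constructed URL
                http_status, "constructed", {}, None)
    return post


def demo_outcomes() -> dict:
    """Exercise the four cases a reviewer would want to see before approving Option A."""
    out = {
        "ok_verdict_403": run_comment_step(make_poster(403), 535, "verdict: OK", True),
        "bad_verdict_403": run_comment_step(make_poster(403), 536, "verdict: FAIL", False),
        "ok_verdict_posted": run_comment_step(make_poster(), 535, "verdict: OK", True),
    }
    try:
        run_comment_step(make_poster(500), 535, "verdict: OK", True)
        out["non_403_reraised"] = False
    except urllib.error.HTTPError:
        out["non_403_reraised"] = True
    return out


if __name__ == "__main__":
    print(demo_outcomes())
```

The fourth case matters as much as the first: a blanket `except` would also hide a 401 from a revoked token, which is exactly the kind of finding the job should keep surfacing.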

Option B: give SOP_TIER_CHECK_TOKEN write:repository scope. But — we're retiring SOP_TIER_CHECK_TOKEN entirely per RFC#324 Step 4 (Remove SOP_TIER_CHECK_TOKEN from secret store after final delete PR merges), so this is throwaway work.

Option C: route through safe_curl / -K stdin pattern (per molecule-core#541 — defense-in-depth for RFC_324_TEAM_READ_TOKEN). Orthogonal to the scope issue — doesn't fix the 403 by itself.

Recommendation: Option A

  • One-line try/except in the comment-post path
  • No token-scope change (compatible with SOP_TIER_CHECK_TOKEN's upcoming retirement)
  • Comments still post when token IS scoped (no regression for properly-configured deployments)

Tier

tier:medium — currently noise (not a required check) but obscuring real CI findings + would become a merge-blocker if added to status_check_contexts.

Cross-links

  • molecule-core#535 + #536 — reproducing PRs
  • molecule-core#541 — related token-handling discipline (safe_curl for argv-exposed tokens)
  • internal#321 — sibling token-scope class (sop-tier-refire defect #2)
  • internal#324 — RFC retiring SOP_TIER_CHECK_TOKEN; this PR's fix should land BEFORE SOP_TIER_CHECK_TOKEN is removed

— filed by claude-ceo-assistant per hongming-pc directive 2026-05-11 18:51Z ("reproduces — warrants filing now, not 'if reproduces'")

claude-ceo-assistant added the securitytier:medium labels 2026-05-11 18:57:51 +00:00
core-devops self-assigned this 2026-05-11 19:08:03 +00:00
Reference: molecule-ai/molecule-core#543