From 7f56b7cd6c5c3180c2ffcea505a316c7799fae62 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Sat, 16 May 2026 01:12:43 +0000
Subject: [PATCH 1/2] infra(sop-tier-check): drop GITHUB_TOKEN fallback + add :? guard (internal#316)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Drop `|| secrets.GITHUB_TOKEN` fallback from sop-tier-check.yml and audit-force-merge.yml. GITHUB_TOKEN lacks read:org scope — it never satisfies the team-membership gate; the fallback just disguises a missing SOP_TIER_CHECK_TOKEN as a confusing 403 mid-script.
- Add `: "${GITEA_TOKEN:?GITEA_TOKEN env var required — set SOP_TIER_CHECK_TOKEN in repo secrets}"` guard to sop-tier-check.sh. audit-force-merge.sh already had the guard; improved the message.
- Re-add missing `concurrency` block to sop-tier-check.yml (dropped by linter in prior session; restores cancellation of stale runs).

Refs: internal#316
---
 .gitea/scripts/audit-force-merge.sh | 5 ++++-
 .gitea/scripts/sop-tier-check.sh | 6 ++++++
 .gitea/workflows/audit-force-merge.yml | 6 +++++-
 .gitea/workflows/sop-tier-check.yml | 13 ++++++++++++-
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/.gitea/scripts/audit-force-merge.sh b/.gitea/scripts/audit-force-merge.sh
index 10ee9e6bf..e07ddff84 100755
--- a/.gitea/scripts/audit-force-merge.sh
+++ b/.gitea/scripts/audit-force-merge.sh
@@ -30,7 +30,10 @@ set -euo pipefail
-: "${GITEA_TOKEN:?required}"
+# Fail-fast on missing token — internal#316: drop the || GITHUB_TOKEN
+# fallback from audit-force-merge.yml; the guard here makes the missing-
+# secret failure obvious.
+: "${GITEA_TOKEN:?GITEA_TOKEN env var required — set SOP_TIER_CHECK_TOKEN in repo secrets}"
 : "${GITEA_HOST:?required}"
 : "${REPO:?required}"
 : "${PR_NUMBER:?required}"
diff --git a/.gitea/scripts/sop-tier-check.sh b/.gitea/scripts/sop-tier-check.sh
index afd13e48b..5b19b2419 100755
--- a/.gitea/scripts/sop-tier-check.sh
+++ b/.gitea/scripts/sop-tier-check.sh
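Review bot: The new guard message sends the operator to "repo secrets" for SOP_TIER_CHECK_TOKEN, while the workflow that feeds this script (kept context line in audit-force-merge.yml, `# Same org-level secret the sop-tier-check workflow uses.`) calls it an org-level secret; the identical wording is used in the guard added to sop-tier-check.sh in the next hunk. Whoever hits this error will look in the wrong settings page, so name the real scope, e.g. `: "${GITEA_TOKEN:?GITEA_TOKEN env var required — set the SOP_TIER_CHECK_TOKEN org/repo secret}"`, or correct the workflow comment if the secret is in fact repo-level. Separately, the added comment is phrased as an open task (`internal#316: drop the || GITHUB_TOKEN fallback ...`) rather than a record of what was done; `# internal#316 dropped the || GITHUB_TOKEN fallback from audit-force-merge.yml, so this guard is now the only signal for a missing secret.` states the current situation.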
@@ -44,6 +44,12 @@ set -euo pipefail
+# Fail-fast on missing token — produces a clear error at line 1 rather
+# than a confusing 403 mid-script when GITHUB_TOKEN lacks read:org scope.
+# internal#316: drop the || GITHUB_TOKEN fallback in sop-tier-check.yml;
+# the guard here makes the missing-secret failure obvious.
+: "${GITEA_TOKEN:?GITEA_TOKEN env var required — set SOP_TIER_CHECK_TOKEN in repo secrets}"
+
 # Ensure jq is available. Runners may not have it pre-installed, and the
 # workflow-level jq install can fail on runners with network restrictions
 # (GitHub releases not reachable from some runner networks — infra#241
diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml
index b3441bcaa..9e754cb53 100644
--- a/.gitea/workflows/audit-force-merge.yml
+++ b/.gitea/workflows/audit-force-merge.yml
@@ -42,7 +42,11 @@ jobs:
 - name: Detect force-merge + emit audit event
 env:
 # Same org-level secret the sop-tier-check workflow uses.
- GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+ # No fallback to GITHUB_TOKEN — that token lacks read:org scope needed
+ # for team membership probes. A missing SOP_TIER_CHECK_TOKEN produces a
+ # clear failure at script entry (via :? guard in audit-force-merge.sh),
+ # not a confusing 403 mid-script. See internal#316.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN }}
 GITEA_HOST: git.moleculesai.app
 REPO: ${{ github.repository }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
diff --git a/.gitea/workflows/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml
index 235ed6334..df6f5179c 100644
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
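Review bot: The fail-fast guard does not yet make a missing secret "obvious" for the gate this script implements: the sop-tier-check.yml step that supplies GITEA_TOKEN (hunk `@@ -111,7 +118,11 @@`) still carries `continue-on-error: true` in its kept context, flagged there as a pre-existing mask (mc#774), so the non-zero exit from `:?` leaves the job green and the tier check is skipped rather than failed. That assumes the step whose env is shown is the one that invokes this script, as the new comment claims; if so, a missing or revoked SOP_TIER_CHECK_TOKEN now fails open, and the guard only becomes a gate once that mask is removed or the missing-token case is written back to the PR as a failed status. The comment's "produces a clear error at line 1" is also inaccurate — the hunk header places the guard around line 44 — so `# Fail-fast on missing token — produces a clear error at script entry rather` is what is meant.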
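Review bot: The new comment promises a clear failure when the secret is missing but leaves out the detail that makes it true: an absent `secrets.SOP_TIER_CHECK_TOKEN` expands to an empty string, not an unset variable, so the script guard only fires because it uses `${GITEA_TOKEN:?...}` (unset-or-empty) rather than `${GITEA_TOKEN?...}` (unset only). One line here protects that coupling from a later "simplification": `# NB: a missing secret expands to "", so the script guard must stay :? (unset-or-empty), not ?.` The same four-line comment is duplicated verbatim in sop-tier-check.yml (hunk `@@ -111,7 +118,11 @@`), so the note belongs there as well, and the duplication itself could shrink to one line plus the internal#316 reference.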
@@ -55,6 +55,13 @@ name: sop-tier-check
 # Gitea API. If a future change adds a checkout step, it MUST pin to
 # `${{ github.event.pull_request.base.sha }}` (NOT `head.sha`) to keep
 # the trust boundary.
+# Cancel in-progress runs for the same PR to prevent stale status overwrites.
+# Only fires on pull_request_target (not issue_comment) — sop-tier-check
+# subscribes to PR events only.
+concurrency:
+ group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
+
 on:
 pull_request_target:
 types: [opened, edited, synchronize, reopened, labeled, unlabeled]
@@ -111,7 +118,11 @@ jobs:
 # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
 continue-on-error: true
 env:
- GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
+ # No fallback to GITHUB_TOKEN — that token lacks read:org scope needed
+ # for team membership probes. A missing SOP_TIER_CHECK_TOKEN produces a
+ # clear failure at script entry (via :? guard in sop-tier-check.sh),
+ # not a confusing 403 mid-script. See internal#316.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN }}
 GITEA_HOST: git.moleculesai.app
 REPO: ${{ github.repository }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
-- 2.52.0

From efe2c1ed782c28346fb4d2722a346814668cda32 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Sat, 16 May 2026 01:43:59 +0000
Subject: [PATCH 2/2] ci: re-trigger CI for infra/sop-tier-check-token-guard branch
-- 2.52.0
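Review bot: The new `concurrency` stanza's comment is appended directly under the existing checkout/trust-boundary comment with no blank line between them, so on the new side the two read as one paragraph and `concurrency:` looks like part of the checkout caveat; a blank line before `# Cancel in-progress runs for the same PR ...` separates the stanzas. Beyond style, `cancel-in-progress: true` on a status-publishing gate means a superseded run can be killed after it has already posted a result for the previous head; that is only safe if the replacement run always finishes by overwriting that status, which this hunk cannot show, so confirm the script's final status write is unconditional and not behind the masked `continue-on-error` step. The comment also notes the workflow only fires on pull_request_target, but the `group` key depends on `github.event.pull_request.number`, which is empty for any non-PR trigger added later and would then funnel all such runs into one group; saying so in the comment, or giving the expression a fallback, keeps that assumption visible.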