infra(sop-tier-check): drop GITHUB_TOKEN fallback + add :? guard #1271

Open
core-devops wants to merge 2 commits from infra/sop-tier-check-token-guard into staging
4 changed files with 27 additions and 3 deletions
+4 -1
@@ -30,7 +30,10 @@
set -euo pipefail
: "${GITEA_TOKEN:?required}"
# Fail-fast on missing token — internal#316: drop the || GITHUB_TOKEN
# fallback from audit-force-merge.yml; the guard here makes the missing-
# secret failure obvious.
: "${GITEA_TOKEN:?GITEA_TOKEN env var required — set SOP_TIER_CHECK_TOKEN in repo secrets}"
: "${GITEA_HOST:?required}"
: "${REPO:?required}"
: "${PR_NUMBER:?required}"
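Review bot: The new guard message on the `: "${GITEA_TOKEN:?…}"` line tells the operator to set SOP_TIER_CHECK_TOKEN "in repo secrets", while the kept comment in the audit-force-merge.yml hunk of this same PR calls it an org-level secret; one of the two will send whoever is fixing a red run to the wrong place. A location-neutral wording avoids the question, e.g. `: "${GITEA_TOKEN:?GITEA_TOKEN env var required — map secrets.SOP_TIER_CHECK_TOKEN to it in the workflow env}"`, and the sop-tier-check.sh hunk carries the same message and needs the same change. The comment above the guard describes an edit made in another file (the dropped fallback in the workflow), which will read as stale once internal#316 closes; phrasing it as the invariant keeps it true, e.g. `# GITEA_TOKEN must come from SOP_TIER_CHECK_TOKEN; GITHUB_TOKEN lacks the read:org scope the team probes need (internal#316).`. The hunk header counts more lines than this rendering shows, so the leading context of the hunk is presumably omitted here.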
+6
@@ -44,6 +44,12 @@
set -euo pipefail
# Fail-fast on missing token — produces a clear error at line 1 rather
# than a confusing 403 mid-script when GITHUB_TOKEN lacks read:org scope.
# internal#316: drop the || GITHUB_TOKEN fallback in sop-tier-check.yml;
# the guard here makes the missing-secret failure obvious.
: "${GITEA_TOKEN:?GITEA_TOKEN env var required — set SOP_TIER_CHECK_TOKEN in repo secrets}"
# Ensure jq is available. Runners may not have it pre-installed, and the
# workflow-level jq install can fail on runners with network restrictions
# (GitHub releases not reachable from some runner networks — infra#241
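Review bot: The first comment line above the new guard promises "a clear error at line 1", but by the hunk header the guard sits near line 50 of sop-tier-check.sh, and bash reports the `:?` diagnostic with the actual script line, so the comment will not match what an operator sees in the log. Suggest `# Fail-fast on missing token — produces a clear error at script entry rather` so the intent (fail before any API call) is stated without a line number that is already wrong. The jq-availability comment at the end of the hunk is cut mid-sentence by the hunk boundary, so that block continues outside it.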
+5 -1
@@ -42,7 +42,11 @@ jobs:
- name: Detect force-merge + emit audit event
env:
# Same org-level secret the sop-tier-check workflow uses.
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
# No fallback to GITHUB_TOKEN — that token lacks read:org scope needed
# for team membership probes. A missing SOP_TIER_CHECK_TOKEN produces a
# clear failure at script entry (via :? guard in audit-force-merge.sh),
# not a confusing 403 mid-script. See internal#316.
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
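Review bot: The new comment block above `GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN }}` says why the fallback went but not how absence shows up at the script: a missing secret expands to an empty string in Actions expressions (the usual behaviour, worth confirming on this Gitea runner), so the script sees GITEA_TOKEN set-but-empty, and only the colon form `${GITEA_TOKEN:?…}` — which audit-force-merge.sh uses — rejects that; the plain `${GITEA_TOKEN?…}` form would let an empty token through to the 403 this change is trying to avoid. One line here keeps the next script edit from dropping the colon: `# An absent secret expands to "", so the script guard must be the :? form, not ?.`. This key now has two comment blocks (the kept "Same org-level secret…" line and the four new lines); merging them into one block gives the key a single explanation and also removes the org-level vs repo-secrets disagreement with the script's error message.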
+12 -1
@@ -55,6 +55,13 @@ name: sop-tier-check
# Gitea API. If a future change adds a checkout step, it MUST pin to
# `${{ github.event.pull_request.base.sha }}` (NOT `head.sha`) to keep
# the trust boundary.
# Cancel in-progress runs for the same PR to prevent stale status overwrites.
# Only fires on pull_request_target (not issue_comment) — sop-tier-check
# subscribes to PR events only.
concurrency:
group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
on:
pull_request_target:
types: [opened, edited, synchronize, reopened, labeled, unlabeled]
@@ -111,7 +118,11 @@ jobs:
# mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
continue-on-error: true
env:
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
# No fallback to GITHUB_TOKEN — that token lacks read:org scope needed
# for team membership probes. A missing SOP_TIER_CHECK_TOKEN produces a
# clear failure at script entry (via :? guard in sop-tier-check.sh),
# not a confusing 403 mid-script. See internal#316.
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
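Review bot: The fail-fast guard this PR relies on is masked in this step: `continue-on-error: true` two lines above the env block means a missing SOP_TIER_CHECK_TOKEN fails the step but leaves the job green, so the "clear failure at script entry" the new comment promises never reaches the job result, and if later steps or branch protection take this job's outcome as the tier-check gate on a pull_request_target run, that is fail-open rather than fail-closed. The mc#774 comment already records the mask as pre-existing and not to be renewed silently, but dropping the token fallback raises what it hides, so either remove `continue-on-error: true` on this step in the same change or amend the new comment to say that the guard's failure is currently swallowed by the mask and where the failure is actually surfaced. The step's run line and the rest of the job definition lie outside the hunk, so how the status is posted cannot be checked from here.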