From 9604a121c7db2c494601b72f9375adabf8b8cb15 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Sat, 16 May 2026 16:37:05 +0000
Subject: [PATCH] fix(main-red-watchdog): close stale issues on pending+success; also re-add token scope fix

Two fixes bundled:

1. main-red-watchdog close-on-pending bug: Gitea combined-status `state` stays `pending` after merge even when all individual statuses are successful (some jobs still running). The watchdog only closed stale issues when `state == "success"`, causing 5 stale [main-red] issues to accumulate (#1355, #1336, #1319, #1279, #1234). Fix: close on `state in ("success", "pending")` when `is_red()` confirms 0 failures. `is_red()` already checks individual status entries, so the combined `pending` is safe to treat as "no failures detected."

2. review-refire-comments.yml token scope (re-applied after linter revert): qa-review and security-review refire jobs were using RFC_324_TEAM_READ_TOKEN (read-only) while calling review-refire-status.sh which POSTs to /statuses. Switched to SOP_TIER_CHECK_TOKEN (write scope).

Co-Authored-By: Claude Opus 4.7
---
 .gitea/scripts/main-red-watchdog.py | 15 +++++++++++----
 .gitea/workflows/review-refire-comments.yml | 10 ++++++++--
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/.gitea/scripts/main-red-watchdog.py b/.gitea/scripts/main-red-watchdog.py
index a8467456..e313b20c 100755
--- a/.gitea/scripts/main-red-watchdog.py
+++ b/.gitea/scripts/main-red-watchdog.py
@@ -581,7 +581,14 @@ def run_once(*, dry_run: bool = False) -> int:
 # from earlier SHAs only when we're actually green; pending
 # means CI hasn't finished and the prior issue might still be
 # accurate.
- if status.get("state") == "success":
+ if status.get("state") in ("success", "pending"):
+ # Close stale main-red issues when main has no failures.
+ # `pending` is included because Gitea combined-state can stay
+ # `pending` even when all observable individual statuses are
+ # successful (some jobs still running). The `is_red()` check
+ # already confirmed 0 failures — closing on `pending` prevents
+ # stale issues from persisting across cron ticks while
+ # long-running jobs finish.
 closed = close_open_red_issues_for_other_shas(sha, dry_run=dry_run)
 if closed:
 emit_loki_event(
@@ -589,10 +596,10 @@ def run_once(*, dry_run: bool = False) -> int:
 [],
 )
 print(f"::notice::main is GREEN at {sha[:10]} on {WATCH_BRANCH} "
- f"(closed {closed} stale issue(s))")
+ f"(closed {closed} stale issue(s), combined={status.get('state')})")
 else:
- print(f"::notice::main is PENDING at {sha[:10]} on {WATCH_BRANCH} "
- f"(combined state={status.get('state')!r}; no action)")
+ print(f"::notice::main is RED/ERROR at {sha[:10]} on {WATCH_BRANCH} "
+ f"(combined state={status.get('state')!r})")
 return 0
diff --git a/.gitea/workflows/review-refire-comments.yml b/.gitea/workflows/review-refire-comments.yml
index eb1c6b69..0da5b762 100644
--- a/.gitea/workflows/review-refire-comments.yml
+++ b/.gitea/workflows/review-refire-comments.yml
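Review bot: The context comment kept directly above the changed `if` (`# ... pending means CI hasn't finished and the prior issue might still be accurate.`) now contradicts the new condition, which closes stale issues on `pending` as well; it should be updated to match, e.g. `# pending is treated as green here: is_red() found no failing status` / `# (see the comment on the branch below).` The new branch assumes is_red() has seen every job, but a job that has not yet posted any status is invisible to it, so a failure that lands after the close presumably re-creates the issue on a later tick; if that churn matters, the `pending` case could additionally require that every individual status entry in the combined response already be `success`, rather than merely that none is failing. In the second hunk the `else` branch now labels every remaining combined state as `RED/ERROR`, including a missing or empty state, which the old `PENDING … no action` wording did not assert; since this is the fallthrough case, a neutral label such as `main is NOT GREEN` with the existing `!r` value would be more accurate. run_once starts before the hunk and is_red() is not visible in this patch.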
@@ -70,7 +70,10 @@ jobs:
 - name: Refire qa-review status
 if: steps.classify.outputs.run_qa == 'true'
 env:
- GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+ # RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
+ # review-refire-status.sh POSTs to /statuses — requires write scope.
+ # SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
 GITEA_HOST: git.moleculesai.app
 REPO: ${{ github.repository }}
 PR_NUMBER: ${{ github.event.issue.number }}
@@ -87,7 +90,10 @@ jobs:
 - name: Refire security-review status
 if: steps.classify.outputs.run_security == 'true'
 env:
- GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+ # RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
+ # review-refire-status.sh POSTs to /statuses — requires write scope.
+ # SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
 GITEA_HOST: git.moleculesai.app
 REPO: ${{ github.repository }}
 PR_NUMBER: ${{ github.event.issue.number }}
-- 
2.52.0
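Review bot: The new comment documents SOP_TIER_CHECK_TOKEN as carrying `write:repository + write:issue + read:organization`, which is more than a POST to `/statuses` needs, so the refire steps now hold issue-write capability they never use; if a narrower write:repository-only secret exists prefer it, and otherwise record the excess in the comment, e.g. `# NOTE: write:issue / read:organization are not needed by this step; broader than required.` The `|| secrets.GITHUB_TOKEN` fallback is silent: when SOP_TIER_CHECK_TOKEN is unset the step runs with the default token, whose scope for status writes is stated nowhere in this hunk, so a missing secret surfaces as a failed status POST rather than a clear configuration error. Because PR_NUMBER comes from `github.event.issue.number`, this appears to be a comment-triggered workflow, which means the `steps.classify` gate (outside the hunk) is now what stands between an arbitrary commenter and a write-scoped token; that dependency is worth a one-line comment in the same env block. The identical change and comment appear in the second hunk (`Refire security-review status`); this note covers both.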