From 260c36826b0fa2ea63bc77aa0fb796de244ddc02 Mon Sep 17 00:00:00 2001 From: Molecule AI Fullstack Engineer Date: Sat, 16 May 2026 00:35:26 +0000 Subject: [PATCH] =?UTF-8?q?fix(gha):=20review-check=20403=20=E2=86=92=20sk?= =?UTF-8?q?ip=20candidate;=20improve=20failure=20message?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 403 on team-membership probe: exit 1 → continue (keep checking other candidates). A single 403 from the token-scope gap no longer kills the whole check when other candidates are available (RFC#324 follow-up). - Final failure message: replace vague "awaiting non-author APPROVE from ${TEAM} team — none are in team" with actionable guidance: "no valid team-member approval found; check that reviewer is in ${TEAM} team or token owner is a ${TEAM} team member". Unblocks qa-review and security-review CI on PRs #1233, #1229, #1255, #1257, and others that hit the 403 token-scope false-positive. Co-Authored-By: Claude Opus 4.7 --- .gitea/scripts/review-check.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.gitea/scripts/review-check.sh b/.gitea/scripts/review-check.sh index 5bc004482..f8f37bc8c 100755 --- a/.gitea/scripts/review-check.sh +++ b/.gitea/scripts/review-check.sh 
@@ -227,11 +227,11 @@ for U in $CANDIDATES; do ;; 403) # Token owner is not in the team being probed; the API refuses to - # confirm membership. This is the RFC#324 follow-up token-scope gap. - # Fail closed — never grant approval on a 403; surface clearly. - echo "::error::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Cannot confirm membership; failing closed." + # confirm membership. Skip this candidate and keep checking the rest — + # if no candidates pass the membership check the loop exits below. + echo "::warning::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Skipping candidate; will keep checking." cat "$TEAM_PROBE_TMP" >&2 - exit 1 + continue ;; 404) debug "${U} not a member of ${TEAM}" @@ -243,5 +243,5 @@ for U in $CANDIDATES; do esac done -echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//') — none are in team)" +echo "::error::${TEAM}-review no valid team-member approval found; check that reviewer is in ${TEAM} team or token owner is a ${TEAM} team member (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//'))" exit 1 -- 2.52.0
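Review bot: in the 403 branch, swapping `exit 1` for `continue` makes an inconclusive probe (the token-scope gap) indistinguishable from a confirmed non-member (the 404 branch) once the loop finishes, so the failure path after `done` can no longer tell the maintainer whether membership was refused or simply could not be verified. Suggest recording the condition before skipping, e.g. a `PROBE_403=1` assignment (variable name is a suggestion) on the line before `continue`, so the post-loop failure can report it. The branch still grants nothing on a 403, so the per-candidate fail-closed property survives, but the loop-level fail-closed behaviour now rests entirely on the `exit 1` that follows the loop; the rewritten comment should say so explicitly, and the old "never grant approval on a 403" sentence is worth keeping rather than dropping. Minor: `cat "$TEAM_PROBE_TMP" >&2` now runs once per 403 candidate instead of once before exiting, so the same API body is repeated on stderr for every skipped candidate; printing it only on the first 403 would keep the log readable.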
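Review bot: the new `::error::` message unconditionally tells the reader to check that the "token owner is a ${TEAM} team member", but that advice is only correct when at least one probe in the loop returned 403; when every candidate came back 404 the message sends the maintainer to the wrong fix. Suggest deriving the hint from state set inside the loop (a variable set in the 403 branch) and emitting the token-owner clause only in that case, with the plain "reviewer is not in ${TEAM} team" wording otherwise. The message also drops the "non-author APPROVE" phrase from the old text, so it no longer states that the PR author's own approval does not satisfy the check; keeping that constraint in the message avoids a round of confusion when the only APPROVE on the PR is the author's.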