From ea98e889e2cde6fc1bf5dcc8bae0a1b22fb3971d Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Sun, 17 May 2026 13:16:15 +0000
Subject: [PATCH] fix(ci): add secrets:read to sop-checklist and sop-tier-check workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These workflows use {{ secrets.SOP_TIER_CHECK_TOKEN }} and {{ secrets.SOP_CHECKLIST_GATE_TOKEN }} in their env, but are missing `secrets: read` in their workflow-level permissions block. Without it, Gitea Actions cannot substitute the secret value — the env var is empty/undefined → every API call returns 401 → the job exits 1. The missing permission is currently causing sop-checklist to FAIL on all PRs, which blocks the entire merge queue (14 PRs stuck). This completes the fix from PR #1411 (which fixed qa-review.yml and security-review.yml but missed these two sop-* workflows).

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/sop-checklist.yml | 1 +
 .gitea/workflows/sop-tier-check.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.gitea/workflows/sop-checklist.yml b/.gitea/workflows/sop-checklist.yml
index 85ebf50a1..b8ca6029d 100644
--- a/.gitea/workflows/sop-checklist.yml
+++ b/.gitea/workflows/sop-checklist.yml
@@ -84,6 +84,7 @@ on:
 permissions:
 contents: read
 pull-requests: read
+ secrets: read
 # NOTE: `statuses: write` is the GitHub-Actions name for POST /statuses.
 # Gitea 1.22.6 may not gate on this permission key (it just checks the
 # token), but listing it explicitly documents intent for the next
diff --git a/.gitea/workflows/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml
index 1f9eb8889..c606aa4b3 100644
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
@@ -71,6 +71,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: read
+ secrets: read
 steps:
 - name: Check out base branch (for the script)
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--
2.52.0
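Review bot: The root-cause claim behind the added `secrets: read` in the sop-checklist.yml hunk sits right above an existing comment saying Gitea 1.22.6 may not gate on permission keys at all, so the two statements contradict each other and the fix is unverified by the change itself. As far as I know `secrets` is not one of the scopes in the GitHub Actions `permissions` schema that Gitea mirrors (secret substitution is not governed by `permissions`, and GitHub's own parser rejects unknown scope names), so the same key in the sop-tier-check.yml hunk should be confirmed against the Gitea version in use rather than assumed to cure the 401. A failing run log should distinguish whether the env var is genuinely empty (secret not defined at the scope the workflow reads, or the run belongs to a pull request for which the forge withholds secrets) from a token that is present but rejected, since the remedy differs. If the key is kept, consider recording that uncertainty inline, e.g. `secrets: read  # not a documented GitHub-Actions scope; added for Gitea — confirm it is honoured`. The description calls both blocks workflow-level, but the sop-tier-check.yml hunk is under `jobs:`, i.e. a job-level permissions block.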