.gitea/scripts/gitea-merge-queue.py

@@ -44,7 +44,10 @@ REQUIRED_CONTEXTS_RAW = _env(
     "REQUIRED_CONTEXTS",
     default=(
         "CI / all-required (pull_request),"
-        "sop-checklist / all-items-acked (pull_request)"
+        "sop-checklist / all-items-acked (pull_request),"
+        "E2E Chat / E2E Chat (pull_request),"
+        "qa-review / approved (pull_request),"
+        "security-review / approved (pull_request)"
     ),
 )
 # Required contexts for push (main/staging) runs. The push CI uses the same
@@ -348,6 +351,25 @@ def post_comment(pr_number: int, body: str, *, dry_run: bool) -> None:
     api("POST", f"/repos/{OWNER}/{NAME}/issues/{pr_number}/comments", body={"body": body})
 
 
+def add_hold_label(pr_number: int, *, dry_run: bool) -> None:
+    """Apply the hold label so the queue skips this PR and processes the next."""
+    print(f"::notice::adding `{HOLD_LABEL}` to PR #{pr_number}")
+    if dry_run:
+        return
+    try:
+        api(
+            "POST",
+            f"/repos/{OWNER}/{NAME}/issues/{pr_number}/labels",
+            body={"labels": [HOLD_LABEL]},
+        )
+    except ApiError as exc:
+        # 404 = PR already closed/deleted; 422 = label already present (Gitea
+        # returns 422 for duplicate label assignment — not a real error).
+        if "404" in str(exc) or "422" in str(exc):
+            return
+        sys.stderr.write(f"::warning::could not add hold label to PR #{pr_number}: {exc}\n")
+
+
 def update_pull(pr_number: int, *, dry_run: bool) -> None:
     print(f"::notice::updating PR #{pr_number} with base branch via style={UPDATE_STYLE}")
     if dry_run:
@@ -444,6 +466,22 @@ def process_once(*, dry_run: bool = False) -> int:
             dry_run=dry_run,
         )
         return 0
+    if decision.action == "wait":
+        # Required contexts are not green. Auto-hold so the queue stops cycling
+        # on this PR and processes the next. Holds are removed manually once the
+        # blocker (e.g. qa/sec gate, missing SOP_TIER_CHECK_TOKEN) is resolved.
+        add_hold_label(pr_number, dry_run=dry_run)
+        post_comment(
+            pr_number,
+            (
+                f"merge-queue: auto-held — required contexts not green: "
+                f"{decision.reason}. "
+                "Remove the `merge-queue-hold` label and re-label `merge-queue` "
+                "to restart queue processing once the blocker is resolved."
+            ),
+            dry_run=dry_run,
+        )
+        return 0
     if decision.ready:
         latest_main_sha = get_branch_head(WATCH_BRANCH)
         if latest_main_sha != main_sha:
@@ -455,10 +493,29 @@ def process_once(*, dry_run: bool = False) -> int:
         try:
             merge_pull(pr_number, dry_run=dry_run)
         except MergePermissionError as exc:
-            # Permanent merge failure (HTTP 403/404/405). Post a comment so
-            # maintainers know why, then return 0 so this tick is done.
-            # The PR stays in the queue; future ticks can retry after the
-            # permission issue is resolved.
+            # HTTP 403/404/405. Distinguish status-check gate (405 with
+            # "Not all required status checks") from a genuine permission
+            # error. Case-insensitive match — Gitea uses "Not all required..."
+            # (capital N) while other paths may return lowercase.
+            msg_lower = str(exc).lower()
+            is_status_check_failure = "not all required status checks successful" in msg_lower
+            if is_status_check_failure:
+                # Gitea's merge gate blocked us — a required context (e.g.
+                # E2E Chat, qa-review, security-review) is failing. Auto-add
+                # hold so the queue skips this PR and processes the next.
+                add_hold_label(pr_number, dry_run=dry_run)
+                post_comment(
+                    pr_number,
+                    (
+                        "merge-queue: merge blocked by Gitea's status-check gate "
+                        "(E2E Chat, qa-review, security-review, or other required "
+                        "context failing). Auto-held via `merge-queue-hold`. "
+                        "Remove the hold label to requeue once CI is green."
+                    ),
+                    dry_run=dry_run,
+                )
+                return 0
+            # Genuine permission error — token lacks Can-merge.
             sys.stderr.write(f"::error::merge permission error for PR #{pr_number}: {exc}\n")
             post_comment(
                 pr_number,

.gitea/scripts/tests/test_gitea_merge_queue.py

@@ -128,3 +128,54 @@ def test_MergePermissionError_message_preserved():
     exc = mq.MergePermissionError("POST /merge -> HTTP 405: User not allowed")
     assert "405" in str(exc)
     assert "User not allowed" in str(exc)
+
+
+def test_merge_decision_waits_when_required_contexts_not_green():
+    """When a required context (e.g. qa-review, E2E Chat) is not success, the
+    decision is 'wait' — the queue can then auto-hold on this."""
+    required = [
+        "CI / all-required (pull_request)",
+        "sop-checklist / all-items-acked (pull_request)",
+        "qa-review / approved (pull_request)",
+    ]
+    decision = mq.evaluate_merge_readiness(
+        main_status={
+            "state": "success",
+            "statuses": [{"context": "CI / all-required (push)", "status": "success"}],
+        },
+        pr_status={
+            "state": "failure",
+            "statuses": [
+                {"context": "CI / all-required (pull_request)", "status": "success"},
+                {"context": "sop-checklist / all-items-acked (pull_request)", "status": "success"},
+                {"context": "qa-review / approved (pull_request)", "status": "failure"},
+            ],
+        },
+        required_contexts=required,
+        pr_has_current_base=True,
+        pr_labels=None,
+    )
+    assert decision.ready is False
+    assert decision.action == "wait"
+    assert "qa-review" in decision.reason
+
+
+def test_tier_low_sop_checklist_pending_soft_fail():
+    """tier:low PRs get soft-fail on sop-checklist: pending is accepted."""
+    required = ["sop-checklist / all-items-acked (pull_request)"]
+    statuses = {
+        "sop-checklist / all-items-acked (pull_request)": {"status": "pending"}
+    }
+    ok, missing = mq.required_contexts_green(statuses, required, pr_labels={"tier:low"})
+    assert ok is True
+    assert missing == []
+
+
+def test_tier_low_sop_checklist_failure_not_soft_fail():
+    """tier:low soft-fail only covers pending, not actual failure."""
+    required = ["sop-checklist / all-items-acked (pull_request)"]
+    statuses = {
+        "sop-checklist / all-items-acked (pull_request)": {"status": "failure"}
+    }
+    ok, missing = mq.required_contexts_green(statuses, required, pr_labels={"tier:low"})
+    assert ok is False

.gitea/workflows/qa-review.yml

@@ -89,6 +89,7 @@ on:
 permissions:
   contents: read
   pull-requests: read
+  secrets: read  # required for SOP_TIER_CHECK_TOKEN team-membership probe
 
 jobs:
   # bp-exempt: PR review bot signal; required merge state is enforced by CI / all-required.

.gitea/workflows/security-review.yml

@@ -16,6 +16,7 @@ on:
 permissions:
   contents: read
   pull-requests: read
+  secrets: read  # required for SOP_TIER_CHECK_TOKEN team-membership probe
 
 jobs:
   # bp-exempt: PR security review bot signal; required merge state is enforced by CI / all-required.