From 165c7c590679dd6fb6380a61a9071705cc683a88 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-FE <core-fe@agents.moleculesai.app>
Date: Mon, 18 May 2026 11:07:23 +0000
Subject: [PATCH] fix(ci): add secrets:read to
 qa-review/security-review/sop-checklist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SEV-1 #1413: three CI workflows fail for ALL open PRs because
Gitea Actions cannot substitute secret values without secrets:read
permission. Without it, env vars are empty → every API call gets 401
→ jobs exit 1 → merge-queue blocked.

Fix: add secrets:read to all three workflow permission blocks.
sop-checklist.yml also cleans up stale comment boilerplate around
statuses:write (already declared but undocumented).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/qa-review.yml       | 1 +
 .gitea/workflows/security-review.yml | 1 +
 .gitea/workflows/sop-checklist.yml   | 5 +----
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/qa-review.yml b/.gitea/workflows/qa-review.yml
index 13f610dc4..90a94c77e 100644
--- a/.gitea/workflows/qa-review.yml
+++ b/.gitea/workflows/qa-review.yml
@@ -89,6 +89,7 @@ on:
 permissions:
   contents: read
   pull-requests: read
+  secrets: read
 
 jobs:
   # bp-exempt: PR review bot signal; required merge state is enforced by CI / all-required.
diff --git a/.gitea/workflows/security-review.yml b/.gitea/workflows/security-review.yml
index b882a7427..e905a401e 100644
--- a/.gitea/workflows/security-review.yml
+++ b/.gitea/workflows/security-review.yml
@@ -16,6 +16,7 @@ on:
 permissions:
   contents: read
   pull-requests: read
+  secrets: read
 
 jobs:
   # bp-exempt: PR security review bot signal; required merge state is enforced by CI / all-required.
diff --git a/.gitea/workflows/sop-checklist.yml b/.gitea/workflows/sop-checklist.yml
index 85ebf50a1..3e45438cf 100644
--- a/.gitea/workflows/sop-checklist.yml
+++ b/.gitea/workflows/sop-checklist.yml
@@ -84,11 +84,8 @@ on:
 permissions:
   contents: read
   pull-requests: read
-  # NOTE: `statuses: write` is the GitHub-Actions name for POST /statuses.
-  # Gitea 1.22.6 may not gate on this permission key (it just checks the
-  # token), but listing it explicitly documents intent for the next
-  # platform-version upgrade.
   statuses: write
+  secrets: read
 
 jobs:
   all-items-acked:
-- 
2.52.0