From bff08707c9de03570034b60e76e13b81ba2b5171 Mon Sep 17 00:00:00 2001
From: Molecule AI Infra-Runtime-BE
Date: Mon, 18 May 2026 11:41:08 +0000
Subject: [PATCH] fix(ci): add secrets:read to sop-tier-check.yml

sop-tier-check.yml uses {{ secrets.SOP_TIER_CHECK_TOKEN }} but was missing the secrets:read permission grant. Gitea 1.22.6 requires explicit permission to substitute workflow secrets into env vars. Follows the same fix applied to qa-review.yml / security-review.yml / sop-checklist.yml in PR #1498. Refs #1414.
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/sop-tier-check.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitea/workflows/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml
index 1f9eb8889..6a02f3b2c 100644
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
@@ -71,6 +71,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: read
+ secrets: read # SOP_TIER_CHECK_TOKEN env var substitution — Gitea 1.22.6 requires explicit grant
 steps:
 - name: Check out base branch (for the script)
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--
2.52.0
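Review bot: The added `secrets: read` entry under `permissions:` is not a scope in the GitHub Actions permissions schema, and as far as I know Gitea's Actions documentation lists workflow `permissions` among the keys it ignores, so the claim in the inline comment should be confirmed by a run showing SOP_TIER_CHECK_TOKEN empty before this change and populated after it. If the key turns out to be inert, the real cause of the empty token (for example a run triggered from a fork, or the secret not being defined at the level this repo reads) stays unfixed and the comment will mislead later readers. Either way I would have the comment cite the evidence, e.g. `secrets: read  # needed for secrets.SOP_TIER_CHECK_TOKEN on Gitea 1.22.6; see PR #1498`, and keep the token in a step-level `env:` on the one step that uses it rather than exposing it job-wide. The job definition starts and continues outside this hunk, so the trigger and the place where the token is consumed are not visible here.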