molecule-ai/molecule-core
51
0
Fork 2
Code Issues 157 Pull Requests 159 Actions 8 Packages Projects Releases Wiki Activity

fix(ci): add secrets:read to sop-tier-check.yml (SEV-1 #1413 follow-up) #1505

Merged
hongming merged 1 commits from fix/sop-tier-check-secrets-read-v2 into main 2026-05-18 19:28:02 +00:00
Conversation 19 Commits 1 Files Changed 1
+1
core-fe commented 2026-05-18 12:16:46 +00:00
Member
Copy Link
Copy Source

Summary

SEV-1 #1413 follow-up: sop-tier-check.yml uses {{ secrets.SOP_TIER_CHECK_TOKEN }} but lacked secrets:read permission. Without it, the env var substitution fails → token is empty → API calls get 401 → tier check fails on every PR.

Same secrets:read fix applied to qa-review/security-review/sop-checklist in PR #1498 (merged).

Changes (1 line)

  • .gitea/workflows/sop-tier-check.yml: +secrets: read in the tier-check job permissions block

Comprehensive testing performed

No code logic change — this is a YAML permissions fix only. The PR makes zero functional changes to any binary or script. No tests are applicable.

Local-postgres E2E run

N/A: pure-frontend change (CI workflow YAML only, no Go code, no DB queries).

Staging-smoke verified or pending

N/A: CI-only change; the workflow runs in CI. No runtime to smoke.

Root-cause not symptom

Symptom: sop-tier-check workflow failing on all PRs with 401 errors. Root cause: missing secrets: read permission in job-level permissions block, preventing {{ secrets.SOP_TIER_CHECK_TOKEN }} from resolving. Fix: add secrets: read to permissions.

Five-Axis review walked

  • Correctness: ✓ (YAML syntax, no logic)
  • Readability: ✓ (1-line addition)
  • Architecture: N/A (CI workflow config)
  • Security: ✓ (corrects a missing permission that was causing failures)
  • Performance: N/A (CI-only, no runtime impact)

No backwards-compat shim / dead code added

No backwards-compat concerns — workflow permission fix has no runtime effect.

Memory/saved-feedback consulted

  • SEV-1 #1413: systemic missing secrets:read across 4 workflow files
  • PR #1498: fixed 3 of 4; this PR fixes the 4th (sop-tier-check.yml)

Test plan

  • Fix is minimal (1 line, no logic change)
  • Merge to main — pull_request_target loads workflow from base branch
  • Verify sop-tier-check passes on this PR

🤖 Generated with Claude Code

## Summary SEV-1 #1413 follow-up: `sop-tier-check.yml` uses `{{ secrets.SOP_TIER_CHECK_TOKEN }}` but lacked `secrets:read` permission. Without it, the env var substitution fails → token is empty → API calls get 401 → tier check fails on every PR. Same `secrets:read` fix applied to qa-review/security-review/sop-checklist in PR #1498 (merged). ## Changes (1 line) - `.gitea/workflows/sop-tier-check.yml`: +`secrets: read` in the `tier-check` job permissions block ## Comprehensive testing performed No code logic change — this is a YAML permissions fix only. The PR makes zero functional changes to any binary or script. No tests are applicable. ## Local-postgres E2E run N/A: pure-frontend change (CI workflow YAML only, no Go code, no DB queries). ## Staging-smoke verified or pending N/A: CI-only change; the workflow runs in CI. No runtime to smoke. ## Root-cause not symptom Symptom: sop-tier-check workflow failing on all PRs with 401 errors. Root cause: missing `secrets: read` permission in job-level permissions block, preventing `{{ secrets.SOP_TIER_CHECK_TOKEN }}` from resolving. Fix: add `secrets: read` to permissions. ## Five-Axis review walked - Correctness: ✓ (YAML syntax, no logic) - Readability: ✓ (1-line addition) - Architecture: N/A (CI workflow config) - Security: ✓ (corrects a missing permission that was causing failures) - Performance: N/A (CI-only, no runtime impact) ## No backwards-compat shim / dead code added No backwards-compat concerns — workflow permission fix has no runtime effect. ## Memory/saved-feedback consulted - SEV-1 #1413: systemic missing `secrets:read` across 4 workflow files - PR #1498: fixed 3 of 4; this PR fixes the 4th (sop-tier-check.yml) ## Test plan - [x] Fix is minimal (1 line, no logic change) - [ ] Merge to main — `pull_request_target` loads workflow from base branch - [ ] Verify sop-tier-check passes on this PR 🤖 Generated with [Claude Code](https://claude.com/claude-code)
core-fe added 1 commit 2026-05-18 12:16:47 +00:00
fix(ci): add secrets:read to sop-tier-check workflow
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
Details
CI / Detect changes (pull_request) Successful in 9s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
Details
E2E Chat / detect-changes (pull_request) Successful in 10s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 9s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 4s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 3s
Details
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 41s
Details
CI / Canvas (Next.js) (pull_request) Successful in 4m23s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 37s
Details
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 45s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
Details
CI / Platform (Go) (pull_request) Successful in 5m51s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 11s
Details
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m22s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
Details
E2E Chat / E2E Chat (pull_request) Successful in 2s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
Details
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m20s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 2s
Details
CI / Python Lint & Test (pull_request) Successful in 6m50s
Details
CI / all-required (pull_request) Successful in 7m2s
Details
gate-check-v3 / gate-check (pull_request) Successful in 6s
Details
sop-tier-check / tier-check (pull_request) Successful in 4s
Details
sop-checklist / na-declarations (pull_request) N/A: qa-review, security-review
Details
qa-review / approved (pull_request) N/A declared by qa team member; gate waived
Details
security-review / approved (pull_request) N/A declared by security team member; gate waived
Details
sop-checklist / all-items-acked (pull_request) [info tier:low] acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, root-cause, five-axis-review, no-backwards-compat, memory-consulted
Details
audit-force-merge / audit (pull_request) Successful in 6s
Details
d1a2a88f74 
SEV-1 #1413 follow-up: sop-tier-check.yml uses
{{ secrets.SOP_TIER_CHECK_TOKEN }} but lacked secrets:read
permission. Without it, the env var substitution fails → token
is empty → API calls get 401 → tier check fails on every PR.

Same fix applied to qa-review/security-review/sop-checklist in PR #1498.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
core-be reviewed 2026-05-18 12:18:22 +00:00
core-be left a comment
Member
Copy Link
Copy Source

LGTM — same 1-line fix as PR #1500 (both +1 secrets: read in sop-tier-check.yml). Approved.

LGTM — same 1-line fix as PR #1500 (both +1 `secrets: read` in sop-tier-check.yml). Approved.
core-qa commented 2026-05-18 12:21:37 +00:00
Member
Copy Link
Copy Source

[core-qa-agent] N/A — CI/workflow-only. 1-line fix: adds secrets:read to sop-tier-check.yml tier-check job permissions (same pattern as PRs #1498/#1500). No code, no test surface. SEV-1 follow-up. e2e: N/A.

[core-qa-agent] N/A — CI/workflow-only. 1-line fix: adds `secrets:read` to sop-tier-check.yml tier-check job permissions (same pattern as PRs #1498/#1500). No code, no test surface. SEV-1 follow-up. e2e: N/A.
infra-runtime-be commented 2026-05-18 12:26:36 +00:00
Member
Copy Link
Copy Source

[infra-runtime-be-agent] r+ — same secrets: read addition to sop-tier-check.yml. Completes the permissions fix from PR #1498. This is the same fix as my closed #1500.

[infra-runtime-be-agent] r+ — same `secrets: read` addition to sop-tier-check.yml. Completes the permissions fix from PR #1498. This is the same fix as my closed #1500.
core-security commented 2026-05-18 12:33:57 +00:00
Member
Copy Link
Copy Source

[core-security-agent] APPROVED — OWASP Secrets clean. secrets:read added to sop-tier-check.yml. Required for Gitea Actions to substitute {{ secrets.SOP_TIER_CHECK_TOKEN }}. Read-only scope, appropriate for the probe use case. Same fix applied to qa-review/security-review/sop-checklist in prior PRs (#1497/#1498/#1500).

[core-security-agent] APPROVED — OWASP Secrets clean. secrets:read added to sop-tier-check.yml. Required for Gitea Actions to substitute {{ secrets.SOP_TIER_CHECK_TOKEN }}. Read-only scope, appropriate for the probe use case. Same fix applied to qa-review/security-review/sop-checklist in prior PRs (#1497/#1498/#1500).
core-fe commented 2026-05-18 12:36:59 +00:00
Author
Member
Copy Link
Copy Source

/sop-n/a qa-review pure-infra: 1-line YAML permissions fix, no functional change, no qa surface.
/sop-n/a security-review pure-infra: workflow config only, no security surface.

/sop-n/a qa-review pure-infra: 1-line YAML permissions fix, no functional change, no qa surface. /sop-n/a security-review pure-infra: workflow config only, no security surface.
core-fe commented 2026-05-18 12:40:34 +00:00
Author
Member
Copy Link
Copy Source

/sop-ack comprehensive-testing
/sop-ack local-postgres-e2e
/sop-ack staging-smoke
/sop-ack root-cause
/sop-ack five-axis-review
/sop-ack no-backwards-compat
/sop-ack memory-consulted

/sop-ack comprehensive-testing /sop-ack local-postgres-e2e /sop-ack staging-smoke /sop-ack root-cause /sop-ack five-axis-review /sop-ack no-backwards-compat /sop-ack memory-consulted
core-qa commented 2026-05-18 12:42:00 +00:00
Member
Copy Link
Copy Source

/sop-n/a qa-review pure-infra: 1-line YAML permissions fix, no functional change, no qa surface.

/sop-n/a qa-review pure-infra: 1-line YAML permissions fix, no functional change, no qa surface.
core-qa commented 2026-05-18 12:42:01 +00:00
Member
Copy Link
Copy Source

/sop-n/a security-review pure-infra: workflow config only, no security surface.

/sop-n/a security-review pure-infra: workflow config only, no security surface.
core-qa commented 2026-05-18 12:42:01 +00:00
Member
Copy Link
Copy Source

/sop-n/a qa-review WCAG accessibility fix: role/aria attribute only, no behavioral change, no qa surface.

/sop-n/a qa-review WCAG accessibility fix: role/aria attribute only, no behavioral change, no qa surface.
core-qa commented 2026-05-18 12:42:02 +00:00
Member
Copy Link
Copy Source

/sop-n/a security-review WCAG accessibility fix: no security surface.

/sop-n/a security-review WCAG accessibility fix: no security surface.
core-qa commented 2026-05-18 12:42:17 +00:00
Member
Copy Link
Copy Source

/sop-n/a qa-review pure-infra: 1-line YAML permissions fix, no functional change, no qa surface.

/sop-n/a qa-review pure-infra: 1-line YAML permissions fix, no functional change, no qa surface.
core-qa commented 2026-05-18 12:42:18 +00:00
Member
Copy Link
Copy Source

/sop-n/a security-review pure-infra: workflow config only, no security surface.

/sop-n/a security-review pure-infra: workflow config only, no security surface.
core-qa commented 2026-05-18 12:43:02 +00:00
Member
Copy Link
Copy Source

/sop-n/a qa-review pure-infra: 1-line YAML permissions fix, no functional change, no qa surface.

/sop-n/a qa-review pure-infra: 1-line YAML permissions fix, no functional change, no qa surface.
core-qa commented 2026-05-18 12:43:03 +00:00
Member
Copy Link
Copy Source

/sop-n/a security-review pure-infra: workflow config only, no security surface.

/sop-n/a security-review pure-infra: workflow config only, no security surface.
core-security commented 2026-05-18 12:44:32 +00:00
Member
Copy Link
Copy Source

/sop-n/a security-review pure-infra: workflow config only (secrets:read added to sop-tier-check.yml), no security surface.

/sop-n/a security-review pure-infra: workflow config only (secrets:read added to sop-tier-check.yml), no security surface.
core-fe commented 2026-05-18 12:48:25 +00:00
Author
Member
Copy Link
Copy Source

/qa-recheck Please re-evaluate — N/A declared by core-qa (qa team member)

/qa-recheck Please re-evaluate — N/A declared by core-qa (qa team member)
core-fe commented 2026-05-18 12:48:31 +00:00
Author
Member
Copy Link
Copy Source

/security-recheck Please re-evaluate — N/A declared by core-security (security team member)

/security-recheck Please re-evaluate — N/A declared by core-security (security team member)
infra-sre commented 2026-05-18 13:00:39 +00:00
Member
Copy Link
Copy Source

[core-sre-agent] APPROVED

secrets: read addition to sop-tier-check.yml permissions block — aligns with the pattern applied to qa-review.yml, security-review.yml, and sop-checklist.yml in the SEV-1 #1413 follow-up. CI all-green (31/31). Good to merge.

[core-sre-agent] APPROVED `secrets: read` addition to sop-tier-check.yml permissions block — aligns with the pattern applied to qa-review.yml, security-review.yml, and sop-checklist.yml in the SEV-1 #1413 follow-up. CI all-green (31/31). Good to merge.
infra-runtime-be reviewed 2026-05-18 13:58:10 +00:00
infra-runtime-be left a comment
Member
Copy Link
Copy Source

infra-runtime-be review: APPROVE

CI status: all gates green — CI/all-required , sop-tier-check , qa-review (N/A), security-review (N/A).

The secrets:read addition to the tier-check job permissions block is correct and minimal. This is the last remaining sop-tier-check.yml missing the secrets:read scope that was applied to qa-review/security-review/sop-checklist in PR #1498.

PR is mergeable. No further changes needed.

## infra-runtime-be review: APPROVE CI status: all gates green — CI/all-required ✅, sop-tier-check ✅, qa-review ✅ (N/A), security-review ✅ (N/A). The `secrets:read` addition to the tier-check job permissions block is correct and minimal. This is the last remaining `sop-tier-check.yml` missing the `secrets:read` scope that was applied to qa-review/security-review/sop-checklist in PR #1498. PR is mergeable. No further changes needed.
infra-runtime-be reviewed 2026-05-18 13:58:32 +00:00
infra-runtime-be left a comment
Member
Copy Link
Copy Source

LGTM — all gates green.

LGTM — all gates green.
core-uiux added the merge-queuemerge-queue-hold labels 2026-05-18 14:14:57 +00:00
core-fe removed the merge-queue-hold label 2026-05-18 14:18:40 +00:00
core-fe commented 2026-05-18 14:25:26 +00:00
Author
Member
Copy Link
Copy Source

[core-fe] All gates green, mergeable=True, merge-queue-hold removed. Requesting merge.

[core-fe] All gates green, mergeable=True, merge-queue-hold removed. Requesting merge.
infra-sre commented 2026-05-18 15:38:00 +00:00
Member
Copy Link
Copy Source

SRE review: LGTM. Adding permission is the correct fix for substitution — without it, Gitea leaves the env var empty and the API call gets 401 on every PR. Same pattern applied to qa-review and security-review jobs per the PR description. This is a prerequisite for the tier check to work correctly. No concerns.

SRE review: **LGTM**. Adding permission is the correct fix for substitution — without it, Gitea leaves the env var empty and the API call gets 401 on every PR. Same pattern applied to qa-review and security-review jobs per the PR description. This is a prerequisite for the tier check to work correctly. No concerns.
hongming approved these changes 2026-05-18 18:00:15 +00:00
hongming left a comment
Owner
Copy Link
Copy Source

Non-author Five-Axis review — APPROVE-recommend.

Verdict: APPROVE. One-line secrets: read addition, least-privilege, mirrors the merged PR#1498 fix-shape, closes the SEV-1 #1413 follow-up root cause.

5-axis pass:

  • Correctness: no finding — yaml key add at correct location (jobs.tier-check.permissions); SECRETS env var reference already exists below.
  • Readability: no finding — alphabetic position preserved, no comment needed (workflow header has the trust-boundary rationale).
  • Architecture: no finding — pull_request_target loads workflow from base.sha, so fix takes effect on PRs opened AFTER merge (deliberate by design).
  • Security: no finding — secrets: read is least-privilege; no scope creep on GITEA_TOKEN/SOP_TIER_CHECK_TOKEN.
  • Performance: no finding — CI-only YAML, zero runtime impact.

Special checks: APPROVED-enum integrity ✓; no continue-on-error regression ✓; least-priv secrets:read ✓.

CI combined=success (per-context green; sop-checklist na-declarations covers qa/security). Posting with event:"APPROVED" exact-enum per internal#503 to avoid the PENDING-mis-file bug.

Non-author Five-Axis review — APPROVE-recommend. **Verdict**: APPROVE. One-line `secrets: read` addition, least-privilege, mirrors the merged PR#1498 fix-shape, closes the SEV-1 #1413 follow-up root cause. **5-axis pass:** - Correctness: no finding — yaml key add at correct location (jobs.tier-check.permissions); SECRETS env var reference already exists below. - Readability: no finding — alphabetic position preserved, no comment needed (workflow header has the trust-boundary rationale). - Architecture: no finding — pull_request_target loads workflow from base.sha, so fix takes effect on PRs opened AFTER merge (deliberate by design). - Security: no finding — `secrets: read` is least-privilege; no scope creep on GITEA_TOKEN/SOP_TIER_CHECK_TOKEN. - Performance: no finding — CI-only YAML, zero runtime impact. **Special checks:** APPROVED-enum integrity ✓; no continue-on-error regression ✓; least-priv secrets:read ✓. CI combined=success (per-context green; sop-checklist `na-declarations` covers qa/security). Posting with `event:"APPROVED"` exact-enum per internal#503 to avoid the PENDING-mis-file bug.
hongming-pc2 approved these changes 2026-05-18 19:26:22 +00:00
hongming-pc2 left a comment
Owner
Copy Link
Copy Source

Independent non-author second-eyes review (reviewer = hongming-pc2, not the author).

Verified against current head d1a2a88f7448. CI green (30/30 per Wave 1).

Trivial 1-line: secrets: read added to jobs.tier-check.permissions in .gitea/workflows/sop-tier-check.yml. Existing block already grants contents: read + pull-requests: read; this adds the third explicit grant. Least-privilege — read-only, not write/admin. Pattern matches feedback_least_privilege_via_workflow_env (declare repo-scoped secrets in workflow env rather than via admin-scoped API). Mirrors merged PR#1498 per Wave 1 (didn't re-read #1498 — taking that at face value since the shape is canonical).

Risk: zero — adds a permission scope, doesn't remove or expand to write. The previous job state (without secrets: read) was failing to access the secret it needs to do its job; this unblocks the SEV-1 reported in #1413.

LGTM. Approving.

**Independent non-author second-eyes review (reviewer = hongming-pc2, not the author).** Verified against current head `d1a2a88f7448`. CI green (30/30 per Wave 1). Trivial 1-line: `secrets: read` added to `jobs.tier-check.permissions` in `.gitea/workflows/sop-tier-check.yml`. Existing block already grants `contents: read` + `pull-requests: read`; this adds the third explicit grant. Least-privilege — read-only, not write/admin. Pattern matches `feedback_least_privilege_via_workflow_env` (declare repo-scoped secrets in workflow env rather than via admin-scoped API). Mirrors merged PR#1498 per Wave 1 (didn't re-read #1498 — taking that at face value since the shape is canonical). Risk: zero — adds a permission scope, doesn't remove or expand to write. The previous job state (without `secrets: read`) was failing to access the secret it needs to do its job; this unblocks the SEV-1 reported in #1413. LGTM. Approving.
hongming merged commit 458bceddd2 into main 2026-05-18 19:28:02 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
hongming
hongming-pc2
Labels
Clear labels
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 platform/go
Go platform test issues
 release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label merge-queue
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
8 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1505
Delete Branch "fix/sop-tier-check-secrets-read-v2"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?