From d1a2a88f7448beaaa3fa97791b892778a6dfd270 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-FE
Date: Mon, 18 May 2026 12:16:36 +0000
Subject: [PATCH] fix(ci): add secrets:read to sop-tier-check workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SEV-1 #1413 follow-up: sop-tier-check.yml uses {{ secrets.SOP_TIER_CHECK_TOKEN }} but lacked secrets:read permission. Without it, the env var substitution fails → token is empty → API calls get 401 → tier check fails on every PR. Same fix applied to qa-review/security-review/sop-checklist in PR #1498.
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/sop-tier-check.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitea/workflows/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml
index 1f9eb8889..c606aa4b3 100644
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
@@ -71,6 +71,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: read
+ secrets: read
 steps:
 - name: Check out base branch (for the script)
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--
2.52.0
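Review bot: The added `secrets: read` under `permissions:` may not be what makes `SOP_TIER_CHECK_TOKEN` resolve: in the GitHub Actions schema this block only scopes the automatic job token and has no `secrets` key, and the hunk does not show whether this Gitea runner honours or silently ignores it. Please confirm on the deployed Gitea version that the key has an effect and record that on the line, e.g. `secrets: read  # required for secrets.SOP_TIER_CHECK_TOKEN; verified on Gitea <VERSION>`. Because an empty token currently surfaces only as a 401 from the API, a guard at the top of the step that consumes it (assuming it is exported under that name), such as `[ -n "$SOP_TIER_CHECK_TOKEN" ] || { echo "SOP_TIER_CHECK_TOKEN is empty" >&2; exit 1; }`, would make that failure explicit instead of looking like a tier failure. The job starts above the hunk and its steps continue below it, so the step that reads the token is not visible here.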