From 840889c8d0998188d1272e8af0daa5b6ee1229d8 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Tue, 26 May 2026 06:47:52 +0000
Subject: [PATCH] fix(review-check): skip 403 candidates instead of hard-failing gate

When the token owner is not in the queried team, Gitea 1.22.6 returns 403 on GET /teams/{id}/members/{user}. Previously review-check.sh immediately exited 1 on the first 403, which failed the entire gate even if other valid team-member candidates existed. Change to continue (skip the candidate) so the gate only fails when NO candidate can be verified. This closes the RFC#324 token-scope gap for multi-reviewer PRs while keeping fail-closed semantics when all candidates are unverifiable.

Co-Authored-By: Claude Opus 4.7
---
 .gitea/scripts/review-check.sh | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.gitea/scripts/review-check.sh b/.gitea/scripts/review-check.sh
index 026a28a5e..a63c983ee 100755
--- a/.gitea/scripts/review-check.sh
+++ b/.gitea/scripts/review-check.sh
@@ -306,12 +306,15 @@ for U in $CANDIDATES; do
 exit 0
 ;;
 403)
- # Token owner is not in the team being probed; the API refuses to
- # confirm membership. This is the RFC#324 follow-up token-scope gap.
- # Fail closed — never grant approval on a 403; surface clearly.
- echo "::error::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Cannot confirm membership; failing closed."
+ # Token owner is not in the team being probed; Gitea 1.22.6 refuses
+ # to confirm membership in this case. Do NOT hard-fail the gate on a
+ # 403 — doing so would fail the entire gate if ANY candidate triggers
+ # a 403, even when other valid team-members exist. Instead skip this
+ # candidate and continue checking others. If all candidates produce
+ # 403 (token owner can't query any of them) the final exit fires.
+ echo "::warning::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — skipping; cannot confirm membership)"
 cat "$TEAM_PROBE_TMP" >&2
- exit 1
+ continue
 ;;
 404)
 debug "${U} not a member of ${TEAM}"
-- 
2.52.0
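Review bot: The new `continue` in the 403 arm makes "cannot verify" indistinguishable, from the loop's point of view, from the 404 "verified not a member" arm below it, so a gate that fails because every candidate returned 403 will be reported by whatever runs after the loop exactly like a plain no-reviewer-in-team failure, and the RFC#324 token-scope misconfiguration survives only as per-candidate `::warning::` lines that are easy to miss in CI output. Record the condition before skipping — `PROBE_FORBIDDEN=1` next to the `continue` (or a counter) — and after the loop, when no candidate matched and that flag is set, emit an `::error::` that names the token-scope gap, so operators can tell a policy failure from a credential that cannot see the team. The fail-closed claim in the new comment ("the final exit fires") rests on code outside this hunk; it is worth confirming that the post-loop default is still `exit 1` and that nothing treats "zero candidates verified" as success. The enclosing `for U in $CANDIDATES` loop starts before the hunk and ends after it.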