molecule-ai/molecule-core
52
0
Fork 2
Code Issues 193 Pull Requests 55 Actions 2 Packages Projects Releases Wiki Activity

fix(review-check): skip 403 candidates instead of hard-failing gate #1894

Merged
agent-dev-a merged 1 commits from fix/review-check-403-graceful into main 2026-05-26 07:33:53 +00:00
Conversation 2 Commits 1 Files Changed 1
+8 -5
1 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/scripts/review-check.sh
+8 -5
View File
@@ -306,12 +306,15 @@ for U in $CANDIDATES; do
exit 0
;;
403)
# Token owner is not in the team being probed; the API refuses to
# confirm membership. This is the RFC#324 follow-up token-scope gap.
# Fail closed — never grant approval on a 403; surface clearly.
echo "::error::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Cannot confirm membership; failing closed."
# Token owner is not in the team being probed; Gitea 1.22.6 refuses
# to confirm membership in this case. Do NOT hard-fail the gate on a
# 403 — doing so would fail the entire gate if ANY candidate triggers
# a 403, even when other valid team-members exist. Instead skip this
# candidate and continue checking others. If all candidates produce
# 403 (token owner can't query any of them) the final exit fires.
echo "::warning::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — skipping; cannot confirm membership)"
cat "$TEAM_PROBE_TMP" >&2
exit 1
continue
;;
404)
debug "${U} not a member of ${TEAM}"