From c536a1ee978a5f745702f55481aef5fdcaa7f9a4 Mon Sep 17 00:00:00 2001 From: "Molecule AI Dev Engineer A (Kimi)" Date: Thu, 4 Jun 2026 08:59:12 +0000 Subject: [PATCH] fix(ci): replace placeholder qa/security teams with real ones in sop-tier-check (#2139) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The qa (id 20) and security (id 21) Gitea teams have existed since the 2026-05-12 orchestrator preflight (verified via /orgs/{org}/teams), but sop-tier-check.sh still treated them as pending placeholders (qa???, security???). This meant tier:medium PRs could never satisfy the qa/security clause — the script skipped unresolved ???-suffixed teams and the clause always failed. Changes: - TIER_EXPR[tier:medium]: qa???,security??? → qa,security - Update comment block to list the five live teams (ceo, engineers, managers, qa, security) and remove the internal#189 pending-team note. - Update test_sop_tier_check_clause_split.sh fixture to match the real team names. The ???-suffix fallback logic is preserved in the resolver so genuinely missing future teams still fail closed with a clear error. Closes #2139 Co-Authored-By: Claude Opus 4.7 --- .gitea/scripts/sop-tier-check.sh | 12 ++++-------- .../tests/test_sop_tier_check_clause_split.sh | 4 ++-- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/.gitea/scripts/sop-tier-check.sh b/.gitea/scripts/sop-tier-check.sh index d1bd2c235..16f932c73 100755 --- a/.gitea/scripts/sop-tier-check.sh +++ b/.gitea/scripts/sop-tier-check.sh @@ -160,18 +160,14 @@ debug "tier=$TIER" # as unachievable (would always fail) — operators notice the clear error # and create the missing team. # -# Current Gitea teams: ceo, engineers, managers -# Future teams (create before removing "???" fallback): qa, security, security-audit +# Current Gitea teams: ceo, engineers, managers, qa, security declare -A TIER_EXPR=( # tier:low — same as previous OR gate: any engineer, manager, or ceo. ["tier:low"]="engineers,managers,ceo" - # tier:medium — AND of (managers) AND (engineers) AND (qa???,security???) - # The qa+security clause requires both teams to exist; when not yet - # created, the PR author is responsible for adding them before requesting - # approval on a tier:medium PR. Ops: create qa + security Gitea teams - # and update this map to remove the "???" markers (internal#189 follow-up). - ["tier:medium"]="managers AND engineers AND qa???,security???" + # tier:medium — AND of (managers) AND (engineers) AND (qa,security) + # ≥1 approver from managers AND ≥1 from engineers AND ≥1 from qa OR security. + ["tier:medium"]="managers AND engineers AND qa,security" # tier:high — ceo only. The AND-composition adds no value for a # single-team gate, but the framework is wired for consistency. diff --git a/.gitea/scripts/tests/test_sop_tier_check_clause_split.sh b/.gitea/scripts/tests/test_sop_tier_check_clause_split.sh index 3671fabaf..dac8bdb81 100755 --- a/.gitea/scripts/tests/test_sop_tier_check_clause_split.sh +++ b/.gitea/scripts/tests/test_sop_tier_check_clause_split.sh @@ -57,12 +57,12 @@ echo "test: tier:low OR-clause splits to 3 tokens" assert_eq "tier:low" "engineers|managers|ceo" "$(split_clause "engineers,managers,ceo")" echo "test: tier:medium AND-expression — bash word-split on \$EXPR yields 5 tokens" -EXPR="managers AND engineers AND qa???,security???" +EXPR="managers AND engineers AND qa,security" out="" for _raw in $EXPR; do out="${out}${out:+ ; }$(split_clause "$_raw")" done -assert_eq "tier:medium" "managers ; AND ; engineers ; AND ; qa???|security???" "$out" +assert_eq "tier:medium" "managers ; AND ; engineers ; AND ; qa|security" "$out" echo "test: tier:high single-team OR-clause" assert_eq "tier:high" "ceo" "$(split_clause "ceo")" -- 2.52.0