diff --git a/.gitea/scripts/sop-tier-refire.sh b/.gitea/scripts/sop-tier-refire.sh
index ef0e0473c..22dfbdc34 100755
--- a/.gitea/scripts/sop-tier-refire.sh
+++ b/.gitea/scripts/sop-tier-refire.sh
@@ -125,7 +125,9 @@ if [ ! -f "$SCRIPT" ]; then
 fi
 # Re-invoke. Pipe stdout/stderr through so the runner log shows the
-# tier-check decision inline.
+# tier-check decision inline. Capture the real exit code so the posted
+# protected status reflects the evaluator result (closes #2140).
+TIER_EXIT=0
 GITEA_TOKEN="$GITEA_TOKEN" \
 GITEA_HOST="$GITEA_HOST" \
 REPO="$REPO" \
@@ -133,8 +135,7 @@ GITEA_TOKEN="$GITEA_TOKEN" \
 PR_AUTHOR="$PR_AUTHOR" \
 SOP_DEBUG="${SOP_DEBUG:-0}" \
 SOP_LEGACY_CHECK="${SOP_LEGACY_CHECK:-0}" \
- bash "$SCRIPT" || true
-TIER_EXIT=0
+ bash "$SCRIPT" || TIER_EXIT=$?
 debug "sop-tier-check.sh exit=$TIER_EXIT"
 # 4. POST the resulting status.
diff --git a/.gitea/scripts/tests/test_sop_tier_refire.sh b/.gitea/scripts/tests/test_sop_tier_refire.sh
index 2f2966beb..95b8c46d2 100755
--- a/.gitea/scripts/tests/test_sop_tier_refire.sh
+++ b/.gitea/scripts/tests/test_sop_tier_refire.sh
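Review bot: In the second hunk of sop-tier-refire.sh, `bash "$SCRIPT" || TIER_EXIT=$?` records every non-zero exit, not only a tier decision, so a syntax error or crash inside the evaluator lands in the same variable as a genuine "not approved" result. Because the value feeds a protected status, the mapping in step 4 has to treat anything other than 0 as non-success; that code is outside this hunk, so it could not be checked here. If step 4 compares against 1 specifically, it should compare against 0 instead. I would also record the contract next to the capture with a comment such as `# Fail closed: any non-zero exit (evaluator failure or crash) must not post state=success.`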
@@ -246,21 +246,21 @@ assert_contains "T1 POST context is sop-tier-check / tier-check" \
 '"context": "sop-tier-check / tier-check (pull_request)"' "$POSTED"
 assert_contains "T1 description names commenter" "test-runner" "$POSTED"
-# T2: missing tier label → tier-check fails internally, but refire status
-# matches the canonical workflow's fail-open job conclusion.
+# T2: missing tier label → tier-check fails internally; refire now posts the
+# real evaluator result (failure) to the protected status (#2140).
 run_scenario "T2_no_tier_label" "fail_no_label"
 RC=$(cat "$FIX_STATE_DIR/last_rc")
 POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-assert_eq "T2 exit code 0 (canonical fail-open)" "0" "$RC"
-assert_contains "T2 POSTed state=success" '"state": "success"' "$POSTED"
+assert_eq "T2 exit code 1 (evaluator failure propagated)" "1" "$RC"
+assert_contains "T2 POSTed state=failure" '"state": "failure"' "$POSTED"
-# T3: tier:low present but ZERO approving reviews → internal tier check fails,
-# refire status remains aligned with the canonical workflow.
+# T3: tier:low present but ZERO approving reviews → internal tier check fails;
+# refire posts failure so the protected status reflects reality.
 run_scenario "T3_no_approvals" "fail_no_approvals"
 RC=$(cat "$FIX_STATE_DIR/last_rc")
 POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-assert_eq "T3 exit code 0 (canonical fail-open)" "0" "$RC"
-assert_contains "T3 POSTed state=success" '"state": "success"' "$POSTED"
+assert_eq "T3 exit code 1 (evaluator failure propagated)" "1" "$RC"
+assert_contains "T3 POSTed state=failure" '"state": "failure"' "$POSTED"
 # T4: closed PR — refire is a no-op (no POST, exit 0)
 run_scenario "T4_closed" "pass"
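Review bot: T2 and T3 both pin the evaluator exiting with exactly 1, so nothing here covers an unexpected exit code such as a crash, which is the case where a protected status could still end up green. I would add a scenario whose stubbed evaluator exits with a different non-zero code and assert the same outcome, for example `assert_contains "TN POSTed state=failure" '"state": "failure"' "$POSTED"`. The label and the fixture mode are placeholders, because the available modes are defined outside this hunk. Also, `assert_contains` only proves that a failure entry exists. If `posted_statuses.jsonl` is not reset between scenarios (not visible here), T2 and T3 should also check that no `"state": "success"` entry was written.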