From e24cf37191cb1c96567ab2ee2776fe6366d5674c Mon Sep 17 00:00:00 2001 From: "Molecule AI Dev Engineer A (Kimi)" Date: Thu, 4 Jun 2026 09:03:34 +0000 Subject: [PATCH] fix(ci): capture real exit code in sop-tier-refire and post failure on evaluator error (#2140) sop-tier-refire.sh unconditionally set TIER_EXIT=0 after invoking sop-tier-check.sh, so /refire-tier-check always posted state=success to the branch-protection-required context even when the underlying tier evaluator detected missing approvals or labels. This masked real tier-approval failures. Changes: - Capture the actual exit code: bash \"\$SCRIPT\" || TIER_EXIT=$? - The existing posting logic (lines 141-147) already branches on TIER_EXIT to choose success vs failure, so no further change needed. - Update test_sop_tier_refire.sh T2/T3 to assert state=failure and exit code 1 when the mock evaluator returns non-zero. Test: ```bash bash .gitea/scripts/tests/test_sop_tier_refire.sh # PASS=26 FAIL=0 ``` Closes #2140 Co-Authored-By: Claude Opus 4.7
---
 .gitea/scripts/sop-tier-refire.sh | 7 ++++--- .gitea/scripts/tests/test_sop_tier_refire.sh | 16 ++++++++-------- 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/.gitea/scripts/sop-tier-refire.sh b/.gitea/scripts/sop-tier-refire.sh
index ef0e0473c..22dfbdc34 100755
--- a/.gitea/scripts/sop-tier-refire.sh
+++ b/.gitea/scripts/sop-tier-refire.sh
@@ -125,7 +125,9 @@ if [ ! -f "$SCRIPT" ]; then
 fi
 # Re-invoke. Pipe stdout/stderr through so the runner log shows the
-# tier-check decision inline.
+# tier-check decision inline. Capture the real exit code so the posted
+# protected status reflects the evaluator result (closes #2140).
+TIER_EXIT=0
 GITEA_TOKEN="$GITEA_TOKEN" \
 GITEA_HOST="$GITEA_HOST" \
 REPO="$REPO" \
@@ -133,8 +135,7 @@ GITEA_TOKEN="$GITEA_TOKEN" \
 PR_AUTHOR="$PR_AUTHOR" \
 SOP_DEBUG="${SOP_DEBUG:-0}" \
 SOP_LEGACY_CHECK="${SOP_LEGACY_CHECK:-0}" \
- bash "$SCRIPT" || true
-TIER_EXIT=0
+ bash "$SCRIPT" || TIER_EXIT=$?
 debug "sop-tier-check.sh exit=$TIER_EXIT"
 # 4. POST the resulting status.
diff --git a/.gitea/scripts/tests/test_sop_tier_refire.sh b/.gitea/scripts/tests/test_sop_tier_refire.sh
index 2f2966beb..95b8c46d2 100755
--- a/.gitea/scripts/tests/test_sop_tier_refire.sh
+++ b/.gitea/scripts/tests/test_sop_tier_refire.sh
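Review bot: The captured exit code is only surfaced through `debug "sop-tier-check.sh exit=$TIER_EXIT"`, so when the evaluator exits non-zero the runner log may not record why the protected status went red unless debug output is enabled (assuming `debug` is gated on SOP_DEBUG, which is not visible here). Every non-zero exit is now treated the same way, so a policy denial and an evaluator crash (an unreachable API, a missing interpreter) are indistinguishable in the audit trail. Logging it unconditionally right after the `bash "$SCRIPT"` line would help triage, e.g. `[ "$TIER_EXIT" -eq 0 ] || echo "sop-tier-check.sh exited with $TIER_EXIT" >&2`. The posting logic that consumes TIER_EXIT lies outside this hunk, so whether the posted description already carries the code cannot be confirmed from here.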
@@ -246,21 +246,21 @@ assert_contains "T1 POST context is sop-tier-check / tier-check" \
 '"context": "sop-tier-check / tier-check (pull_request)"' "$POSTED"
 assert_contains "T1 description names commenter" "test-runner" "$POSTED"
-# T2: missing tier label → tier-check fails internally, but refire status
-# matches the canonical workflow's fail-open job conclusion.
+# T2: missing tier label → tier-check fails internally; refire now posts the
+# real evaluator result (failure) to the protected status (#2140).
 run_scenario "T2_no_tier_label" "fail_no_label"
 RC=$(cat "$FIX_STATE_DIR/last_rc")
 POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-assert_eq "T2 exit code 0 (canonical fail-open)" "0" "$RC"
-assert_contains "T2 POSTed state=success" '"state": "success"' "$POSTED"
+assert_eq "T2 exit code 1 (evaluator failure propagated)" "1" "$RC"
+assert_contains "T2 POSTed state=failure" '"state": "failure"' "$POSTED"
-# T3: tier:low present but ZERO approving reviews → internal tier check fails,
-# refire status remains aligned with the canonical workflow.
+# T3: tier:low present but ZERO approving reviews → internal tier check fails;
+# refire posts failure so the protected status reflects reality.
 run_scenario "T3_no_approvals" "fail_no_approvals"
 RC=$(cat "$FIX_STATE_DIR/last_rc")
 POSTED=$(cat "$FIX_STATE_DIR/posted_statuses.jsonl" 2>/dev/null || true)
-assert_eq "T3 exit code 0 (canonical fail-open)" "0" "$RC"
-assert_contains "T3 POSTed state=success" '"state": "success"' "$POSTED"
+assert_eq "T3 exit code 1 (evaluator failure propagated)" "1" "$RC"
+assert_contains "T3 POSTed state=failure" '"state": "failure"' "$POSTED"
 # T4: closed PR — refire is a no-op (no POST, exit 0)
 run_scenario "T4_closed" "pass"
--
2.52.0
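Review bot: T2 and T3 only assert that a `"state": "failure"` entry appears in posted_statuses.jsonl; neither asserts that no `"state": "success"` entry was posted for the same scenario, which is the regression #2140 describes. If the test file has a negative helper, add a check such as `assert_not_contains "T2 no success POST" '"state": "success"' "$POSTED"` to both scenarios (the helper name is a placeholder; only assert_eq and assert_contains are visible in this hunk). Both scenarios also expect exit code 1, so a mock evaluator exiting with another non-zero code is not covered, and the hunk does not show whether the refire script propagates or normalises that code. The removed comments described the canonical workflow as concluding fail-open, so it is worth confirming that path cannot still set the same protected context to success.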