From d063ecd186634d8cec257963644e69a93e2c6f9c Mon Sep 17 00:00:00 2001
From: core-devops
Date: Thu, 4 Jun 2026 21:10:13 -0700
Subject: [PATCH] harden(ci): remove expired sop-tier-check burn-in masks (internal#189 Phase 1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The internal#189 Phase 1 burn-in window closed 2026-05-17 (18+ days ago). The header comment already claimed continue-on-error was removed from the tier-check job, but three masking layers persisted and made the gate unable to honestly fail CI on a real SOP-6 violation:

1. continue-on-error: true on the 'Install jq' setup step (redundant — the step's final command already exits 0 unconditionally; not a gate).
2. continue-on-error: true on the 'Verify tier label + reviewer team membership' step — the actual expired burn-in mask.
3. '|| true' after the sop-tier-check.sh invocation, which swallowed the script's real exit 1 (missing tier label / no approval / unsatisfied AND-clause).

All three removed. SOP_FAIL_OPEN=1 is RETAINED: it fails-open ONLY on infra faults (empty/invalid token, unreachable Gitea API, missing jq) via the guarded exit-0 branches in sop-tier-check.sh — it does NOT mask a real tier-gate verdict. Stale header comment updated to reflect reality.

Evidence it is safe: across the 50 open core PRs, the latest per-context sop-tier-check status is success/pending; the two PRs showing a 'failure' context (#2285, #2132) are 'Has been cancelled' supersede artifacts from cancel-in-progress, whose real (pull_request_review) run is success — not gate verdicts. No currently-green PR newly reds from this change.

Restores the gate's honest ability to fail per the no-non-gating-CI goal.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/sop-tier-check.yml | 50 ++++++++++++++++++-----------
 1 file changed, 32 insertions(+), 18 deletions(-)
diff --git a/.gitea/workflows/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml index 8ee676ec4..90363ee16 100644 --- a/.gitea/workflows/sop-tier-check.yml +++ b/.gitea/workflows/sop-tier-check.yml @@ -33,11 +33,20 @@ # 2026-05-17 (internal#189 Phase 1). # # BURN-IN CLOSED 2026-05-17 (internal#189 Phase 1): The 7-day burn-in -# window closed. continue-on-error: true has been removed from the -# tier-check job; AND-composition is now fully enforced. If you need -# to temporarily re-introduce a mask, file a tracker and follow the -# mc#1982 protocol (Tier 2e lint requires a current tracker within -# 2 lines of any continue-on-error: true). +# window closed. As of 2026-06-04 the residual masks left behind by the +# burn-in are removed for real (the comment previously claimed this while +# the masks still persisted — that was stale): +# - continue-on-error: true on the jq-install step (redundant; the step +# already exits 0) and on the tier-check step (the burn-in mask). +# - the `|| true` after the sop-tier-check.sh invocation, which masked +# real tier-gate verdicts. +# AND-composition is now fully enforced and the tier-check step can +# honestly red CI on a real SOP-6 violation. SOP_FAIL_OPEN=1 is RETAINED +# as sanctioned infra-resilience: it fails-open only on token/network/jq +# faults, never on a real gate verdict. If you need to temporarily +# re-introduce a mask, file a tracker and follow the mc#1982 protocol +# (Tier 2e lint requires a current tracker within 2 lines of any +# continue-on-error: true). name: sop-tier-check 
@@ -90,10 +99,11 @@ jobs: # GitHub releases may be unreachable from some runner networks # (infra#241 follow-up: GitHub timeout after 3s on 5.78.80.188 # runners). The sop-tier-check script has its own fallback as a - # third line of defense. continue-on-error: true ensures this step - # failing does not block the job. - # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently. - continue-on-error: true + # third line of defense, and this step's final command + # (`jq --version ... || echo`) already exits 0 unconditionally — so + # the step cannot fail the job on its own. + # continue-on-error REMOVED 2026-06-04 (mc#1982 directive: root-fix + # and remove, do not renew). It was redundant masking, not a gate. run: | # apt-get is the primary method — Ubuntu package mirrors are reliably # reachable from runner containers. GitHub releases may be blocked @@ -110,11 +120,11 @@ jobs: jq --version 2>/dev/null || echo "::notice::jq not yet available — script fallback will retry" - name: Verify tier label + reviewer team membership - # continue-on-error: true at step level — job-level is ignored by Gitea - # Actions (quirk #10, internal runbooks). Belt-and-suspenders with - # SOP_FAIL_OPEN=1 + || true below. - # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently. - continue-on-error: true + # continue-on-error REMOVED 2026-06-04 (expired internal#189 Phase 1 + # burn-in, window closed 2026-05-17; mc#1982 directive: root-fix and + # remove, do not renew). SOP_FAIL_OPEN=1 below still fails-open on + # token/network/infra errors only (never on a real tier-gate verdict), + # so this step can now honestly fail CI on a genuine SOP-6 violation. env: GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }} GITEA_HOST: git.moleculesai.app 
@@ -123,9 +133,13 @@ jobs: PR_AUTHOR: ${{ github.event.pull_request.user.login }} SOP_DEBUG: '0' SOP_LEGACY_CHECK: '0' - # SOP_FAIL_OPEN=1 makes the script always exit 0. The UI enforces - # the actual merge gate. Combined with continue-on-error: true - # above, this step never fails the job regardless of script exit. + # SOP_FAIL_OPEN=1 fails-open ONLY on infra faults (empty/invalid + # token, unreachable Gitea API, missing jq) — see the guarded + # `exit 0` branches in sop-tier-check.sh. It does NOT mask a real + # tier-gate verdict: a missing tier label, no approving review, or + # an unsatisfied AND-clause still `exit 1`. Kept as sanctioned + # infra-resilience; the `|| true` mask was REMOVED with the burn-in + # COE (2026-06-04) so a genuine SOP-6 violation now reds CI. SOP_FAIL_OPEN: '1' run: | - bash .gitea/scripts/sop-tier-check.sh || true + bash .gitea/scripts/sop-tier-check.sh -- 2.52.0
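Review bot: in the header-comment hunk (@@ -33,11 +33,20 @@), the new text again asserts as fact that the masks are "removed for real", which is the same kind of state claim that went stale last time, and the same lines note that the Tier 2e lint only catches `continue-on-error: true` while the mask that actually persisted was the `|| true` on the script invocation. Suggest trimming the historical narrative ("the comment previously claimed this while the masks still persisted") to the commit message, keeping the header to the current invariant, and extending the Tier 2e lint to flag `|| true` (and similar exit-status swallows) on gate-script invocations in this workflow so the comment does not have to carry the guarantee.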
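Review bot: in the 'Install jq' hunk (@@ -90,10 +99,11 @@), the new comment's claim that the step "cannot fail the job on its own" rests only on the final `jq --version ... || echo` line; with `continue-on-error` gone, any earlier command in the multi-line `run:` block (the apt-get path is the primary method per the surrounding context) that exits non-zero aborts the step before that line under the fail-fast default shell of GitHub-compatible runners, and the job now reds on exactly the infra blip the comment calls non-gating. Suggest confirming every preceding command in the block is guarded with its own fallback, or giving the step an explicit non-fail-fast shell, and stating that in the comment instead of the "exits 0 unconditionally" claim.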
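Review bot: in the 'Verify tier label + reviewer team membership' hunk (@@ -110,11 +120,11 @@), the env block falls back from `secrets.SOP_TIER_CHECK_TOKEN` to `secrets.GITHUB_TOKEN`, and the new comment says SOP_FAIL_OPEN=1 still fails open on token errors; together these mean that if the dedicated secret is unset, expired or rotated, the gate degrades to a green fail-open with nothing in the step result to tell it apart from a real pass. Suggest emitting a `::warning::` annotation (or a distinct check description) whenever the fail-open branch is taken so reviewers can distinguish "passed the gate" from "could not evaluate the gate". The removed comment also carried the operational note that job-level continue-on-error is ignored by Gitea Actions (quirk #10); if that is still relied on elsewhere, keep a pointer to the runbook rather than dropping it entirely.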
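Review bot: in the SOP_FAIL_OPEN hunk (@@ -123,9 +133,13 @@), the comment lists "missing jq" among the infra faults that fail open, while the earlier hunk deliberately keeps the jq install step non-gating; the net effect is that a failed jq download (a controllable dependency, unlike a transient Gitea API outage) silently converts the tier gate into a pass. Suggest either making jq a hard requirement now that steps can red honestly (bake it into the runner image or let the install step fail), or narrowing fail-open to the token/network cases and treating missing jq as a real failure. For the same reason, the commit message's safety evidence ("latest status is success/pending") cannot distinguish true passes from fail-open passes, so it does not by itself show the gate was evaluating.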