From e6118b3a7fb84b7e75a4dd8773832581e4257e1a Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Mon, 11 May 2026 03:28:45 +0000
Subject: [PATCH] fix(ci): install jq before sop-tier-check script runs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Root cause: the sop-tier-check.sh script uses jq extensively for all JSON API parsing (whoami, labels, team IDs, reviews). Gitea Actions runners (ubuntu-latest label) do not bundle jq — script exits at line 67 with "jq: command not found", producing "Failing after 1-3s" status on every staging PR.
Symptom: all base=staging PRs failing sop-tier-check. Main-based PRs inconsistent — #341 passed because it ran on a runner that happened to have jq from a prior unrelated task. Secret-scan passes because it uses pure bash/grep (no jq dependency).
Fix: add apt-get install -y jq step before the script run. pull_request_target loads the workflow from the base branch, so the fix only takes effect once this PR is merged.
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/sop-tier-check.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.gitea/workflows/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml
index d4b74ed3..0d7bd986 100644
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
@@ -77,6 +77,13 @@ jobs:
 # works if we never check out PR HEAD. Same SHA the workflow
 # itself was loaded from.
 ref: ${{ github.event.pull_request.base.sha }}
+ - name: Install jq
+ # Gitea Actions runners (ubuntu-latest label) do not bundle jq.
+ # The script uses jq extensively for all JSON parsing; install it
+ # before the script runs. Using -qq for quiet output — diagnostic
+ # info is already captured via SOP_DEBUG=1 on failure.
+ run: apt-get update -qq && apt-get install -y -qq jq
+
 - name: Verify tier label + reviewer team membership
 env:
 # SOP_TIER_CHECK_TOKEN is the org-level secret for the
--
2.45.2
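Review bot: The new `Install jq` step fetches an unpinned package from the network on every run of a job that, per the context lines, later hands the org-level `SOP_TIER_CHECK_TOKEN` to the script, so a mirror outage or a changed package now decides whether this gating check passes and which jq binary parses the API responses. Skipping the install when jq is already present keeps the network out of the common path: `run: command -v jq >/dev/null || (apt-get update -qq && apt-get install -y -qq --no-install-recommends jq)`. The command has no `sudo`, which presumably relies on the runner container running as root; a one-line comment saying so, or baking jq into the runner image, would make that assumption explicit. The job's trigger, permissions and the rest of the step list lie outside the hunk, so whether the token is scoped to the final step alone cannot be confirmed from here.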