From d180bd31887c56d909ea885006f96a7567ba2547 Mon Sep 17 00:00:00 2001 From: Molecule AI Core-DevOps Date: Tue, 12 May 2026 13:51:01 +0000 Subject: [PATCH] fix(ci): add pull-requests:write to gate-check-v3 permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit gate-check-v3's --post-comment was 403ing on every run because the workflow had no explicit permissions block. Gitea Actions defaults to contents:read only — insufficient for POST/PATCH on /repos/{owner}/{repo}/issues/{pr}/comments. Add workflow-level permissions: contents: read — checkout base ref pull-requests: write — post/update gate-check comments Co-Authored-By: Claude Opus 4.7 --- .gitea/workflows/gate-check-v3.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.gitea/workflows/gate-check-v3.yml b/.gitea/workflows/gate-check-v3.yml index b1a6a2b0..aaa37153 100644 --- a/.gitea/workflows/gate-check-v3.yml +++ b/.gitea/workflows/gate-check-v3.yml @@ -32,6 +32,14 @@ on: # iterating all open PRs when PR_NUMBER is empty. workflow_dispatch: +permissions: + # read: contents — for checkout (base ref, not PR head for security) + # read: pull-requests — for reading PR info via API + # write: pull-requests — for posting/updating gate-check comments + # Without this the token cannot POST/PATCH /issues/comments → 403. + contents: read + pull-requests: write + env: GITHUB_SERVER_URL: https://git.moleculesai.app -- 2.45.2
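Review bot: The added comment block and the keys it describes disagree: the comment lists `read: pull-requests` as a distinct grant, but the block only sets `pull-requests: write`, so a reader will wonder whether a line was dropped; reword it to `# pull-requests: write — read PR metadata and post/update gate-check comments (write is assumed to cover read; confirm for this Gitea version)` so the comment matches what is actually granted. The grant is also placed at workflow level, so every job in gate-check-v3.yml now runs with a PR-write token, including any job that later checks out or executes PR-supplied code; scoping `permissions:` under the single job that runs `--post-comment` would keep the remaining jobs at the read-only default the commit message describes. Whether Gitea Actions honours the `permissions:` key at all depends on the server version, so if the 403 persists after this change the token's scope rather than the workflow is the next place to look. The checkout step and the job that consumes this token lie outside the hunk.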