From ce782df03658822bc22b370e2db380fe7075549e Mon Sep 17 00:00:00 2001
From: Molecule AI Core-UIUX <core-uiux@agents.moleculesai.app>
Date: Tue, 12 May 2026 14:30:45 +0000
Subject: [PATCH] fix(ci): add pull-requests:write to gate-check-v3 permissions
 (mc#729)

---
 .gitea/workflows/gate-check-v3.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.gitea/workflows/gate-check-v3.yml b/.gitea/workflows/gate-check-v3.yml
index b1a6a2b08..aaa371532 100644
--- a/.gitea/workflows/gate-check-v3.yml
+++ b/.gitea/workflows/gate-check-v3.yml
@@ -32,6 +32,14 @@ on:
   # iterating all open PRs when PR_NUMBER is empty.
   workflow_dispatch:
 
+permissions:
+  # read: contents — for checkout (base ref, not PR head for security)
+  # read: pull-requests — for reading PR info via API
+  # write: pull-requests — for posting/updating gate-check comments
+  #   Without this the token cannot POST/PATCH /issues/comments → 403.
+  contents: read
+  pull-requests: write
+
 env:
   GITHUB_SERVER_URL: https://git.moleculesai.app
 
-- 
2.52.0