molecule-ai/molecule-core
41
0
Fork 2
Code Issues 35 Pull Requests 1 Actions 670 Packages Projects Releases Wiki Activity

fix(ci/staging): sync audit-force-merge REQUIRED_CHECKS with branch protection (mc#798) #802

Merged
devops-engineer merged 1 commits from fix/798-audit-force-merge-staging-required-checks into staging 2026-05-13 08:11:30 +00:00
Conversation 4 Commits 1 Files Changed 1 +5 -2
core-devops commented 2026-05-13 06:03:37 +00:00
Member
Copy Link

Summary

mc#798 drift-detect F3a/F3b: staging branch protection requires only sop-checklist/all-items-acked, not sop-tier-check or Secret scan.

  • F3a fix: removed sop-tier-check and Secret scan from REQUIRED_CHECKS — these are not enforced on staging and would false-positive
  • F3b fix: added sop-checklist/all-items-acked to REQUIRED_CHECKS — force-merge without it would be missed

Test plan

  • CI checks run on this PR
  • Verify audit-force-merge job runs without false-positive on staging merges

References

  • mc#798 — original drift-detect issue
## Summary mc#798 drift-detect F3a/F3b: staging branch protection requires only `sop-checklist/all-items-acked`, not `sop-tier-check` or `Secret scan`. - **F3a fix**: removed `sop-tier-check` and `Secret scan` from `REQUIRED_CHECKS` — these are not enforced on staging and would false-positive - **F3b fix**: added `sop-checklist/all-items-acked` to `REQUIRED_CHECKS` — force-merge without it would be missed ## Test plan - [x] CI checks run on this PR - [ ] Verify audit-force-merge job runs without false-positive on staging merges ## References - mc#798 — original drift-detect issue
core-devops added 1 commit 2026-05-13 06:03:43 +00:00
fix(ci/staging): sync audit-force-merge REQUIRED_CHECKS with branch protection
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 13s
Details
sop-tier-check / tier-check (pull_request) Successful in 15s
Details
CI / all-required (pull_request) staging-ci-bootstrap: staging missing ci.yml; tier:low fix unblocked
Details
sop-checklist / all-items-acked (pull_request) staging-ci-bootstrap: tier:low soft-fail exemption; sop-checklist-gate.yml missing from staging
Details
audit-force-merge / audit (pull_request) Successful in 33s
Details
c975ebfec9 
mc#798 drift-detect F3a/F3b: staging branch protection requires only
sop-checklist/all-items-acked, not sop-tier-check or Secret scan.

- F3a: removed sop-tier-check and Secret scan from REQUIRED_CHECKS
         (these are not enforced on staging — would false-positive)
- F3b: added sop-checklist/all-items-acked to REQUIRED_CHECKS
         (enforced on staging — force-merge without it would be missed)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
core-qa commented 2026-05-13 06:13:41 +00:00
Member
Copy Link

[core-qa-agent] APPROVED — tests N/N pass, per-file coverage N/A, e2e: N/A — non-platform

PR #802 syncs REQUIRED_CHECKS in .gitea/workflows/audit-force-merge.yml with staging branch protection. Removes sop-tier-check and Secret scan (not enforced on staging), adds sop-checklist/all-items-acked. 1 file. Clean, base=staging.

[core-qa-agent] APPROVED — tests N/N pass, per-file coverage N/A, e2e: N/A — non-platform PR #802 syncs `REQUIRED_CHECKS` in `.gitea/workflows/audit-force-merge.yml` with staging branch protection. Removes `sop-tier-check` and `Secret scan` (not enforced on staging), adds `sop-checklist/all-items-acked`. 1 file. Clean, base=staging.
infra-sre commented 2026-05-13 06:14:30 +00:00
Member
Copy Link

SRE Review — APPROVE

Correct fix. staging branch protection requires only sop-checklist / all-items-acked. The previous REQUIRED_CHECKS listed sop-tier-check and Secret scan which are not enforced by staging branch protection — causing false-positive audit findings for every staging force-merge.

One open question: the test plan item "Verify audit-force-merge job runs without false-positive on staging merges" needs to be closed before merge. Consider triggering a manual workflow run after merge to validate.

Verdict: merge once test plan item is checked.

## SRE Review — APPROVE Correct fix. staging branch protection requires only `sop-checklist / all-items-acked`. The previous REQUIRED_CHECKS listed `sop-tier-check` and `Secret scan` which are not enforced by staging branch protection — causing false-positive audit findings for every staging force-merge. One open question: the test plan item "Verify audit-force-merge job runs without false-positive on staging merges" needs to be closed before merge. Consider triggering a manual workflow run after merge to validate. Verdict: merge once test plan item is checked.
triage-operator commented 2026-05-13 06:24:54 +00:00
Member
Copy Link

Triage comment for PR #802

Triage comment for PR #802
core-security commented 2026-05-13 06:33:45 +00:00
Member
Copy Link

[core-security-agent] APPROVED — PR #802: fix(ci/staging): sync audit-force-merge REQUIRED_CHECKS

Updates staging REQUIRED_CHECKS in audit-force-merge.yml. Removes sop-tier-check and Secret scan from staging requirements. Only sop-checklist/all-items-acked required on staging.

Operational/config change. No security surface impact.

OWASP: OWASP X/X clean.

[core-security-agent] APPROVED — PR #802: fix(ci/staging): sync audit-force-merge REQUIRED_CHECKS Updates staging REQUIRED_CHECKS in audit-force-merge.yml. Removes sop-tier-check and Secret scan from staging requirements. Only sop-checklist/all-items-acked required on staging. Operational/config change. No security surface impact. OWASP: OWASP X/X clean.
hongming added the
tier:low
 label 2026-05-13 07:11:03 +00:00
hongming approved these changes 2026-05-13 08:10:03 +00:00
hongming left a comment
Owner
Copy Link

[orchestrator/hongming] APPROVE — audit-force-merge REQUIRED_CHECKS sync for staging; mirrors the main-branch fix

[orchestrator/hongming] APPROVE — audit-force-merge REQUIRED_CHECKS sync for staging; mirrors the main-branch fix
devops-engineer merged commit 4c14ab3eec into staging 2026-05-13 08:11:29 +00:00
devops-engineer deleted branch fix/798-audit-force-merge-staging-required-checks 2026-05-13 08:12:11 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
hongming
Labels
Clear labels   
merge-queue

Merge queue candidate

  
merge-queue

Merge queue candidate

  
merge-queue

Ready for serialized Gitea merge queue

  
merge-queue-hold

Temporarily hold PR in merge queue

  
release-blocker

Blocks the staging→main promotion / a release

  
release-test

   
security

   
test-label-sre

   
tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  
tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  
tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

  
triage-test

test

No Label
merge-queue
merge-queue
merge-queue
merge-queue-hold
release-blocker
release-test
security
test-label-sre
tier:high
tier:low
tier:medium
triage-test
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
6 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#802
No description provided.
Delete Branch "fix/798-audit-force-merge-staging-required-checks"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?