diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml index 09f4eb7b..218d0e0b 100644 --- a/.gitea/workflows/audit-force-merge.yml +++ b/.gitea/workflows/audit-force-merge.yml @@ -52,7 +52,10 @@ jobs: # Declared here rather than fetched from /branch_protections # because that endpoint requires admin write — sop-tier-bot is # read-only by design (least-privilege). + # + # staging branch protection (§F3a/F3b, mc#798): only + # sop-checklist / all-items-acked is required. Unlike main, + # staging does not require sop-tier-check or Secret scan. REQUIRED_CHECKS: | - sop-tier-check / tier-check (pull_request) - Secret scan / Scan diff for credential-shaped strings (pull_request) + sop-checklist / all-items-acked (pull_request) run: bash .gitea/scripts/audit-force-merge.sh
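Review bot: the REQUIRED_CHECKS list under `jobs:` is replaced wholesale rather than made branch-specific, so if this workflow also audits force-merges to main, the removed entries `sop-tier-check / tier-check (pull_request)` and `Secret scan / Scan diff for credential-shaped strings (pull_request)` are no longer audited there either, even though the new comment says those are still required on main. Either confirm (in the comment or a trigger filter) that this job is scoped to staging only, or key the list per branch (for example a `REQUIRED_CHECKS_MAIN` and `REQUIRED_CHECKS_STAGING` selected by the target branch before calling `audit-force-merge.sh`). It would also help to state in the comment why staging intentionally omits the Secret scan requirement, since the audit is the only place a read-only `sop-tier-bot` can surface that gap.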