From c975ebfec975e9e0a24d5017ea7e350205ed6052 Mon Sep 17 00:00:00 2001 From: Molecule AI Core-DevOps Date: Wed, 13 May 2026 06:03:14 +0000 Subject: [PATCH] fix(ci/staging): sync audit-force-merge REQUIRED_CHECKS with branch protection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit mc#798 drift-detect F3a/F3b: staging branch protection requires only sop-checklist/all-items-acked, not sop-tier-check or Secret scan. - F3a: removed sop-tier-check and Secret scan from REQUIRED_CHECKS (these are not enforced on staging — would false-positive) - F3b: added sop-checklist/all-items-acked to REQUIRED_CHECKS (enforced on staging — force-merge without it would be missed) Co-Authored-By: Claude Opus 4.7 --- .gitea/workflows/audit-force-merge.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml index 09f4eb7b..218d0e0b 100644 --- a/.gitea/workflows/audit-force-merge.yml +++ b/.gitea/workflows/audit-force-merge.yml @@ -52,7 +52,10 @@ jobs: # Declared here rather than fetched from /branch_protections # because that endpoint requires admin write — sop-tier-bot is # read-only by design (least-privilege). + # + # staging branch protection (§F3a/F3b, mc#798): only + # sop-checklist / all-items-acked is required. Unlike main, + # staging does not require sop-tier-check or Secret scan. REQUIRED_CHECKS: | - sop-tier-check / tier-check (pull_request) - Secret scan / Scan diff for credential-shaped strings (pull_request) + sop-checklist / all-items-acked (pull_request) run: bash .gitea/scripts/audit-force-merge.sh -- 2.45.2
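Review bot: the single REQUIRED_CHECKS list drops sop-tier-check and Secret scan for every branch this workflow audits, while the new comment on the same hunk states that main still requires both. Nothing in the hunk scopes the job to staging (the env block and the `run: bash .gitea/scripts/audit-force-merge.sh` step carry no branch condition, and the workflow file name has no branch qualifier), so if the script is also run for force-merges into main, a merge there that skipped sop-tier-check or Secret scan would now go unreported, which is the opposite of the F3b concern the commit message raises for staging. Either confirm in the comment that the workflow triggers only for staging, or key the list by target branch (for example a separate `REQUIRED_CHECKS_MAIN` and `REQUIRED_CHECKS_STAGING`, with the script selecting by the PR's base branch). A second point on the same comment: because sop-tier-bot is read-only and cannot fetch /branch_protections, this hardcoded list is the only copy of the protection rules, which is exactly what drifted in mc#798; name the drift-detect check (F3a/F3b) that is expected to catch the next divergence so the next editor knows the list is verified rather than trusted.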