diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml
index dfa5ddbf..8d943ea0 100644
--- a/.gitea/workflows/audit-force-merge.yml
+++ b/.gitea/workflows/audit-force-merge.yml
@@ -60,16 +60,19 @@ jobs:
 # (currently `main`; `staging` protection forthcoming per
 # RFC internal#219 Phase 4).
 #
- # Initialized 2026-05-11 from the current molecule-core `main`
- # branch protection:
+ # Current molecule-core `main` branch protection:
 #
 # GET /api/v1/repos/molecule-ai/molecule-core/
 # branch_protections/main
 # → status_check_contexts = [
- # "Secret scan / Scan diff for credential-shaped strings (pull_request)",
- # "sop-tier-check / tier-check (pull_request)"
+ # "CI / all-required (pull_request)",
+ # "sop-checklist / all-items-acked (pull_request)"
 # ]
 #
+ # mc#805 drift F3a/F3b: previous REQUIRED_CHECKS listed checks
+ # not enforced on main (Secret scan, sop-tier-check) while
+ # missing the enforced sop-checklist. Fixed here.
+ #
 # Declared here rather than fetched from /branch_protections
 # because that endpoint requires admin write — sop-tier-bot
 # is read-only by design (least-privilege per
@@ -78,12 +81,10 @@ jobs:
 # auto-detected by `ci-required-drift.yml` (RFC §4 + §6),
 # which opens a `[ci-drift]` issue within one hour.
 #
- # When the protection set changes (e.g. Phase 4 adds the
- # `ci / all-required (pull_request)` sentinel), update BOTH
- # branch protection AND this env in the SAME PR; drift-detect
- # will otherwise file an issue for you.
+ # When the protection set changes, update BOTH branch
+ # protection AND this env in the SAME PR; drift-detect will
+ # otherwise file an issue for you.
 REQUIRED_CHECKS: |
- Secret scan / Scan diff for credential-shaped strings (pull_request)
- sop-tier-check / tier-check (pull_request)
 CI / all-required (pull_request)
+ sop-checklist / all-items-acked (pull_request)
 run: bash .gitea/scripts/audit-force-merge.sh
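Review bot: The rewritten comment in the first hunk drops the date on which the protection set was read from the API ("Initialized 2026-05-11 …" becomes "Current …"), so a reader can no longer tell how stale this hand-copied snapshot is the next time it and the real branch protection disagree. Keep the snapshot dated, e.g. `# molecule-core `main` branch protection as read on <DATE-OF-THIS-PR>:`, and refresh that date in the same PR that edits the list (the existing "update BOTH … in the SAME PR" note is the natural place to say so). The removed text in the second hunk named the sentinel as `ci / all-required` while the API listing and the unchanged env line read `CI / all-required`, which suggests the contexts must match the API's status_check_contexts character for character; a one-line comment above REQUIRED_CHECKS stating that exact-match requirement would prevent the next drift, assuming audit-force-merge.sh compares them as literal strings — confirm against the script, which is outside this diff.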