From 639ee80e7d98d78e478693865969858c3bd4b4e0 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Wed, 13 May 2026 06:38:28 +0000
Subject: [PATCH] fix(ci/main): sync audit-force-merge REQUIRED_CHECKS with branch protection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

mc#805 drift F3a/F3b: main branch protection requires CI/all-required and sop-checklist/all-items-acked, not Secret scan or sop-tier-check.

- F3a: removed Secret scan and sop-tier-check from REQUIRED_CHECKS (not enforced on main — would false-positive)
- F3b: added sop-checklist/all-items-acked to REQUIRED_CHECKS (enforced on main — force-merge without it was missed)
- Also updated stale comment block that listed old contexts

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/audit-force-merge.yml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/audit-force-merge.yml b/.gitea/workflows/audit-force-merge.yml
index dfa5ddbf..8d943ea0 100644
--- a/.gitea/workflows/audit-force-merge.yml
+++ b/.gitea/workflows/audit-force-merge.yml
@@ -60,16 +60,19 @@ jobs:
 # (currently `main`; `staging` protection forthcoming per
 # RFC internal#219 Phase 4).
 #
-# Initialized 2026-05-11 from the current molecule-core `main`
-# branch protection:
+# Current molecule-core `main` branch protection:
 #
 # GET /api/v1/repos/molecule-ai/molecule-core/
 # branch_protections/main
 # → status_check_contexts = [
-# "Secret scan / Scan diff for credential-shaped strings (pull_request)",
-# "sop-tier-check / tier-check (pull_request)"
+# "CI / all-required (pull_request)",
+# "sop-checklist / all-items-acked (pull_request)"
 # ]
 #
+# mc#805 drift F3a/F3b: previous REQUIRED_CHECKS listed checks
+# not enforced on main (Secret scan, sop-tier-check) while
+# missing the enforced sop-checklist. Fixed here.
+#
 # Declared here rather than fetched from /branch_protections
 # because that endpoint requires admin write — sop-tier-bot
 # is read-only by design (least-privilege per
@@ -78,12 +81,10 @@ jobs:
 # auto-detected by `ci-required-drift.yml` (RFC §4 + §6),
 # which opens a `[ci-drift]` issue within one hour.
 #
-# When the protection set changes (e.g. Phase 4 adds the
-# `ci / all-required (pull_request)` sentinel), update BOTH
-# branch protection AND this env in the SAME PR; drift-detect
-# will otherwise file an issue for you.
+# When the protection set changes, update BOTH branch
+# protection AND this env in the SAME PR; drift-detect will
+# otherwise file an issue for you.
 REQUIRED_CHECKS: |
-Secret scan / Scan diff for credential-shaped strings (pull_request)
-sop-tier-check / tier-check (pull_request)
 CI / all-required (pull_request)
+sop-checklist / all-items-acked (pull_request)
 run: bash .gitea/scripts/audit-force-merge.sh
-- 
2.45.2
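Review bot: Removing `Secret scan / Scan diff for credential-shaped strings (pull_request)` from REQUIRED_CHECKS in the second hunk means this audit no longer flags a force-merge that skipped the credential scan, and the new comment block in the first hunk records only that the old list was drift, not that this is now an accepted gap. Since that block is where the next reader will look, it should say so explicitly and point at where the gap is tracked, e.g. `# NOTE: Secret scan is not a required context on main, so force-merges that bypass it are not flagged by this audit — tracked in <ISSUE-ID>` (replace the placeholder with the real tracker reference). The rewrite also drops the `Initialized 2026-05-11` line, so the comment no longer tells a reader when the list was last verified against the API; keeping a dated line such as `# Last verified against /branch_protections/main: 2026-05-13` makes the staleness that ci-required-drift.yml is meant to catch visible in the file itself. The `env:` block these hunks edit starts above the first hunk and is not fully visible here.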