From 14722907555de81aa0282ca004b2f30bed4462dd Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Thu, 14 May 2026 00:25:57 +0000
Subject: [PATCH] =?UTF-8?q?fix(ci):=20use=20SOP=5FTIER=5FCHECK=5FTOKEN=20f?= =?UTF-8?q?or=20qa/security=20review=20gates=20=E2=80=94=20unblocks=20#899?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RFC_324_TEAM_READ_TOKEN was never provisioned. Fallback secrets.GITHUB_TOKEN is repo-scoped and cannot probe /teams/{id}/members/{username} — Gitea returns 403 for non-team-members. All open PRs fail qa-review and security-review gates permanently. Use the already-provisioned SOP_TIER_CHECK_TOKEN as primary. It is used successfully by sop-tier-check.yml which also probes team memberships via the same API endpoint — same scope (read:repository + read:organization).

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/qa-review.yml       | 4 ++--
 .gitea/workflows/security-review.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/qa-review.yml b/.gitea/workflows/qa-review.yml
index c9360706..5fc0f5bf 100644
--- a/.gitea/workflows/qa-review.yml
+++ b/.gitea/workflows/qa-review.yml
@@ -120,7 +120,7 @@ jobs:
         # no comment.user.login so the step is a no-op skip there.
         if: github.event_name == 'issue_comment'
         env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
         run: |
           set -euo pipefail
           login="${{ github.event.comment.user.login }}"
@@ -151,7 +151,7 @@ jobs:
 
       - name: Evaluate qa-review
         env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
           GITEA_HOST: git.moleculesai.app
           REPO: ${{ github.repository }}
           # PR number lives in different places per event:
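Review bot: The `|| secrets.GITHUB_TOKEN` fallback kept on the added `GITEA_TOKEN:` line defeats the reliability this commit is after: by the commit's own description GITHUB_TOKEN cannot read /teams/{id}/members/{username} (403), so if SOP_TIER_CHECK_TOKEN is ever unset or rotated away the gate silently degrades to the same permanent failure the old RFC_324_TEAM_READ_TOKEN name produced, indistinguishable from a genuine non-member. Drop the fallback so the variable is empty when the secret is missing, `GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN }}`, fail fast at the top of the run body with `: "${GITEA_TOKEN:?SOP_TIER_CHECK_TOKEN is not provisioned}"`, and record the contract on the env line with a comment such as `# org-read PAT (read:organization); GITHUB_TOKEN cannot query team membership`. The same applies to the second hunk in this file and to both hunks in security-review.yml. Separately, this more privileged token now sits in the env of a step whose `run:` splices `${{ github.event.comment.user.login }}` straight into the shell script; passing it as `LOGIN: ${{ github.event.comment.user.login }}` under `env:` and reading `"$LOGIN"` keeps expression interpolation out of the script. The run bodies continue outside these hunks, so how a 403 from the membership lookup is interpreted there is not visible here.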
diff --git a/.gitea/workflows/security-review.yml b/.gitea/workflows/security-review.yml
index 6e5a1844..3013fe8a 100644
--- a/.gitea/workflows/security-review.yml
+++ b/.gitea/workflows/security-review.yml
@@ -37,7 +37,7 @@ jobs:
         # so re-running on a non-collaborator comment is harmless.
         if: github.event_name == 'issue_comment'
         env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
         run: |
           set -euo pipefail
           login="${{ github.event.comment.user.login }}"
@@ -62,7 +62,7 @@ jobs:
 
      - name: Evaluate security-review
         env:
-          GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
           GITEA_HOST: git.moleculesai.app
           REPO: ${{ github.repository }}
           PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
-- 
2.45.2