lex-github 0.2.5 → 0.3.0

data/lib/legion/extensions/github/helpers/token_cache.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require 'time'
+require 'legion/cache/helper'
+
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        module TokenCache
+          include Legion::Cache::Helper
+
+          TOKEN_BUFFER_SECONDS = 300
+
+          def store_token(token:, auth_type:, expires_at:, installation_id: nil, metadata: {}, **)
+            entry = { token: token, auth_type: auth_type,
+                      expires_at: expires_at.respond_to?(:iso8601) ? expires_at.iso8601 : expires_at,
+                      installation_id: installation_id, metadata: metadata }
+            ttl = [(expires_at.respond_to?(:to_i) ? expires_at.to_i - Time.now.to_i : 3600), 60].max
+            key = token_cache_key(auth_type, installation_id)
+            cache_set(key, entry, ttl: ttl) if cache_connected?
+            local_cache_set(key, entry, ttl: ttl) if local_cache_connected?
+          end
+
+          def fetch_token(auth_type:, installation_id: nil, **)
+            key = token_cache_key(auth_type, installation_id)
+            entry = token_cache_read(key)
+
+            entry = token_cache_read(token_cache_key(auth_type, nil)) if entry.nil? && installation_id
+
+            return nil unless entry
+
+            expires = begin
+              Time.parse(entry[:expires_at].to_s)
+            rescue StandardError => _e
+              nil
+            end
+            return nil if expires && expires < Time.now + TOKEN_BUFFER_SECONDS
+
+            entry
+          end
+
+          def mark_rate_limited(auth_type:, reset_at:, **)
+            entry = { reset_at: reset_at.respond_to?(:iso8601) ? reset_at.iso8601 : reset_at }
+            ttl = [(reset_at.respond_to?(:to_i) ? reset_at.to_i - Time.now.to_i : 300), 10].max
+            key = "github:rate_limit:#{auth_type}"
+            cache_set(key, entry, ttl: ttl) if cache_connected?
+            local_cache_set(key, entry, ttl: ttl) if local_cache_connected?
+          end
+
+          def rate_limited?(auth_type:, **)
+            key = "github:rate_limit:#{auth_type}"
+            entry = if cache_connected?
+                      cache_get(key)
+                    elsif local_cache_connected?
+                      local_cache_get(key)
+                    end
+            return false unless entry
+
+            reset = begin
+              Time.parse(entry[:reset_at].to_s)
+            rescue StandardError => _e
+              nil
+            end
+            reset.nil? || reset > Time.now
+          end
+
+          private
+
+          def token_cache_key(auth_type, installation_id)
+            base = "github:token:#{auth_type}"
+            installation_id ? "#{base}:#{installation_id}" : base
+          end
+
+          def token_cache_read(key)
+            if cache_connected?
+              cache_get(key)
+            elsif local_cache_connected?
+              local_cache_get(key)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/middleware/credential_fallback.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'faraday'
+
+module Legion
+  module Extensions
+    module Github
+      module Middleware
+        class CredentialFallback < ::Faraday::Middleware
+          RETRYABLE_STATUSES = [403, 429].freeze
+          IDEMPOTENT_METHODS = %w[GET HEAD OPTIONS PUT DELETE].freeze
+
+          def initialize(app, resolver: nil)
+            super(app)
+            @resolver = resolver
+          end
+
+          def call(env)
+            response = @app.call(env)
+            return response unless should_retry?(response)
+
+            retries = 0
+            max = @resolver.respond_to?(:max_fallback_retries) ? @resolver.max_fallback_retries : 3
+
+            while retries < max && should_retry?(response)
+              notify_resolver(response)
+
+              owner, repo = extract_owner_repo_from_env(env)
+              next_credential = @resolver&.resolve_next_credential(owner: owner, repo: repo)
+              break unless next_credential
+
+              env[:request_headers]['Authorization'] = "Bearer #{next_credential[:token]}"
+
+              response = @app.call(env)
+              retries += 1
+            end
+
+            response
+          end
+
+          private
+
+          def should_retry?(response)
+            return false unless @resolver.respond_to?(:credential_fallback?)
+            return false unless @resolver.credential_fallback?
+            return false unless IDEMPOTENT_METHODS.include?(response.env[:method].to_s.upcase)
+
+            RETRYABLE_STATUSES.include?(response.status)
+          end
+
+          def extract_owner_repo_from_env(env)
+            path = env.url&.path.to_s
+            match = path.match(%r{^/repos/([^/]+)/([^/]+)})
+            match ? [match[1], match[2]] : [nil, nil]
+          end
+
+          def notify_resolver(response)
+            if response.status == 429 && @resolver.respond_to?(:on_rate_limit)
+              reset = response.headers['x-ratelimit-reset']
+              reset_at = reset ? Time.at(reset.to_i) : Time.now + 60
+              @resolver.on_rate_limit(remaining: 0, reset_at: reset_at,
+                                      status: 429, url: response.env.url.to_s)
+            elsif response.status == 403 && @resolver.respond_to?(:on_scope_denied)
+              @resolver.on_scope_denied(status: 403, url: response.env.url.to_s,
+                                        path: response.env.url.path)
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Faraday::Middleware.register_middleware(
+  github_credential_fallback: Legion::Extensions::Github::Middleware::CredentialFallback
+)

data/lib/legion/extensions/github/middleware/rate_limit.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'faraday'
+
+module Legion
+  module Extensions
+    module Github
+      module Middleware
+        class RateLimit < ::Faraday::Middleware
+          def initialize(app, handler: nil)
+            super(app)
+            @handler = handler
+          end
+
+          def on_complete(env)
+            remaining = env.response_headers['x-ratelimit-remaining']
+            reset = env.response_headers['x-ratelimit-reset']
+            return unless remaining
+
+            remaining_int = remaining.to_i
+            return unless remaining_int.zero? || env.status == 429
+            return unless @handler.respond_to?(:on_rate_limit)
+
+            reset_at = reset ? Time.at(reset.to_i) : Time.now + 60
+            @handler.on_rate_limit(
+              remaining: remaining_int,
+              reset_at:  reset_at,
+              status:    env.status,
+              url:       env.url.to_s
+            )
+          end
+        end
+      end
+    end
+  end
+end
+
+Faraday::Response.register_middleware(
+  github_rate_limit: Legion::Extensions::Github::Middleware::RateLimit
+)

data/lib/legion/extensions/github/middleware/scope_probe.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'faraday'
+
+module Legion
+  module Extensions
+    module Github
+      module Middleware
+        class ScopeProbe < ::Faraday::Middleware
+          REPO_PATH_PATTERN = %r{^/repos/([^/]+)/([^/]+)}
+
+          def initialize(app, handler: nil)
+            super(app)
+            @handler = handler
+          end
+
+          def on_complete(env)
+            return unless @handler
+            return unless env.url.path.match?(REPO_PATH_PATTERN)
+
+            info = { status: env.status, url: env.url.to_s, path: env.url.path }
+
+            if [403, 404].include?(env.status)
+              @handler.on_scope_denied(info) if @handler.respond_to?(:on_scope_denied)
+            elsif env.status >= 200 && env.status < 300
+              @handler.on_scope_authorized(info) if @handler.respond_to?(:on_scope_authorized)
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Faraday::Response.register_middleware(
+  github_scope_probe: Legion::Extensions::Github::Middleware::ScopeProbe
+)

data/lib/legion/extensions/github/oauth/actor/token_refresh.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module OAuth
+        module Actor
+          class TokenRefresh < Legion::Extensions::Actors::Every # rubocop:disable Legion/Extension/SelfContainedActorRunnerClass,Legion/Extension/EveryActorRequiresTime
+            def use_runner?    = false
+            def check_subtask? = false
+            def generate_task? = false
+
+            def time
+              3 * 60 * 60
+            end
+
+            # rubocop:disable Legion/Extension/ActorEnabledSideEffects
+            def enabled?
+              oauth_settings[:client_id] && oauth_settings[:client_secret]
+            rescue StandardError => _e
+              false
+            end
+            # rubocop:enable Legion/Extension/ActorEnabledSideEffects
+
+            def manual
+              settings = oauth_settings
+              return unless settings[:client_id] && settings[:client_secret]
+
+              token_entry = fetch_delegated_token
+              return unless token_entry&.dig(:refresh_token)
+
+              auth = Object.new.extend(Legion::Extensions::Github::OAuth::Runners::Auth)
+              result = auth.refresh_token(
+                client_id:     settings[:client_id],
+                client_secret: settings[:client_secret],
+                refresh_token: token_entry[:refresh_token]
+              )
+              return unless result.dig(:result, 'access_token')
+
+              store_delegated_token(result[:result])
+              log.info('OAuth::Actor::TokenRefresh: delegated token refreshed')
+            rescue StandardError => e
+              log.error("OAuth::Actor::TokenRefresh: #{e.message}")
+            end
+
+            private
+
+            def oauth_settings
+              return {} unless defined?(Legion::Settings)
+
+              Legion::Settings[:github]&.dig(:oauth) || {}
+            rescue StandardError => _e
+              {}
+            end
+
+            def fetch_delegated_token
+              return nil unless defined?(Legion::Crypt)
+
+              vault_get('github/oauth/delegated/token')
+            rescue StandardError => _e
+              nil
+            end
+
+            def store_delegated_token(token_data)
+              return unless defined?(Legion::Crypt)
+
+              vault_write('github/oauth/delegated/token', token_data)
+            rescue StandardError => e
+              log.warn("OAuth::Actor::TokenRefresh#store_delegated_token: #{e.message}")
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/oauth/hooks/callback.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module OAuth
+        module Hooks
+          class Callback < Legion::Extensions::Hooks::Base # rubocop:disable Legion/Extension/HookMissingRunnerClass
+            mount '/callback'
+
+            def self.runner_class
+              'Legion::Extensions::Github::OAuth::Runners::Auth'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/oauth/runners/auth.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'openssl'
+require 'securerandom'
+require 'uri'
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module OAuth
+        module Runners
+          module Auth
+            include Legion::Extensions::Github::Helpers::Client
+
+            def generate_pkce(**)
+              verifier = SecureRandom.urlsafe_base64(32)
+              challenge = ::Base64.urlsafe_encode64(
+                OpenSSL::Digest::SHA256.digest(verifier), padding: false
+              )
+              { result: { verifier: verifier, challenge: challenge, challenge_method: 'S256' } }
+            end
+
+            def authorize_url(client_id:, redirect_uri:, scope:, state:,
+                              code_challenge:, code_challenge_method: 'S256', **)
+              params = URI.encode_www_form(
+                client_id: client_id, redirect_uri: redirect_uri,
+                scope: scope, state: state,
+                code_challenge: code_challenge,
+                code_challenge_method: code_challenge_method
+              )
+              { result: "https://github.com/login/oauth/authorize?#{params}" }
+            end
+
+            def exchange_code(client_id:, client_secret:, code:, redirect_uri:, code_verifier:, **)
+              response = oauth_connection.post('/login/oauth/access_token', {
+                                                 client_id: client_id, client_secret: client_secret,
+                                                code: code, redirect_uri: redirect_uri,
+                                                code_verifier: code_verifier
+                                               })
+              { result: response.body }
+            end
+
+            def refresh_token(client_id:, client_secret:, refresh_token:, **)
+              response = oauth_connection.post('/login/oauth/access_token', {
+                                                 client_id: client_id, client_secret: client_secret,
+                                                refresh_token: refresh_token,
+                                                grant_type: 'refresh_token'
+                                               })
+              { result: response.body }
+            end
+
+            def request_device_code(client_id:, scope: 'repo', **)
+              response = oauth_connection.post('/login/device/code', {
+                                                 client_id: client_id, scope: scope
+                                               })
+              { result: response.body }
+            end
+
+            def poll_device_code(client_id:, device_code:, interval: 5, timeout: 300, **)
+              deadline = Time.now + timeout
+              current_interval = interval
+
+              loop do
+                response = oauth_connection.post('/login/oauth/access_token', {
+                                                   client_id:   client_id,
+                                                   device_code: device_code,
+                                                   grant_type:  'urn:ietf:params:oauth:grant-type:device_code'
+                                                 })
+                body = response.body
+                return { result: body } if body[:access_token]
+
+                error_key = body[:error]
+                case error_key
+                when 'authorization_pending'
+                  return { error: 'timeout', description: "Device code flow timed out after #{timeout}s" } if Time.now > deadline
+
+                  sleep(current_interval) unless current_interval.zero?
+                when 'slow_down'
+                  current_interval += 5
+                  sleep(current_interval) unless current_interval.zero?
+                else
+                  return { error: error_key, description: body[:error_description] }
+                end
+              end
+            end
+
+            def revoke_token(client_id:, client_secret:, access_token:, **)
+              conn = oauth_connection(client_id: client_id, client_secret: client_secret)
+              response = conn.delete("/applications/#{client_id}/token", { access_token: access_token })
+              { result: response.status == 204 }
+            end
+
+            def oauth_connection(client_id: nil, client_secret: nil, **)
+              Faraday.new(url: 'https://github.com') do |conn|
+                conn.request :json
+                conn.response :json, content_type: /\bjson$/
+                conn.headers['Accept'] = 'application/json'
+                conn.request :authorization, :basic, client_id, client_secret if client_id && client_secret
+              end
+            end
+
+            include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                        Legion::Extensions::Helpers.const_defined?(:Lex, false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/oauth/transport/exchanges/oauth.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module OAuth
+        module Transport
+          module Exchanges
+            class Oauth < Legion::Transport::Exchange
+              def exchange_name = 'lex.github.oauth'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/oauth/transport/queues/auth.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Legion
+  module Extensions
+    module Github
+      module OAuth
+        module Transport
+          module Queues
+            class Auth < Legion::Transport::Queue
+              def queue_name    = 'lex.github.oauth.runners.auth'
+              def queue_options = { auto_delete: false }
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/runners/actions.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/github/helpers/client'
+
+module Legion
+  module Extensions
+    module Github
+      module Runners
+        module Actions
+          include Legion::Extensions::Github::Helpers::Client
+
+          def list_workflows(owner:, repo:, per_page: 30, page: 1, **)
+            response = connection(owner: owner, repo: repo, **).get(
+              "/repos/#{owner}/#{repo}/actions/workflows", per_page: per_page, page: page
+            )
+            { result: response.body }
+          end
+
+          def get_workflow(owner:, repo:, workflow_id:, **)
+            response = connection(owner: owner, repo: repo, **).get(
+              "/repos/#{owner}/#{repo}/actions/workflows/#{workflow_id}"
+            )
+            { result: response.body }
+          end
+
+          def list_workflow_runs(owner:, repo:, workflow_id:, status: nil, branch: nil,
+                                 per_page: 30, page: 1, **)
+            params = { per_page: per_page, page: page, status: status, branch: branch }.compact
+            response = connection(owner: owner, repo: repo, **).get(
+              "/repos/#{owner}/#{repo}/actions/workflows/#{workflow_id}/runs", params
+            )
+            { result: response.body }
+          end
+
+          def get_workflow_run(owner:, repo:, run_id:, **)
+            response = connection(owner: owner, repo: repo, **).get(
+              "/repos/#{owner}/#{repo}/actions/runs/#{run_id}"
+            )
+            { result: response.body }
+          end
+
+          def trigger_workflow(owner:, repo:, workflow_id:, ref:, inputs: {}, **)
+            payload = { ref: ref, inputs: inputs }
+            response = connection(owner: owner, repo: repo, **).post(
+              "/repos/#{owner}/#{repo}/actions/workflows/#{workflow_id}/dispatches", payload
+            )
+            { result: response.status == 204 }
+          end
+
+          def cancel_workflow_run(owner:, repo:, run_id:, **)
+            response = connection(owner: owner, repo: repo, **).post(
+              "/repos/#{owner}/#{repo}/actions/runs/#{run_id}/cancel"
+            )
+            { result: [202, 204].include?(response.status) }
+          end
+
+          def rerun_workflow(owner:, repo:, run_id:, **)
+            response = connection(owner: owner, repo: repo, **).post(
+              "/repos/#{owner}/#{repo}/actions/runs/#{run_id}/rerun"
+            )
+            { result: [201, 204].include?(response.status) }
+          end
+
+          def rerun_failed_jobs(owner:, repo:, run_id:, **)
+            response = connection(owner: owner, repo: repo, **).post(
+              "/repos/#{owner}/#{repo}/actions/runs/#{run_id}/rerun-failed-jobs"
+            )
+            { result: [201, 204].include?(response.status) }
+          end
+
+          def list_workflow_run_jobs(owner:, repo:, run_id:, filter: 'latest', per_page: 30, page: 1, **)
+            params = { filter: filter, per_page: per_page, page: page }
+            response = connection(owner: owner, repo: repo, **).get(
+              "/repos/#{owner}/#{repo}/actions/runs/#{run_id}/jobs", params
+            )
+            { result: response.body }
+          end
+
+          def download_workflow_run_logs(owner:, repo:, run_id:, **)
+            response = connection(owner: owner, repo: repo, **).get(
+              "/repos/#{owner}/#{repo}/actions/runs/#{run_id}/logs"
+            )
+            { result: { status: response.status, headers: response.headers.to_h, body: response.body } }
+          end
+
+          def list_workflow_run_artifacts(owner:, repo:, run_id:, per_page: 30, page: 1, **)
+            params = { per_page: per_page, page: page }
+            response = connection(owner: owner, repo: repo, **).get(
+              "/repos/#{owner}/#{repo}/actions/runs/#{run_id}/artifacts", params
+            )
+            { result: response.body }
+          end
+
+          include Legion::Extensions::Helpers::Lex if Legion::Extensions.const_defined?(:Helpers, false) &&
+                                                      Legion::Extensions::Helpers.const_defined?(:Lex, false)
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/runners/branches.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'legion/extensions/github/helpers/client'
+require 'legion/extensions/github/helpers/cache'
 
 module Legion
   module Extensions
@@ -8,13 +9,14 @@ module Legion
       module Runners
         module Branches
           include Legion::Extensions::Github::Helpers::Client
+          include Legion::Extensions::Github::Helpers::Cache
 
           def create_branch(owner:, repo:, branch:, from_ref: 'main', **)
-            ref_response = connection(**).get("/repos/#{owner}/#{repo}/git/ref/heads/#{from_ref}")
+            ref_response = connection(owner: owner, repo: repo, **).get("/repos/#{owner}/#{repo}/git/ref/heads/#{from_ref}")
             sha = ref_response.body.dig('object', 'sha')
 
-            create_response = connection(**).post("/repos/#{owner}/#{repo}/git/refs",
-                                                  { ref: "refs/heads/#{branch}", sha: sha })
+            create_response = connection(owner: owner, repo: repo, **).post("/repos/#{owner}/#{repo}/git/refs",
+                                                                            { ref: "refs/heads/#{branch}", sha: sha })
 
             { success: true, ref: create_response.body['ref'], sha: sha }
           rescue StandardError => e