@misterhuydo/sentinel 1.4.68 → 1.4.69

package/python/scripts/patch_chain_release.py

@@ -0,0 +1,236 @@
+#!/usr/bin/env python3
+"""Patch sentinel_boss.py to add chain_release tool."""
+import sys
+
+TARGET = '/home/sentinel/sentinel/code/sentinel/sentinel_boss.py'
+
+with open(TARGET, 'r', encoding='utf-8') as f:
+    content = f.read()
+
+# ── 1. Add tool definition (before the closing ] of the tools list) ──────────
+
+TOOL_DEF = '''    {
+        "name": "chain_release",
+        "description": (
+            "Execute a sequential release chain: release repo A, update repo B's dependency on A and release B, "
+            "update repo C's dependency on B and release C, and so on. "
+            "Use when the admin describes a multi-step release pipeline like "
+            "'release TypeLib, then update Java-SDK with new TypeLib and release it, then update Admin-SDK...'. "
+            "Also handles shorter requests like 'release TypeLib and cascade' by inferring the full chain. "
+            "confirmed=false shows the full plan with version numbers; confirmed=true executes all steps in order."
+        ),
+        "input_schema": {
+            "type": "object",
+            "properties": {
+                "chain": {
+                    "type": "array",
+                    "items": {"type": "string"},
+                    "description": (
+                        "Ordered list of repo names from first-to-release to last. "
+                        "E.g. ['Whydah-TypeLib', 'Whydah-Java-SDK', 'Whydah-Admin-SDK', '1881-SSOLoginWebApp']"
+                    ),
+                },
+                "confirmed": {
+                    "type": "boolean",
+                    "description": "false = show plan only (default); true = execute all steps in sequence",
+                },
+            },
+            "required": ["chain", "confirmed"],
+        },
+    },
+]'''
+
+OLD_CLOSE = '''    },
+]
+
+
+# ── Workspace helpers'''
+
+NEW_CLOSE = TOOL_DEF + '''
+
+
+# ── Workspace helpers'''
+
+if OLD_CLOSE not in content:
+    print("ERROR: tools list closing marker not found")
+    sys.exit(1)
+
+content = content.replace(OLD_CLOSE, NEW_CLOSE, 1)
+
+# ── 2. Add chain_release to _ADMIN_TOOLS ─────────────────────────────────────
+
+OLD_ADMIN = '"manage_release"}'
+NEW_ADMIN = '"manage_release", "chain_release"}'
+if OLD_ADMIN not in content:
+    print("ERROR: _ADMIN_TOOLS not found")
+    sys.exit(1)
+content = content.replace(OLD_ADMIN, NEW_ADMIN, 1)
+
+# ── 3. Add handler (before final "unknown tool" fallback) ────────────────────
+
+HANDLER = '''    if name == "chain_release":
+        from .dependency_manager import get_artifact_id, get_release_version, update_dependency
+        from .git_manager import commit_file_change, push_dep_update
+        from .cicd_trigger import _trigger_jenkins_release
+        from .notify import slack_alert
+
+        chain_repos = inputs.get("chain", [])
+        confirmed   = bool(inputs.get("confirmed", False))
+
+        if not chain_repos or len(chain_repos) < 2:
+            return json.dumps({"error": "chain must contain at least 2 repos"})
+
+        # Resolve repo configs (fuzzy match)
+        resolved = []
+        for rname in chain_repos:
+            repo = cfg_loader.repos.get(rname)
+            if not repo:
+                for k, v in cfg_loader.repos.items():
+                    if rname.lower() in k.lower():
+                        repo = v
+                        rname = k
+                        break
+            if not repo:
+                return json.dumps({"error": f"Repo not found: {rname}. Known: {list(cfg_loader.repos.keys())}"})
+            resolved.append(repo)
+
+        # Gather artifact IDs and release versions for each repo
+        steps = []
+        for repo in resolved:
+            artifact_id  = get_artifact_id(repo.local_path)  if repo.local_path else ""
+            release_ver  = get_release_version(repo.local_path) if repo.local_path else ""
+            steps.append({
+                "repo":            repo.repo_name,
+                "artifact_id":     artifact_id,
+                "release_version": release_ver,
+                "cicd_url":        repo.cicd_job_url,
+                "auto_publish":    repo.auto_publish,
+            })
+
+        # ── Plan phase ───────────────────────────────────────────────────────
+        if not confirmed:
+            plan_steps = []
+            for i, step in enumerate(steps):
+                if i == 0:
+                    desc = f"Release {step['repo']} v{step['release_version']}"
+                else:
+                    prev = steps[i - 1]
+                    desc = (
+                        f"Update {step['repo']} dep on {prev['artifact_id']} "
+                        f"→ {prev['release_version']}, then release v{step['release_version']}"
+                    )
+                plan_steps.append({
+                    "step":            i + 1,
+                    "action":          desc,
+                    "repo":            step["repo"],
+                    "release_version": step["release_version"],
+                    "jenkins_url":     step["cicd_url"],
+                    "mode":            "push to main" if step["auto_publish"] else "open PR",
+                })
+            return json.dumps({
+                "plan":           f"Sequential release chain: {' → '.join(s['repo'] for s in steps)}",
+                "steps":          plan_steps,
+                "confirm_prompt": "Reply with confirmed=true to execute all steps in sequence.",
+            })
+
+        # ── Execute phase ─────────────────────────────────────────────────────
+        cfg = cfg_loader.sentinel
+        slack_alert(
+            cfg.slack_bot_token, cfg.slack_channel,
+            f":chains: *Chain release started* ({len(steps)} steps)\\n"
+            + " \\u2192 ".join(s["repo"] for s in steps),
+        )
+
+        results = []
+        for i, (step, repo) in enumerate(zip(steps, resolved)):
+            step_label = f"Step {i + 1}/{len(steps)}"
+
+            # Update dependency on previous repo's artifact
+            if i > 0:
+                prev = steps[i - 1]
+                if not prev["artifact_id"] or not prev["release_version"]:
+                    msg = f"{step_label}: skipped — could not read artifact/version from {prev['repo']}"
+                    results.append({"step": i + 1, "repo": step["repo"], "status": "skipped", "error": msg})
+                    slack_alert(cfg.slack_bot_token, cfg.slack_channel, f":warning: {msg}")
+                    break
+                changed = update_dependency(repo.local_path, prev["artifact_id"], prev["release_version"])
+                if changed:
+                    commit_msg = (
+                        f"chore(deps): update {prev['artifact_id']} to {prev['release_version']} [sentinel-chain]\\n\\n"
+                        f"Part of release chain: {' -> '.join(s['repo'] for s in steps)}"
+                    )
+                    status, commit_hash = commit_file_change(repo, ["pom.xml"], commit_msg)
+                    if status != "committed":
+                        msg = f"{step_label}: git commit failed for {repo.repo_name}"
+                        results.append({"step": i + 1, "repo": step["repo"], "status": "failed", "error": msg})
+                        slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                                    f":x: *Chain release failed at {step_label}*\\n{msg}")
+                        break
+                    branch, pr_url = push_dep_update(repo, cfg, prev["artifact_id"], prev["release_version"], commit_hash)
+                    action = f"<{pr_url}|PR opened>" if pr_url else f"pushed to `{branch}`"
+                    slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                                f":arrow_right: {step_label}: Updated `{repo.repo_name}` "
+                                f"`{prev['artifact_id']}` \\u2192 `{prev['release_version']}` ({action})")
+                else:
+                    slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                                f":information_source: {step_label}: `{repo.repo_name}` dep already at "
+                                f"`{prev['release_version']}` — skipping pom.xml update")
+
+            # Trigger Jenkins release
+            if repo.cicd_job_url and repo.cicd_type:
+                success = _trigger_jenkins_release(repo)
+                if success:
+                    slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                                f":rocket: {step_label}: Jenkins release triggered — "
+                                f"`{repo.repo_name}` v{step['release_version']}")
+                    results.append({"step": i + 1, "repo": step["repo"], "status": "released",
+                                    "version": step["release_version"]})
+                else:
+                    msg = f"Jenkins release trigger failed for {repo.repo_name}"
+                    results.append({"step": i + 1, "repo": step["repo"], "status": "failed", "error": msg})
+                    slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                                f":x: *Chain release failed at {step_label}*\\n{msg}")
+                    break
+            else:
+                slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                            f":information_source: {step_label}: `{repo.repo_name}` has no CI/CD — "
+                            f"pom.xml updated but Jenkins not triggered")
+                results.append({"step": i + 1, "repo": step["repo"], "status": "no_cicd",
+                                "note": "pom.xml updated, no Jenkins trigger configured"})
+
+        all_ok = all(r.get("status") in ("released", "no_cicd") for r in results)
+        final  = "completed" if all_ok else "partial" if results else "failed"
+        slack_alert(
+            cfg.slack_bot_token, cfg.slack_channel,
+            f":{'white_check_mark' if all_ok else 'warning'}: *Chain release {final}* \\u2014 "
+            + ", ".join(
+                f"`{r['repo']}` {'\\u2713' if r.get('status') in ('released', 'no_cicd') else '\\u2717'}"
+                for r in results
+            ),
+        )
+        logger.info("Boss chain_release: %s by %s — %s", final, user_id, results)
+        return json.dumps({"status": final, "steps": results})
+
+'''
+
+OLD_FALLBACK = '    return json.dumps({"error": f"unknown tool: {name}"})'
+if OLD_FALLBACK not in content:
+    print("ERROR: unknown tool fallback not found")
+    sys.exit(1)
+content = content.replace(OLD_FALLBACK, HANDLER + OLD_FALLBACK, 1)
+
+with open(TARGET, 'w', encoding='utf-8') as f:
+    f.write(content)
+
+print("Patch applied successfully.")
+
+# Verify
+import ast, py_compile, tempfile, os
+with tempfile.NamedTemporaryFile(suffix='.py', delete=False, mode='w') as tmp:
+    tmp.write(content)
+    tmp_name = tmp.name
+try:
+    py_compile.compile(tmp_name, doraise=True)
+    print("Syntax OK")
+finally:
+    os.unlink(tmp_name)

package/python/sentinel/cicd_trigger.py

@@ -7,6 +7,7 @@ triggered by the normal GitHub merge webhook.
 
 import logging
 import re
+import time
 from pathlib import Path
 
 import requests
@@ -16,8 +17,12 @@ from .state_store import StateStore
 
 logger = logging.getLogger(__name__)
 
+# How long to wait for a Jenkins release build to complete (chain releases can be slow)
+JENKINS_RELEASE_TIMEOUT = 900   # 15 minutes
+JENKINS_POLL_INTERVAL   = 20    # seconds between polls
 
-def trigger(repo: RepoConfig, store: StateStore, fingerprint: str) -> bool:
+
+def trigger(repo: RepoConfig, store: StateStore, fingerprint: str, wait: bool = False) -> bool:
     if not repo.cicd_type or not repo.cicd_job_url:
         return True
 
@@ -25,7 +30,7 @@ def trigger(repo: RepoConfig, store: StateStore, fingerprint: str) -> bool:
     if cicd_type == "jenkins":
         return _trigger_jenkins(repo)
     elif cicd_type in ("jenkins_release", "jenkins-release"):
-        return _trigger_jenkins_release(repo)
+        return _trigger_jenkins_release(repo, wait=wait)
     elif cicd_type in ("github_actions", "github-actions"):
         return _trigger_github_actions(repo, fingerprint)
     else:
@@ -44,29 +49,133 @@ def _trigger_jenkins(repo: RepoConfig) -> bool:
     return success
 
 
-def _trigger_jenkins_release(repo: RepoConfig) -> bool:
-    # Maven Release Plugin — POST to /m2release/submit with release + dev versions
+def _get_last_build_number(session: requests.Session, job_url: str) -> int:
+    """Return the current lastBuild number for a Jenkins job, or 0 if none."""
+    try:
+        r = session.get(f"{job_url.rstrip('/')}/api/json", timeout=10)
+        data = r.json()
+        lb = data.get("lastBuild")
+        return lb["number"] if lb else 0
+    except Exception as exc:
+        logger.warning("Could not get last build number for %s: %s", job_url, exc)
+        return 0
+
+
+def _wait_for_jenkins_build(
+    session: requests.Session,
+    job_url: str,
+    prev_build_num: int,
+    timeout: int = JENKINS_RELEASE_TIMEOUT,
+) -> bool:
+    """
+    Poll until a new build appears and completes. Returns True on SUCCESS.
+    Logs progress every poll cycle.
+    """
+    deadline = time.time() + timeout
+    build_num = None
+
+    # Phase 1: wait for a new build to appear
+    while time.time() < deadline:
+        current = _get_last_build_number(session, job_url)
+        if current > prev_build_num:
+            build_num = current
+            logger.info("Jenkins build #%d started for %s", build_num, job_url)
+            break
+        logger.debug("Waiting for Jenkins build to start (last=%d)...", current)
+        time.sleep(JENKINS_POLL_INTERVAL)
+    else:
+        logger.error("Timed out waiting for Jenkins build to start: %s", job_url)
+        return False
+
+    # Phase 2: poll until build completes
+    build_api = f"{job_url.rstrip('/')}/{build_num}/api/json"
+    while time.time() < deadline:
+        try:
+            r = session.get(build_api, timeout=10)
+            data = r.json()
+            if not data.get("building", True):
+                result = data.get("result", "UNKNOWN")
+                if result == "SUCCESS":
+                    logger.info("Jenkins build #%d SUCCESS: %s", build_num, job_url)
+                    return True
+                else:
+                    logger.error("Jenkins build #%d %s: %s", build_num, result, job_url)
+                    return False
+            elapsed = int(time.time() - (deadline - timeout))
+            logger.info("Jenkins build #%d still running (%ds elapsed)...", build_num, elapsed)
+        except Exception as exc:
+            logger.warning("Jenkins poll error for %s: %s", build_api, exc)
+        time.sleep(JENKINS_POLL_INTERVAL)
+
+    logger.error("Timed out waiting for Jenkins build #%d to complete: %s", build_num, job_url)
+    return False
+
+
+def _trigger_jenkins_release(repo: RepoConfig, wait: bool = False) -> bool:
+    # Maven Release Plugin — POST to /m2release/submit
+    # Jenkins/Stapler requires a `json` parameter containing the form data or it returns 400.
     release_ver, dev_ver = _maven_release_versions(repo.local_path)
+    if not release_ver:
+        logger.error("Jenkins release: could not determine release version from pom.xml")
+        return False
     url = f"{repo.cicd_job_url.rstrip('/')}/m2release/submit"
-    resp = requests.post(
+    auth = (repo.cicd_user or "sentinel", repo.cicd_token)
+
+    # Fetch crumb (CSRF token) using a session so the cookie is preserved
+    session = requests.Session()
+    session.auth = auth
+    from urllib.parse import urlparse
+    parsed = urlparse(repo.cicd_job_url)
+    jenkins_root = f"{parsed.scheme}://{parsed.netloc}"
+    crumb_data = session.get(f"{jenkins_root}/crumbIssuer/api/json", timeout=10).json()
+    crumb_header = {crumb_data["crumbRequestField"]: crumb_data["crumb"]}
+
+    # Record current last build number before triggering
+    prev_build_num = _get_last_build_number(session, repo.cicd_job_url) if wait else 0
+
+    scm_tag = f"{repo.repo_name}-{release_ver}"
+    import json as _json
+    stapler_json = _json.dumps({
+        "releaseVersion":        release_ver,
+        "developmentVersion":    dev_ver,
+        "isDryRun":              False,
+        "specifyScmCredentials": False,
+        "scmUsername":           "",
+        "scmCommentPrefix":      "[maven-release-plugin] ",
+        "appendHudsonUserName":  False,
+        "specifyScmTag":         False,
+        "scmTag":                scm_tag,
+    })
+    resp = session.post(
         url,
-        auth=(repo.cicd_user or "sentinel", repo.cicd_token),
+        headers={
+            **crumb_header,
+            "Referer": f"{repo.cicd_job_url.rstrip('/')}/m2release/",
+        },
         data={
-            "releaseVersion": release_ver,
+            "releaseVersion":     release_ver,
             "developmentVersion": dev_ver,
-            "isDryRun": "false",
-            "specifyScmCredentials": "false",
-            "specifyCustomScmCommentPrefix": "false",
-            "specifyCustomScmTag": "false",
+            "scmCommentPrefix":   "[maven-release-plugin] ",
+            "scmTag":             scm_tag,
+            "json":               stapler_json,
         },
         timeout=15,
+        allow_redirects=False,
     )
-    success = resp.status_code in (200, 201, 204)
-    if success:
-        logger.info("Jenkins Maven Release triggered: %s → %s (next: %s)", repo.cicd_job_url, release_ver, dev_ver)
-    else:
+    triggered = resp.status_code in (200, 201, 204, 302)
+    if not triggered:
         logger.error("Jenkins release trigger failed (%s): %s", resp.status_code, resp.text[:200])
-    return success
+        return False
+
+    logger.info(
+        "Jenkins Maven Release triggered: %s → %s (next: %s)%s",
+        repo.cicd_job_url, release_ver, dev_ver,
+        " — waiting for completion..." if wait else "",
+    )
+
+    if wait:
+        return _wait_for_jenkins_build(session, repo.cicd_job_url, prev_build_num)
+    return True
 
 
 def _maven_release_versions(local_path: str) -> tuple[str, str]:

package/python/sentinel/dependency_manager.py

@@ -33,12 +33,14 @@ class CascadeResult:
 # ── pom.xml helpers ────────────────────────────────────────────────────────────
 
 def get_artifact_id(local_path: str) -> str:
-    """Return the root <artifactId> from pom.xml."""
+    """Return the root <artifactId> from pom.xml (skips <parent> block)."""
     pom = Path(local_path) / "pom.xml"
     if not pom.exists():
         return ""
     text = pom.read_text(encoding="utf-8", errors="ignore")
-    m = re.search(r"<artifactId>([^<]+)</artifactId>", text)
+    # Strip <parent>...</parent> so we don't pick up the parent artifactId
+    text_no_parent = re.sub(r"<parent>.*?</parent>", "", text, flags=re.DOTALL)
+    m = re.search(r"<artifactId>([^<]+)</artifactId>", text_no_parent)
     return m.group(1).strip() if m else ""
 
 
@@ -57,6 +59,17 @@ def get_release_version(local_path: str) -> str:
     return get_pom_version(local_path).replace("-SNAPSHOT", "")
 
 
+def _resolve_property(prop_ref: str, text: str) -> str:
+    """Resolve a Maven ${property.name} reference from the <properties> section."""
+    if not prop_ref.startswith("${"):
+        return prop_ref
+    prop_name = prop_ref[2:-1]  # strip ${ and }
+    m = re.search(
+        rf"<{re.escape(prop_name)}>([^<]+)</{re.escape(prop_name)}>", text
+    )
+    return m.group(1).strip() if m else prop_ref
+
+
 def find_dependents(
     artifact_id: str,
     repos: dict,
@@ -75,18 +88,28 @@ def find_dependents(
         if not pom.exists():
             continue
         text = pom.read_text(encoding="utf-8", errors="ignore")
-        pattern = rf"<dependency>.*?<artifactId>{re.escape(artifact_id)}</artifactId>.*?</dependency>"
-        block_m = re.search(pattern, text, re.DOTALL)
-        if block_m:
-            ver_m = re.search(r"<version>([^<]+)</version>", block_m.group(0))
-            current_ver = ver_m.group(1).strip() if ver_m else "?"
+        # Iterate individual blocks to avoid cross-boundary matching
+        for block_m in re.finditer(r"<dependency>(.*?)</dependency>", text, re.DOTALL):
+            inner = block_m.group(1)
+            if not re.search(
+                rf"<artifactId>\s*{re.escape(artifact_id)}\s*</artifactId>", inner
+            ):
+                continue
+            ver_m = re.search(r"<version>([^<]+)</version>", inner)
+            if ver_m:
+                raw = ver_m.group(1).strip()
+                current_ver = _resolve_property(raw, text)
+            else:
+                current_ver = "?"
             results.append((repo, current_ver))
+            break
     return sorted(results, key=lambda t: t[0].repo_name)
 
 
 def update_dependency(local_path: str, artifact_id: str, new_version: str) -> bool:
     """
     Update the <version> inside the <dependency> block for artifact_id in pom.xml.
+    Handles both direct versions and ${property} references (updates <properties> section).
     Returns True if the file was changed.
     """
     pom = Path(local_path) / "pom.xml"
@@ -94,13 +117,58 @@ def update_dependency(local_path: str, artifact_id: str, new_version: str) -> bo
         return False
     text = pom.read_text(encoding="utf-8", errors="ignore")
 
-    def _replace_version(match: re.Match) -> str:
-        block = match.group(0)
-        return re.sub(r"<version>[^<]+</version>", f"<version>{new_version}</version>", block, count=1)
+    # First pass: find the target block and check for property reference
+    prop_name: str | None = None
+    found = False
+    for block_m in re.finditer(r"<dependency>(.*?)</dependency>", text, re.DOTALL):
+        inner = block_m.group(1)
+        if not re.search(
+            rf"<artifactId>\s*{re.escape(artifact_id)}\s*</artifactId>", inner
+        ):
+            continue
+        found = True
+        ver_m = re.search(r"<version>\$\{([^}]+)\}</version>", inner)
+        if ver_m:
+            prop_name = ver_m.group(1)
+        break
+
+    if not found:
+        return False
+
+    if prop_name:
+        # Update the property in <properties> section instead of the inline version
+        new_text, n = re.subn(
+            rf"(<{re.escape(prop_name)}>)[^<]+(</\s*{re.escape(prop_name)}>)",
+            rf"\g<1>{new_version}\2",
+            text,
+        )
+        if n == 0 or new_text == text:
+            logger.warning(
+                "update_dependency: property '%s' not found in <properties> for %s",
+                prop_name, artifact_id,
+            )
+            return False
+    else:
+        # Direct version — replace only inside the matching block, block by block
+        def _replace_block(m: re.Match) -> str:
+            inner = m.group(1)
+            if not re.search(
+                rf"<artifactId>\s*{re.escape(artifact_id)}\s*</artifactId>", inner
+            ):
+                return m.group(0)
+            new_inner = re.sub(
+                r"<version>[^<]+</version>",
+                f"<version>{new_version}</version>",
+                inner,
+                count=1,
+            )
+            return f"<dependency>{new_inner}</dependency>"
+
+        new_text = re.sub(
+            r"<dependency>(.*?)</dependency>", _replace_block, text, flags=re.DOTALL
+        )
 
-    pattern = rf"<dependency>.*?<artifactId>{re.escape(artifact_id)}</artifactId>.*?</dependency>"
-    new_text, n = re.subn(pattern, _replace_version, text, flags=re.DOTALL)
-    if n == 0 or new_text == text:
+    if new_text == text:
         return False
     pom.write_text(new_text, encoding="utf-8")
     return True
@@ -164,7 +232,8 @@ def execute_cascade(
     Returns one CascadeResult per dependent repo attempted.
     """
     # Import here to avoid circular imports
-    from .git_manager import commit_file_change, push_dep_update, open_dep_pr, _git_env
+    from .git_manager import commit_file_change, push_dep_update, open_dep_pr, _git_env, _git, maven_compile_check, MissingToolError  # noqa: E501
+    from .notify import notify_cascade_build_failed
 
     all_dependents = find_dependents(artifact_id, repos, skip_repo=source_repo_name)
     if target_repo_names:
@@ -175,27 +244,69 @@ def execute_cascade(
     for repo, old_version in all_dependents:
         result = CascadeResult(repo_name=repo.repo_name, success=False, old_version=old_version, new_version=new_version)
         try:
+            # Ensure clean working tree before pulling — a previous failed attempt
+            # may have left pom.xml dirty, which causes git pull --rebase to fail.
+            _git(["checkout", "pom.xml"], cwd=repo.local_path, env=_git_env(repo))
+
+            # Pull BEFORE modifying pom.xml — git pull --rebase fails on dirty working tree
+            pull_r = _git(["pull", "--rebase", "origin", repo.branch], cwd=repo.local_path, env=_git_env(repo))
+            if pull_r.returncode != 0:
+                result.error = f"git pull failed: {pull_r.stderr.strip()[:200]}"
+                results.append(result)
+                continue
+
             changed = update_dependency(repo.local_path, artifact_id, new_version)
             if not changed:
                 result.error = "pom.xml not changed (already up to date?)"
                 results.append(result)
                 continue
 
+            # Dry-run: compile before committing — catch broken deps early
+            try:
+                compile_ok, compile_output = maven_compile_check(repo.local_path)
+            except MissingToolError:
+                compile_ok, compile_output = False, "mvn not installed on this server"
+
+            if not compile_ok:
+                # Revert pom.xml — never commit a broken dep update
+                _git(["checkout", "pom.xml"], cwd=repo.local_path, env=_git_env(repo))
+                result.error = f"Maven compile failed — pom.xml reverted: {compile_output[-200:]}"
+                logger.error(
+                    "Cascade build check failed for %s after bumping %s=%s:\n%s",
+                    repo.repo_name, artifact_id, new_version, compile_output[-500:],
+                )
+                notify_cascade_build_failed(
+                    cfg, repo.repo_name, artifact_id, new_version, compile_output,
+                )
+                results.append(result)
+                continue
+
             commit_msg = (
                 f"chore(deps): update {artifact_id} to {new_version} [sentinel]\n\n"
                 f"Automated dependency bump by Sentinel after {source_repo_name} release."
             )
-            status, commit_hash = commit_file_change(repo, ["pom.xml"], commit_msg)
+            status, commit_hash = commit_file_change(repo, ["pom.xml"], commit_msg, skip_pull=True)
             if status != "committed":
                 result.error = "git commit failed"
                 results.append(result)
                 continue
 
-            branch, pr_url = push_dep_update(repo, cfg, artifact_id, new_version, commit_hash)
-            result.success = True
+            branch, pr_url, push_ok = push_dep_update(repo, cfg, artifact_id, new_version, commit_hash)
             result.branch = branch
             result.pr_url = pr_url
-            logger.info("Cascade updated %s → %s=%s (branch: %s)", repo.repo_name, artifact_id, new_version, branch)
+            if push_ok:
+                result.success = True
+                logger.info(
+                    "Cascade updated %s → %s=%s (branch: %s)",
+                    repo.repo_name, artifact_id, new_version, branch,
+                )
+            else:
+                result.success = False
+                result.error = "commit is local only — no push access; Jenkins will handle its own release push"
+                logger.warning(
+                    "Cascade committed %s → %s=%s locally but push skipped (no write access)",
+                    repo.repo_name, artifact_id, new_version,
+                )
 
         except Exception as exc:
             result.error = str(exc)