@misterhuydo/sentinel 1.4.68 → 1.4.70

package/python/sentinel/dependency_manager.py

@@ -33,12 +33,14 @@ class CascadeResult:
 # ── pom.xml helpers ────────────────────────────────────────────────────────────
 
 def get_artifact_id(local_path: str) -> str:
-    """Return the root <artifactId> from pom.xml."""
+    """Return the root <artifactId> from pom.xml (skips <parent> block)."""
     pom = Path(local_path) / "pom.xml"
     if not pom.exists():
         return ""
     text = pom.read_text(encoding="utf-8", errors="ignore")
-    m = re.search(r"<artifactId>([^<]+)</artifactId>", text)
+    # Strip <parent>...</parent> so we don't pick up the parent artifactId
+    text_no_parent = re.sub(r"<parent>.*?</parent>", "", text, flags=re.DOTALL)
+    m = re.search(r"<artifactId>([^<]+)</artifactId>", text_no_parent)
     return m.group(1).strip() if m else ""
 
 
@@ -57,6 +59,17 @@ def get_release_version(local_path: str) -> str:
     return get_pom_version(local_path).replace("-SNAPSHOT", "")
 
 
+def _resolve_property(prop_ref: str, text: str) -> str:
+    """Resolve a Maven ${property.name} reference from the <properties> section."""
+    if not prop_ref.startswith("${"):
+        return prop_ref
+    prop_name = prop_ref[2:-1]  # strip ${ and }
+    m = re.search(
+        rf"<{re.escape(prop_name)}>([^<]+)</{re.escape(prop_name)}>", text
+    )
+    return m.group(1).strip() if m else prop_ref
+
+
 def find_dependents(
     artifact_id: str,
     repos: dict,
@@ -75,18 +88,28 @@ def find_dependents(
         if not pom.exists():
             continue
         text = pom.read_text(encoding="utf-8", errors="ignore")
-        pattern = rf"<dependency>.*?<artifactId>{re.escape(artifact_id)}</artifactId>.*?</dependency>"
-        block_m = re.search(pattern, text, re.DOTALL)
-        if block_m:
-            ver_m = re.search(r"<version>([^<]+)</version>", block_m.group(0))
-            current_ver = ver_m.group(1).strip() if ver_m else "?"
+        # Iterate individual blocks to avoid cross-boundary matching
+        for block_m in re.finditer(r"<dependency>(.*?)</dependency>", text, re.DOTALL):
+            inner = block_m.group(1)
+            if not re.search(
+                rf"<artifactId>\s*{re.escape(artifact_id)}\s*</artifactId>", inner
+            ):
+                continue
+            ver_m = re.search(r"<version>([^<]+)</version>", inner)
+            if ver_m:
+                raw = ver_m.group(1).strip()
+                current_ver = _resolve_property(raw, text)
+            else:
+                current_ver = "?"
             results.append((repo, current_ver))
+            break
     return sorted(results, key=lambda t: t[0].repo_name)
 
 
 def update_dependency(local_path: str, artifact_id: str, new_version: str) -> bool:
     """
     Update the <version> inside the <dependency> block for artifact_id in pom.xml.
+    Handles both direct versions and ${property} references (updates <properties> section).
     Returns True if the file was changed.
     """
     pom = Path(local_path) / "pom.xml"
@@ -94,13 +117,58 @@ def update_dependency(local_path: str, artifact_id: str, new_version: str) -> bo
         return False
     text = pom.read_text(encoding="utf-8", errors="ignore")
 
-    def _replace_version(match: re.Match) -> str:
-        block = match.group(0)
-        return re.sub(r"<version>[^<]+</version>", f"<version>{new_version}</version>", block, count=1)
+    # First pass: find the target block and check for property reference
+    prop_name: str | None = None
+    found = False
+    for block_m in re.finditer(r"<dependency>(.*?)</dependency>", text, re.DOTALL):
+        inner = block_m.group(1)
+        if not re.search(
+            rf"<artifactId>\s*{re.escape(artifact_id)}\s*</artifactId>", inner
+        ):
+            continue
+        found = True
+        ver_m = re.search(r"<version>\$\{([^}]+)\}</version>", inner)
+        if ver_m:
+            prop_name = ver_m.group(1)
+        break
+
+    if not found:
+        return False
+
+    if prop_name:
+        # Update the property in <properties> section instead of the inline version
+        new_text, n = re.subn(
+            rf"(<{re.escape(prop_name)}>)[^<]+(</\s*{re.escape(prop_name)}>)",
+            rf"\g<1>{new_version}\2",
+            text,
+        )
+        if n == 0 or new_text == text:
+            logger.warning(
+                "update_dependency: property '%s' not found in <properties> for %s",
+                prop_name, artifact_id,
+            )
+            return False
+    else:
+        # Direct version — replace only inside the matching block, block by block
+        def _replace_block(m: re.Match) -> str:
+            inner = m.group(1)
+            if not re.search(
+                rf"<artifactId>\s*{re.escape(artifact_id)}\s*</artifactId>", inner
+            ):
+                return m.group(0)
+            new_inner = re.sub(
+                r"<version>[^<]+</version>",
+                f"<version>{new_version}</version>",
+                inner,
+                count=1,
+            )
+            return f"<dependency>{new_inner}</dependency>"
+
+        new_text = re.sub(
+            r"<dependency>(.*?)</dependency>", _replace_block, text, flags=re.DOTALL
+        )
 
-    pattern = rf"<dependency>.*?<artifactId>{re.escape(artifact_id)}</artifactId>.*?</dependency>"
-    new_text, n = re.subn(pattern, _replace_version, text, flags=re.DOTALL)
-    if n == 0 or new_text == text:
+    if new_text == text:
         return False
     pom.write_text(new_text, encoding="utf-8")
     return True
@@ -164,7 +232,8 @@ def execute_cascade(
     Returns one CascadeResult per dependent repo attempted.
     """
     # Import here to avoid circular imports
-    from .git_manager import commit_file_change, push_dep_update, open_dep_pr, _git_env
+    from .git_manager import commit_file_change, push_dep_update, open_dep_pr, _git_env, _git, maven_compile_check, MissingToolError  # noqa: E501
+    from .notify import notify_cascade_build_failed
 
     all_dependents = find_dependents(artifact_id, repos, skip_repo=source_repo_name)
     if target_repo_names:
@@ -175,27 +244,69 @@ def execute_cascade(
     for repo, old_version in all_dependents:
         result = CascadeResult(repo_name=repo.repo_name, success=False, old_version=old_version, new_version=new_version)
         try:
+            # Ensure clean working tree before pulling — a previous failed attempt
+            # may have left pom.xml dirty, which causes git pull --rebase to fail.
+            _git(["checkout", "pom.xml"], cwd=repo.local_path, env=_git_env(repo))
+
+            # Pull BEFORE modifying pom.xml — git pull --rebase fails on dirty working tree
+            pull_r = _git(["pull", "--rebase", "origin", repo.branch], cwd=repo.local_path, env=_git_env(repo))
+            if pull_r.returncode != 0:
+                result.error = f"git pull failed: {pull_r.stderr.strip()[:200]}"
+                results.append(result)
+                continue
+
             changed = update_dependency(repo.local_path, artifact_id, new_version)
             if not changed:
                 result.error = "pom.xml not changed (already up to date?)"
                 results.append(result)
                 continue
 
+            # Dry-run: compile before committing — catch broken deps early
+            try:
+                compile_ok, compile_output = maven_compile_check(repo.local_path)
+            except MissingToolError:
+                compile_ok, compile_output = False, "mvn not installed on this server"
+
+            if not compile_ok:
+                # Revert pom.xml — never commit a broken dep update
+                _git(["checkout", "pom.xml"], cwd=repo.local_path, env=_git_env(repo))
+                result.error = f"Maven compile failed — pom.xml reverted: {compile_output[-200:]}"
+                logger.error(
+                    "Cascade build check failed for %s after bumping %s=%s:\n%s",
+                    repo.repo_name, artifact_id, new_version, compile_output[-500:],
+                )
+                notify_cascade_build_failed(
+                    cfg, repo.repo_name, artifact_id, new_version, compile_output,
+                )
+                results.append(result)
+                continue
+
             commit_msg = (
                 f"chore(deps): update {artifact_id} to {new_version} [sentinel]\n\n"
                 f"Automated dependency bump by Sentinel after {source_repo_name} release."
             )
-            status, commit_hash = commit_file_change(repo, ["pom.xml"], commit_msg)
+            status, commit_hash = commit_file_change(repo, ["pom.xml"], commit_msg, skip_pull=True)
             if status != "committed":
                 result.error = "git commit failed"
                 results.append(result)
                 continue
 
-            branch, pr_url = push_dep_update(repo, cfg, artifact_id, new_version, commit_hash)
-            result.success = True
+            branch, pr_url, push_ok = push_dep_update(repo, cfg, artifact_id, new_version, commit_hash)
             result.branch = branch
             result.pr_url = pr_url
-            logger.info("Cascade updated %s → %s=%s (branch: %s)", repo.repo_name, artifact_id, new_version, branch)
+            if push_ok:
+                result.success = True
+                logger.info(
+                    "Cascade updated %s → %s=%s (branch: %s)",
+                    repo.repo_name, artifact_id, new_version, branch,
+                )
+            else:
+                result.success = False
+                result.error = "commit is local only — no push access; Jenkins will handle its own release push"
+                logger.warning(
+                    "Cascade committed %s → %s=%s locally but push skipped (no write access)",
+                    repo.repo_name, artifact_id, new_version,
+                )
 
         except Exception as exc:
             result.error = str(exc)

package/python/sentinel/git_manager.py

@@ -51,6 +51,27 @@ def _git_env(repo: RepoConfig) -> dict:
     return env
 
 
+def maven_compile_check(local_path: str, timeout: int = 300) -> tuple[bool, str]:
+    """
+    Run `mvn compile -DskipTests -q --batch-mode` to verify the pom.xml is valid
+    and all dependencies resolve before committing.
+    Returns (success, output). Raises MissingToolError if mvn is not installed.
+    """
+    import shutil
+    mvn = shutil.which("mvn")
+    if not mvn:
+        raise MissingToolError("mvn")
+    r = subprocess.run(
+        [mvn, "compile", "-DskipTests", "-q", "--batch-mode"],
+        cwd=local_path,
+        capture_output=True,
+        text=True,
+        timeout=timeout,
+    )
+    output = (r.stdout + r.stderr).strip()
+    return r.returncode == 0, output
+
+
 def _check_protected_paths(patch_path: Path) -> bool:
     text = patch_path.read_text(encoding="utf-8", errors="replace")
     for line in text.splitlines():
@@ -162,19 +183,24 @@ def commit_file_change(
     repo: RepoConfig,
     files: list[str],
     commit_msg: str,
+    skip_pull: bool = False,
 ) -> tuple[str, str]:
     """
-    Pull, stage the given files, and commit.
+    Stage the given files and commit, optionally pulling first.
     Returns (status, commit_hash) — status: "committed" | "failed".
     Does NOT run tests (dependency bumps don't need them).
+
+    skip_pull=True when the caller already pulled before modifying files
+    (git pull --rebase fails on a dirty working tree).
     """
     env = _git_env(repo)
     local_path = repo.local_path
 
-    r = _git(["pull", "--rebase", "origin", repo.branch], cwd=local_path, env=env)
-    if r.returncode != 0:
-        logger.error("git pull failed for %s:\n%s", repo.repo_name, r.stderr)
-        return "failed", ""
+    if not skip_pull:
+        r = _git(["pull", "--rebase", "origin", repo.branch], cwd=local_path, env=env)
+        if r.returncode != 0:
+            logger.error("git pull failed for %s:\n%s", repo.repo_name, r.stderr)
+            return "failed", ""
 
     _git(["add"] + files, cwd=local_path, env=env)
     r = _git(["commit", "-m", commit_msg], cwd=local_path, env=env)
@@ -194,11 +220,12 @@ def push_dep_update(
     artifact_id: str,
     new_version: str,
     commit_hash: str,
-) -> tuple[str, str]:
+) -> tuple[str, str, bool]:
     """
     Push a dependency update commit. AUTO_PUBLISH=true → main branch.
     AUTO_PUBLISH=false → sentinel/dep-<artifact>-<version> branch + open PR.
-    Returns (branch, pr_url).
+    Returns (branch, pr_url, push_ok).
+    push_ok=False means the commit is local only (no write access) — chain release continues.
     """
     env = _git_env(repo)
     local_path = repo.local_path
@@ -206,8 +233,12 @@ def push_dep_update(
     if repo.auto_publish:
         r = _git(["push", "origin", repo.branch], cwd=local_path, env=env)
         if r.returncode != 0:
-            logger.error("git push failed for %s:\n%s", repo.repo_name, r.stderr)
-        return repo.branch, ""
+            logger.warning(
+                "git push failed for %s (commit is local only): %s",
+                repo.repo_name, r.stderr.strip().splitlines()[0] if r.stderr else "",
+            )
+            return repo.branch, "", False
+        return repo.branch, "", True
     else:
         safe_artifact = re.sub(r"[^a-zA-Z0-9_-]", "-", artifact_id)
         safe_version = re.sub(r"[^a-zA-Z0-9._-]", "-", new_version)
@@ -215,12 +246,15 @@ def push_dep_update(
         _git(["checkout", "-B", branch], cwd=local_path, env=env)
         r = _git(["push", "-u", "origin", branch], cwd=local_path, env=env)
         if r.returncode != 0:
-            logger.error("git push branch failed for %s:\n%s", repo.repo_name, r.stderr)
+            logger.warning(
+                "git push branch failed for %s (commit is local only): %s",
+                repo.repo_name, r.stderr.strip().splitlines()[0] if r.stderr else "",
+            )
             _git(["checkout", repo.branch], cwd=local_path, env=env)
-            return branch, ""
+            return branch, "", False
         _git(["checkout", repo.branch], cwd=local_path, env=env)
         pr_url = open_dep_pr(repo, cfg, branch, artifact_id, new_version, commit_hash)
-        return branch, pr_url
+        return branch, pr_url, True
 
 
 def open_dep_pr(

package/python/sentinel/notify.py

@@ -355,6 +355,40 @@ def notify_cascade_result(
         slack_alert(cfg.slack_bot_token, cfg.slack_channel, text)
 
 
+def notify_cascade_build_failed(
+    cfg,
+    repo_name: str,
+    artifact_id: str,
+    new_version: str,
+    build_output: str,
+    user_id: str = "",
+) -> None:
+    """Alert admin when a Maven compile check fails after a dep bump — pom.xml was reverted."""
+    # Maven errors accumulate at the bottom — show the last 600 chars
+    snippet = build_output.strip()[-600:]
+    text = (
+        f":x: *Cascade build check failed — `{repo_name}`*\n"
+        f"Bumping `{artifact_id}` \u2192 `{new_version}` caused a compile error.\n"
+        f"`pom.xml` has been reverted. Manual intervention required.\n"
+        f"```{snippet}```"
+    )
+    if user_id:
+        slack_alert(cfg.slack_bot_token, cfg.slack_channel, f"<@{user_id}> {text}")
+    else:
+        slack_alert(cfg.slack_bot_token, cfg.slack_channel, f"<!channel> {text}")
+    try:
+        from .reporter import send_failure_notification
+        send_failure_notification(cfg, {
+            "source":    repo_name,
+            "message":   f"Cascade dep bump {artifact_id}={new_version} failed Maven compile",
+            "repo_name": repo_name,
+            "reason":    f"Maven compile error after dep bump: {build_output[:300]}",
+            "body":      build_output,
+        })
+    except Exception as exc:
+        logger.warning("notify_cascade_build_failed: email notification failed: %s", exc)
+
+
 def alert_if_rate_limited(
     bot_token: str,
     channel: str,