@misterhuydo/sentinel 1.5.63 → 1.6.1

package/python/sentinel/git_manager.py

@@ -22,6 +22,86 @@ logger = logging.getLogger(__name__)
 
 GIT_TIMEOUT = 60
 
+# Matches any "repos/<name>/" occurrence at start-of-line or after whitespace.
+# Group 1 captures the repo name (allowed chars: letters, digits, ._-).
+_REPOS_PREFIX_RE = re.compile(
+    r"\brepos/([A-Za-z0-9._-]+)/"
+)
+# Header line listing affected repos (case-insensitive). Whitespace tolerant.
+_AFFECTED_HEADER_RE = re.compile(
+    r"^\s*#\s*affected\s+repos\s*:\s*(.+?)\s*$",
+    re.IGNORECASE | re.MULTILINE,
+)
+
+
+def parse_multi_repo_patch(combined_patch: str) -> dict:
+    """Split a combined diff (paths prefixed `repos/<name>/`) into per-repo sub-patches.
+
+    The `repos/<name>/` prefix is stripped from every path reference inside each
+    sub-patch so it can be `git apply`-ed from the corresponding repo root.
+
+    Returns:
+        {
+          "affected_repos": list[str],   # declared header order, then first-seen
+          "patches":        dict[str, str],  # repo_name -> sub-patch
+          "summary":        str,         # any free text above the header / first diff
+        }
+    """
+    if not combined_patch:
+        return {"affected_repos": [], "patches": {}, "summary": ""}
+
+    # 1. Optional `# Affected repos: a, b, c` header gives declared order.
+    declared: list[str] = []
+    m_hdr = _AFFECTED_HEADER_RE.search(combined_patch)
+    if m_hdr:
+        declared = [s.strip() for s in m_hdr.group(1).split(",") if s.strip()]
+
+    # 2. Free-text summary = everything above the header (or above the first diff
+    #    if no header). Useful for PR bodies / Slack messages.
+    if m_hdr:
+        cut = m_hdr.start()
+    else:
+        first_diff = combined_patch.find("diff --git")
+        cut = first_diff if first_diff >= 0 else len(combined_patch)
+    summary = combined_patch[:cut].strip()
+
+    # 3. Split body by `diff --git` markers; non-matching preamble is dropped.
+    body = combined_patch[m_hdr.end():] if m_hdr else combined_patch
+    chunks = re.split(r"^(?=diff --git )", body, flags=re.MULTILINE)
+    chunks = [c for c in chunks if c.startswith("diff --git ")]
+
+    # 4. For each chunk, derive the repo name from the first repos/<name>/
+    #    match. Strip every repos/<repo>/ occurrence in the chunk so the diff
+    #    is applyable from the repo root.
+    seen_order: list[str] = []
+    grouped: dict[str, list[str]] = {}
+    for chunk in chunks:
+        m = _REPOS_PREFIX_RE.search(chunk)
+        if not m:
+            continue
+        repo = m.group(1)
+        stripped = re.sub(
+            rf"\brepos/{re.escape(repo)}/", "", chunk,
+        )
+        if repo not in grouped:
+            grouped[repo] = []
+            seen_order.append(repo)
+        grouped[repo].append(stripped)
+
+    patches = {repo: "".join(parts) for repo, parts in grouped.items()}
+
+    # 5. Order: declared header first (only repos that actually produced a diff),
+    #    then any repo that appeared only via diffs.
+    ordered: list[str] = []
+    for r in declared:
+        if r in patches and r not in ordered:
+            ordered.append(r)
+    for r in seen_order:
+        if r not in ordered:
+            ordered.append(r)
+
+    return {"affected_repos": ordered, "patches": patches, "summary": summary}
+
 
 class MissingToolError(Exception):
     """Raised when a required build tool (e.g. mvn, gradle) is not installed."""
@@ -180,6 +260,174 @@ def apply_and_commit(
     return "committed", commit_hash
 
 
+def apply_and_commit_multi(
+    event: ErrorEvent,
+    patch_path: Path,
+    all_repos: list[RepoConfig],
+    cfg: SentinelConfig,
+) -> list[dict]:
+    """Apply a multi-repo patch atomically at the dry-run stage, per-repo afterwards.
+
+    The combined patch is split with parse_multi_repo_patch(); each affected
+    repo's sub-patch is then dry-run independently. If ANY dry-run fails, every
+    repo is marked "aborted" with no mutations.
+
+    If all dry-runs pass, the patches are applied + tested + committed
+    sequentially per repo. Per-repo failures in this phase only mark that repo
+    as "failed" — they don't roll back commits already made in earlier repos.
+
+    Returns: list of result dicts, one per affected repo, ordered by apply_order:
+        {
+          "repo_name":      str,
+          "repo":           RepoConfig,
+          "status":         "committed" | "failed" | "aborted",
+          "commit_hash":    str,            # filled if committed
+          "branch":         str,            # filled if committed
+          "apply_order":    int,            # 0 = library, higher = consumer
+          "reason":         str,            # filled if failed/aborted
+          "sub_patch_path": Path,           # per-repo .diff written for traceability
+        }
+    """
+    combined = patch_path.read_text(encoding="utf-8", errors="replace")
+    parsed = parse_multi_repo_patch(combined)
+
+    if not parsed["affected_repos"]:
+        logger.warning(
+            "Patch %s declares no recognised repos — nothing to apply",
+            event.fingerprint[:8],
+        )
+        return []
+
+    repo_map = {r.repo_name: r for r in all_repos}
+    affected = []   # list of (repo_name, RepoConfig, sub_patch_text)
+    for i, name in enumerate(parsed["affected_repos"]):
+        if name not in repo_map:
+            logger.warning(
+                "Patch references unknown repo '%s' — not in project config; skipping",
+                name,
+            )
+            continue
+        affected.append((name, repo_map[name], parsed["patches"][name]))
+
+    if not affected:
+        return []
+
+    # Write per-repo sub-patch files for traceability + reuse by `git apply`.
+    sub_patch_files: dict[str, Path] = {}
+    for name, _repo, sub in affected:
+        sub_path = patch_path.parent / f"{event.fingerprint}-{name}.diff"
+        sub_path.write_text(sub, encoding="utf-8")
+        sub_patch_files[name] = sub_path
+
+    # Protected-path veto runs on the combined patch.
+    if _check_protected_paths(patch_path):
+        return [
+            {
+                "repo_name": name, "repo": repo, "status": "aborted",
+                "commit_hash": "", "branch": "", "apply_order": i,
+                "reason": "patch touches protected path",
+                "sub_patch_path": sub_patch_files[name],
+            }
+            for i, (name, repo, _sub) in enumerate(affected)
+        ]
+
+    # ── PHASE 1: dry-run every repo. Atomic abort on any failure. ─────────
+    dry_run_failures: list[str] = []
+    for name, repo, _sub in affected:
+        env = _git_env(repo)
+        sub_path = sub_patch_files[name]
+        # Discard stale changes from any prior aborted attempt
+        _git(["checkout", "."], cwd=repo.local_path, env=env)
+        # Pull latest
+        r = _git(["pull", "--rebase", "origin", repo.branch],
+                 cwd=repo.local_path, env=env)
+        if r.returncode != 0:
+            dry_run_failures.append(f"{name}: git pull failed: {r.stderr.strip()[:200]}")
+            continue
+        # Dry-run
+        r = _git(["apply", "--check", "--ignore-whitespace", str(sub_path)],
+                 cwd=repo.local_path, env=env)
+        if r.returncode != 0:
+            dry_run_failures.append(f"{name}: dry-run failed: {r.stderr.strip()[:200]}")
+
+    if dry_run_failures:
+        reason = "; ".join(dry_run_failures)
+        logger.error(
+            "Multi-repo dry-run aborted for %s: %s",
+            event.fingerprint[:8], reason,
+        )
+        return [
+            {
+                "repo_name": name, "repo": repo, "status": "aborted",
+                "commit_hash": "", "branch": "", "apply_order": i,
+                "reason": reason,
+                "sub_patch_path": sub_patch_files[name],
+            }
+            for i, (name, repo, _sub) in enumerate(affected)
+        ]
+
+    # ── PHASE 2: per-repo apply + test + commit. Independent per repo. ────
+    results: list[dict] = []
+    for i, (name, repo, _sub) in enumerate(affected):
+        env = _git_env(repo)
+        sub_path = sub_patch_files[name]
+        entry = {
+            "repo_name": name, "repo": repo, "status": "failed",
+            "commit_hash": "", "branch": "", "apply_order": i,
+            "reason": "", "sub_patch_path": sub_path,
+        }
+
+        r = _git(["apply", "--ignore-whitespace", str(sub_path)],
+                 cwd=repo.local_path, env=env)
+        if r.returncode != 0:
+            entry["reason"] = f"apply failed: {r.stderr.strip()[:200]}"
+            results.append(entry); continue
+
+        try:
+            tests_ok = _run_tests(repo, repo.local_path)
+        except (MissingToolError, MavenAuthError, MavenArtifactNotFoundError) as _te:
+            entry["reason"] = f"build error: {type(_te).__name__}: {str(_te)[:200]}"
+            _git(["checkout", "."], cwd=repo.local_path, env=env)
+            results.append(entry); continue
+
+        if not tests_ok:
+            entry["reason"] = "tests failed"
+            _git(["checkout", "."], cwd=repo.local_path, env=env)
+            results.append(entry); continue
+
+        summary = event.short_summary()[:60]
+        commit_msg = (
+            f"fix(sentinel): {summary} [auto]\n\n"
+            f"Error fingerprint: {event.fingerprint}\n"
+            f"Source: {event.source}\n"
+        )
+        if len(affected) > 1:
+            commit_msg += f"Multi-repo: part {i + 1}/{len(affected)}\n"
+        r = _git(["commit", "-am", commit_msg], cwd=repo.local_path, env=env)
+        if r.returncode != 0:
+            entry["reason"] = f"commit failed: {r.stderr.strip()[:200]}"
+            _git(["checkout", "."], cwd=repo.local_path, env=env)
+            results.append(entry); continue
+
+        commit_hash = _git(["rev-parse", "HEAD"], cwd=repo.local_path, env=env).stdout.strip()
+        try:
+            _append_changelog(repo, event, commit_hash)
+        except Exception as _ce:
+            logger.warning("CHANGELOG append failed for %s: %s", name, _ce)
+        entry.update({
+            "status": "committed",
+            "commit_hash": commit_hash,
+            "branch": repo.branch,
+        })
+        logger.info(
+            "Multi-repo: committed %s in %s for %s",
+            commit_hash[:8], name, event.fingerprint[:8],
+        )
+        results.append(entry)
+
+    return results
+
+
 def _run_tests(repo: RepoConfig, local_path: str) -> bool:
     """Run the repo's test suite. Return True if passing."""
     if (Path(local_path) / "pom.xml").exists():
@@ -402,6 +650,88 @@ def publish(
         return branch, pr_url
 
 
+def publish_multi(
+    event: ErrorEvent,
+    results: list[dict],
+    cfg: SentinelConfig,
+) -> list[dict]:
+    """Push committed branches and open per-repo PRs (or push direct on auto_commit).
+
+    Mutates each "committed" entry in `results` in-place, setting `pr_url` and
+    `branch`. Entries with status != "committed" are left untouched.
+
+    For multi-repo fixes (>1 committed entry), each PR's body notes the sibling
+    repos by name so reviewers can locate the matching branch.
+    """
+    committed = [r for r in results if r["status"] == "committed"]
+    if not committed:
+        return results
+
+    repo_names = [r["repo_name"] for r in committed]
+    multi_repo = len(committed) > 1
+
+    for entry in committed:
+        repo: RepoConfig = entry["repo"]
+        commit_hash: str = entry["commit_hash"]
+        env = _git_env(repo)
+        local_path = repo.local_path
+        auto_commit = resolve_auto_commit(repo, cfg)
+
+        if not auto_commit:
+            if remote_fix_exists(repo, event.fingerprint, cfg):
+                logger.info(
+                    "publish_multi: remote fix branch already exists for %s in %s — skipping",
+                    event.fingerprint[:8], repo.repo_name,
+                )
+                entry["pr_url"] = ""
+                continue
+
+        if auto_commit:
+            r = _git(["push", "origin", repo.branch], cwd=local_path, env=env)
+            if r.returncode != 0:
+                logger.error(
+                    "publish_multi: git push failed in %s:\n%s",
+                    repo.repo_name, r.stderr,
+                )
+            entry["branch"] = repo.branch
+            entry["pr_url"] = ""
+            continue
+
+        branch_name = f"{cfg.project_name or 'sentinel'}/fix-{event.fingerprint[:8]}"
+        _git(["checkout", "-B", branch_name], cwd=local_path, env=env)
+        r = _git(["push", "-u", "origin", branch_name], cwd=local_path, env=env)
+        if r.returncode != 0:
+            logger.error(
+                "publish_multi: branch push failed in %s:\n%s",
+                repo.repo_name, r.stderr,
+            )
+            _git(["checkout", repo.branch], cwd=local_path, env=env)
+            entry["branch"] = branch_name
+            entry["pr_url"] = ""
+            continue
+        _git(["checkout", repo.branch], cwd=local_path, env=env)
+
+        # Build the multi-repo cross-reference paragraph (sibling repo names only;
+        # actual URLs are added in a follow-up two-pass update if/when implemented).
+        extra_body = ""
+        if multi_repo:
+            siblings = [n for n in repo_names if n != repo.repo_name]
+            extra_body = (
+                "### Multi-repo fix\n"
+                "This is part of a coordinated fix across multiple repositories.\n"
+                f"Sibling repos with the same fingerprint (`{event.fingerprint[:8]}`) "
+                f"on branch `{branch_name}`:\n"
+                + "\n".join(f"- `{n}`" for n in siblings)
+                + "\n\n_Merge order: lower apply_order first._"
+            )
+
+        pr_url = _open_github_pr(event, repo, cfg, branch_name, commit_hash, extra_body=extra_body)
+        entry["branch"] = branch_name
+        entry["pr_url"] = pr_url
+
+    return results
+
+
 def _alert_github_token_error(cfg: "SentinelConfig", owner_repo: str, status: int, hint: str = "") -> None:
     """Fire a Slack alert when GitHub API rejects the token during PR creation."""
     msg = (
@@ -423,6 +753,7 @@ def _open_github_pr(
     cfg: SentinelConfig,
     branch: str,
     commit_hash: str,
+    extra_body: str = "",
 ) -> str:
     if not cfg.github_token:
         logger.warning("GITHUB_TOKEN not set — cannot open PR")
@@ -445,6 +776,10 @@ def _open_github_pr(
         f"### Commits in this fix\n"
         f"| SHA (short) | Description |\n|---|---|\n"
         f"| `{commit_hash[:8]}` | fix(sentinel): {event.short_summary()[:60]} |\n\n"
+    )
+    if extra_body:
+        body += extra_body + "\n\n"
+    body += (
         f"---\n"
         f"_To apply: merge this PR. To reject: close it. "
         f"Sentinel will not retry this fingerprint for 24 h._"