claude-attribution 1.2.4 → 1.2.5

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "claude-attribution",
-	"version": "1.2.4",
+	"version": "1.2.5",
 	"description": "AI code attribution tracking for Claude Code sessions — checkpoint-based line diff approach",
 	"type": "module",
 	"bin": {

package/src/setup/install.ts

@@ -5,11 +5,21 @@
  *
  * If no path is given, installs into the current working directory.
  */
-import { readFile, writeFile, appendFile, mkdir } from "fs/promises";
+import {
+	readFile,
+	writeFile,
+	appendFile,
+	mkdir,
+	mkdtemp,
+	unlink,
+	rmdir,
+} from "fs/promises";
 import { existsSync } from "fs";
 import { execFile } from "child_process";
 import { promisify } from "util";
 import { resolve, join } from "path";
+import { tmpdir } from "os";
+import { createInterface } from "readline";
 import {
 	ATTRIBUTION_ROOT,
 	mergeHooks,
@@ -24,6 +34,208 @@ const execFileAsync = promisify(execFile);
 
 const CLI_BIN = resolve(ATTRIBUTION_ROOT, "bin", "claude-attribution");
 
+/**
+ * The exact GitHub Actions job name written into our workflow template.
+ * Must match the `name:` field of the `metrics` job in pr-metrics-workflow.yml.
+ */
+const WORKFLOW_CHECK_NAME = "Claude Code Attribution Metrics";
+
+/** Extract "owner/repo" from an origin remote URL (SSH or HTTPS). */
+function remoteUrlToSlug(url: string): string | null {
+	const m =
+		url.match(/github\.com[:/]([^/]+\/[^/]+?)(?:\.git)?$/) ??
+		url.match(/github\.com\/([^/]+\/[^/]+?)(?:\.git)?$/);
+	return m?.[1] ?? null;
+}
+
+/** Call `gh api <path>` and return parsed JSON, or null on any error. */
+async function ghApiGet(path: string): Promise<unknown> {
+	try {
+		const { stdout } = (await execFileAsync("gh", [
+			"api",
+			path,
+		])) as unknown as {
+			stdout: string;
+		};
+		return JSON.parse(stdout) as unknown;
+	} catch {
+		return null;
+	}
+}
+
+/** Prompt the user for a yes/no answer. Returns false in non-TTY contexts. */
+async function promptYesNo(question: string): Promise<boolean> {
+	if (!process.stdin.isTTY) return false;
+	const rl = createInterface({ input: process.stdin, output: process.stdout });
+	return new Promise((resolve) => {
+		rl.question(question, (answer) => {
+			rl.close();
+			resolve(answer.trim().toLowerCase() === "y");
+		});
+	});
+}
+
+function printRequiredCheckNote(branch: string): void {
+	console.log(
+		`\n  ℹ️  To block merges when this workflow fails, add '${WORKFLOW_CHECK_NAME}'`,
+	);
+	console.log(
+		`      to required status checks for '${branch}' in Settings → Branches.`,
+	);
+}
+
+/**
+ * PATCH the required status checks for a branch via the GitHub API.
+ * Writes the JSON body to a temp file to avoid arg-length issues.
+ */
+async function patchRequiredChecks(
+	slug: string,
+	branch: string,
+	body: unknown,
+): Promise<void> {
+	const tmpDir = await mkdtemp(join(tmpdir(), "claude-attribution-api-"));
+	const tmpFile = join(tmpDir, "body.json");
+	try {
+		await writeFile(tmpFile, JSON.stringify(body), { flag: "wx" });
+		await execFileAsync("gh", [
+			"api",
+			`repos/${slug}/branches/${branch}/protection/required_status_checks`,
+			"--method",
+			"PATCH",
+			"--input",
+			tmpFile,
+		]);
+	} finally {
+		await unlink(tmpFile).catch(() => {});
+		await rmdir(tmpDir).catch(() => {});
+	}
+}
+
+/**
+ * After installing the workflow, check branch protection / rulesets and offer
+ * to add our workflow job as a required status check.
+ *
+ * - Classic branch protection: fully automatic (detect → prompt → PATCH)
+ * - Rulesets: detect only → informational note (ruleset API requires full PUT)
+ * - Any error or non-TTY: fall back to informational note
+ */
+async function maybeAddRequiredCheck(repoRoot: string): Promise<void> {
+	try {
+		// Resolve the GitHub slug from the origin remote
+		const { stdout: remoteOut } = (await execFileAsync(
+			"git",
+			["remote", "get-url", "origin"],
+			{ cwd: repoRoot },
+		)) as unknown as { stdout: string };
+		const slug = remoteUrlToSlug(remoteOut.trim());
+		if (!slug) return;
+
+		// Get the default branch name
+		const repoData = await ghApiGet(`repos/${slug}`);
+		const branch = (repoData as { default_branch?: string } | null)
+			?.default_branch;
+		if (!branch) return;
+
+		// --- Classic branch protection ---
+		const protection = await ghApiGet(
+			`repos/${slug}/branches/${branch}/protection`,
+		);
+
+		if (!protection) {
+			// No classic protection — check rulesets (detect-only)
+			const rulesets = await ghApiGet(`repos/${slug}/rulesets`);
+			if (Array.isArray(rulesets) && rulesets.length > 0) {
+				// Check if any ruleset already requires our check
+				const alreadyRequired = (
+					rulesets as Array<{
+						rules?: Array<{
+							type: string;
+							parameters?: {
+								required_status_checks?: Array<{ context: string }>;
+							};
+						}>;
+					}>
+				).some((rs) =>
+					rs.rules?.some(
+						(r) =>
+							r.type === "required_status_checks" &&
+							r.parameters?.required_status_checks?.some(
+								(c) => c.context === WORKFLOW_CHECK_NAME,
+							),
+					),
+				);
+				if (alreadyRequired) {
+					console.log(
+						`✓ '${WORKFLOW_CHECK_NAME}' already a required status check`,
+					);
+					return;
+				}
+				console.log(
+					`\n  ℹ️  Ruleset branch protection detected on '${branch}'.`,
+				);
+				console.log(
+					`      Add '${WORKFLOW_CHECK_NAME}' to required status checks`,
+				);
+				console.log(
+					`      in Settings → Rules to block merges on workflow failure.`,
+				);
+			}
+			return;
+		}
+
+		// Extract current required check names from classic protection
+		type Check = { context: string; app_id: number };
+		const prot = protection as {
+			required_status_checks?: {
+				strict: boolean;
+				contexts?: string[];
+				checks?: Check[];
+			};
+		};
+		const existingChecks: Check[] =
+			prot.required_status_checks?.checks ??
+			(prot.required_status_checks?.contexts ?? []).map((c) => ({
+				context: c,
+				app_id: -1,
+			}));
+		const strict = prot.required_status_checks?.strict ?? false;
+
+		if (existingChecks.some((c) => c.context === WORKFLOW_CHECK_NAME)) {
+			console.log(`✓ '${WORKFLOW_CHECK_NAME}' already a required status check`);
+			return;
+		}
+
+		// Prompt
+		console.log(`\n  Branch protection is active on '${branch}'.`);
+		const yes = await promptYesNo(
+			`  Add '${WORKFLOW_CHECK_NAME}' as a required status check? [y/N] `,
+		);
+		if (!yes) {
+			printRequiredCheckNote(branch);
+			return;
+		}
+
+		await patchRequiredChecks(slug, branch, {
+			strict,
+			checks: [...existingChecks, { context: WORKFLOW_CHECK_NAME, app_id: -1 }],
+		});
+		console.log(
+			`✓ Added '${WORKFLOW_CHECK_NAME}' as a required status check on '${branch}'`,
+		);
+	} catch {
+		// Any failure — don't break install, just print the note
+		console.log(
+			`\n  ℹ️  Could not configure required status checks automatically.`,
+		);
+		console.log(
+			`      To block merges on workflow failure, add '${WORKFLOW_CHECK_NAME}'`,
+		);
+		console.log(
+			`      to required status checks in your branch protection settings.`,
+		);
+	}
+}
+
 async function main() {
 	const args = process.argv.slice(2);
 	const runnerFlagIdx = args.findIndex((a: string) => a === "--runner");
@@ -174,7 +386,10 @@ async function main() {
 		`✓ Installed .github/workflows/claude-attribution-pr.yml — runner: ${runsOn}${detectedNote}`,
 	);
 
-	// 5. Record installed version for auto-upgrade tracking
+	// 5. Check branch protection and offer to add required status check
+	await maybeAddRequiredCheck(targetRepo);
+
+	// 6. Record installed version for auto-upgrade tracking
 	const pkg = JSON.parse(
 		await readFile(join(ATTRIBUTION_ROOT, "package.json"), "utf8"),
 	) as { version: string };