github2gerrit 0.1.14__tar.gz → 0.1.15__tar.gz

{github2gerrit-0.1.14 → github2gerrit-0.1.15}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github2gerrit
-Version: 0.1.14
+Version: 0.1.15
 Summary: Submit a GitHub pull request to a Gerrit repository.
 Project-URL: Homepage, https://github.com/lfreleng-actions/github2gerrit
 Project-URL: Repository, https://github.com/lfreleng-actions/github2gerrit

{github2gerrit-0.1.14 → github2gerrit-0.1.15}/action.yaml

@@ -81,6 +81,10 @@ inputs:
     description: "Normalize commit messages to conventional commit format"
     required: false
     default: "false"
+  VERBOSE:
+    description: "Enable verbose output (sets log level to DEBUG)"
+    required: false
+    default: "false"
   GERRIT_SERVER:
     description: "Gerrit server hostname; derived if not supplied explicitly"
     required: false
@@ -280,6 +284,7 @@ runs:
         DUPLICATE_TYPES: ${{ inputs.DUPLICATE_TYPES }}
         NORMALISE_COMMIT: ${{ inputs.NORMALISE_COMMIT }}
         G2G_USE_SSH_AGENT: ${{ inputs.G2G_USE_SSH_AGENT }}
+        G2G_VERBOSE: ${{ inputs.VERBOSE }}
 
         # Optional Gerrit overrides (when .gitreview is missing)
         GERRIT_SERVER: ${{ inputs.GERRIT_SERVER }}

{github2gerrit-0.1.14 → github2gerrit-0.1.15}/src/github2gerrit/cli.py

@@ -51,6 +51,7 @@ from .ssh_common import build_non_interactive_ssh_env
 from .utils import append_github_output
 from .utils import env_bool
 from .utils import env_str
+from .utils import is_verbose_mode
 from .utils import log_exception_conditionally
 from .utils import parse_bool_env
 
@@ -989,9 +990,19 @@ def _process_single(
                 else:
                     progress_tracker.change_updated()
         except Exception as exc:
+            error_msg = str(exc)
             log.debug("Execution failed; continuing to write outputs: %s", exc)
+
+            # Always show the actual error to the user, not just in debug mode
             if progress_tracker:
-                progress_tracker.add_error("Execution failed")
+                progress_tracker.add_error(f"Execution failed: {error_msg}")
+            else:
+                # If no progress tracker, show error directly
+                safe_console_print(f"❌ Error: {error_msg}", style="red")
+
+            # In verbose mode, also log the full exception with traceback
+            if is_verbose_mode():
+                log.exception("Full exception details:")
 
             result = SubmissionResult(
                 change_urls=[], change_numbers=[], commit_shas=[]

{github2gerrit-0.1.14 → github2gerrit-0.1.15}/src/github2gerrit/core.py

@@ -69,7 +69,7 @@ from .reconcile_matcher import LocalCommit
 from .reconcile_matcher import create_local_commit
 from .ssh_common import merge_known_hosts_content
 from .utils import env_bool
-from .utils import log_exception_conditionally
+from .utils import is_verbose_mode
 
 
 try:
@@ -708,6 +708,8 @@ class Orchestrator:
         self._ssh_known_hosts_path: Path | None = None
         self._ssh_agent_manager: SSHAgentManager | None = None
         self._use_ssh_agent: bool = False
+        # Secure temporary directory for SSH files (outside workspace)
+        self._ssh_temp_dir: Path | None = None
         # Store inputs for access by helper methods
         self._inputs: Inputs | None = None
 
@@ -865,6 +867,9 @@ class Orchestrator:
 
         self._comment_on_pull_request(gh, gerrit, result)
 
+        # Validate that no unexpected files were committed
+        self._validate_committed_files(gh, result)
+
         self._close_pull_request_if_required(gh)
 
         log.debug("Pipeline complete: %s", result)
@@ -1111,10 +1116,15 @@ class Orchestrator:
 
         Does not modify user files.
         """
+        log.debug(
+            "Starting SSH setup for Gerrit %s:%d", gerrit.host, gerrit.port
+        )
         if not inputs.gerrit_ssh_privkey_g2g:
             log.debug("SSH private key not provided, skipping SSH setup")
             return
 
+        log.debug("SSH private key provided, proceeding with SSH configuration")
+
         # Check for ssh-keyscan availability early if auto-discovery needed
         if (
             auto_discover_gerrit_host_keys is not None
@@ -1259,16 +1269,25 @@ class Orchestrator:
 
         # Check if SSH agent authentication is preferred
         use_ssh_agent = env_bool("G2G_USE_SSH_AGENT", default=True)
+        log.debug(
+            "SSH agent preference: use_ssh_agent=%s, "
+            "setup_ssh_agent_auth available=%s",
+            use_ssh_agent,
+            setup_ssh_agent_auth is not None,
+        )
 
         if use_ssh_agent and setup_ssh_agent_auth is not None:
             # Try SSH agent first as it's more secure and avoids file
             # permission issues
+            log.debug("Attempting SSH agent-based authentication")
             if self._try_ssh_agent_setup(inputs, effective_known_hosts):
+                log.debug("SSH agent setup successful")
                 return
 
             # Fall back to file-based SSH if agent setup fails
             log.info("Falling back to file-based SSH authentication")
 
+        log.debug("Using file-based SSH authentication")
         self._setup_file_based_ssh(inputs, effective_known_hosts)
 
     def _try_ssh_agent_setup(
@@ -1288,8 +1307,36 @@ class Orchestrator:
 
         try:
             log.debug("Setting up SSH agent-based authentication (more secure)")
+            log.debug("Workspace: %s", self.workspace)
+            log.debug(
+                "Private key length: %d characters",
+                len(inputs.gerrit_ssh_privkey_g2g),
+            )
+            log.debug(
+                "Known hosts length: %d characters", len(effective_known_hosts)
+            )
+
+            # Create secure separate temp directory for SSH agent if needed
+            import secrets
+            import tempfile
+
+            if not self._ssh_temp_dir:
+                # Use secure random suffix to prevent predictable paths
+                secure_suffix = secrets.token_hex(8)
+                self._ssh_temp_dir = Path(
+                    tempfile.mkdtemp(
+                        prefix=f"g2g_ssh_{secure_suffix}_",
+                        dir=tempfile.gettempdir(),
+                    )
+                )
+                # Ensure directory has restrictive permissions
+                self._ssh_temp_dir.chmod(0o700)
+                log.debug(
+                    "Created secure SSH temp directory: %s", self._ssh_temp_dir
+                )
+
             self._ssh_agent_manager = setup_ssh_agent_auth(
-                workspace=self.workspace,
+                workspace=self._ssh_temp_dir,
                 private_key_content=inputs.gerrit_ssh_privkey_g2g,
                 known_hosts_content=effective_known_hosts,
             )
@@ -1297,6 +1344,7 @@ class Orchestrator:
             log.debug("SSH agent authentication configured successfully")
 
         except Exception as exc:
+            log.debug("SSH agent setup failed: %s", exc)
             log.warning(
                 "SSH agent setup failed, falling back to file-based SSH: %s",
                 exc,
@@ -1317,28 +1365,60 @@ class Orchestrator:
             inputs: Validated input configuration
             effective_known_hosts: Known hosts content
         """
-        log.info("Setting up file-based SSH configuration for Gerrit")
-        log.debug("Using workspace-specific SSH files to avoid user changes")
+        log.debug("Using file-based SSH configuration for Gerrit")
+        log.debug(
+            "Using secure temporary SSH files outside workspace to prevent "
+            "artifacts"
+        )
+        log.debug(
+            "Private key length: %d characters",
+            len(inputs.gerrit_ssh_privkey_g2g),
+        )
+        log.debug(
+            "Known hosts length: %d characters", len(effective_known_hosts)
+        )
 
-        # Create tool-specific SSH directory in workspace to avoid touching
-        # user files
-        tool_ssh_dir = self.workspace / ".ssh-g2g"
+        # Create secure tool-specific SSH directory outside workspace to prevent
+        # SSH artifacts from being accidentally committed
+        import secrets
+        import tempfile
+
+        if not self._ssh_temp_dir:
+            # Use secure random suffix to prevent predictable paths
+            secure_suffix = secrets.token_hex(8)
+            self._ssh_temp_dir = Path(
+                tempfile.mkdtemp(
+                    prefix=f"g2g_ssh_{secure_suffix}_",
+                    dir=tempfile.gettempdir(),
+                )
+            )
+            # Ensure directory has restrictive permissions
+            self._ssh_temp_dir.chmod(0o700)
+            log.debug(
+                "Created secure SSH temp directory: %s", self._ssh_temp_dir
+            )
+        tool_ssh_dir = self._ssh_temp_dir
         tool_ssh_dir.mkdir(mode=0o700, exist_ok=True)
 
         # Write SSH private key to tool-specific location with secure
         # permissions
         key_path = tool_ssh_dir / "gerrit_key"
+        log.debug("SSH key file path: %s", key_path)
 
         # Use a more robust approach for creating the file with secure
         # permissions
         key_content = inputs.gerrit_ssh_privkey_g2g.strip() + "\n"
 
         # Multiple strategies to create secure key file
+        log.debug("Attempting to create secure key file")
         success = self._create_secure_key_file(key_path, key_content)
+        log.debug("Secure key file creation success: %s", success)
 
         if not success:
             # If all permission strategies fail, create in memory directory
+            log.debug("Falling back to memory-based key file creation")
             success = self._create_key_in_memory_fs(key_path, key_content)
+            log.debug("Memory-based key file creation success: %s", success)
 
         if not success:
             msg = (
@@ -1347,8 +1427,11 @@ class Orchestrator:
                 "Consider using G2G_USE_SSH_AGENT=true (default) for SSH "
                 "agent authentication."
             )
+            log.error("SSH key file creation failed: %s", msg)
             raise RuntimeError(msg)
 
+        log.debug("SSH key file created successfully: %s", key_path)
+
         # Write known hosts to tool-specific location
         known_hosts_path = tool_ssh_dir / "known_hosts"
         with open(known_hosts_path, "w", encoding="utf-8") as f:
@@ -1360,6 +1443,7 @@ class Orchestrator:
         # Store paths for later use in git commands
         self._ssh_key_path = key_path
         self._ssh_known_hosts_path = known_hosts_path
+        log.debug("File-based SSH setup completed successfully")
 
     def _create_secure_key_file(self, key_path: Path, key_content: str) -> bool:
         """Try multiple strategies to create a secure SSH key file.
@@ -1564,29 +1648,46 @@ class Orchestrator:
         """Centralized non-interactive SSH/Git environment."""
         from .ssh_common import build_non_interactive_ssh_env
 
+        log.debug("Building SSH environment for git operations")
         env = build_non_interactive_ssh_env()
 
         # Set GIT_SSH_COMMAND based on available configuration
         cmd = self._build_git_ssh_command
         if cmd:
+            log.debug("Using custom GIT_SSH_COMMAND: %s", cmd)
             env["GIT_SSH_COMMAND"] = cmd
         else:
             # Fallback to basic non-interactive SSH command
             from .ssh_common import build_git_ssh_command
 
-            env["GIT_SSH_COMMAND"] = build_git_ssh_command()
+            fallback_cmd = build_git_ssh_command()
+            log.debug("Using fallback GIT_SSH_COMMAND: %s", fallback_cmd)
+            env["GIT_SSH_COMMAND"] = fallback_cmd
 
         # Override SSH agent settings if using SSH agent
         if self._use_ssh_agent and self._ssh_agent_manager:
-            env.update(self._ssh_agent_manager.get_ssh_env())
+            log.debug("Applying SSH agent environment variables")
+            agent_env = self._ssh_agent_manager.get_ssh_env()
+            log.debug(
+                "SSH agent environment: %s",
+                {k: v for k, v in agent_env.items() if "SSH" in k},
+            )
+            env.update(agent_env)
+        else:
+            log.debug(
+                "Not using SSH agent (use_ssh_agent=%s, manager=%s)",
+                self._use_ssh_agent,
+                self._ssh_agent_manager is not None,
+            )
 
+        log.debug("Final SSH environment contains %d variables", len(env))
         return env
 
     def _cleanup_ssh(self) -> None:
         """Clean up temporary SSH files created by this tool.
 
-        Removes the workspace-specific .ssh-g2g directory and all contents.
-        This ensures no temporary files are left behind.
+        Securely removes the separate SSH temporary directory and all contents.
+        This ensures no temporary files or credentials are left behind.
         """
         log.debug("Cleaning up temporary SSH configuration files")
 
@@ -1597,15 +1698,47 @@ class Orchestrator:
                 self._ssh_agent_manager = None
                 self._use_ssh_agent = False
 
-            # Remove temporary SSH directory and all contents
-            tool_ssh_dir = self.workspace / ".ssh-g2g"
-            if tool_ssh_dir.exists():
+            # Securely remove separate SSH temporary directory and all contents
+            if self._ssh_temp_dir and self._ssh_temp_dir.exists():
+                import os
                 import shutil
 
-                shutil.rmtree(tool_ssh_dir)
+                # First, overwrite any key files to prevent recovery
+                try:
+                    for root, _dirs, files in os.walk(self._ssh_temp_dir):
+                        for file in files:
+                            file_path = Path(root) / file
+                            if file_path.exists() and file_path.is_file():
+                                # Overwrite file with random data
+                                try:
+                                    size = file_path.stat().st_size
+                                    if size > 0:
+                                        import secrets
+
+                                        with open(file_path, "wb") as f:
+                                            f.write(secrets.token_bytes(size))
+                                            # Sync to ensure write completes
+                                            os.fsync(f.fileno())
+                                except Exception as overwrite_exc:
+                                    log.debug(
+                                        "Failed to overwrite %s: %s",
+                                        file_path,
+                                        overwrite_exc,
+                                    )
+                except Exception as walk_exc:
+                    log.debug(
+                        "Failed to walk SSH temp directory for secure "
+                        "cleanup: %s",
+                        walk_exc,
+                    )
+
+                # Remove the directory tree
+                shutil.rmtree(self._ssh_temp_dir)
                 log.debug(
-                    "Cleaned up temporary SSH directory: %s", tool_ssh_dir
+                    "Securely cleaned up temporary SSH directory: %s",
+                    self._ssh_temp_dir,
                 )
+                self._ssh_temp_dir = None
         except Exception as exc:
             log.warning("Failed to clean up temporary SSH files: %s", exc)
 
@@ -1821,8 +1954,8 @@ class Orchestrator:
                     cur_msg = _clean_ellipses_from_message(cur_msg)
                     needed = [m for m in meta if m not in cur_msg]
                     if needed:
-                        new_msg = (
-                            cur_msg.rstrip() + "\n" + "\n".join(needed) + "\n"
+                        new_msg = Orchestrator._append_missing_trailers(
+                            cur_msg, needed
                         )
                         git_commit_amend(
                             message=new_msg,
@@ -2113,7 +2246,9 @@ class Orchestrator:
             if meta:
                 needed = [m for m in meta if m not in commit_msg]
                 if needed:
-                    commit_msg = commit_msg.rstrip() + "\n" + "\n".join(needed)
+                    commit_msg = Orchestrator._append_missing_trailers(
+                        commit_msg, needed
+                    )
         except Exception as meta_exc:
             log.debug(
                 "Skipping metadata trailer injection (squash path): %s",
@@ -2314,7 +2449,9 @@ class Orchestrator:
                 ).stdout
                 needed = [m for m in meta if m not in cur_msg]
                 if needed:
-                    new_msg = cur_msg.rstrip() + "\n" + "\n".join(needed) + "\n"
+                    new_msg = Orchestrator._append_missing_trailers(
+                        cur_msg, needed
+                    )
                     git_commit_amend(
                         cwd=self.workspace,
                         no_edit=False,
@@ -2327,6 +2464,32 @@ class Orchestrator:
                 "Skipping post-apply metadata trailer ensure: %s", meta_exc
             )
 
+    @staticmethod
+    def _append_missing_trailers(
+        message: str, trailers: list[str], *, ensure_final_newline: bool = True
+    ) -> str:
+        """Append missing trailers to a commit message with proper formatting.
+
+        Args:
+            message: The base commit message
+            trailers: List of trailer lines to potentially append
+            ensure_final_newline: Whether to ensure the message ends with a
+                newline
+
+        Returns:
+            The message with missing trailers appended, properly formatted
+        """
+        needed = [trailer for trailer in trailers if trailer not in message]
+        if not needed:
+            return message
+
+        result = message.rstrip() + "\n\n" + "\n".join(needed)
+
+        if ensure_final_newline:
+            result = result.rstrip("\n") + "\n"
+
+        return result
+
     def _push_to_gerrit(
         self,
         *,
@@ -2369,6 +2532,7 @@ class Orchestrator:
                 "-t",
                 topic,
             ]
+            log.debug("Building git review command with topic: %s", topic)
             collected_change_ids: list[str] = []
             if prepared:
                 collected_change_ids.extend(prepared.all_change_ids())
@@ -2396,7 +2560,15 @@ class Orchestrator:
                     gerrit, repo, branch, reviewers, topic, env
                 )
                 return
-            log.debug("Executing git review command: %s", " ".join(args))
+
+            log.debug("Final git review command: %s", " ".join(args))
+            log.debug(
+                "Git review environment variables: %s",
+                {k: v for k, v in env.items() if "SSH" in k or "GIT" in k},
+            )
+            log.debug("Working directory: %s", self.workspace)
+
+            # Execute the git review command
             run_cmd(args, cwd=self.workspace, env=env)
             log.debug("Successfully pushed changes to Gerrit")
         except CommandError as exc:
@@ -2498,9 +2670,33 @@ class Orchestrator:
 
             # Analyze the specific failure reason from git review output
             error_details = self._analyze_gerrit_push_failure(exc)
-            log_exception_conditionally(
-                log, "Gerrit push failed: %s", error_details
-            )
+
+            # Always log the error details, even if not in verbose mode
+            log.exception("Gerrit push failed: %s", error_details)
+
+            # In debug mode, also show the raw command output
+            if is_verbose_mode():
+                log.debug("Git review command: %s", " ".join(exc.cmd or []))
+                log.debug("Return code: %s", exc.returncode)
+                if exc.stdout:
+                    log.debug("Command stdout:\n%s", exc.stdout)
+                if exc.stderr:
+                    log.debug("Command stderr:\n%s", exc.stderr)
+
+            # Include raw output in error message if analysis didn't provide
+            # useful info
+            has_raw_output = exc.stdout or exc.stderr
+            if error_details.startswith("Unknown error") and has_raw_output:
+                raw_output = ""
+                if exc.stdout:
+                    raw_output += f"stdout: {exc.stdout.strip()}\n"
+                if exc.stderr:
+                    raw_output += f"stderr: {exc.stderr.strip()}"
+                if raw_output:
+                    error_details = (
+                        f"{error_details}\nRaw output:\n{raw_output}"
+                    )
+
             msg = (
                 f"Failed to push changes to Gerrit with git-review: "
                 f"{error_details}"
@@ -2758,9 +2954,10 @@ class Orchestrator:
                 env=env,
                 check=False,
             )
-            # 2) Clean untracked files/dirs (preserve our SSH known_hosts dir)
+            # 2) Clean untracked files/dirs (SSH files are now outside
+            # workspace)
             run_cmd(
-                ["git", "clean", "-fdx", "-e", ".ssh-g2g", "-e", ".ssh-g2g/**"],
+                ["git", "clean", "-fdx"],
                 cwd=self.workspace,
                 env=env,
                 check=False,
@@ -2968,7 +3165,15 @@ class Orchestrator:
                     return f"Gerrit rejected the push: {line.strip()}"
             return "Gerrit rejected the push for an unknown reason"
         else:
-            return f"Unknown error: {exc}"
+            # For unknown errors, include more context
+            context_parts = []
+            if exc.returncode is not None:
+                context_parts.append(f"exit code {exc.returncode}")
+            if exc.cmd:
+                context_parts.append(f"command: {' '.join(exc.cmd)}")
+
+            context = f" ({', '.join(context_parts)})" if context_parts else ""
+            return f"Unknown error{context}: {exc}"
 
     def _query_gerrit_for_results(
         self,
@@ -3933,6 +4138,128 @@ class Orchestrator:
             out.append(c)
         return out
 
+    def _validate_committed_files(
+        self, gh: GitHubContext, result: SubmissionResult
+    ) -> None:
+        """Validate that only expected files from the GitHub PR were
+        committed to Gerrit.
+
+        This is a safety check to ensure no tool artifacts (like SSH keys) were
+        accidentally included in the Gerrit change.
+        """
+        if not gh.pr_number or not result.commit_shas:
+            log.debug("Skipping file validation - no PR number or commit SHAs")
+            return
+
+        try:
+            # Get files changed in the GitHub PR
+            from .github_api import build_client
+            from .github_api import get_pull
+            from .github_api import get_repo_from_env
+
+            client = build_client()
+            repo = get_repo_from_env(client)
+            pr_obj = get_pull(repo, int(gh.pr_number))
+
+            # Get list of files changed in the PR
+            github_files = set()
+            for file in pr_obj.get_files():  # type: ignore[attr-defined]
+                github_files.add(file.filename)
+
+            log.debug(
+                "GitHub PR files (%d): %s",
+                len(github_files),
+                sorted(github_files),
+            )
+
+            # Check files in each commit SHA that was pushed to Gerrit
+            for commit_sha in result.commit_shas:
+                try:
+                    # Get files changed in the Gerrit commit
+                    from .gitutils import run_cmd
+
+                    files_output = run_cmd(
+                        [
+                            "git",
+                            "show",
+                            "--name-only",
+                            "--pretty=format:",
+                            commit_sha,
+                        ],
+                        cwd=self.workspace,
+                    ).stdout.strip()
+
+                    if not files_output:
+                        continue
+
+                    gerrit_files = {
+                        f.strip() for f in files_output.split("\n") if f.strip()
+                    }
+                    log.debug(
+                        "Gerrit commit %s files (%d): %s",
+                        commit_sha[:8],
+                        len(gerrit_files),
+                        sorted(gerrit_files),
+                    )
+
+                    # Check for unexpected files
+                    unexpected_files = gerrit_files - github_files
+                    if unexpected_files:
+                        # Filter out known safe files that might legitimately
+                        # differ
+                        suspicious_files = []
+                        for f in unexpected_files:
+                            # Skip files that are legitimately different
+                            if f in [".gitreview", ".gitignore"]:
+                                continue
+                            # Flag SSH artifacts and other suspicious files
+                            if (
+                                ".ssh" in f
+                                or "known_hosts" in f
+                                or f.startswith("gerrit_key")
+                            ):
+                                suspicious_files.append(f)
+                            else:
+                                # Other unexpected files - log but don't error
+                                log.warning(
+                                    "Unexpected file in Gerrit commit: %s", f
+                                )
+
+                        if suspicious_files:
+                            log.error(
+                                "❌ CRITICAL: SSH artifacts detected in Gerrit "
+                                "commit %s: %s",
+                                commit_sha[:8],
+                                suspicious_files,
+                            )
+                            log.error(
+                                "This indicates a serious bug where tool "
+                                "artifacts were committed. The Gerrit change "
+                                "may need manual cleanup."
+                            )
+                            # Don't fail the pipeline, but log prominently for
+                            # monitoring
+
+                    # Also check if we're missing expected files
+                    missing_files = github_files - gerrit_files
+                    if missing_files:
+                        log.warning(
+                            "Files in GitHub PR but not in Gerrit commit "
+                            "%s: %s",
+                            commit_sha[:8],
+                            sorted(missing_files),
+                        )
+
+                except Exception as commit_exc:
+                    log.debug(
+                        "Failed to validate files for commit %s: %s",
+                        commit_sha[:8],
+                        commit_exc,
+                    )
+
+        except Exception as exc:
+            log.debug("File validation failed (non-critical): %s", exc)
+
 
 # ---------------------
 # Utility functions