github2gerrit 1.0.3__tar.gz → 1.0.4__tar.gz

{github2gerrit-1.0.3 → github2gerrit-1.0.4}/.pre-commit-config.yaml

@@ -59,7 +59,7 @@ repos:
         types: [yaml]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: 9b1e9a33f1b33f6ecc2fdbb8d7cc894e951106e4  # frozen: v0.14.13
+    rev: 45ef068da5f21267bb2a7ec4a623092959f09ce5  # frozen: v0.14.14
     hooks:
       - id: ruff
         files: ^(src|scripts|tests)/.+\.py$
@@ -121,7 +121,7 @@ repos:
       - id: codespell
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: b035497fb64e3f9faa91e833331688cc185891e6  # frozen: 0.36.0
+    rev: ccf21790019848af3eb4464be2a9d5efed6358f3  # frozen: 0.36.1
     hooks:
       - id: check-github-actions
       - id: check-github-workflows

{github2gerrit-1.0.3 → github2gerrit-1.0.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github2gerrit
-Version: 1.0.3
+Version: 1.0.4
 Summary: Submit a GitHub pull request to a Gerrit repository.
 Project-URL: Homepage, https://github.com/lfreleng-actions/github2gerrit-action
 Project-URL: Repository, https://github.com/lfreleng-actions/github2gerrit-action
@@ -1270,6 +1270,47 @@ GERRIT_HTTP_USER = "bot-user"
 GERRIT_HTTP_PASSWORD = "${ENV:ODL_GERRIT_TOKEN}"
 ```
 
+### Using .netrc Files
+
+GitHub2Gerrit supports loading Gerrit credentials from `.netrc` files, following
+the standard format used by curl and other tools.
+
+**Search order:**
+
+1. `.netrc` in the current directory
+2. `~/.netrc` in your home directory
+3. `~/_netrc` (Windows fallback)
+
+**Example `.netrc` file:**
+
+```text
+machine gerrit.onap.org login myuser password mytoken
+machine gerrit.opendaylight.org login myuser password anothertoken
+```
+
+**CLI options:**
+
+| Option | Description |
+| ------ | ----------- |
+| `--no-netrc` | Disable .netrc file lookup |
+| `--netrc-file PATH` | Use a specific .netrc file |
+| `--netrc-optional` | Do not fail if .netrc file is missing (default) |
+| `--netrc-required` | Require a .netrc file and fail if missing |
+
+By default, `.netrc` lookup is optional (`--netrc-optional`): if the tool
+finds no `.netrc` file, it continues and falls back to environment variables.
+Use `--netrc-required` to enforce that a `.netrc` file must be present.
+
+When a `.netrc` file is present, the tool loads credentials automatically.
+Explicit environment variables or CLI arguments take precedence over `.netrc`
+entries.
+
+**Credential Priority Order:**
+
+1. **CLI arguments** (highest priority)
+2. **`.netrc` file** (if not disabled with `--no-netrc`)
+3. **Environment variables** (e.g., `GERRIT_HTTP_USER`, `GERRIT_HTTP_PASSWORD`)
+
 The tool loads configuration from `~/.config/github2gerrit/configuration.txt`
 by default, or from the path specified in the `G2G_CONFIG_PATH` environment
 variable.

{github2gerrit-1.0.3 → github2gerrit-1.0.4}/README.md

@@ -1225,6 +1225,47 @@ GERRIT_HTTP_USER = "bot-user"
 GERRIT_HTTP_PASSWORD = "${ENV:ODL_GERRIT_TOKEN}"
 ```
 
+### Using .netrc Files
+
+GitHub2Gerrit supports loading Gerrit credentials from `.netrc` files, following
+the standard format used by curl and other tools.
+
+**Search order:**
+
+1. `.netrc` in the current directory
+2. `~/.netrc` in your home directory
+3. `~/_netrc` (Windows fallback)
+
+**Example `.netrc` file:**
+
+```text
+machine gerrit.onap.org login myuser password mytoken
+machine gerrit.opendaylight.org login myuser password anothertoken
+```
+
+**CLI options:**
+
+| Option | Description |
+| ------ | ----------- |
+| `--no-netrc` | Disable .netrc file lookup |
+| `--netrc-file PATH` | Use a specific .netrc file |
+| `--netrc-optional` | Do not fail if .netrc file is missing (default) |
+| `--netrc-required` | Require a .netrc file and fail if missing |
+
+By default, `.netrc` lookup is optional (`--netrc-optional`): if the tool
+finds no `.netrc` file, it continues and falls back to environment variables.
+Use `--netrc-required` to enforce that a `.netrc` file must be present.
+
+When a `.netrc` file is present, the tool loads credentials automatically.
+Explicit environment variables or CLI arguments take precedence over `.netrc`
+entries.
+
+**Credential Priority Order:**
+
+1. **CLI arguments** (highest priority)
+2. **`.netrc` file** (if not disabled with `--no-netrc`)
+3. **Environment variables** (e.g., `GERRIT_HTTP_USER`, `GERRIT_HTTP_PASSWORD`)
+
 The tool loads configuration from `~/.config/github2gerrit/configuration.txt`
 by default, or from the path specified in the `G2G_CONFIG_PATH` environment
 variable.

{github2gerrit-1.0.3 → github2gerrit-1.0.4}/action.yaml

@@ -158,19 +158,19 @@ runs:
   steps:
     - name: "Setup Python"
       # yamllint disable-line rule:line-length
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # v6.1.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       with:
         python-version-file: '${{ github.action_path }}/pyproject.toml'
 
     - name: "Setup uv"
       # yamllint disable-line rule:line-length
-      uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b  # v7.2.0
+      uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41  # v7.2.1
       with:
         enable-cache: false
 
     - name: "Checkout repository"
       # yamllint disable-line rule:line-length
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       with:
         fetch-depth: ${{ inputs.FETCH_DEPTH }}
         # Ensure we are on the PR's head SHA when triggered by PR events

{github2gerrit-1.0.3 → github2gerrit-1.0.4}/src/github2gerrit/cli.py

@@ -69,6 +69,8 @@ from .gitutils import enumerate_reviewer_emails
 from .gitutils import git
 from .models import GitHubContext
 from .models import Inputs
+from .netrc import NetrcParseError
+from .netrc import get_credentials_for_host
 from .rich_display import RICH_AVAILABLE
 from .rich_display import DummyProgressTracker
 from .rich_display import G2GProgressTracker
@@ -778,6 +780,29 @@ def main(
         envvar="AUTOMATION_ONLY",
         help="Accept pull requests from known automation tools.",
     ),
+    no_netrc: bool = typer.Option(
+        False,
+        "--no-netrc",
+        help="Disable .netrc credential lookup for Gerrit HTTP authentication",
+        envvar="G2G_NO_NETRC",
+    ),
+    netrc_file: Path | None = typer.Option(  # noqa: B008
+        None,
+        "--netrc-file",
+        help="Explicit path to .netrc file for Gerrit HTTP credentials",
+        envvar="G2G_NETRC_FILE",
+        exists=True,
+        file_okay=True,
+        dir_okay=False,
+        readable=True,
+        resolve_path=True,
+    ),
+    netrc_optional: bool = typer.Option(
+        True,
+        "--netrc-optional/--netrc-required",
+        help="Whether to fail if .netrc file is not found (default: optional)",
+        envvar="G2G_NETRC_OPTIONAL",
+    ),
 ) -> None:
     """
     Tool to convert GitHub pull requests into Gerrit changes
@@ -836,6 +861,46 @@ def main(
     if os.getenv("AUTOMATION_ONLY"):
         automation_only = parse_bool_env(os.getenv("AUTOMATION_ONLY"))
 
+    # Store netrc options in environment for use by processing functions
+    os.environ["G2G_NO_NETRC"] = "true" if no_netrc else "false"
+    if netrc_file:
+        os.environ["G2G_NETRC_FILE"] = str(netrc_file)
+    os.environ["G2G_NETRC_OPTIONAL"] = "true" if netrc_optional else "false"
+
+    # Handle netrc credential loading if enabled
+    if not no_netrc:
+        # Get the Gerrit server from environment or CLI
+        gerrit_host = gerrit_server or os.getenv("GERRIT_SERVER", "")
+        if gerrit_host:
+            try:
+                netrc_creds = get_credentials_for_host(
+                    host=gerrit_host,
+                    netrc_file=netrc_file,
+                    use_netrc=True,
+                    netrc_optional=netrc_optional,
+                )
+                if netrc_creds:
+                    # Set HTTP credentials from netrc if not already set
+                    if not os.getenv("GERRIT_HTTP_USER"):
+                        os.environ["GERRIT_HTTP_USER"] = netrc_creds.login
+                    if not os.getenv("GERRIT_HTTP_PASSWORD"):
+                        os.environ["GERRIT_HTTP_PASSWORD"] = (
+                            netrc_creds.password
+                        )
+                    log.debug(
+                        "Loaded Gerrit HTTP credentials for %s from .netrc",
+                        gerrit_host,
+                    )
+            except FileNotFoundError:
+                if not netrc_optional:
+                    safe_typer_echo(
+                        "❌ No .netrc file found and --netrc-required set"
+                    )
+                    sys.exit(int(ExitCode.CONFIGURATION_ERROR))
+            except NetrcParseError as e:
+                safe_typer_echo(f"❌ Failed to parse .netrc file: {e}")
+                sys.exit(int(ExitCode.CONFIGURATION_ERROR))
+
     # Set up logging level based on verbose flag
     if verbose:
         os.environ["G2G_LOG_LEVEL"] = "DEBUG"

{github2gerrit-1.0.3 → github2gerrit-1.0.4}/src/github2gerrit/core.py

@@ -307,29 +307,21 @@ class Orchestrator:
             return True
 
         try:
-            # Get credentials if available
-            http_user = (
-                os.getenv("GERRIT_HTTP_USER", "").strip()
-                or os.getenv("GERRIT_SSH_USER_G2G", "").strip()
-            )
-            http_pass = os.getenv("GERRIT_HTTP_PASSWORD", "").strip()
+            # Use centralized URL builder with automatic credential resolution.
+            # Credential priority: CLI args > .netrc > environment variables.
+            # This call uses .netrc > environment (no CLI args passed).
+            from .gerrit_rest import build_client_for_host
 
-            if not http_user or not http_pass:
+            client = build_client_for_host(gerrit.host)
+
+            # Check if client has authentication
+            if not client.is_authenticated:
                 log.debug(
                     "Cannot update Gerrit change metadata: "
-                    "GERRIT_HTTP_USER/PASSWORD not configured"
+                    "No credentials found (check .netrc or environment)"
                 )
                 return False
 
-            # Use centralized URL builder
-            from .gerrit_rest import build_client_for_host
-
-            client = build_client_for_host(
-                gerrit.host,
-                http_user=http_user,
-                http_password=http_pass,
-            )
-
             encoded_id = urllib.parse.quote(change_id, safe="")
 
             # Get current commit message to preserve G2G metadata and trailers
@@ -4229,14 +4221,9 @@ class Orchestrator:
         # Create centralized URL builder (auto-discovers base path)
         url_builder = create_gerrit_url_builder(gerrit.host)
 
-        # Get authentication credentials
-        http_user = (
-            os.getenv("GERRIT_HTTP_USER", "").strip()
-            or os.getenv("GERRIT_SSH_USER_G2G", "").strip()
-        )
-        http_pass = os.getenv("GERRIT_HTTP_PASSWORD", "").strip()
-
         # Query changes using centralized REST client
+        # Credential priority: CLI args > .netrc > environment variables.
+        # This call uses .netrc > environment (no CLI args passed).
         urls: list[str] = []
         nums: list[str] = []
         shas: list[str] = []
@@ -4256,8 +4243,6 @@ class Orchestrator:
                 gerrit.host,
                 timeout=8.0,
                 max_attempts=5,
-                http_user=http_user or None,
-                http_password=http_pass or None,
             )
             try:
                 log.debug("Gerrit API base URL (discovered): %s", api_base_url)
@@ -5349,13 +5334,9 @@ class Orchestrator:
             raise OrchestratorError(msg) from exc
 
         # Gerrit REST reachability and optional auth check
+        # Credential priority: CLI args > .netrc > environment variables.
         base_path = os.getenv("GERRIT_HTTP_BASE_PATH", "").strip().strip("/")
-        http_user = (
-            os.getenv("GERRIT_HTTP_USER", "").strip()
-            or os.getenv("GERRIT_SSH_USER_G2G", "").strip()
-        )
-        http_pass = os.getenv("GERRIT_HTTP_PASSWORD", "").strip()
-        self._verify_gerrit_rest(gerrit.host, base_path, http_user, http_pass)
+        self._verify_gerrit_rest(gerrit.host, base_path)
 
         # GitHub token and metadata checks
         try:
@@ -5403,33 +5384,28 @@ class Orchestrator:
         self,
         host: str,
         base_path: str,
-        http_user: str,
-        http_pass: str,
     ) -> None:
         """Probe Gerrit REST endpoint with optional auth.
 
         Uses the centralized gerrit_rest client to ensure proper base path
         handling and consistent API interactions.
+
+        Credential priority: CLI args > .netrc > environment variables.
         """
         from .gerrit_rest import build_client_for_host
 
         try:
-            # Use centralized client builder that handles base path correctly
+            # Use centralized client builder for base path and credentials
             client = build_client_for_host(
                 host,
                 timeout=8.0,
                 max_attempts=3,
-                http_user=http_user,
-                http_password=http_pass,
             )
 
             # Test connectivity with appropriate endpoint
-            if http_user and http_pass:
+            if client.is_authenticated:
                 _ = client.get("/accounts/self")
-                log.debug(
-                    "Gerrit REST authenticated access verified for user '%s'",
-                    http_user,
-                )
+                log.debug("Gerrit REST authenticated access verified")
             else:
                 _ = client.get("/dashboard/self")
                 log.debug("Gerrit REST endpoint reachable (unauthenticated)")

{github2gerrit-1.0.3 → github2gerrit-1.0.4}/src/github2gerrit/duplicate_detection.py

@@ -268,22 +268,23 @@ class DuplicateDetector:
         return None
 
     def _build_gerrit_rest_client(self, gerrit_host: str) -> Any | None:
-        """Build a Gerrit REST API client using centralized framework."""
-        from .gerrit_rest import build_client_for_host
+        """Build a Gerrit REST API client using centralized framework.
 
-        http_user = (
-            os.getenv("GERRIT_HTTP_USER", "").strip()
-            or os.getenv("GERRIT_SSH_USER_G2G", "").strip()
-        )
-        http_pass = os.getenv("GERRIT_HTTP_PASSWORD", "").strip()
+        Credential resolution is handled by build_client_for_host with priority:
+        1. Explicit CLI arguments (if passed to build_client_for_host)
+        2. .netrc file
+        3. Environment variables (GERRIT_HTTP_USER/GERRIT_HTTP_PASSWORD)
+
+        This method does not pass explicit credentials, so only .netrc and
+        environment variables are used.
+        """
+        from .gerrit_rest import build_client_for_host
 
         try:
             return build_client_for_host(
                 gerrit_host,
                 timeout=8.0,
                 max_attempts=3,
-                http_user=http_user or None,
-                http_password=http_pass or None,
             )
         except Exception as exc:
             log.debug("Failed to create Gerrit REST client: %s", exc)

{github2gerrit-1.0.3 → github2gerrit-1.0.4}/src/github2gerrit/gerrit_rest.py

@@ -30,11 +30,11 @@ from __future__ import annotations
 import base64
 import json
 import logging
-import os
 import urllib.error
 import urllib.parse
 import urllib.request
 from dataclasses import dataclass
+from pathlib import Path
 from typing import Any
 from typing import Final
 from urllib.parse import urljoin
@@ -43,6 +43,8 @@ from .external_api import ApiType
 from .external_api import RetryPolicy
 from .external_api import external_api_call
 from .gerrit_urls import create_gerrit_url_builder
+from .netrc import GerritCredentials
+from .netrc import resolve_gerrit_credentials
 from .utils import log_exception_conditionally
 
 
@@ -156,6 +158,11 @@ class GerritRestClient:
 
     # Public API
 
+    @property
+    def is_authenticated(self) -> bool:
+        """Return True if client has authentication credentials."""
+        return self._auth is not None
+
     def get(self, path: str) -> Any:
         """HTTP GET, returning parsed JSON."""
         return self._request_json_with_retry("GET", path)
@@ -290,37 +297,72 @@ def build_client_for_host(
     max_attempts: int = 5,
     http_user: str | None = None,
     http_password: str | None = None,
+    use_netrc: bool = True,
+    netrc_file: Path | None = None,
+    credentials: GerritCredentials | None = None,
 ) -> GerritRestClient:
     """
     Build a GerritRestClient for a given host using the centralized URL builder.
 
     - Uses auto-discovered or environment-provided base path.
-    - Reads HTTP auth from arguments or environment:
-      GERRIT_HTTP_USER / GERRIT_HTTP_PASSWORD
-      If user is not provided, falls back to GERRIT_SSH_USER_G2G per project
-      norms.
+    - Reads HTTP auth from multiple sources in priority order:
+      1. Pre-resolved GerritCredentials object (if provided)
+      2. Explicit http_user/http_password arguments
+      3. .netrc file (if use_netrc=True)
+      4. Environment variables: GERRIT_HTTP_USER / GERRIT_HTTP_PASSWORD
+         If user is not provided, falls back to GERRIT_SSH_USER_G2G per project
+         norms.
 
     Args:
       host: Gerrit hostname (no scheme)
       timeout: Request timeout in seconds.
       max_attempts: Max retry attempts for transient failures.
-      http_user: Optional HTTP user.
-      http_password: Optional HTTP password/token.
+      http_user: Optional HTTP user (deprecated, use credentials).
+      http_password: Optional HTTP password/token (deprecated, use credentials).
+      use_netrc: Whether to try .netrc for credentials (default: True).
+      netrc_file: Explicit path to a .netrc file (optional).
+      credentials: Pre-resolved GerritCredentials object (preferred).
 
     Returns:
       Configured GerritRestClient.
     """
     builder = create_gerrit_url_builder(host)
     base_url = builder.api_url()
-    user = (
-        (http_user or "").strip()
-        or os.getenv("GERRIT_HTTP_USER", "").strip()
-        or os.getenv("GERRIT_SSH_USER_G2G", "").strip()
+
+    # Use pre-resolved credentials if provided
+    if credentials is not None and credentials.is_valid:
+        log.debug(
+            "Using pre-resolved credentials from %s",
+            credentials.auth_method_display(),
+        )
+        auth: tuple[str, str] | None = (
+            credentials.username,
+            credentials.password,
+        )
+        return GerritRestClient(
+            base_url=base_url,
+            auth=auth,
+            timeout=timeout,
+            max_attempts=max_attempts,
+        )
+
+    # Otherwise, resolve credentials using centralized function
+    resolved = resolve_gerrit_credentials(
+        host=host,
+        explicit_username=http_user,
+        explicit_password=http_password,
+        use_netrc=use_netrc,
+        netrc_file=netrc_file,
+        env_username_var="GERRIT_HTTP_USER",
+        env_password_var="GERRIT_HTTP_PASSWORD",  # noqa: S106
+        fallback_env_username_var="GERRIT_SSH_USER_G2G",
+        fallback_env_password_var=None,
     )
-    passwd = (http_password or "").strip() or os.getenv(
-        "GERRIT_HTTP_PASSWORD", ""
-    ).strip()
-    auth: tuple[str, str] | None = (user, passwd) if user and passwd else None
+
+    auth = None
+    if resolved is not None and resolved.is_valid:
+        auth = (resolved.username, resolved.password)
+
     return GerritRestClient(
         base_url=base_url, auth=auth, timeout=timeout, max_attempts=max_attempts
     )