PyPI - github2gerrit - Versions diffs - 1.0.5__tar.gz → 1.0.7__tar.gz - Mend

github2gerrit 1.0.5tar.gz → 1.0.7tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (120) hide show

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/.pre-commit-config.yaml RENAMED Viewed

@@ -59,7 +59,7 @@ repos:
         types: [yaml]
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: 45ef068da5f21267bb2a7ec4a623092959f09ce5  # frozen: v0.14.14
+    rev: 0839f92796ae388643a08a21640a029b322be5c2  # frozen: v0.15.2
     hooks:
       - id: ruff
         files: ^(src|scripts|tests)/.+\.py$
@@ -110,7 +110,7 @@ repos:
   # Replaces: https://github.com/rhysd/actionlint
   # Permits actionlint to run both locally and with precommit.ci/GitHub
   - repo: https://github.com/Mateusz-Grzelinski/actionlint-py
-    rev: 85c37735ea69e5baf0681530e57e63deee0ce733  # frozen: v1.7.10.24
+    rev: 694e2c0dfb4253d51f3c6c54b8f9fec0a16764dc  # frozen: v1.7.11.24
     hooks:
       - id: actionlint
@@ -121,7 +121,7 @@ repos:
       - id: codespell
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: ccf21790019848af3eb4464be2a9d5efed6358f3  # frozen: 0.36.1
+    rev: ec368acd16deee9c560c105ab6d27db4ee19a5ec  # frozen: 0.36.2
     hooks:
       - id: check-github-actions
       - id: check-github-workflows

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github2gerrit
-Version: 1.0.5
+Version: 1.0.7
 Summary: Submit a GitHub pull request to a Gerrit repository.
 Project-URL: Homepage, https://github.com/lfreleng-actions/github2gerrit-action
 Project-URL: Repository, https://github.com/lfreleng-actions/github2gerrit-action
@@ -22,6 +22,7 @@ Classifier: Topic :: Software Development :: Build Tools
 Classifier: Topic :: Software Development :: Version Control
 Classifier: Typing :: Typed
 Requires-Python: >=3.11
+Requires-Dist: cryptography>=46.0.5
 Requires-Dist: git-review>=2.5.0
 Requires-Dist: pygerrit2>=2.0.15
 Requires-Dist: pygithub>=2.8.1

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/action.yaml RENAMED Viewed

@@ -164,7 +164,7 @@ runs:
     - name: "Setup uv"
       # yamllint disable-line rule:line-length
-      uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41  # v7.2.1
+      uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b  # v7.3.0
       with:
         enable-cache: false

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/pyproject.toml RENAMED Viewed

@@ -50,6 +50,9 @@ dependencies = [
   # Security: Fix CVE-2026-21441 (decompression-bomb vulnerability)
   "urllib3>=2.6.3",
+  # Security: Fix CVE-2026-26007 (SECT curve subgroup attack)
+  "cryptography>=46.0.5",
 ]
 [project.urls]

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/src/github2gerrit/core.py RENAMED Viewed

@@ -2739,6 +2739,113 @@ class Orchestrator:
         run_cmd(cmd, cwd=self.workspace)
         log.info("Checkout succeeded after full unshallow")
+    def _merge_squash_with_unshallow_fallback(self, head_sha: str) -> None:
+        """Perform git merge --squash with graduated deepening fallback.
+        If the initial merge fails because the shallow clone lacks a common
+        ancestor between the base and head (causing "refusing to merge
+        unrelated histories"), this method will:
+        1. First try to deepen the repository (fetch 100 more commits)
+        2. If that fails, fully unshallow the repository
+        3. Retry the merge after each attempt
+        This mirrors the graduated approach used by
+        ``_checkout_with_unshallow_fallback`` but for merge operations,
+        which are equally susceptible to shallow clone limitations.
+        Args:
+            head_sha: The SHA to merge (PR head commit)
+        Raises:
+            CommandError: If merge fails even after unshallowing, or if
+                the failure is not related to shallow clone history
+        """
+        merge_cmd = ["git", "merge", "--squash", head_sha]
+        merge_exc: CommandError | None = None
+        try:
+            run_cmd(merge_cmd, cwd=self.workspace)
+        except CommandError as exc:
+            merge_exc = exc
+        if merge_exc is None:
+            return  # Success on first attempt
+        # Check if the failure is due to unrelated histories in a shallow clone
+        error_str = str(merge_exc).lower()
+        stderr_str = (merge_exc.stderr or "").lower()
+        combined = f"{error_str} {stderr_str}"
+        is_unrelated_histories = (
+            "refusing to merge unrelated histories" in combined
+            or "unrelated histories" in combined
+            or "no common ancestor" in combined
+        )
+        if not is_unrelated_histories or not self._is_shallow_clone():
+            # Not a shallow clone issue — let the caller handle the error
+            raise merge_exc
+        log.warning(
+            "Merge --squash failed due to unrelated histories in shallow "
+            "clone. Attempting graduated deepening to recover..."
+        )
+        # Step 1: Try deepening first (cheaper than full unshallow)
+        if self._deepen_repository(depth=100):
+            log.debug("Retrying merge --squash after deepening...")
+            # Reset the failed merge state before retrying
+            run_cmd(
+                ["git", "merge", "--abort"],
+                cwd=self.workspace,
+                check=False,
+            )
+            try:
+                run_cmd(merge_cmd, cwd=self.workspace)
+            except CommandError as deepen_exc:
+                log.debug(
+                    "Merge --squash still failed after deepening: %s",
+                    deepen_exc,
+                )
+                # Re-check whether this is still a shallow-history problem;
+                # if the error has changed (e.g. real merge conflict), an
+                # expensive full unshallow cannot help — propagate immediately.
+                deepen_combined = (
+                    f"{deepen_exc} {deepen_exc.stderr or ''}".lower()
+                )
+                deepen_is_unrelated = (
+                    "refusing to merge unrelated histories" in deepen_combined
+                    or "unrelated histories" in deepen_combined
+                    or "no common ancestor" in deepen_combined
+                )
+                if not deepen_is_unrelated:
+                    raise
+            else:
+                log.info("Merge --squash succeeded after deepening repository")
+                return
+        # Step 2: Full unshallow as last resort
+        log.info(
+            "Deepening insufficient, performing full unshallow for merge..."
+        )
+        # Reset the failed merge state before retrying
+        run_cmd(
+            ["git", "merge", "--abort"],
+            cwd=self.workspace,
+            check=False,
+        )
+        if not self._unshallow_repository():
+            log.error(
+                "Failed to unshallow repository. Cannot merge SHA: %s",
+                head_sha,
+            )
+            raise merge_exc
+        # Retry the merge after full unshallow
+        log.debug("Retrying merge --squash after full unshallow...")
+        run_cmd(merge_cmd, cwd=self.workspace)
+        log.info("Merge --squash succeeded after full unshallow")
     def _cleanup_ssh(self) -> None:
         """Clean up temporary SSH files created by this tool.
@@ -3103,6 +3210,15 @@ class Orchestrator:
         except Exception as debug_exc:
             log.warning("Failed to analyze merge situation: %s", debug_exc)
+            # Proactively deepen if merge-base fails in a shallow clone,
+            # as this strongly indicates the shallow history is insufficient
+            # for the upcoming merge --squash operation.
+            if self._is_shallow_clone():
+                log.info(
+                    "merge-base failed in shallow clone — proactively "
+                    "deepening repository to improve merge success chances"
+                )
+                self._deepen_repository(depth=100)
         self._checkout_with_unshallow_fallback(
             branch_name=tmp_branch,
@@ -3134,7 +3250,7 @@ class Orchestrator:
         log.debug("About to run: git merge --squash %s", head_sha)
         try:
-            run_cmd(["git", "merge", "--squash", head_sha], cwd=self.workspace)
+            self._merge_squash_with_unshallow_fallback(head_sha)
         except CommandError as merge_exc:
             # Enhanced error handling for git merge failures
             error_details = self._analyze_merge_failure(
@@ -3308,7 +3424,7 @@ class Orchestrator:
             )
             if (
                 not sync_all_prs
-                and gh.event_name == "pull_request_target"
+                and gh.event_name in ("pull_request", "pull_request_target")
                 and gh.event_action in ("reopened", "synchronize")
             ):
                 try:
@@ -5402,8 +5518,9 @@ class Orchestrator:
         self,
         gh: GitHubContext,
     ) -> None:
-        """Close the PR if policy requires (pull_request_target events).
+        """Close the PR if policy requires.
+        Supports both ``pull_request`` and ``pull_request_target`` triggers.
         When PRESERVE_GITHUB_PRS is true, skip closing PRs (useful for testing).
         """
         # Respect PRESERVE_GITHUB_PRS to avoid closing PRs during tests
@@ -5414,9 +5531,9 @@ class Orchestrator:
                 gh.pr_number,
             )
             return
-        # The current shell action closes PR on pull_request_target events.
-        if gh.event_name != "pull_request_target":
-            log.debug("Event is not pull_request_target; not closing PR")
+        # Close PRs on pull_request or pull_request_target events.
+        if gh.event_name not in ("pull_request", "pull_request_target"):
+            log.debug("Event is not a pull_request event; not closing PR")
             return
         log.info("Closing PR #%s", gh.pr_number)
         try:

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/src/github2gerrit/models.py RENAMED Viewed

@@ -117,10 +117,15 @@ class GitHubContext:
     def get_operation_mode(self) -> PROperationMode:
         """Determine the operation mode based on event type and action.
+        Supports both ``pull_request`` and ``pull_request_target`` triggers.
+        Using ``pull_request`` is preferred for security (avoids granting
+        secrets to untrusted fork code), while ``pull_request_target`` is
+        accepted for backward compatibility.
         Returns:
             PROperationMode enum indicating the type of operation
         """
-        if self.event_name != "pull_request_target":
+        if self.event_name not in ("pull_request", "pull_request_target"):
             return PROperationMode.UNKNOWN
         action = self.event_action.lower() if self.event_action else ""

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/src/github2gerrit/pr_content_filter.py RENAMED Viewed

@@ -44,27 +44,6 @@ _MULTIPLE_NEWLINES_PATTERN = re.compile(r"\n{3,}")
 _EMOJI_PATTERN = re.compile(r":[a-z_]+:")  # GitHub emoji codes like :sparkles:
-@dataclass
-class FilterConfig:
-    """Configuration for PR content filtering."""
-    # Global options
-    enabled: bool = True
-    remove_emoji_codes: bool = True
-    deduplicate_title_in_body: bool = True
-    # Author-specific filtering
-    author_rules: dict[str, str] = field(default_factory=dict)
-    # Rule-specific configurations
-    dependabot_config: DependabotConfig = field(
-        default_factory=lambda: DependabotConfig()
-    )
-    precommit_config: PrecommitConfig = field(
-        default_factory=lambda: PrecommitConfig()
-    )
 @dataclass
 class DependabotConfig:
     """Configuration for Dependabot PR filtering."""
@@ -85,6 +64,25 @@ class PrecommitConfig:
     # Future: add pre-commit.ci specific options
+@dataclass
+class FilterConfig:
+    """Configuration for PR content filtering."""
+    # Global options
+    enabled: bool = True
+    remove_emoji_codes: bool = True
+    deduplicate_title_in_body: bool = True
+    # Author-specific filtering
+    author_rules: dict[str, str] = field(default_factory=dict)
+    # Rule-specific configurations
+    dependabot_config: DependabotConfig = field(
+        default_factory=DependabotConfig
+    )
+    precommit_config: PrecommitConfig = field(default_factory=PrecommitConfig)
 class FilterRule(ABC):
     """Abstract base class for PR content filtering rules."""

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/tests/test_change_id_deduplication.py RENAMED Viewed

@@ -275,7 +275,7 @@ Change-Id: {reused_change_id}
     monkeypatch.setattr("github2gerrit.core.run_cmd", mock_run_cmd)
     # Mock GitHub API for Change-ID reuse
-    monkeypatch.setattr("github2gerrit.core.build_client", lambda: object())
+    monkeypatch.setattr("github2gerrit.core.build_client", object)
     monkeypatch.setattr(
         "github2gerrit.core.get_repo_from_env", lambda _: object()
     )

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/tests/test_cli_outputs_file.py RENAMED Viewed

@@ -232,7 +232,7 @@ def test_multi_pr_url_mode_writes_aggregated_outputs(
         def __init__(self, number: int) -> None:
             self.number = number
-    monkeypatch.setattr(cli_mod, "build_client", lambda: object())
+    monkeypatch.setattr(cli_mod, "build_client", object)
     monkeypatch.setattr(cli_mod, "get_repo_from_env", lambda _client: object())
     monkeypatch.setattr(
         cli_mod,

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/tests/test_cli_url_and_dryrun.py RENAMED Viewed

@@ -168,7 +168,7 @@ def test_repo_url_dry_run_invokes_for_each_open_pr(
     monkeypatch.setattr(cli_mod, "Orchestrator", _DummyOrchestrator)
     # Patch PyGithub wrapper functions used by CLI bulk path
-    monkeypatch.setattr(cli_mod, "build_client", lambda: object())
+    monkeypatch.setattr(cli_mod, "build_client", object)
     monkeypatch.setattr(cli_mod, "get_repo_from_env", lambda _client: object())
     monkeypatch.setattr(
         cli_mod, "iter_open_pulls", lambda _repo: iter(dummy_prs)
@@ -212,7 +212,7 @@ def test_url_mode_sets_environment_for_config_resolution(
     monkeypatch.setattr(cli_mod, "Orchestrator", _DummyOrchestrator)
     # Minimal patches for bulk flow
-    monkeypatch.setattr(cli_mod, "build_client", lambda: object())
+    monkeypatch.setattr(cli_mod, "build_client", object)
     monkeypatch.setattr(cli_mod, "get_repo_from_env", lambda _client: object())
     monkeypatch.setattr(
         cli_mod,

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/tests/test_core_close_pr_policy.py RENAMED Viewed

@@ -58,16 +58,16 @@ def test_close_pr_skipped_when_preserve_github_prs_true(
     orch._close_pull_request_if_required(gh)
-def test_close_pr_not_invoked_for_non_target_event(
+def test_close_pr_not_invoked_for_non_pr_event(
     tmp_path: Path, monkeypatch: pytest.MonkeyPatch
 ) -> None:
     # Ensure preservation is disabled so only event controls behavior
     monkeypatch.delenv("PRESERVE_GITHUB_PRS", raising=False)
-    # Non-target event should not attempt to close
+    # Non-PR events (e.g. workflow_dispatch, push) should not attempt to close
     def _fail(*args: Any, **kwargs: Any) -> Any:
         raise AssertionError(
-            "GitHub API should not be called for non-target events"
+            "GitHub API should not be called for non-PR events"
         )
     monkeypatch.setattr("github2gerrit.core.build_client", _fail)
@@ -76,15 +76,20 @@ def test_close_pr_not_invoked_for_non_target_event(
     monkeypatch.setattr("github2gerrit.core.close_pr", _fail)
     orch = Orchestrator(workspace=tmp_path)
-    gh = _gh_ctx(event_name="pull_request", pr_number=42)
+    gh = _gh_ctx(event_name="workflow_dispatch", pr_number=42)
-    # Act: should no-op
+    # Act: should no-op for non-PR events
     orch._close_pull_request_if_required(gh)
-def test_close_pr_invoked_for_pull_request_target_event(
+def test_close_pr_invoked_for_pull_request_event(
     tmp_path: Path, monkeypatch: pytest.MonkeyPatch
 ) -> None:
+    """Verify that pull_request events (not just pull_request_target) close PRs.
+    The code now supports both ``pull_request`` and ``pull_request_target``
+    triggers.  Using ``pull_request`` is preferred for security.
+    """
     # Ensure preservation is disabled so closing is allowed
     monkeypatch.delenv("PRESERVE_GITHUB_PRS", raising=False)
@@ -102,9 +107,56 @@ def test_close_pr_invoked_for_pull_request_target_event(
             self.closed_state: str | None = None
     # Patch the GitHub helper functions used by the close path
+    monkeypatch.setattr("github2gerrit.core.build_client", DummyClient)
     monkeypatch.setattr(
-        "github2gerrit.core.build_client", lambda: DummyClient()
+        "github2gerrit.core.get_repo_from_env", lambda _c: DummyRepo()
     )
+    def _get_pull(_repo: DummyRepo, number: int) -> DummyPR:
+        calls["get_pull_number"] = number
+        return DummyPR(number)
+    def _close_pr(pr: DummyPR, *, comment: str | None = None) -> None:
+        calls["closed_pr_number"] = pr.number
+        calls["comment"] = comment
+        pr.closed_state = "closed"
+    monkeypatch.setattr("github2gerrit.core.get_pull", _get_pull)
+    monkeypatch.setattr("github2gerrit.core.close_pr", _close_pr)
+    orch = Orchestrator(workspace=tmp_path)
+    gh = _gh_ctx(event_name="pull_request", pr_number=42)
+    # Act: pull_request events should now close the PR
+    orch._close_pull_request_if_required(gh)
+    # Assert
+    assert calls.get("get_pull_number") == 42
+    assert calls.get("closed_pr_number") == 42
+    assert calls.get("comment") == "Auto-closing pull request"
+def test_close_pr_invoked_for_pull_request_target_event(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    # Ensure preservation is disabled so closing is allowed
+    monkeypatch.delenv("PRESERVE_GITHUB_PRS", raising=False)
+    calls: dict[str, Any] = {}
+    class DummyClient:
+        pass
+    class DummyRepo:
+        pass
+    class DummyPR:
+        def __init__(self, number: int) -> None:
+            self.number = number
+            self.closed_state: str | None = None
+    # Patch the GitHub helper functions used by the close path
+    monkeypatch.setattr("github2gerrit.core.build_client", DummyClient)
     monkeypatch.setattr(
         "github2gerrit.core.get_repo_from_env", lambda _c: DummyRepo()
     )

{github2gerrit-1.0.5 → github2gerrit-1.0.7}/tests/test_core_prepare_commits.py RENAMED Viewed

@@ -237,7 +237,7 @@ def test_prepare_squashed_commit_reuses_change_id_from_comments(
     monkeypatch.setattr("github2gerrit.core.run_cmd", fake_run_cmd)
     # GitHub API helpers used to fetch PR comments
-    monkeypatch.setattr("github2gerrit.core.build_client", lambda: object())
+    monkeypatch.setattr("github2gerrit.core.build_client", object)
     monkeypatch.setattr(
         "github2gerrit.core.get_repo_from_env", lambda _c: object()
     )

github2gerrit 1.0.5__tar.gz → 1.0.7__tar.gz

github2gerrit 1.0.5tar.gz → 1.0.7tar.gz