github2gerrit 1.2.1__tar.gz → 1.2.3__tar.gz

{github2gerrit-1.2.1 → github2gerrit-1.2.3}/.pre-commit-config.yaml

@@ -59,7 +59,7 @@ repos:
         types: [yaml]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: b831c3dc5d27d9da294ae4e915773b99aa24a7c5  # frozen: v0.15.10
+    rev: 0671d8ab202c4ac093b78433ae5baf74f3fc7246  # frozen: v0.15.15
     hooks:
       - id: ruff
         files: ^(src|scripts|tests)/.+\.py$
@@ -68,7 +68,7 @@ repos:
         files: ^(src|scripts|tests)/.+\.py$
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: 0f369d245750787ce34997d464ed9605391a5283  # frozen: v1.20.1
+    rev: d2823d321df3af8f878f7ee3414dc94d037145b9  # frozen: v2.1.0
     hooks:
       - id: mypy
         files: ^src/.+\.py$
@@ -115,18 +115,18 @@ repos:
 
   # Requires a mirror, primary repo lacks .pre-commit-hooks.yaml
   - repo: https://github.com/DetachHead/basedpyright-prek-mirror
-    rev: 7664ed7e31234c8369d85ee9a13a1ca3361c0aa1  # frozen: 1.39.0
+    rev: 78e6efd50b63647fecb7e65fc7032745d861e2c5  # frozen: 1.39.6
     hooks:
       - id: basedpyright
         files: ^src/.+\.py$
 
   - repo: https://github.com/lfreleng-actions/gha-workflow-linter
-    rev: a7caf8f3a1a05688d1cee46615ff94def617e5a3  # frozen: v1.0.2
+    rev: 2c315e461ec3379bf9c1682360fdc1a3899f88c9  # frozen: v1.0.4
     hooks:
       - id: gha-workflow-linter
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: ed81924a8b1cecdaa570b072528fa80c9c4d6ccd  # frozen: 0.37.1
+    rev: 943377262562a12b57292fc98fabd7dbf81451fe  # frozen: 0.37.2
     hooks:
       - id: check-github-actions
       - id: check-github-workflows

{github2gerrit-1.2.1 → github2gerrit-1.2.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github2gerrit
-Version: 1.2.1
+Version: 1.2.3
 Summary: Submit a GitHub pull request to a Gerrit repository.
 Project-URL: Homepage, https://github.com/lfreleng-actions/github2gerrit-action
 Project-URL: Repository, https://github.com/lfreleng-actions/github2gerrit-action
@@ -22,6 +22,7 @@ Classifier: Topic :: Software Development :: Build Tools
 Classifier: Topic :: Software Development :: Version Control
 Classifier: Typing :: Typed
 Requires-Python: >=3.11
+Requires-Dist: click>=8.1.7
 Requires-Dist: cryptography>=46.0.5
 Requires-Dist: git-review>=2.5.0
 Requires-Dist: pygerrit2>=2.0.15
@@ -962,7 +963,7 @@ name: github2gerrit
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:
@@ -1191,7 +1192,7 @@ name: github2gerrit (advanced)
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:

{github2gerrit-1.2.1 → github2gerrit-1.2.3}/README.md

@@ -917,7 +917,7 @@ name: github2gerrit
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:
@@ -1146,7 +1146,7 @@ name: github2gerrit (advanced)
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:

{github2gerrit-1.2.1 → github2gerrit-1.2.3}/action.yaml

@@ -221,7 +221,7 @@ runs:
     - name: "Setup uv"
       if: steps.disabled-check.outputs.disabled != 'true'
       # yamllint disable-line rule:line-length
-      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8.0.0
+      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
       with:
         enable-cache: false
 

{github2gerrit-1.2.1 → github2gerrit-1.2.3}/pyproject.toml

@@ -30,6 +30,13 @@ dependencies = [
   # CLI framework (Typer)
   "typer>=0.20.1",
 
+  # Imported directly by the CLI (click.Group subclass for custom usage
+  # formatting; click.core.ParameterSource to detect explicit CLI flags)
+  # rather than only transitively via typer. Declared as a direct
+  # dependency so our import contract doesn't depend on typer's internal
+  # dependency choices.
+  "click>=8.1.7",
+
   # Rich formatting for CLI output
   "rich>=14.2.0",
 
@@ -208,7 +215,7 @@ disallow_untyped_calls = false
 
 [tool.coverage.run]
 branch = true
-source = ["src/github2gerrit"]
+source = ["github2gerrit"]
 omit = [
   "tests/*",
   "src/github2gerrit/gerrit_rest.py",

{github2gerrit-1.2.1 → github2gerrit-1.2.3}/src/github2gerrit/gerrit_pr_closer.py

@@ -11,6 +11,7 @@ merged and close the corresponding GitHub pull request that originated it.
 from __future__ import annotations
 
 import logging
+import os
 import re
 from typing import Any
 from typing import Literal
@@ -1679,11 +1680,57 @@ def _build_gerrit_abandon_message(pr_obj: Any, pr_url: str) -> str:
         )
 
 
+def _abandon_change_via_ssh_if_possible(
+    client: Any, change_number: str, message: str
+) -> bool:
+    """Attempt to abandon a change over SSH using ambient credentials.
+
+    Reads the Gerrit SSH connection details from the environment
+    (populated by the action) and the host from the REST *client*.
+
+    Returns ``True`` only if the change was abandoned via SSH; ``False``
+    when SSH is not configured or the SSH abandon did not succeed (in
+    which case the caller should fall back to REST).
+    """
+    ssh_privkey = os.getenv("GERRIT_SSH_PRIVKEY_G2G", "").strip()
+    ssh_user = os.getenv("GERRIT_SSH_USER_G2G", "").strip()
+    if not ssh_privkey or not ssh_user:
+        return False
+
+    host = os.getenv("GERRIT_SERVER", "").strip()
+    if not host:
+        host = getattr(client, "host", "") or ""
+    if not host:
+        return False
+
+    try:
+        port = int(os.getenv("GERRIT_SERVER_PORT", "29418") or "29418")
+    except ValueError:
+        port = 29418
+
+    from .gerrit_ssh import abandon_change_via_ssh
+
+    return abandon_change_via_ssh(
+        host=host,
+        change_number=str(change_number),
+        message=message,
+        user=ssh_user,
+        ssh_privkey=ssh_privkey,
+        known_hosts=os.getenv("GERRIT_KNOWN_HOSTS", ""),
+        port=port,
+    )
+
+
 def _abandon_gerrit_change(
     client: Any, change_number: str, message: str
 ) -> None:
     """
-    Abandon a Gerrit change via REST API.
+    Abandon a Gerrit change.
+
+    Prefers SSH (``gerrit review --abandon``) because mutating REST calls
+    are rejected with HTTP 403 on Gerrit servers that do not allow
+    unauthenticated REST writes and where only SSH credentials are
+    configured.  Falls back to the REST API when SSH is unavailable.
 
     Args:
         client: Gerrit REST client
@@ -1691,9 +1738,18 @@ def _abandon_gerrit_change(
         message: Abandon message
 
     Raises:
-        Exception: If abandon operation fails
+        Exception: If the abandon operation fails
     """
+    if _abandon_change_via_ssh_if_possible(client, change_number, message):
+        log.debug(
+            "Successfully abandoned Gerrit change %s via SSH", change_number
+        )
+        return
+
     try:
+        log.debug(
+            "Falling back to REST abandon for Gerrit change %s", change_number
+        )
         abandon_path = f"/changes/{change_number}/abandon"
         abandon_data = {"message": message}
         client.post(abandon_path, data=abandon_data)

{github2gerrit-1.2.1 → github2gerrit-1.2.3}/src/github2gerrit/gerrit_rest.py

@@ -163,6 +163,19 @@ class GerritRestClient:
         """Return True if client has authentication credentials."""
         return self._auth is not None
 
+    @property
+    def host(self) -> str:
+        """Return the Gerrit hostname derived from the base URL.
+
+        Returns an empty string when the host cannot be determined.
+        """
+        from urllib.parse import urlparse
+
+        try:
+            return urlparse(self._base_url).hostname or ""
+        except Exception:
+            return ""
+
     def get(self, path: str) -> Any:
         """HTTP GET, returning parsed JSON."""
         return self._request_json_with_retry("GET", path)

github2gerrit-1.2.3/src/github2gerrit/gerrit_ssh.py

@@ -0,0 +1,284 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+
+"""
+SSH-based Gerrit operations.
+
+Some Gerrit deployments (notably those fronted by a CDN/WAF, or that
+disallow anonymous REST writes) reject mutating REST calls such as
+``POST /changes/{id}/abandon`` with HTTP 403 unless dedicated HTTP API
+credentials are supplied.  The github2gerrit action authenticates to
+Gerrit over SSH (the same channel used to push changes), so this module
+performs the abandon over SSH instead, reusing the already-configured
+SSH key and known_hosts.
+
+The single public entry point :func:`abandon_change_via_ssh` is designed
+to be used as the preferred path with a REST fallback: it never raises
+and returns ``True`` only when the change was actually abandoned.
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+import secrets
+import shlex
+import tempfile
+from pathlib import Path
+
+from .gitutils import CommandError
+from .gitutils import run_cmd
+from .ssh_common import augment_known_hosts_with_bracketed_entries
+from .ssh_common import build_non_interactive_ssh_env
+
+
+log = logging.getLogger(__name__)
+
+DEFAULT_GERRIT_SSH_PORT = 29418
+_SSH_TIMEOUT_SECONDS = 30.0
+
+
+def _write_secure_file(path: Path, content: str, mode: int) -> None:
+    """Write *content* to *path* with restrictive *mode* permissions."""
+    # Create with secure permissions from the start (avoid a window where
+    # the file is world-readable).
+    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
+    try:
+        handle = os.fdopen(fd, "w", encoding="utf-8")
+    except BaseException:
+        # os.fdopen did not take ownership of fd; close it to avoid a leak.
+        os.close(fd)
+        raise
+    with handle:
+        handle.write(content)
+    # Re-assert mode in case umask altered it.
+    path.chmod(mode)
+
+
+def _build_ssh_base_argv(
+    *,
+    key_path: Path,
+    known_hosts_path: Path | None,
+    port: int,
+    user: str,
+    host: str,
+) -> list[str]:
+    """Build the common ``ssh`` argv prefix for non-interactive auth."""
+    argv: list[str] = [
+        "ssh",
+        "-F",
+        "/dev/null",
+        "-i",
+        str(key_path),
+        "-o",
+        "IdentitiesOnly=yes",
+        "-o",
+        "IdentityAgent=none",
+        "-o",
+        "BatchMode=yes",
+        "-o",
+        "PreferredAuthentications=publickey",
+        "-o",
+        "PasswordAuthentication=no",
+        "-o",
+        "PubkeyAcceptedKeyTypes=+ssh-rsa",
+        "-o",
+        "ConnectTimeout=10",
+    ]
+    if known_hosts_path is not None:
+        argv += [
+            "-o",
+            f"UserKnownHostsFile={known_hosts_path}",
+            "-o",
+            "StrictHostKeyChecking=yes",
+        ]
+    else:
+        # No known_hosts supplied: we cannot verify the host key, but we
+        # still want a non-interactive connection.  accept-new records the
+        # key on first use; pair it with an explicit (throwaway)
+        # UserKnownHostsFile so OpenSSH does not mutate the runner's
+        # default ~/.ssh/known_hosts (which may be missing/unwritable).
+        log.warning(
+            "No GERRIT_KNOWN_HOSTS available for SSH abandon; using "
+            "StrictHostKeyChecking=accept-new with a throwaway known_hosts"
+        )
+        argv += [
+            "-o",
+            "UserKnownHostsFile=/dev/null",
+            "-o",
+            "StrictHostKeyChecking=accept-new",
+        ]
+    argv += ["-n", "-p", str(port), f"{user}@{host}"]
+    return argv
+
+
+def _resolve_current_patchset(
+    base_argv: list[str],
+    change_number: str,
+    env: dict[str, str],
+) -> str | None:
+    """Return the current patch-set number for *change_number*, or None."""
+    remote_cmd = (
+        "gerrit query --format=JSON --current-patch-set "
+        f"change:{shlex.quote(change_number)}"
+    )
+    try:
+        result = run_cmd(
+            [*base_argv, remote_cmd],
+            timeout=_SSH_TIMEOUT_SECONDS,
+            env=env,
+        )
+    except CommandError as exc:
+        log.debug(
+            "Gerrit SSH query for change %s failed: %s",
+            change_number,
+            exc,
+        )
+        return None
+
+    for raw_line in result.stdout.splitlines():
+        line = raw_line.strip()
+        if not line:
+            continue
+        try:
+            record = json.loads(line)
+        except (ValueError, TypeError):
+            continue
+        patch_set = record.get("currentPatchSet")
+        if isinstance(patch_set, dict) and patch_set.get("number") is not None:
+            return str(patch_set["number"])
+    log.debug(
+        "No currentPatchSet found in Gerrit query output for change %s",
+        change_number,
+    )
+    return None
+
+
+def abandon_change_via_ssh(
+    *,
+    host: str,
+    change_number: str,
+    message: str,
+    user: str,
+    ssh_privkey: str,
+    known_hosts: str | None = None,
+    port: int = DEFAULT_GERRIT_SSH_PORT,
+) -> bool:
+    """Abandon a Gerrit change over SSH using ``gerrit review --abandon``.
+
+    This is the preferred abandon path because it uses the same SSH
+    credentials that the action already relies on to push changes, and
+    therefore works on Gerrit servers that reject unauthenticated REST
+    writes.
+
+    Args:
+        host: Gerrit SSH hostname (no scheme).
+        change_number: Numeric Gerrit change number.
+        message: Abandon message (may be multi-line).
+        user: Gerrit SSH username.
+        ssh_privkey: SSH private key content.
+        known_hosts: Optional known_hosts content for host verification.
+        port: Gerrit SSH port (default 29418).
+
+    Returns:
+        ``True`` if the change was abandoned successfully; ``False`` when
+        prerequisites are missing or the SSH operation failed (so the
+        caller may fall back to another mechanism).  This function never
+        raises.
+    """
+    if not (host and user and ssh_privkey and str(change_number).strip()):
+        log.debug(
+            "SSH abandon prerequisites missing (host=%s, user=%s, "
+            "key=%s, change=%s); skipping SSH abandon",
+            bool(host),
+            bool(user),
+            bool(ssh_privkey),
+            change_number,
+        )
+        return False
+
+    change_number = str(change_number).strip()
+    try:
+        tmp_dir = Path(
+            tempfile.mkdtemp(prefix=f"g2g_abandon_{secrets.token_hex(8)}_")
+        )
+    except OSError as exc:
+        # Honor the "never raises" contract so callers can fall back to REST.
+        log.debug("Could not create temp dir for SSH abandon: %s", exc)
+        return False
+    try:
+        tmp_dir.chmod(0o700)
+        key_path = tmp_dir / "gerrit_key"
+        _write_secure_file(key_path, ssh_privkey.strip() + "\n", 0o600)
+
+        known_hosts_path: Path | None = None
+        if known_hosts and known_hosts.strip():
+            # OpenSSH looks up host keys under a bracketed "[host]:port"
+            # entry when connecting on a non-default port (Gerrit uses
+            # 29418).  Augment the provided content with bracketed variants
+            # so StrictHostKeyChecking can verify the key and we don't fall
+            # back to REST unnecessarily.
+            augmented = augment_known_hosts_with_bracketed_entries(
+                known_hosts.strip(), host, port
+            )
+            known_hosts_path = tmp_dir / "known_hosts"
+            _write_secure_file(known_hosts_path, augmented, 0o644)
+
+        base_argv = _build_ssh_base_argv(
+            key_path=key_path,
+            known_hosts_path=known_hosts_path,
+            port=port,
+            user=user,
+            host=host,
+        )
+
+        # Disable any ambient SSH agent so only the provided key is used.
+        ssh_env = build_non_interactive_ssh_env()
+
+        patch_set = _resolve_current_patchset(base_argv, change_number, ssh_env)
+        if patch_set is None:
+            log.debug(
+                "Could not resolve current patch-set for change %s via SSH",
+                change_number,
+            )
+            return False
+
+        target = f"{change_number},{patch_set}"
+        remote_cmd = (
+            "gerrit review --abandon "
+            f"-m {shlex.quote(message)} {shlex.quote(target)}"
+        )
+        try:
+            run_cmd(
+                [*base_argv, remote_cmd],
+                timeout=_SSH_TIMEOUT_SECONDS,
+                env=ssh_env,
+            )
+        except CommandError as exc:
+            log.warning(
+                "SSH abandon failed for change %s: %s",
+                change_number,
+                exc,
+            )
+            return False
+        else:
+            log.debug(
+                "Successfully abandoned Gerrit change %s via SSH",
+                change_number,
+            )
+            return True
+    except Exception:
+        log.warning(
+            "Unexpected error during SSH abandon for change %s",
+            change_number,
+            exc_info=True,
+        )
+        return False
+    finally:
+        try:
+            import shutil
+
+            shutil.rmtree(tmp_dir, ignore_errors=True)
+        except Exception:
+            log.debug("Failed to clean up SSH temp dir %s", tmp_dir)