github2gerrit 1.2.2__py3-none-any.whl → 1.2.4__py3-none-any.whl

github2gerrit/core.py

@@ -410,9 +410,13 @@ class Orchestrator:
 
             # Check if client has authentication
             if not client.is_authenticated:
+                from .gerrit_rest import warn_gerrit_credentials_unavailable
+
+                warn_gerrit_credentials_unavailable()
                 log.debug(
-                    "Cannot update Gerrit change metadata: "
-                    "No credentials found (check .netrc or environment)"
+                    "Cannot update Gerrit change metadata for %s: "
+                    "no Gerrit REST credentials available",
+                    change_id,
                 )
                 return False
 

github2gerrit/external_api.py

@@ -380,12 +380,26 @@ def external_api_call(
                     reason = (
                         "final attempt" if is_final_attempt else "non-retryable"
                     )
-                    log_exception_conditionally(
-                        log,
+                    failure_msg = (
                         f"[{api_type.value}] {operation} failed ({reason}) "
                         f"after {attempt} attempt(s) in {duration:.2f}s: "
-                        f"{target}",
+                        f"{target}"
                     )
+                    # Authentication/authorization failures (Gerrit REST
+                    # 401/403) are surfaced once, closer to the request, as a
+                    # concise warning. Avoid emitting a duplicate error/
+                    # traceback for them here. Scope this strictly to Gerrit
+                    # REST: other API types (e.g. GitHub) may also expose a
+                    # ``.status`` attribute, and their auth/permission
+                    # failures must retain error-level visibility.
+                    is_gerrit_auth_failure = (
+                        api_type == ApiType.GERRIT_REST
+                        and getattr(exc, "status", None) in (401, 403)
+                    )
+                    if is_gerrit_auth_failure:
+                        log.debug(failure_msg)
+                    else:
+                        log_exception_conditionally(log, failure_msg)
                     _update_metrics(api_type, context, success=False, exc=exc)
                     raise
                 else:

github2gerrit/gerrit_pr_closer.py

@@ -11,6 +11,7 @@ merged and close the corresponding GitHub pull request that originated it.
 from __future__ import annotations
 
 import logging
+import os
 import re
 from typing import Any
 from typing import Literal
@@ -1679,11 +1680,57 @@ def _build_gerrit_abandon_message(pr_obj: Any, pr_url: str) -> str:
         )
 
 
+def _abandon_change_via_ssh_if_possible(
+    client: Any, change_number: str, message: str
+) -> bool:
+    """Attempt to abandon a change over SSH using ambient credentials.
+
+    Reads the Gerrit SSH connection details from the environment
+    (populated by the action) and the host from the REST *client*.
+
+    Returns ``True`` only if the change was abandoned via SSH; ``False``
+    when SSH is not configured or the SSH abandon did not succeed (in
+    which case the caller should fall back to REST).
+    """
+    ssh_privkey = os.getenv("GERRIT_SSH_PRIVKEY_G2G", "").strip()
+    ssh_user = os.getenv("GERRIT_SSH_USER_G2G", "").strip()
+    if not ssh_privkey or not ssh_user:
+        return False
+
+    host = os.getenv("GERRIT_SERVER", "").strip()
+    if not host:
+        host = getattr(client, "host", "") or ""
+    if not host:
+        return False
+
+    try:
+        port = int(os.getenv("GERRIT_SERVER_PORT", "29418") or "29418")
+    except ValueError:
+        port = 29418
+
+    from .gerrit_ssh import abandon_change_via_ssh
+
+    return abandon_change_via_ssh(
+        host=host,
+        change_number=str(change_number),
+        message=message,
+        user=ssh_user,
+        ssh_privkey=ssh_privkey,
+        known_hosts=os.getenv("GERRIT_KNOWN_HOSTS", ""),
+        port=port,
+    )
+
+
 def _abandon_gerrit_change(
     client: Any, change_number: str, message: str
 ) -> None:
     """
-    Abandon a Gerrit change via REST API.
+    Abandon a Gerrit change.
+
+    Prefers SSH (``gerrit review --abandon``) because mutating REST calls
+    are rejected with HTTP 403 on Gerrit servers that do not allow
+    unauthenticated REST writes and where only SSH credentials are
+    configured.  Falls back to the REST API when SSH is unavailable.
 
     Args:
         client: Gerrit REST client
@@ -1691,13 +1738,35 @@ def _abandon_gerrit_change(
         message: Abandon message
 
     Raises:
-        Exception: If abandon operation fails
+        Exception: If the abandon operation fails
     """
+    if _abandon_change_via_ssh_if_possible(client, change_number, message):
+        log.debug(
+            "Successfully abandoned Gerrit change %s via SSH", change_number
+        )
+        return
+
     try:
+        log.debug(
+            "Falling back to REST abandon for Gerrit change %s", change_number
+        )
         abandon_path = f"/changes/{change_number}/abandon"
         abandon_data = {"message": message}
         client.post(abandon_path, data=abandon_data)
         log.debug("Successfully abandoned Gerrit change %s", change_number)
+    except GerritRestError as exc:
+        if exc.is_auth_error:
+            # Expected when no Gerrit REST credentials are available; the
+            # REST layer already surfaced this once. Avoid a duplicate
+            # error-level traceback for an authentication failure.
+            log.debug(
+                "REST abandon for Gerrit change %s failed (HTTP %s)",
+                change_number,
+                exc.status,
+            )
+        else:
+            log.exception("Failed to abandon Gerrit change %s", change_number)
+        raise
     except Exception:
         log.exception("Failed to abandon Gerrit change %s", change_number)
         raise

github2gerrit/gerrit_query.py

@@ -13,6 +13,7 @@ from typing import Any
 from urllib.parse import quote
 
 from .gerrit_rest import GerritRestClient
+from .gerrit_rest import warn_gerrit_credentials_unavailable
 
 
 log = logging.getLogger(__name__)
@@ -148,6 +149,20 @@ def query_open_changes_by_project(
     query = f'project:"{_gerrit_quote(project)}" status:open owner:self'
     if branch:
         query += f' branch:"{_gerrit_quote(branch)}"'
+
+    # The ``owner:self`` predicate requires an authenticated Gerrit
+    # session; an anonymous request is rejected with HTTP 403. Skip the
+    # query (warning once per run) instead of issuing a request that is
+    # guaranteed to fail and would otherwise emit error-level noise.
+    if not client.is_authenticated:
+        warn_gerrit_credentials_unavailable()
+        log.debug(
+            "Skipping owner:self query for project '%s': "
+            "no Gerrit REST credentials available",
+            project,
+        )
+        return []
+
     log.debug("Querying Gerrit for open changes: %s", query)
 
     try:

github2gerrit/gerrit_rest.py

@@ -46,6 +46,7 @@ from .gerrit_urls import create_gerrit_url_builder
 from .netrc import GerritCredentials
 from .netrc import resolve_gerrit_credentials
 from .utils import log_exception_conditionally
+from .utils import log_warning_once
 
 
 log = logging.getLogger("github2gerrit.gerrit_rest")
@@ -80,12 +81,79 @@ _TRANSIENT_ERR_SUBSTRINGS: Final[tuple[str, ...]] = (
     "gateway timeout",
 )
 
+# HTTP status codes that indicate an authentication/authorization problem
+# rather than a transient fault or a bug. These are expected when no
+# Gerrit REST credentials are available (or they are insufficient for the
+# requested operation), and are surfaced as concise, default-visible
+# warnings rather than error-level tracebacks.
+_AUTH_ERROR_STATUSES: Final[tuple[int, ...]] = (401, 403)
+
+# Shared dedup key so the "no Gerrit REST credentials" situation is
+# surfaced at most once per run, regardless of how many auth-gated
+# operations are affected.
+_CREDENTIALS_UNAVAILABLE_KEY: Final[str] = "gerrit_rest_credentials_unavailable"
+
+
+def _is_auth_status(status: int | None) -> bool:
+    """Return True if the HTTP status indicates an auth/authorization error."""
+    return status in _AUTH_ERROR_STATUSES
+
+
+def _extract_http_status(exc: BaseException) -> int | None:
+    """Best-effort extraction of an HTTP status code from an exception.
+
+    Handles both the urllib path (``urllib.error.HTTPError.code``) and the
+    pygerrit2/requests path (``HTTPError.response.status_code``).
+    """
+    code = getattr(exc, "code", None)
+    if isinstance(code, int):
+        return code
+    response = getattr(exc, "response", None)
+    status = getattr(response, "status_code", None)
+    if isinstance(status, int):
+        return status
+    return None
+
+
+def warn_gerrit_credentials_unavailable() -> None:
+    """Warn once per run that authenticated Gerrit REST is unavailable.
+
+    Call this from auth-gated code paths before skipping an operation that
+    requires Gerrit REST credentials. The warning is emitted at most once
+    per process to avoid log spam while still making the degraded behavior
+    visible at the default log level.
+    """
+    log_warning_once(
+        log,
+        _CREDENTIALS_UNAVAILABLE_KEY,
+        "Gerrit REST credentials are not available; authenticated Gerrit "
+        "REST operations are disabled. Fallback behavior may apply and "
+        "could degrade performance. Provide GERRIT_HTTP_USER and "
+        "GERRIT_HTTP_PASSWORD (or a .netrc entry) to enable authenticated "
+        "Gerrit REST access.",
+    )
+
 
 # Removed individual retry logic functions - now using centralized framework
 
 
 class GerritRestError(RuntimeError):
-    """Raised for non-retryable REST errors or exhausted retries."""
+    """Raised for non-retryable REST errors or exhausted retries.
+
+    Args:
+        status: HTTP status code associated with the failure, when known.
+            Used by callers to distinguish authentication/authorization
+            problems (401/403) from transient or unexpected errors.
+    """
+
+    def __init__(self, *args: object, status: int | None = None) -> None:
+        super().__init__(*args)
+        self.status = status
+
+    @property
+    def is_auth_error(self) -> bool:
+        """Return True if this error stems from an auth failure (401/403)."""
+        return _is_auth_status(self.status)
 
 
 @dataclass(frozen=True)
@@ -163,6 +231,19 @@ class GerritRestClient:
         """Return True if client has authentication credentials."""
         return self._auth is not None
 
+    @property
+    def host(self) -> str:
+        """Return the Gerrit hostname derived from the base URL.
+
+        Returns an empty string when the host cannot be determined.
+        """
+        from urllib.parse import urlparse
+
+        try:
+            return urlparse(self._base_url).hostname or ""
+        except Exception:
+            return ""
+
     def get(self, path: str) -> Any:
         """HTTP GET, returning parsed JSON."""
         return self._request_json_with_retry("GET", path)
@@ -251,13 +332,38 @@ class GerritRestClient:
         except urllib.error.HTTPError as http_exc:
             status = getattr(http_exc, "code", None)
             msg = f"Gerrit REST {method} {url} failed with HTTP {status}"
-            log_exception_conditionally(log, msg)
-            raise GerritRestError(msg) from http_exc
+            self._log_request_failure(msg, status)
+            raise GerritRestError(msg, status=status) from http_exc
 
         except Exception as exc:
+            status = _extract_http_status(exc)
             msg = f"Gerrit REST {method} {url} failed: {exc}"
+            self._log_request_failure(msg, status)
+            raise GerritRestError(msg, status=status) from exc
+
+    @staticmethod
+    def _log_request_failure(msg: str, status: int | None) -> None:
+        """Log a failed REST request at an appropriate level.
+
+        Authentication/authorization failures (401/403) are expected when
+        credentials are missing or insufficient; they are surfaced as a
+        single concise warning per run rather than an error-level traceback,
+        since they are neither transient faults nor bugs. All other failures
+        retain the existing conditional error/traceback behavior.
+        """
+        if _is_auth_status(status):
+            log_warning_once(
+                log,
+                f"gerrit_rest_auth_{status}",
+                "Gerrit REST authentication failed (HTTP %s): the configured "
+                "credentials are missing or insufficient for this operation. "
+                "Fallback behavior may apply and could degrade performance. "
+                "Details: %s",
+                status,
+                msg,
+            )
+        else:
             log_exception_conditionally(log, msg)
-            raise GerritRestError(msg) from exc
 
     def __repr__(self) -> str:  # pragma: no cover - convenience
         masked = ""
@@ -372,4 +478,5 @@ __all__ = [
     "GerritRestClient",
     "GerritRestError",
     "build_client_for_host",
+    "warn_gerrit_credentials_unavailable",
 ]

github2gerrit/gerrit_ssh.py

@@ -0,0 +1,284 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+
+"""
+SSH-based Gerrit operations.
+
+Some Gerrit deployments (notably those fronted by a CDN/WAF, or that
+disallow anonymous REST writes) reject mutating REST calls such as
+``POST /changes/{id}/abandon`` with HTTP 403 unless dedicated HTTP API
+credentials are supplied.  The github2gerrit action authenticates to
+Gerrit over SSH (the same channel used to push changes), so this module
+performs the abandon over SSH instead, reusing the already-configured
+SSH key and known_hosts.
+
+The single public entry point :func:`abandon_change_via_ssh` is designed
+to be used as the preferred path with a REST fallback: it never raises
+and returns ``True`` only when the change was actually abandoned.
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+import secrets
+import shlex
+import tempfile
+from pathlib import Path
+
+from .gitutils import CommandError
+from .gitutils import run_cmd
+from .ssh_common import augment_known_hosts_with_bracketed_entries
+from .ssh_common import build_non_interactive_ssh_env
+
+
+log = logging.getLogger(__name__)
+
+DEFAULT_GERRIT_SSH_PORT = 29418
+_SSH_TIMEOUT_SECONDS = 30.0
+
+
+def _write_secure_file(path: Path, content: str, mode: int) -> None:
+    """Write *content* to *path* with restrictive *mode* permissions."""
+    # Create with secure permissions from the start (avoid a window where
+    # the file is world-readable).
+    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
+    try:
+        handle = os.fdopen(fd, "w", encoding="utf-8")
+    except BaseException:
+        # os.fdopen did not take ownership of fd; close it to avoid a leak.
+        os.close(fd)
+        raise
+    with handle:
+        handle.write(content)
+    # Re-assert mode in case umask altered it.
+    path.chmod(mode)
+
+
+def _build_ssh_base_argv(
+    *,
+    key_path: Path,
+    known_hosts_path: Path | None,
+    port: int,
+    user: str,
+    host: str,
+) -> list[str]:
+    """Build the common ``ssh`` argv prefix for non-interactive auth."""
+    argv: list[str] = [
+        "ssh",
+        "-F",
+        "/dev/null",
+        "-i",
+        str(key_path),
+        "-o",
+        "IdentitiesOnly=yes",
+        "-o",
+        "IdentityAgent=none",
+        "-o",
+        "BatchMode=yes",
+        "-o",
+        "PreferredAuthentications=publickey",
+        "-o",
+        "PasswordAuthentication=no",
+        "-o",
+        "PubkeyAcceptedKeyTypes=+ssh-rsa",
+        "-o",
+        "ConnectTimeout=10",
+    ]
+    if known_hosts_path is not None:
+        argv += [
+            "-o",
+            f"UserKnownHostsFile={known_hosts_path}",
+            "-o",
+            "StrictHostKeyChecking=yes",
+        ]
+    else:
+        # No known_hosts supplied: we cannot verify the host key, but we
+        # still want a non-interactive connection.  accept-new records the
+        # key on first use; pair it with an explicit (throwaway)
+        # UserKnownHostsFile so OpenSSH does not mutate the runner's
+        # default ~/.ssh/known_hosts (which may be missing/unwritable).
+        log.warning(
+            "No GERRIT_KNOWN_HOSTS available for SSH abandon; using "
+            "StrictHostKeyChecking=accept-new with a throwaway known_hosts"
+        )
+        argv += [
+            "-o",
+            "UserKnownHostsFile=/dev/null",
+            "-o",
+            "StrictHostKeyChecking=accept-new",
+        ]
+    argv += ["-n", "-p", str(port), f"{user}@{host}"]
+    return argv
+
+
+def _resolve_current_patchset(
+    base_argv: list[str],
+    change_number: str,
+    env: dict[str, str],
+) -> str | None:
+    """Return the current patch-set number for *change_number*, or None."""
+    remote_cmd = (
+        "gerrit query --format=JSON --current-patch-set "
+        f"change:{shlex.quote(change_number)}"
+    )
+    try:
+        result = run_cmd(
+            [*base_argv, remote_cmd],
+            timeout=_SSH_TIMEOUT_SECONDS,
+            env=env,
+        )
+    except CommandError as exc:
+        log.debug(
+            "Gerrit SSH query for change %s failed: %s",
+            change_number,
+            exc,
+        )
+        return None
+
+    for raw_line in result.stdout.splitlines():
+        line = raw_line.strip()
+        if not line:
+            continue
+        try:
+            record = json.loads(line)
+        except (ValueError, TypeError):
+            continue
+        patch_set = record.get("currentPatchSet")
+        if isinstance(patch_set, dict) and patch_set.get("number") is not None:
+            return str(patch_set["number"])
+    log.debug(
+        "No currentPatchSet found in Gerrit query output for change %s",
+        change_number,
+    )
+    return None
+
+
+def abandon_change_via_ssh(
+    *,
+    host: str,
+    change_number: str,
+    message: str,
+    user: str,
+    ssh_privkey: str,
+    known_hosts: str | None = None,
+    port: int = DEFAULT_GERRIT_SSH_PORT,
+) -> bool:
+    """Abandon a Gerrit change over SSH using ``gerrit review --abandon``.
+
+    This is the preferred abandon path because it uses the same SSH
+    credentials that the action already relies on to push changes, and
+    therefore works on Gerrit servers that reject unauthenticated REST
+    writes.
+
+    Args:
+        host: Gerrit SSH hostname (no scheme).
+        change_number: Numeric Gerrit change number.
+        message: Abandon message (may be multi-line).
+        user: Gerrit SSH username.
+        ssh_privkey: SSH private key content.
+        known_hosts: Optional known_hosts content for host verification.
+        port: Gerrit SSH port (default 29418).
+
+    Returns:
+        ``True`` if the change was abandoned successfully; ``False`` when
+        prerequisites are missing or the SSH operation failed (so the
+        caller may fall back to another mechanism).  This function never
+        raises.
+    """
+    if not (host and user and ssh_privkey and str(change_number).strip()):
+        log.debug(
+            "SSH abandon prerequisites missing (host=%s, user=%s, "
+            "key=%s, change=%s); skipping SSH abandon",
+            bool(host),
+            bool(user),
+            bool(ssh_privkey),
+            change_number,
+        )
+        return False
+
+    change_number = str(change_number).strip()
+    try:
+        tmp_dir = Path(
+            tempfile.mkdtemp(prefix=f"g2g_abandon_{secrets.token_hex(8)}_")
+        )
+    except OSError as exc:
+        # Honor the "never raises" contract so callers can fall back to REST.
+        log.debug("Could not create temp dir for SSH abandon: %s", exc)
+        return False
+    try:
+        tmp_dir.chmod(0o700)
+        key_path = tmp_dir / "gerrit_key"
+        _write_secure_file(key_path, ssh_privkey.strip() + "\n", 0o600)
+
+        known_hosts_path: Path | None = None
+        if known_hosts and known_hosts.strip():
+            # OpenSSH looks up host keys under a bracketed "[host]:port"
+            # entry when connecting on a non-default port (Gerrit uses
+            # 29418).  Augment the provided content with bracketed variants
+            # so StrictHostKeyChecking can verify the key and we don't fall
+            # back to REST unnecessarily.
+            augmented = augment_known_hosts_with_bracketed_entries(
+                known_hosts.strip(), host, port
+            )
+            known_hosts_path = tmp_dir / "known_hosts"
+            _write_secure_file(known_hosts_path, augmented, 0o644)
+
+        base_argv = _build_ssh_base_argv(
+            key_path=key_path,
+            known_hosts_path=known_hosts_path,
+            port=port,
+            user=user,
+            host=host,
+        )
+
+        # Disable any ambient SSH agent so only the provided key is used.
+        ssh_env = build_non_interactive_ssh_env()
+
+        patch_set = _resolve_current_patchset(base_argv, change_number, ssh_env)
+        if patch_set is None:
+            log.debug(
+                "Could not resolve current patch-set for change %s via SSH",
+                change_number,
+            )
+            return False
+
+        target = f"{change_number},{patch_set}"
+        remote_cmd = (
+            "gerrit review --abandon "
+            f"-m {shlex.quote(message)} {shlex.quote(target)}"
+        )
+        try:
+            run_cmd(
+                [*base_argv, remote_cmd],
+                timeout=_SSH_TIMEOUT_SECONDS,
+                env=ssh_env,
+            )
+        except CommandError as exc:
+            log.warning(
+                "SSH abandon failed for change %s: %s",
+                change_number,
+                exc,
+            )
+            return False
+        else:
+            log.debug(
+                "Successfully abandoned Gerrit change %s via SSH",
+                change_number,
+            )
+            return True
+    except Exception:
+        log.warning(
+            "Unexpected error during SSH abandon for change %s",
+            change_number,
+            exc_info=True,
+        )
+        return False
+    finally:
+        try:
+            import shutil
+
+            shutil.rmtree(tmp_dir, ignore_errors=True)
+        except Exception:
+            log.debug("Failed to clean up SSH temp dir %s", tmp_dir)

github2gerrit/orchestrator/reconciliation.py

@@ -511,13 +511,25 @@ def _abandon_orphan_changes(
 
     from github2gerrit.gerrit_rest import GerritRestError
     from github2gerrit.gerrit_rest import build_client_for_host
+    from github2gerrit.gerrit_rest import warn_gerrit_credentials_unavailable
 
-    abandoned = []
+    abandoned: list[str] = []
     try:
         client = build_client_for_host(
             gerrit.host, timeout=10.0, max_attempts=3
         )
 
+        # Abandoning a change is a mutating REST call that requires
+        # authentication; without credentials every attempt would 403.
+        # Warn once and skip rather than emitting per-change errors.
+        if not client.is_authenticated:
+            warn_gerrit_credentials_unavailable()
+            log.debug(
+                "Skipping orphan-change abandon: "
+                "no Gerrit REST credentials available"
+            )
+            return abandoned
+
         for change_id in orphan_ids:
             try:
                 abandon_message = (
@@ -559,13 +571,25 @@ def _comment_orphan_changes(
 
     from github2gerrit.gerrit_rest import GerritRestError
     from github2gerrit.gerrit_rest import build_client_for_host
+    from github2gerrit.gerrit_rest import warn_gerrit_credentials_unavailable
 
-    commented = []
+    commented: list[str] = []
     try:
         client = build_client_for_host(
             gerrit.host, timeout=10.0, max_attempts=3
         )
 
+        # Posting a review comment is a mutating REST call that requires
+        # authentication; without credentials every attempt would 403.
+        # Warn once and skip rather than emitting per-change errors.
+        if not client.is_authenticated:
+            warn_gerrit_credentials_unavailable()
+            log.debug(
+                "Skipping orphan-change comment: "
+                "no Gerrit REST credentials available"
+            )
+            return commented
+
         for change_id in orphan_ids:
             try:
                 comment_message = (

github2gerrit/pr_content_filter.py

@@ -42,6 +42,13 @@ _DANGEROUS_HTML_PATTERN = re.compile(
 )
 _MULTIPLE_NEWLINES_PATTERN = re.compile(r"\n{3,}")
 _EMOJI_PATTERN = re.compile(r":[a-z_]+:")  # GitHub emoji codes like :sparkles:
+# Dependabot embeds compatibility-score badges proxied through GitHub's
+# camo image host. Detected via a regex rather than a substring membership
+# check (the latter trips CodeQL's incomplete-url-substring-sanitization
+# heuristic and is a weaker way to match a URL).
+_CAMO_IMAGE_URL_PATTERN = re.compile(
+    r"https://camo\.githubusercontent\.com/", re.IGNORECASE
+)
 
 
 @dataclass
@@ -112,7 +119,7 @@ class DependabotRule(FilterRule):
             "Bumps " in title and " from " in title and " to " in title,
             "Dependabot will resolve any conflicts" in body,
             "<details>" in body and "<summary>" in body,
-            "https://camo.githubusercontent.com/" in body,
+            bool(_CAMO_IMAGE_URL_PATTERN.search(body)),
         ]
 
         # Require multiple indicators for confidence

github2gerrit/utils.py

@@ -10,6 +10,7 @@ and ensure consistent behavior.
 
 import logging
 import os
+import threading
 from typing import Any
 
 
@@ -92,6 +93,50 @@ def log_exception_conditionally(
         logger.error(message, *args)
 
 
+_WARNED_ONCE_LOCK = threading.Lock()
+_WARNED_ONCE_KEYS: set[str] = set()
+
+
+def log_warning_once(
+    logger: logging.Logger, dedup_key: str, message: str, *args: Any
+) -> None:
+    """Emit a warning at most once per process for a given dedup key.
+
+    Useful for expected, recurring conditions (for example, an
+    authentication-gated operation that is skipped because no
+    credentials are available) where surfacing the situation once is
+    helpful but repeating it for every affected item would be noisy.
+
+    Thread-safe: PRs may be processed concurrently (see the
+    ``ThreadPoolExecutor`` in ``cli._process_bulk``), so the
+    check-and-record step is guarded by a lock to preserve the
+    warn-once guarantee. The warning itself is emitted outside the lock
+    to avoid holding it during logging I/O.
+
+    Args:
+        logger: Logger instance to use.
+        dedup_key: Stable key identifying the warning; subsequent calls
+            with the same key are suppressed.
+        message: Log message format string.
+        *args: Arguments for message formatting.
+    """
+    with _WARNED_ONCE_LOCK:
+        if dedup_key in _WARNED_ONCE_KEYS:
+            return
+        _WARNED_ONCE_KEYS.add(dedup_key)
+    logger.warning(message, *args)
+
+
+def reset_warning_once() -> None:
+    """Clear the warn-once dedup cache.
+
+    Primarily intended for tests that need to assert warn-once behavior
+    across independent cases within a single process.
+    """
+    with _WARNED_ONCE_LOCK:
+        _WARNED_ONCE_KEYS.clear()
+
+
 def append_github_output(outputs: dict[str, str]) -> None:
     """Append key-value pairs to GitHub Actions output file.
 

{github2gerrit-1.2.2.dist-info → github2gerrit-1.2.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github2gerrit
-Version: 1.2.2
+Version: 1.2.4
 Summary: Submit a GitHub pull request to a Gerrit repository.
 Project-URL: Homepage, https://github.com/lfreleng-actions/github2gerrit-action
 Project-URL: Repository, https://github.com/lfreleng-actions/github2gerrit-action
@@ -23,7 +23,7 @@ Classifier: Topic :: Software Development :: Version Control
 Classifier: Typing :: Typed
 Requires-Python: >=3.11
 Requires-Dist: click>=8.1.7
-Requires-Dist: cryptography>=46.0.5
+Requires-Dist: cryptography>=48.0.1
 Requires-Dist: git-review>=2.5.0
 Requires-Dist: pygerrit2>=2.0.15
 Requires-Dist: pygithub>=2.8.1
@@ -963,7 +963,7 @@ name: github2gerrit
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:
@@ -1192,7 +1192,7 @@ name: github2gerrit (advanced)
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:

{github2gerrit-1.2.2.dist-info → github2gerrit-1.2.4.dist-info}/RECORD

@@ -4,13 +4,14 @@ github2gerrit/commit_normalization.py,sha256=6FOkNfYvR_wicBAhbd4gcwVlkgnqdVFWvUF
 github2gerrit/commit_rules.py,sha256=GMlCYwuZb-RcEP1SwMfI3r4i_Dy2yqK6f0RwnYFMGH4,16297
 github2gerrit/config.py,sha256=nvSc9e_wJM2GS5whFE5R3UwmZjYPZgucaS8s6rrEbjY,26469
 github2gerrit/constants.py,sha256=uCAx-lZiyxlVSHaGmDx6TFbCajkK3VO2ggCOej0EeXk,1306
-github2gerrit/core.py,sha256=W08u18H9Uhsy1_0cm7hiXZmuXljr6AwGI03ybNcUO-Y,254613
+github2gerrit/core.py,sha256=-pUwvP2urkfddmNP2KxoV6UGkYXOVEXApFAnZcsMkkk,254770
 github2gerrit/duplicate_detection.py,sha256=CTrzD3YLc-AyPmaR5bSC5b22LpBDpCcNbVxMv2X0o7A,32127
 github2gerrit/error_codes.py,sha256=MclL3tiOSR4R61c3J642CYDyJJ10tzEQmI2YW7Wkqjw,19098
-github2gerrit/external_api.py,sha256=9483kkgIs1ECOl_f0lcGb8GrJQF9IfYmWfBQwUJT9hk,18480
-github2gerrit/gerrit_pr_closer.py,sha256=irsAI4eNJWi66P39q1gRibpV5SdhiVKv11u-G8yD9a0,61591
-github2gerrit/gerrit_query.py,sha256=pn44IN46tgKPq-s48XnGXpS6kfeQyiECQP75CnJSOr8,10472
-github2gerrit/gerrit_rest.py,sha256=FyQAMCSuZmJ7ClLuPRgkwapXbJnhW41TYdgkB6UGKQY,12612
+github2gerrit/external_api.py,sha256=nVZBQoPbsKKal2c9Wdsj-oWnl5wv9aNNdCG0qhyvKNA,19338
+github2gerrit/gerrit_pr_closer.py,sha256=hNX13ekFai0mYWCdrmijdEikkzI6Xnp8CypMUuJtieQ,64019
+github2gerrit/gerrit_query.py,sha256=2FvYcf8gt2rZ22nJLklBVKuZamp8ke9TaEzq2UKRHwY,11077
+github2gerrit/gerrit_rest.py,sha256=69c1EsIOjUaNy_x3gL-OtQLqAmQN4fo9Bl6es4GNvVw,16858
+github2gerrit/gerrit_ssh.py,sha256=TGpXF2REZWaya-uQPhd_jqE4kLhPWxJK-l75Bhi2hSg,9116
 github2gerrit/gerrit_urls.py,sha256=aoPuUOCysHffVr9qkBRIPCZEUoSBMHmfviydy1U1uSQ,13843
 github2gerrit/github_api.py,sha256=wYKWRMQsYu7zbxyRQRO7N4cTqBvE6vYf8SdN_3C6XTo,11486
 github2gerrit/gitreview.py,sha256=I1FPsYjkPttj6DdjqHI0HkWOwsnInhmijLeGjnD658I,23464
@@ -19,7 +20,7 @@ github2gerrit/mapping_comment.py,sha256=3WAL3KQgjfPnUMZS_-aqNL7qtD0jNXr0VTK_GPEc
 github2gerrit/models.py,sha256=beZ1C3S8v-qA4tD3Niq6trpoHofxLx6q3VQgvOz0WyI,4304
 github2gerrit/netrc.py,sha256=x8l53j-t1kl-v1YZEPaDT2Mmf5qUfgP5J0YZzE7fkIY,27534
 github2gerrit/pr_commands.py,sha256=VZNEvzK1MHnXul3SbkjjoY_HW34M9QFyt74RxcRZpQU,12440
-github2gerrit/pr_content_filter.py,sha256=WUeYiTTYbIgz4Kb0u8M5e3vEoNU5L2WQ9h27xV1iNwE,19278
+github2gerrit/pr_content_filter.py,sha256=9O2jiRM0XhaP2CD9QgKU2C4UQfyQggR14uYprBjgFWE,19644
 github2gerrit/reconcile_matcher.py,sha256=s7v3LJdv5CZmi7LvhENFoXlQ-GCxFS-CtkuOCUsD5ow,20466
 github2gerrit/rich_display.py,sha256=Y2rtJNLP_EG9zdR29NiSqM3j_o_51gpQVeTNBqZch5o,16038
 github2gerrit/rich_logging.py,sha256=D8yyV4NrsLf74fZH5-AFr1c-Im7MyNyx3LbJTLqepHs,10991
@@ -29,11 +30,11 @@ github2gerrit/ssh_common.py,sha256=OC20SQsX_AP3yTUJ_tqz6XAN30O5GbgtZwzwUzyX4DQ,8
 github2gerrit/ssh_config_parser.py,sha256=Yd6yoh95lSfUXHRHw2mrgNlY0yizz1A7GmQod30dCT8,15523
 github2gerrit/ssh_discovery.py,sha256=G94d129GM2kOmVVh-wZXqBybKLGr0s_CPjrJW6_j3k8,17847
 github2gerrit/trailers.py,sha256=9w0vIxPNBNQp56sIy-MF62d22Rm6vY-msh9ao1lX0rQ,8384
-github2gerrit/utils.py,sha256=zNH1qcxyOYdhIn4Ku0o5p9pbwYWdQfboLNqzADDts8A,3804
+github2gerrit/utils.py,sha256=5DvwiDZmYsvyEp3VegTkLczlDX_Efoa6LogJ-pG9L9k,5344
 github2gerrit/orchestrator/__init__.py,sha256=HAEcdCAHOFr8LsdIwAdcIcFZn_ayMbX9rdVUULp8410,864
-github2gerrit/orchestrator/reconciliation.py,sha256=-JQre_PUx6aZeX8Qs6uHqzujKAXXCj9wNv7Cy-543Z8,19391
-github2gerrit-1.2.2.dist-info/METADATA,sha256=JUrvlCF0qFREPgEa7h_tgro6fp9VT0FO3zUF5c0Jjjs,70210
-github2gerrit-1.2.2.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
-github2gerrit-1.2.2.dist-info/entry_points.txt,sha256=MxN2_liIKo3-xJwtAulAeS5GcOS6JS96nvwOQIkP3W8,56
-github2gerrit-1.2.2.dist-info/licenses/LICENSE,sha256=xx0jnfkXJvxRnG63LTGOxlggYnIysveWIZ6H3PNdCrQ,11357
-github2gerrit-1.2.2.dist-info/RECORD,,
+github2gerrit/orchestrator/reconciliation.py,sha256=qo5IGQu11fszzOMbVwBH12VG5zQz9jjjjIvAapLi92g,20516
+github2gerrit-1.2.4.dist-info/METADATA,sha256=3716GdviZ62NgbN3r9BZgOZKhFeXdEOxnare-JhE480,70226
+github2gerrit-1.2.4.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+github2gerrit-1.2.4.dist-info/entry_points.txt,sha256=MxN2_liIKo3-xJwtAulAeS5GcOS6JS96nvwOQIkP3W8,56
+github2gerrit-1.2.4.dist-info/licenses/LICENSE,sha256=xx0jnfkXJvxRnG63LTGOxlggYnIysveWIZ6H3PNdCrQ,11357
+github2gerrit-1.2.4.dist-info/RECORD,,

{github2gerrit-1.2.2.dist-info → github2gerrit-1.2.4.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: hatchling 1.29.0
+Generator: hatchling 1.30.1
 Root-Is-Purelib: true
 Tag: py3-none-any