github2gerrit 1.2.2__tar.gz → 1.2.4__tar.gz

{github2gerrit-1.2.2 → github2gerrit-1.2.4}/.pre-commit-config.yaml

@@ -59,7 +59,7 @@ repos:
         types: [yaml]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: 0c7b6c989466a93942def1f84baf36ddfcd60c83  # frozen: v0.15.14
+    rev: 3b3f7c3f57fe9925356faf5fe6230835138be230  # frozen: v0.15.17
     hooks:
       - id: ruff
         files: ^(src|scripts|tests)/.+\.py$
@@ -115,18 +115,18 @@ repos:
 
   # Requires a mirror, primary repo lacks .pre-commit-hooks.yaml
   - repo: https://github.com/DetachHead/basedpyright-prek-mirror
-    rev: 78e6efd50b63647fecb7e65fc7032745d861e2c5  # frozen: 1.39.6
+    rev: 5f6f2cb9fa8aec15105f77fd21e8dfe29838b16d  # frozen: 1.39.8
     hooks:
       - id: basedpyright
         files: ^src/.+\.py$
 
   - repo: https://github.com/lfreleng-actions/gha-workflow-linter
-    rev: 2c315e461ec3379bf9c1682360fdc1a3899f88c9  # frozen: v1.0.4
+    rev: 1a307fd9eed98268b11300ab86b1a107e1d3d1ae  # frozen: v1.1.1
     hooks:
       - id: gha-workflow-linter
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 943377262562a12b57292fc98fabd7dbf81451fe  # frozen: 0.37.2
+    rev: 8ef330cbb7204d388aa7a620f9549bcea8009663  # frozen: 0.37.3
     hooks:
       - id: check-github-actions
       - id: check-github-workflows

{github2gerrit-1.2.2 → github2gerrit-1.2.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github2gerrit
-Version: 1.2.2
+Version: 1.2.4
 Summary: Submit a GitHub pull request to a Gerrit repository.
 Project-URL: Homepage, https://github.com/lfreleng-actions/github2gerrit-action
 Project-URL: Repository, https://github.com/lfreleng-actions/github2gerrit-action
@@ -23,7 +23,7 @@ Classifier: Topic :: Software Development :: Version Control
 Classifier: Typing :: Typed
 Requires-Python: >=3.11
 Requires-Dist: click>=8.1.7
-Requires-Dist: cryptography>=46.0.5
+Requires-Dist: cryptography>=48.0.1
 Requires-Dist: git-review>=2.5.0
 Requires-Dist: pygerrit2>=2.0.15
 Requires-Dist: pygithub>=2.8.1
@@ -963,7 +963,7 @@ name: github2gerrit
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:
@@ -1192,7 +1192,7 @@ name: github2gerrit (advanced)
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:

{github2gerrit-1.2.2 → github2gerrit-1.2.4}/README.md

@@ -917,7 +917,7 @@ name: github2gerrit
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:
@@ -1146,7 +1146,7 @@ name: github2gerrit (advanced)
 
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize, closed]
   workflow_dispatch:
 
 permissions:

github2gerrit-1.2.4/SECURITY.md

@@ -0,0 +1,77 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+SPDX-FileCopyrightText: 2026 The Linux Foundation
+-->
+
+# Security Policy
+
+This document describes the security policy for this repository, including
+which versions receive security updates and how to report vulnerabilities.
+
+## Supported Versions
+
+Maintainers develop and merge security fixes on the default branch
+(`main`) and publish those fixes in the latest tagged release. Older
+releases and tags do not receive security updates. Users should track
+the latest tagged release for security patches.
+
+| Version               | Supported          |
+| --------------------- | ------------------ |
+| Latest tagged release | :white_check_mark: |
+| Older releases/tags   | :x:                |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it
+**privately** so that maintainers can investigate and release a fix before
+the issue becomes publicly known.
+
+### Preferred: GitHub Private Vulnerability Reporting
+
+Use GitHub's private vulnerability reporting feature:
+
+1. Navigate to the **Security** tab of this repository.
+2. Click **Report a vulnerability**.
+3. Provide as much detail as possible (see below).
+
+This creates a private advisory visible to maintainers.
+
+### Alternative: Email
+
+If you cannot use GitHub's private reporting, send an email to the Linux
+Foundation Release Engineering team at:
+
+- **<releng@linuxfoundation.org>**
+
+Please do **not** report security vulnerabilities through public GitHub
+issues, discussions, or pull requests.
+
+### What to Include
+
+To help maintainers triage and resolve the report, please include:
+
+- A clear description of the vulnerability and its potential impact.
+- Steps to reproduce the issue (proof-of-concept code or commands).
+- The affected version(s), commit SHA, or release tag.
+- Any known mitigations or workarounds.
+- Your name and contact details for follow-up (optional).
+
+## Response Process
+
+Maintainers will acknowledge receipt of vulnerability reports within
+**5 business days**. We aim to:
+
+1. Confirm the vulnerability and determine its severity.
+2. Develop and test a fix in a private branch or advisory.
+3. Coordinate a disclosure timeline with the reporter.
+4. Release a patched version and publish a security advisory.
+
+We follow a responsible disclosure process and credit reporters in the
+published advisory unless they request to remain anonymous.
+
+## Scope
+
+This policy covers the source code, configuration, and documentation
+in this repository. Please report vulnerabilities in upstream
+dependencies to their respective maintainers; this project will update
+affected dependencies once fixes become available.

{github2gerrit-1.2.2 → github2gerrit-1.2.4}/action.yaml

@@ -179,11 +179,13 @@ runs:
     - name: "Check if GitHub2Gerrit is disabled"
       id: disabled-check
       shell: bash
+      env:
+        INPUT_G2G_DISABLED: ${{ inputs.G2G_DISABLED }}
       run: |
         # Check if GitHub2Gerrit is disabled
         set -euo pipefail
         DISABLED_ENV="${G2G_DISABLED:-}"
-        DISABLED_INPUT="${{ inputs.G2G_DISABLED }}"
+        DISABLED_INPUT="${INPUT_G2G_DISABLED:-}"
         # Normalize: accept the same truthy set as env_bool()
         # (1/true/yes/on, case-insensitive, trimmed)
         _normalize() {
@@ -205,11 +207,15 @@ runs:
     - name: "Checkout repository"
       if: steps.disabled-check.outputs.disabled != 'true'
       # yamllint disable-line rule:line-length
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
       with:
         fetch-depth: ${{ inputs.FETCH_DEPTH }}
         # Ensure we are on the PR's head SHA when triggered by PR events
         ref: ${{ github.event.pull_request.head.sha || github.sha }}
+        # The action authenticates to Gerrit over SSH and to GitHub via an
+        # explicit GITHUB_TOKEN env var, so the checkout token does not need
+        # to be persisted into the local git config.
+        persist-credentials: false
 
     - name: "Setup Python"
       if: steps.disabled-check.outputs.disabled != 'true'
@@ -221,7 +227,7 @@ runs:
     - name: "Setup uv"
       if: steps.disabled-check.outputs.disabled != 'true'
       # yamllint disable-line rule:line-length
-      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
+      uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39  # v8.2.0
       with:
         enable-cache: false
 
@@ -233,15 +239,16 @@ runs:
         # when git metadata is unavailable
         # GitHub Actions shallow checkout doesn't include .git history
         SETUPTOOLS_SCM_PRETEND_VERSION: "0.0.0+dev"
+        USE_LOCAL_ACTION: ${{ inputs.USE_LOCAL_ACTION }}
       run: |
         # Setup github2gerrit
         set -euo pipefail
         uv --version
         # Install locally for self-testing, use uvx for external repos
-        if [[ "${{ inputs.USE_LOCAL_ACTION }}" == "true" ]] || \
-           [[ "${{ github.repository }}" =~ lfreleng-actions/github2gerrit-action ]]; then
-          echo "Installing with: uv pip install --system ${{ github.action_path }}"
-          uv pip install --system ${{ github.action_path }}
+        if [[ "${USE_LOCAL_ACTION}" == "true" ]] || \
+           [[ "${GITHUB_REPOSITORY}" =~ lfreleng-actions/github2gerrit-action ]]; then
+          echo "Installing with: uv pip install --system ${GITHUB_ACTION_PATH}"
+          uv pip install --system "${GITHUB_ACTION_PATH}"
         else
           echo "uvx will install GitHub2Gerrit from PyPI"
         fi
@@ -258,11 +265,14 @@ runs:
 
     - name: "Normalize PR_NUMBER"
       if: ${{ steps.disabled-check.outputs.disabled != 'true' && github.event_name == 'workflow_dispatch' }}
+      id: normalize
       shell: bash
+      env:
+        INPUT_PR_NUMBER: ${{ inputs.PR_NUMBER }}
       run: |
         # Normalize PR_NUMBER
         set -euo pipefail
-        pr_in="${{ inputs.PR_NUMBER }}"
+        pr_in="${INPUT_PR_NUMBER:-}"
         if [[ -z "${pr_in}" || "${pr_in}" == "null" ]]; then
           pr_in="0"
         fi
@@ -271,51 +281,53 @@ runs:
           exit 2
         fi
         if [[ "${pr_in}" == "0" ]]; then
-          echo "SYNC_ALL_OPEN_PRS=true" >> "$GITHUB_ENV"
+          echo "sync_all=true" >> "$GITHUB_OUTPUT"
         else
-          echo "PR_NUMBER=${pr_in}" >> "$GITHUB_ENV"
+          echo "pr_number=${pr_in}" >> "$GITHUB_OUTPUT"
         fi
 
     - name: "Extract PR number, validate context"
       if: steps.disabled-check.outputs.disabled != 'true'
+      id: extract
       shell: bash
+      env:
+        EVENT_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number || '' }}
+        DISPATCH_PR_NUMBER: ${{ steps.normalize.outputs.pr_number }}
+        DISPATCH_SYNC_ALL: ${{ steps.normalize.outputs.sync_all }}
       run: |
         # Extract PR number, validate context
         set -euo pipefail
 
         # Push events don't need PR_NUMBER (used for closing merged PRs)
         # The CLI handles push events specially via _process_close_merged_prs()
-        if [[ "${{ github.event_name }}" == "push" ]]; then
+        if [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
           echo "Push event detected - will process merged commits for PR closure"
-          # Set PR_NUMBER to empty to indicate this is intentional for push events
-          echo "PR_NUMBER=" >> "$GITHUB_ENV"
+          # Emit an empty PR number to signal intentional push handling
+          echo "pr_number=" >> "$GITHUB_OUTPUT"
           exit 0
         fi
 
-        # Honor PR_NUMBER or SYNC_ALL_OPEN_PRS set by workflow_dispatch
-        if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-          if [[ -n "${SYNC_ALL_OPEN_PRS:-}" ]]; then
+        # Honor PR_NUMBER or sync-all from workflow_dispatch normalization
+        if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+          if [[ -n "${DISPATCH_SYNC_ALL:-}" ]]; then
             echo "Processing all open pull requests via workflow_dispatch."
+            echo "sync_all=true" >> "$GITHUB_OUTPUT"
           else
-            if [[ -z "${PR_NUMBER:-}" || "${PR_NUMBER}" == "null" ]]; then
+            if [[ -z "${DISPATCH_PR_NUMBER:-}" || "${DISPATCH_PR_NUMBER}" == "null" ]]; then
               echo "Error: provide PR_NUMBER or set 0 to process all PRs."
               exit 2
             fi
-            echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_ENV"
+            echo "pr_number=${DISPATCH_PR_NUMBER}" >> "$GITHUB_OUTPUT"
           fi
         else
-          PR_NUMBER_EVT="${{ github.event.pull_request.number || github.event.issue.number || '' }}"
-          # Do not override PR_NUMBER if previously set
-          if [[ -z "${PR_NUMBER:-}" ]]; then
-            PR_NUMBER="${PR_NUMBER_EVT}"
-            echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_ENV"
-          fi
-          if [[ -z "${PR_NUMBER}" || "${PR_NUMBER}" == "null" ]]; then
+          pr_number="${EVENT_PR_NUMBER}"
+          if [[ -z "${pr_number}" || "${pr_number}" == "null" ]]; then
             echo "Error: PR_NUMBER is empty."
             echo "This action requires a valid pull request context."
-            echo "Current event: ${{ github.event_name }}"
+            echo "Current event: ${GITHUB_EVENT_NAME}"
             exit 2
           fi
+          echo "pr_number=${pr_number}" >> "$GITHUB_OUTPUT"
         fi
 
     - name: "Run github2gerrit Python CLI"
@@ -375,16 +387,17 @@ runs:
         GITHUB_BASE_REF: ${{ github.base_ref }}
         GITHUB_HEAD_REF: ${{ github.head_ref }}
         GITHUB_ACTOR: ${{ github.actor }}
-        SYNC_ALL_OPEN_PRS: ${{ env.SYNC_ALL_OPEN_PRS }}
-        PR_NUMBER: ${{ env.PR_NUMBER }}
+        SYNC_ALL_OPEN_PRS: ${{ steps.extract.outputs.sync_all }}
+        PR_NUMBER: ${{ steps.extract.outputs.pr_number }}
         G2G_TEST_MODE: "false"
         G2G_NO_GERRIT: ${{ inputs.G2G_NO_GERRIT }}
+        USE_LOCAL_ACTION: ${{ inputs.USE_LOCAL_ACTION }}
       run: |
         # Run github2gerrit Python CLI
         set -euo pipefail
         # Use different invocation methods based on repository or USE_LOCAL_ACTION flag
-        if [[ "${{ inputs.USE_LOCAL_ACTION }}" == "true" ]] || \
-           [[ "${{ github.repository }}" =~ lfreleng-actions/github2gerrit-action ]]; then
+        if [[ "${USE_LOCAL_ACTION}" == "true" ]] || \
+           [[ "${GITHUB_REPOSITORY}" =~ lfreleng-actions/github2gerrit-action ]]; then
           echo "Running:python -m github2gerrit.cli"
           python -m github2gerrit.cli
         else

{github2gerrit-1.2.2 → github2gerrit-1.2.4}/pyproject.toml

@@ -58,8 +58,13 @@ dependencies = [
   # Security: Fix CVE-2026-21441 (decompression-bomb vulnerability)
   "urllib3>=2.6.3",
 
-  # Security: Fix CVE-2026-26007 (SECT curve subgroup attack)
-  "cryptography>=46.0.5",
+  # Security: cryptography bundles OpenSSL in its wheels, so OpenSSL
+  # security fixes ship as new cryptography releases. Floor at the
+  # patched release: fixes CVE-2026-26007 (SECT curve subgroup attack,
+  # 46.0.5) and GHSA-537c-gmf6-5ccf (vulnerable OpenSSL in wheels, no
+  # CVE assigned, 48.0.1). No upper bound, so future security releases
+  # are not held back.
+  "cryptography>=48.0.1",
 ]
 
 [project.urls]
@@ -268,6 +273,21 @@ reportUnsupportedDunderAll = "error"
 
 
 [tool.uv]
+# Supply-chain cooldown: do not resolve anything published in the last
+# 7 days (rolling window; uv records it as a relative span in uv.lock).
+# Requires uv >= 0.9.17 for the relative-duration ("7 days") form.
+exclude-newer = "7 days"
+# cryptography bundles OpenSSL directly in its wheels, so OpenSSL security
+# fixes are delivered as new cryptography releases. Exempt it from the
+# supply-chain cooldown above so those patches are not held back by the
+# rolling window.
+#
+# Added 2026-06-15 to unblock GHSA-537c-gmf6-5ccf ("Vulnerable OpenSSL
+# included in cryptography wheels"; no CVE assigned), fixed in 48.0.1,
+# which the 7-day cooldown was excluding. References:
+#   https://github.com/advisories/GHSA-537c-gmf6-5ccf
+#   https://openssl-library.org/news/secadv/20260609.txt
+exclude-newer-package = { cryptography = "0 days" }
 # uv will manage installation based on this pyproject and lockfile.
 # No extra settings are required here; this stanza reserves the
 # namespace for future use if needed.

{github2gerrit-1.2.2 → github2gerrit-1.2.4}/src/github2gerrit/core.py

@@ -410,9 +410,13 @@ class Orchestrator:
 
             # Check if client has authentication
             if not client.is_authenticated:
+                from .gerrit_rest import warn_gerrit_credentials_unavailable
+
+                warn_gerrit_credentials_unavailable()
                 log.debug(
-                    "Cannot update Gerrit change metadata: "
-                    "No credentials found (check .netrc or environment)"
+                    "Cannot update Gerrit change metadata for %s: "
+                    "no Gerrit REST credentials available",
+                    change_id,
                 )
                 return False
 

{github2gerrit-1.2.2 → github2gerrit-1.2.4}/src/github2gerrit/external_api.py

@@ -380,12 +380,26 @@ def external_api_call(
                     reason = (
                         "final attempt" if is_final_attempt else "non-retryable"
                     )
-                    log_exception_conditionally(
-                        log,
+                    failure_msg = (
                         f"[{api_type.value}] {operation} failed ({reason}) "
                         f"after {attempt} attempt(s) in {duration:.2f}s: "
-                        f"{target}",
+                        f"{target}"
                     )
+                    # Authentication/authorization failures (Gerrit REST
+                    # 401/403) are surfaced once, closer to the request, as a
+                    # concise warning. Avoid emitting a duplicate error/
+                    # traceback for them here. Scope this strictly to Gerrit
+                    # REST: other API types (e.g. GitHub) may also expose a
+                    # ``.status`` attribute, and their auth/permission
+                    # failures must retain error-level visibility.
+                    is_gerrit_auth_failure = (
+                        api_type == ApiType.GERRIT_REST
+                        and getattr(exc, "status", None) in (401, 403)
+                    )
+                    if is_gerrit_auth_failure:
+                        log.debug(failure_msg)
+                    else:
+                        log_exception_conditionally(log, failure_msg)
                     _update_metrics(api_type, context, success=False, exc=exc)
                     raise
                 else:

{github2gerrit-1.2.2 → github2gerrit-1.2.4}/src/github2gerrit/gerrit_pr_closer.py

@@ -11,6 +11,7 @@ merged and close the corresponding GitHub pull request that originated it.
 from __future__ import annotations
 
 import logging
+import os
 import re
 from typing import Any
 from typing import Literal
@@ -1679,11 +1680,57 @@ def _build_gerrit_abandon_message(pr_obj: Any, pr_url: str) -> str:
         )
 
 
+def _abandon_change_via_ssh_if_possible(
+    client: Any, change_number: str, message: str
+) -> bool:
+    """Attempt to abandon a change over SSH using ambient credentials.
+
+    Reads the Gerrit SSH connection details from the environment
+    (populated by the action) and the host from the REST *client*.
+
+    Returns ``True`` only if the change was abandoned via SSH; ``False``
+    when SSH is not configured or the SSH abandon did not succeed (in
+    which case the caller should fall back to REST).
+    """
+    ssh_privkey = os.getenv("GERRIT_SSH_PRIVKEY_G2G", "").strip()
+    ssh_user = os.getenv("GERRIT_SSH_USER_G2G", "").strip()
+    if not ssh_privkey or not ssh_user:
+        return False
+
+    host = os.getenv("GERRIT_SERVER", "").strip()
+    if not host:
+        host = getattr(client, "host", "") or ""
+    if not host:
+        return False
+
+    try:
+        port = int(os.getenv("GERRIT_SERVER_PORT", "29418") or "29418")
+    except ValueError:
+        port = 29418
+
+    from .gerrit_ssh import abandon_change_via_ssh
+
+    return abandon_change_via_ssh(
+        host=host,
+        change_number=str(change_number),
+        message=message,
+        user=ssh_user,
+        ssh_privkey=ssh_privkey,
+        known_hosts=os.getenv("GERRIT_KNOWN_HOSTS", ""),
+        port=port,
+    )
+
+
 def _abandon_gerrit_change(
     client: Any, change_number: str, message: str
 ) -> None:
     """
-    Abandon a Gerrit change via REST API.
+    Abandon a Gerrit change.
+
+    Prefers SSH (``gerrit review --abandon``) because mutating REST calls
+    are rejected with HTTP 403 on Gerrit servers that do not allow
+    unauthenticated REST writes and where only SSH credentials are
+    configured.  Falls back to the REST API when SSH is unavailable.
 
     Args:
         client: Gerrit REST client
@@ -1691,13 +1738,35 @@ def _abandon_gerrit_change(
         message: Abandon message
 
     Raises:
-        Exception: If abandon operation fails
+        Exception: If the abandon operation fails
     """
+    if _abandon_change_via_ssh_if_possible(client, change_number, message):
+        log.debug(
+            "Successfully abandoned Gerrit change %s via SSH", change_number
+        )
+        return
+
     try:
+        log.debug(
+            "Falling back to REST abandon for Gerrit change %s", change_number
+        )
         abandon_path = f"/changes/{change_number}/abandon"
         abandon_data = {"message": message}
         client.post(abandon_path, data=abandon_data)
         log.debug("Successfully abandoned Gerrit change %s", change_number)
+    except GerritRestError as exc:
+        if exc.is_auth_error:
+            # Expected when no Gerrit REST credentials are available; the
+            # REST layer already surfaced this once. Avoid a duplicate
+            # error-level traceback for an authentication failure.
+            log.debug(
+                "REST abandon for Gerrit change %s failed (HTTP %s)",
+                change_number,
+                exc.status,
+            )
+        else:
+            log.exception("Failed to abandon Gerrit change %s", change_number)
+        raise
     except Exception:
         log.exception("Failed to abandon Gerrit change %s", change_number)
         raise

{github2gerrit-1.2.2 → github2gerrit-1.2.4}/src/github2gerrit/gerrit_query.py

@@ -13,6 +13,7 @@ from typing import Any
 from urllib.parse import quote
 
 from .gerrit_rest import GerritRestClient
+from .gerrit_rest import warn_gerrit_credentials_unavailable
 
 
 log = logging.getLogger(__name__)
@@ -148,6 +149,20 @@ def query_open_changes_by_project(
     query = f'project:"{_gerrit_quote(project)}" status:open owner:self'
     if branch:
         query += f' branch:"{_gerrit_quote(branch)}"'
+
+    # The ``owner:self`` predicate requires an authenticated Gerrit
+    # session; an anonymous request is rejected with HTTP 403. Skip the
+    # query (warning once per run) instead of issuing a request that is
+    # guaranteed to fail and would otherwise emit error-level noise.
+    if not client.is_authenticated:
+        warn_gerrit_credentials_unavailable()
+        log.debug(
+            "Skipping owner:self query for project '%s': "
+            "no Gerrit REST credentials available",
+            project,
+        )
+        return []
+
     log.debug("Querying Gerrit for open changes: %s", query)
 
     try: