github2gerrit 1.2.3__tar.gz → 1.2.4__tar.gz

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/.pre-commit-config.yaml

@@ -59,7 +59,7 @@ repos:
         types: [yaml]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: 0671d8ab202c4ac093b78433ae5baf74f3fc7246  # frozen: v0.15.15
+    rev: 3b3f7c3f57fe9925356faf5fe6230835138be230  # frozen: v0.15.17
     hooks:
       - id: ruff
         files: ^(src|scripts|tests)/.+\.py$
@@ -115,18 +115,18 @@ repos:
 
   # Requires a mirror, primary repo lacks .pre-commit-hooks.yaml
   - repo: https://github.com/DetachHead/basedpyright-prek-mirror
-    rev: 78e6efd50b63647fecb7e65fc7032745d861e2c5  # frozen: 1.39.6
+    rev: 5f6f2cb9fa8aec15105f77fd21e8dfe29838b16d  # frozen: 1.39.8
     hooks:
       - id: basedpyright
         files: ^src/.+\.py$
 
   - repo: https://github.com/lfreleng-actions/gha-workflow-linter
-    rev: 2c315e461ec3379bf9c1682360fdc1a3899f88c9  # frozen: v1.0.4
+    rev: 1a307fd9eed98268b11300ab86b1a107e1d3d1ae  # frozen: v1.1.1
     hooks:
       - id: gha-workflow-linter
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 943377262562a12b57292fc98fabd7dbf81451fe  # frozen: 0.37.2
+    rev: 8ef330cbb7204d388aa7a620f9549bcea8009663  # frozen: 0.37.3
     hooks:
       - id: check-github-actions
       - id: check-github-workflows

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github2gerrit
-Version: 1.2.3
+Version: 1.2.4
 Summary: Submit a GitHub pull request to a Gerrit repository.
 Project-URL: Homepage, https://github.com/lfreleng-actions/github2gerrit-action
 Project-URL: Repository, https://github.com/lfreleng-actions/github2gerrit-action
@@ -23,7 +23,7 @@ Classifier: Topic :: Software Development :: Version Control
 Classifier: Typing :: Typed
 Requires-Python: >=3.11
 Requires-Dist: click>=8.1.7
-Requires-Dist: cryptography>=46.0.5
+Requires-Dist: cryptography>=48.0.1
 Requires-Dist: git-review>=2.5.0
 Requires-Dist: pygerrit2>=2.0.15
 Requires-Dist: pygithub>=2.8.1

github2gerrit-1.2.4/SECURITY.md

@@ -0,0 +1,77 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+SPDX-FileCopyrightText: 2026 The Linux Foundation
+-->
+
+# Security Policy
+
+This document describes the security policy for this repository, including
+which versions receive security updates and how to report vulnerabilities.
+
+## Supported Versions
+
+Maintainers develop and merge security fixes on the default branch
+(`main`) and publish those fixes in the latest tagged release. Older
+releases and tags do not receive security updates. Users should track
+the latest tagged release for security patches.
+
+| Version               | Supported          |
+| --------------------- | ------------------ |
+| Latest tagged release | :white_check_mark: |
+| Older releases/tags   | :x:                |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it
+**privately** so that maintainers can investigate and release a fix before
+the issue becomes publicly known.
+
+### Preferred: GitHub Private Vulnerability Reporting
+
+Use GitHub's private vulnerability reporting feature:
+
+1. Navigate to the **Security** tab of this repository.
+2. Click **Report a vulnerability**.
+3. Provide as much detail as possible (see below).
+
+This creates a private advisory visible to maintainers.
+
+### Alternative: Email
+
+If you cannot use GitHub's private reporting, send an email to the Linux
+Foundation Release Engineering team at:
+
+- **<releng@linuxfoundation.org>**
+
+Please do **not** report security vulnerabilities through public GitHub
+issues, discussions, or pull requests.
+
+### What to Include
+
+To help maintainers triage and resolve the report, please include:
+
+- A clear description of the vulnerability and its potential impact.
+- Steps to reproduce the issue (proof-of-concept code or commands).
+- The affected version(s), commit SHA, or release tag.
+- Any known mitigations or workarounds.
+- Your name and contact details for follow-up (optional).
+
+## Response Process
+
+Maintainers will acknowledge receipt of vulnerability reports within
+**5 business days**. We aim to:
+
+1. Confirm the vulnerability and determine its severity.
+2. Develop and test a fix in a private branch or advisory.
+3. Coordinate a disclosure timeline with the reporter.
+4. Release a patched version and publish a security advisory.
+
+We follow a responsible disclosure process and credit reporters in the
+published advisory unless they request to remain anonymous.
+
+## Scope
+
+This policy covers the source code, configuration, and documentation
+in this repository. Please report vulnerabilities in upstream
+dependencies to their respective maintainers; this project will update
+affected dependencies once fixes become available.

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/action.yaml

@@ -179,11 +179,13 @@ runs:
     - name: "Check if GitHub2Gerrit is disabled"
       id: disabled-check
       shell: bash
+      env:
+        INPUT_G2G_DISABLED: ${{ inputs.G2G_DISABLED }}
       run: |
         # Check if GitHub2Gerrit is disabled
         set -euo pipefail
         DISABLED_ENV="${G2G_DISABLED:-}"
-        DISABLED_INPUT="${{ inputs.G2G_DISABLED }}"
+        DISABLED_INPUT="${INPUT_G2G_DISABLED:-}"
         # Normalize: accept the same truthy set as env_bool()
         # (1/true/yes/on, case-insensitive, trimmed)
         _normalize() {
@@ -205,11 +207,15 @@ runs:
     - name: "Checkout repository"
       if: steps.disabled-check.outputs.disabled != 'true'
       # yamllint disable-line rule:line-length
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
       with:
         fetch-depth: ${{ inputs.FETCH_DEPTH }}
         # Ensure we are on the PR's head SHA when triggered by PR events
         ref: ${{ github.event.pull_request.head.sha || github.sha }}
+        # The action authenticates to Gerrit over SSH and to GitHub via an
+        # explicit GITHUB_TOKEN env var, so the checkout token does not need
+        # to be persisted into the local git config.
+        persist-credentials: false
 
     - name: "Setup Python"
       if: steps.disabled-check.outputs.disabled != 'true'
@@ -221,7 +227,7 @@ runs:
     - name: "Setup uv"
       if: steps.disabled-check.outputs.disabled != 'true'
       # yamllint disable-line rule:line-length
-      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
+      uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39  # v8.2.0
       with:
         enable-cache: false
 
@@ -233,15 +239,16 @@ runs:
         # when git metadata is unavailable
         # GitHub Actions shallow checkout doesn't include .git history
         SETUPTOOLS_SCM_PRETEND_VERSION: "0.0.0+dev"
+        USE_LOCAL_ACTION: ${{ inputs.USE_LOCAL_ACTION }}
       run: |
         # Setup github2gerrit
         set -euo pipefail
         uv --version
         # Install locally for self-testing, use uvx for external repos
-        if [[ "${{ inputs.USE_LOCAL_ACTION }}" == "true" ]] || \
-           [[ "${{ github.repository }}" =~ lfreleng-actions/github2gerrit-action ]]; then
-          echo "Installing with: uv pip install --system ${{ github.action_path }}"
-          uv pip install --system ${{ github.action_path }}
+        if [[ "${USE_LOCAL_ACTION}" == "true" ]] || \
+           [[ "${GITHUB_REPOSITORY}" =~ lfreleng-actions/github2gerrit-action ]]; then
+          echo "Installing with: uv pip install --system ${GITHUB_ACTION_PATH}"
+          uv pip install --system "${GITHUB_ACTION_PATH}"
         else
           echo "uvx will install GitHub2Gerrit from PyPI"
         fi
@@ -258,11 +265,14 @@ runs:
 
     - name: "Normalize PR_NUMBER"
       if: ${{ steps.disabled-check.outputs.disabled != 'true' && github.event_name == 'workflow_dispatch' }}
+      id: normalize
       shell: bash
+      env:
+        INPUT_PR_NUMBER: ${{ inputs.PR_NUMBER }}
       run: |
         # Normalize PR_NUMBER
         set -euo pipefail
-        pr_in="${{ inputs.PR_NUMBER }}"
+        pr_in="${INPUT_PR_NUMBER:-}"
         if [[ -z "${pr_in}" || "${pr_in}" == "null" ]]; then
           pr_in="0"
         fi
@@ -271,51 +281,53 @@ runs:
           exit 2
         fi
         if [[ "${pr_in}" == "0" ]]; then
-          echo "SYNC_ALL_OPEN_PRS=true" >> "$GITHUB_ENV"
+          echo "sync_all=true" >> "$GITHUB_OUTPUT"
         else
-          echo "PR_NUMBER=${pr_in}" >> "$GITHUB_ENV"
+          echo "pr_number=${pr_in}" >> "$GITHUB_OUTPUT"
         fi
 
     - name: "Extract PR number, validate context"
       if: steps.disabled-check.outputs.disabled != 'true'
+      id: extract
       shell: bash
+      env:
+        EVENT_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number || '' }}
+        DISPATCH_PR_NUMBER: ${{ steps.normalize.outputs.pr_number }}
+        DISPATCH_SYNC_ALL: ${{ steps.normalize.outputs.sync_all }}
       run: |
         # Extract PR number, validate context
         set -euo pipefail
 
         # Push events don't need PR_NUMBER (used for closing merged PRs)
         # The CLI handles push events specially via _process_close_merged_prs()
-        if [[ "${{ github.event_name }}" == "push" ]]; then
+        if [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
           echo "Push event detected - will process merged commits for PR closure"
-          # Set PR_NUMBER to empty to indicate this is intentional for push events
-          echo "PR_NUMBER=" >> "$GITHUB_ENV"
+          # Emit an empty PR number to signal intentional push handling
+          echo "pr_number=" >> "$GITHUB_OUTPUT"
           exit 0
         fi
 
-        # Honor PR_NUMBER or SYNC_ALL_OPEN_PRS set by workflow_dispatch
-        if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-          if [[ -n "${SYNC_ALL_OPEN_PRS:-}" ]]; then
+        # Honor PR_NUMBER or sync-all from workflow_dispatch normalization
+        if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+          if [[ -n "${DISPATCH_SYNC_ALL:-}" ]]; then
             echo "Processing all open pull requests via workflow_dispatch."
+            echo "sync_all=true" >> "$GITHUB_OUTPUT"
           else
-            if [[ -z "${PR_NUMBER:-}" || "${PR_NUMBER}" == "null" ]]; then
+            if [[ -z "${DISPATCH_PR_NUMBER:-}" || "${DISPATCH_PR_NUMBER}" == "null" ]]; then
               echo "Error: provide PR_NUMBER or set 0 to process all PRs."
               exit 2
             fi
-            echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_ENV"
+            echo "pr_number=${DISPATCH_PR_NUMBER}" >> "$GITHUB_OUTPUT"
           fi
         else
-          PR_NUMBER_EVT="${{ github.event.pull_request.number || github.event.issue.number || '' }}"
-          # Do not override PR_NUMBER if previously set
-          if [[ -z "${PR_NUMBER:-}" ]]; then
-            PR_NUMBER="${PR_NUMBER_EVT}"
-            echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_ENV"
-          fi
-          if [[ -z "${PR_NUMBER}" || "${PR_NUMBER}" == "null" ]]; then
+          pr_number="${EVENT_PR_NUMBER}"
+          if [[ -z "${pr_number}" || "${pr_number}" == "null" ]]; then
             echo "Error: PR_NUMBER is empty."
             echo "This action requires a valid pull request context."
-            echo "Current event: ${{ github.event_name }}"
+            echo "Current event: ${GITHUB_EVENT_NAME}"
             exit 2
           fi
+          echo "pr_number=${pr_number}" >> "$GITHUB_OUTPUT"
         fi
 
     - name: "Run github2gerrit Python CLI"
@@ -375,16 +387,17 @@ runs:
         GITHUB_BASE_REF: ${{ github.base_ref }}
         GITHUB_HEAD_REF: ${{ github.head_ref }}
         GITHUB_ACTOR: ${{ github.actor }}
-        SYNC_ALL_OPEN_PRS: ${{ env.SYNC_ALL_OPEN_PRS }}
-        PR_NUMBER: ${{ env.PR_NUMBER }}
+        SYNC_ALL_OPEN_PRS: ${{ steps.extract.outputs.sync_all }}
+        PR_NUMBER: ${{ steps.extract.outputs.pr_number }}
         G2G_TEST_MODE: "false"
         G2G_NO_GERRIT: ${{ inputs.G2G_NO_GERRIT }}
+        USE_LOCAL_ACTION: ${{ inputs.USE_LOCAL_ACTION }}
       run: |
         # Run github2gerrit Python CLI
         set -euo pipefail
         # Use different invocation methods based on repository or USE_LOCAL_ACTION flag
-        if [[ "${{ inputs.USE_LOCAL_ACTION }}" == "true" ]] || \
-           [[ "${{ github.repository }}" =~ lfreleng-actions/github2gerrit-action ]]; then
+        if [[ "${USE_LOCAL_ACTION}" == "true" ]] || \
+           [[ "${GITHUB_REPOSITORY}" =~ lfreleng-actions/github2gerrit-action ]]; then
           echo "Running:python -m github2gerrit.cli"
           python -m github2gerrit.cli
         else

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/pyproject.toml

@@ -58,8 +58,13 @@ dependencies = [
   # Security: Fix CVE-2026-21441 (decompression-bomb vulnerability)
   "urllib3>=2.6.3",
 
-  # Security: Fix CVE-2026-26007 (SECT curve subgroup attack)
-  "cryptography>=46.0.5",
+  # Security: cryptography bundles OpenSSL in its wheels, so OpenSSL
+  # security fixes ship as new cryptography releases. Floor at the
+  # patched release: fixes CVE-2026-26007 (SECT curve subgroup attack,
+  # 46.0.5) and GHSA-537c-gmf6-5ccf (vulnerable OpenSSL in wheels, no
+  # CVE assigned, 48.0.1). No upper bound, so future security releases
+  # are not held back.
+  "cryptography>=48.0.1",
 ]
 
 [project.urls]
@@ -268,6 +273,21 @@ reportUnsupportedDunderAll = "error"
 
 
 [tool.uv]
+# Supply-chain cooldown: do not resolve anything published in the last
+# 7 days (rolling window; uv records it as a relative span in uv.lock).
+# Requires uv >= 0.9.17 for the relative-duration ("7 days") form.
+exclude-newer = "7 days"
+# cryptography bundles OpenSSL directly in its wheels, so OpenSSL security
+# fixes are delivered as new cryptography releases. Exempt it from the
+# supply-chain cooldown above so those patches are not held back by the
+# rolling window.
+#
+# Added 2026-06-15 to unblock GHSA-537c-gmf6-5ccf ("Vulnerable OpenSSL
+# included in cryptography wheels"; no CVE assigned), fixed in 48.0.1,
+# which the 7-day cooldown was excluding. References:
+#   https://github.com/advisories/GHSA-537c-gmf6-5ccf
+#   https://openssl-library.org/news/secadv/20260609.txt
+exclude-newer-package = { cryptography = "0 days" }
 # uv will manage installation based on this pyproject and lockfile.
 # No extra settings are required here; this stanza reserves the
 # namespace for future use if needed.

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/src/github2gerrit/core.py

@@ -410,9 +410,13 @@ class Orchestrator:
 
             # Check if client has authentication
             if not client.is_authenticated:
+                from .gerrit_rest import warn_gerrit_credentials_unavailable
+
+                warn_gerrit_credentials_unavailable()
                 log.debug(
-                    "Cannot update Gerrit change metadata: "
-                    "No credentials found (check .netrc or environment)"
+                    "Cannot update Gerrit change metadata for %s: "
+                    "no Gerrit REST credentials available",
+                    change_id,
                 )
                 return False
 

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/src/github2gerrit/external_api.py

@@ -380,12 +380,26 @@ def external_api_call(
                     reason = (
                         "final attempt" if is_final_attempt else "non-retryable"
                     )
-                    log_exception_conditionally(
-                        log,
+                    failure_msg = (
                         f"[{api_type.value}] {operation} failed ({reason}) "
                         f"after {attempt} attempt(s) in {duration:.2f}s: "
-                        f"{target}",
+                        f"{target}"
                     )
+                    # Authentication/authorization failures (Gerrit REST
+                    # 401/403) are surfaced once, closer to the request, as a
+                    # concise warning. Avoid emitting a duplicate error/
+                    # traceback for them here. Scope this strictly to Gerrit
+                    # REST: other API types (e.g. GitHub) may also expose a
+                    # ``.status`` attribute, and their auth/permission
+                    # failures must retain error-level visibility.
+                    is_gerrit_auth_failure = (
+                        api_type == ApiType.GERRIT_REST
+                        and getattr(exc, "status", None) in (401, 403)
+                    )
+                    if is_gerrit_auth_failure:
+                        log.debug(failure_msg)
+                    else:
+                        log_exception_conditionally(log, failure_msg)
                     _update_metrics(api_type, context, success=False, exc=exc)
                     raise
                 else:

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/src/github2gerrit/gerrit_pr_closer.py

@@ -1754,6 +1754,19 @@ def _abandon_gerrit_change(
         abandon_data = {"message": message}
         client.post(abandon_path, data=abandon_data)
         log.debug("Successfully abandoned Gerrit change %s", change_number)
+    except GerritRestError as exc:
+        if exc.is_auth_error:
+            # Expected when no Gerrit REST credentials are available; the
+            # REST layer already surfaced this once. Avoid a duplicate
+            # error-level traceback for an authentication failure.
+            log.debug(
+                "REST abandon for Gerrit change %s failed (HTTP %s)",
+                change_number,
+                exc.status,
+            )
+        else:
+            log.exception("Failed to abandon Gerrit change %s", change_number)
+        raise
     except Exception:
         log.exception("Failed to abandon Gerrit change %s", change_number)
         raise

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/src/github2gerrit/gerrit_query.py

@@ -13,6 +13,7 @@ from typing import Any
 from urllib.parse import quote
 
 from .gerrit_rest import GerritRestClient
+from .gerrit_rest import warn_gerrit_credentials_unavailable
 
 
 log = logging.getLogger(__name__)
@@ -148,6 +149,20 @@ def query_open_changes_by_project(
     query = f'project:"{_gerrit_quote(project)}" status:open owner:self'
     if branch:
         query += f' branch:"{_gerrit_quote(branch)}"'
+
+    # The ``owner:self`` predicate requires an authenticated Gerrit
+    # session; an anonymous request is rejected with HTTP 403. Skip the
+    # query (warning once per run) instead of issuing a request that is
+    # guaranteed to fail and would otherwise emit error-level noise.
+    if not client.is_authenticated:
+        warn_gerrit_credentials_unavailable()
+        log.debug(
+            "Skipping owner:self query for project '%s': "
+            "no Gerrit REST credentials available",
+            project,
+        )
+        return []
+
     log.debug("Querying Gerrit for open changes: %s", query)
 
     try:

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/src/github2gerrit/gerrit_rest.py

@@ -46,6 +46,7 @@ from .gerrit_urls import create_gerrit_url_builder
 from .netrc import GerritCredentials
 from .netrc import resolve_gerrit_credentials
 from .utils import log_exception_conditionally
+from .utils import log_warning_once
 
 
 log = logging.getLogger("github2gerrit.gerrit_rest")
@@ -80,12 +81,79 @@ _TRANSIENT_ERR_SUBSTRINGS: Final[tuple[str, ...]] = (
     "gateway timeout",
 )
 
+# HTTP status codes that indicate an authentication/authorization problem
+# rather than a transient fault or a bug. These are expected when no
+# Gerrit REST credentials are available (or they are insufficient for the
+# requested operation), and are surfaced as concise, default-visible
+# warnings rather than error-level tracebacks.
+_AUTH_ERROR_STATUSES: Final[tuple[int, ...]] = (401, 403)
+
+# Shared dedup key so the "no Gerrit REST credentials" situation is
+# surfaced at most once per run, regardless of how many auth-gated
+# operations are affected.
+_CREDENTIALS_UNAVAILABLE_KEY: Final[str] = "gerrit_rest_credentials_unavailable"
+
+
+def _is_auth_status(status: int | None) -> bool:
+    """Return True if the HTTP status indicates an auth/authorization error."""
+    return status in _AUTH_ERROR_STATUSES
+
+
+def _extract_http_status(exc: BaseException) -> int | None:
+    """Best-effort extraction of an HTTP status code from an exception.
+
+    Handles both the urllib path (``urllib.error.HTTPError.code``) and the
+    pygerrit2/requests path (``HTTPError.response.status_code``).
+    """
+    code = getattr(exc, "code", None)
+    if isinstance(code, int):
+        return code
+    response = getattr(exc, "response", None)
+    status = getattr(response, "status_code", None)
+    if isinstance(status, int):
+        return status
+    return None
+
+
+def warn_gerrit_credentials_unavailable() -> None:
+    """Warn once per run that authenticated Gerrit REST is unavailable.
+
+    Call this from auth-gated code paths before skipping an operation that
+    requires Gerrit REST credentials. The warning is emitted at most once
+    per process to avoid log spam while still making the degraded behavior
+    visible at the default log level.
+    """
+    log_warning_once(
+        log,
+        _CREDENTIALS_UNAVAILABLE_KEY,
+        "Gerrit REST credentials are not available; authenticated Gerrit "
+        "REST operations are disabled. Fallback behavior may apply and "
+        "could degrade performance. Provide GERRIT_HTTP_USER and "
+        "GERRIT_HTTP_PASSWORD (or a .netrc entry) to enable authenticated "
+        "Gerrit REST access.",
+    )
+
 
 # Removed individual retry logic functions - now using centralized framework
 
 
 class GerritRestError(RuntimeError):
-    """Raised for non-retryable REST errors or exhausted retries."""
+    """Raised for non-retryable REST errors or exhausted retries.
+
+    Args:
+        status: HTTP status code associated with the failure, when known.
+            Used by callers to distinguish authentication/authorization
+            problems (401/403) from transient or unexpected errors.
+    """
+
+    def __init__(self, *args: object, status: int | None = None) -> None:
+        super().__init__(*args)
+        self.status = status
+
+    @property
+    def is_auth_error(self) -> bool:
+        """Return True if this error stems from an auth failure (401/403)."""
+        return _is_auth_status(self.status)
 
 
 @dataclass(frozen=True)
@@ -264,13 +332,38 @@ class GerritRestClient:
         except urllib.error.HTTPError as http_exc:
             status = getattr(http_exc, "code", None)
             msg = f"Gerrit REST {method} {url} failed with HTTP {status}"
-            log_exception_conditionally(log, msg)
-            raise GerritRestError(msg) from http_exc
+            self._log_request_failure(msg, status)
+            raise GerritRestError(msg, status=status) from http_exc
 
         except Exception as exc:
+            status = _extract_http_status(exc)
             msg = f"Gerrit REST {method} {url} failed: {exc}"
+            self._log_request_failure(msg, status)
+            raise GerritRestError(msg, status=status) from exc
+
+    @staticmethod
+    def _log_request_failure(msg: str, status: int | None) -> None:
+        """Log a failed REST request at an appropriate level.
+
+        Authentication/authorization failures (401/403) are expected when
+        credentials are missing or insufficient; they are surfaced as a
+        single concise warning per run rather than an error-level traceback,
+        since they are neither transient faults nor bugs. All other failures
+        retain the existing conditional error/traceback behavior.
+        """
+        if _is_auth_status(status):
+            log_warning_once(
+                log,
+                f"gerrit_rest_auth_{status}",
+                "Gerrit REST authentication failed (HTTP %s): the configured "
+                "credentials are missing or insufficient for this operation. "
+                "Fallback behavior may apply and could degrade performance. "
+                "Details: %s",
+                status,
+                msg,
+            )
+        else:
             log_exception_conditionally(log, msg)
-            raise GerritRestError(msg) from exc
 
     def __repr__(self) -> str:  # pragma: no cover - convenience
         masked = ""
@@ -385,4 +478,5 @@ __all__ = [
     "GerritRestClient",
     "GerritRestError",
     "build_client_for_host",
+    "warn_gerrit_credentials_unavailable",
 ]

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/src/github2gerrit/orchestrator/reconciliation.py

@@ -511,13 +511,25 @@ def _abandon_orphan_changes(
 
     from github2gerrit.gerrit_rest import GerritRestError
     from github2gerrit.gerrit_rest import build_client_for_host
+    from github2gerrit.gerrit_rest import warn_gerrit_credentials_unavailable
 
-    abandoned = []
+    abandoned: list[str] = []
     try:
         client = build_client_for_host(
             gerrit.host, timeout=10.0, max_attempts=3
         )
 
+        # Abandoning a change is a mutating REST call that requires
+        # authentication; without credentials every attempt would 403.
+        # Warn once and skip rather than emitting per-change errors.
+        if not client.is_authenticated:
+            warn_gerrit_credentials_unavailable()
+            log.debug(
+                "Skipping orphan-change abandon: "
+                "no Gerrit REST credentials available"
+            )
+            return abandoned
+
         for change_id in orphan_ids:
             try:
                 abandon_message = (
@@ -559,13 +571,25 @@ def _comment_orphan_changes(
 
     from github2gerrit.gerrit_rest import GerritRestError
     from github2gerrit.gerrit_rest import build_client_for_host
+    from github2gerrit.gerrit_rest import warn_gerrit_credentials_unavailable
 
-    commented = []
+    commented: list[str] = []
     try:
         client = build_client_for_host(
             gerrit.host, timeout=10.0, max_attempts=3
         )
 
+        # Posting a review comment is a mutating REST call that requires
+        # authentication; without credentials every attempt would 403.
+        # Warn once and skip rather than emitting per-change errors.
+        if not client.is_authenticated:
+            warn_gerrit_credentials_unavailable()
+            log.debug(
+                "Skipping orphan-change comment: "
+                "no Gerrit REST credentials available"
+            )
+            return commented
+
         for change_id in orphan_ids:
             try:
                 comment_message = (

{github2gerrit-1.2.3 → github2gerrit-1.2.4}/src/github2gerrit/pr_content_filter.py

@@ -42,6 +42,13 @@ _DANGEROUS_HTML_PATTERN = re.compile(
 )
 _MULTIPLE_NEWLINES_PATTERN = re.compile(r"\n{3,}")
 _EMOJI_PATTERN = re.compile(r":[a-z_]+:")  # GitHub emoji codes like :sparkles:
+# Dependabot embeds compatibility-score badges proxied through GitHub's
+# camo image host. Detected via a regex rather than a substring membership
+# check (the latter trips CodeQL's incomplete-url-substring-sanitization
+# heuristic and is a weaker way to match a URL).
+_CAMO_IMAGE_URL_PATTERN = re.compile(
+    r"https://camo\.githubusercontent\.com/", re.IGNORECASE
+)
 
 
 @dataclass
@@ -112,7 +119,7 @@ class DependabotRule(FilterRule):
             "Bumps " in title and " from " in title and " to " in title,
             "Dependabot will resolve any conflicts" in body,
             "<details>" in body and "<summary>" in body,
-            "https://camo.githubusercontent.com/" in body,
+            bool(_CAMO_IMAGE_URL_PATTERN.search(body)),
         ]
 
         # Require multiple indicators for confidence