src-py-lib 0.1.3__tar.gz → 0.1.5__tar.gz

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
 
 permissions:
   contents: read
+  pull-requests: read
 
 concurrency:
   group: ci-${{ github.workflow }}-${{ github.ref }}

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/.github/workflows/release.yml

@@ -12,7 +12,8 @@ on:
         type: string
 
 permissions:
-  contents: write
+  contents: read
+  pull-requests: read
 
 concurrency:
   group: release-${{ github.event.inputs.tag || github.ref_name }}
@@ -50,7 +51,6 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          cache: pip
 
       - name: Cache uv
         uses: actions/cache@v5
@@ -65,8 +65,10 @@ jobs:
 
       - name: Validate release inputs
         id: release
+        env:
+          RELEASE_TAG: ${{ github.event.inputs.tag || github.ref_name }}
         run: |
-          release_tag="${{ github.event.inputs.tag || github.ref_name }}"
+          release_tag="${RELEASE_TAG}"
           if [[ ! "${release_tag}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             echo "::error title=Invalid release tag::Use a vMAJOR.MINOR.PATCH tag, got '${release_tag}'."
             exit 1
@@ -214,6 +216,8 @@ jobs:
     name: Publish GitHub release assets
     needs: [validate, wheel]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
 
     steps:
       - name: Download release assets
@@ -225,8 +229,10 @@ jobs:
       - name: Publish GitHub release assets
         env:
           GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          RELEASE_TAG: ${{ github.event.inputs.tag || github.ref_name }}
         run: |
-          release_tag="${{ github.event.inputs.tag || github.ref_name }}"
+          release_tag="${RELEASE_TAG}"
           notes_path="$(find release-assets -name release-notes.md -print -quit)"
           mapfile -t release_assets < <(find release-assets -type f ! -name release-notes.md | sort)
 

src_py_lib-0.1.5/.github/workflows/validate.yml

@@ -0,0 +1,280 @@
+name: Validate
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: "Git ref to validate. Defaults to the caller's ref."
+        required: false
+        type: string
+      build-package:
+        description: "Build and smoke-test package artifacts. Release builds do this separately."
+        required: false
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+  pull-requests: read
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  changes:
+    name: Detect changed paths
+    runs-on: ubuntu-24.04
+    outputs:
+      github_actions: ${{ steps.changed_paths.outputs.github_actions }}
+      markdown: ${{ steps.changed_paths.outputs.markdown }}
+      python: ${{ steps.changed_paths.outputs.python }}
+      package: ${{ steps.changed_paths.outputs.package }}
+
+    steps:
+      - name: Detect changed paths
+        id: changed_paths
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          github_actions_changed=false
+          markdown_changed=false
+          python_changed=false
+          package_changed=false
+
+          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
+            github_actions_changed=true
+            markdown_changed=true
+            python_changed=true
+            package_changed=true
+          else
+            changed_files="$(mktemp)"
+            gh api --paginate \
+              "repos/${GITHUB_REPOSITORY}/pulls/${PULL_REQUEST_NUMBER}/files" \
+              --jq '.[].filename' > "${changed_files}"
+
+            while IFS= read -r changed_file; do
+              case "${changed_file}" in
+                .github/workflows/*)
+                  github_actions_changed=true
+                  ;;
+              esac
+
+              case "${changed_file}" in
+                *.md|.markdownlint-cli2.yaml)
+                  markdown_changed=true
+                  ;;
+              esac
+
+              case "${changed_file}" in
+                .python-version|pyproject.toml|uv.lock|src/*|tests/*)
+                  python_changed=true
+                  ;;
+              esac
+
+              case "${changed_file}" in
+                .python-version|LICENSE|README.md|pyproject.toml|uv.lock|src/*)
+                  package_changed=true
+                  ;;
+              esac
+            done < "${changed_files}"
+          fi
+
+          {
+            echo "github_actions=${github_actions_changed}"
+            echo "markdown=${markdown_changed}"
+            echo "python=${python_changed}"
+            echo "package=${package_changed}"
+          } >> "${GITHUB_OUTPUT}"
+
+  github_actions:
+    name: Lint GitHub Actions
+    needs: changes
+    if: needs.changes.outputs.github_actions == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      ACTIONLINT_VERSION: "1.7.12"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Install actionlint
+        run: |
+          mkdir -p "${HOME}/.local/bin"
+          asset="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
+          checksums="actionlint_${ACTIONLINT_VERSION}_checksums.txt"
+          base_url="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}"
+
+          curl -fsSLO "${base_url}/${asset}"
+          curl -fsSLO "${base_url}/${checksums}"
+          grep "  ${asset}$" "${checksums}" | sha256sum --check
+          tar -xzf "${asset}" -C "${HOME}/.local/bin" actionlint
+          chmod 0755 "${HOME}/.local/bin/actionlint"
+
+      - name: Lint GitHub Actions
+        run: |
+          "${HOME}/.local/bin/actionlint"
+
+  markdown:
+    name: Lint Markdown
+    needs: changes
+    if: needs.changes.outputs.markdown == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      MARKDOWNLINT_CLI2_VERSION: "0.22.1"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Cache npm
+        uses: actions/cache@v5
+        with:
+          path: ~/.npm
+          key: npm-${{ runner.os }}-markdownlint-cli2-${{ env.MARKDOWNLINT_CLI2_VERSION }}
+
+      - name: Lint Markdown
+        run: npx --yes "markdownlint-cli2@${MARKDOWNLINT_CLI2_VERSION}"
+
+  python:
+    name: Validate Python
+    needs: changes
+    if: needs.changes.outputs.python == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      IMPORT_NAME: src_py_lib
+      PYTHON_VERSION: "3.11"
+      UV_VERSION: "0.11.7"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Cache uv
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/uv
+          key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
+
+      - name: Install uv
+        run: python -m pip install "uv==${UV_VERSION}"
+
+      - name: Validate lockfile
+        run: uv lock --check
+
+      - name: Lint Python
+        run: uv run --frozen ruff check .
+
+      - name: Check Python formatting
+        run: uv run --frozen ruff format --check .
+
+      - name: Type check
+        run: uv run --frozen pyright
+
+      - name: Run tests
+        run: uv run --frozen python -m unittest discover -s tests
+
+      - name: Smoke test source checkout import
+        run: |
+          uv run --frozen python - <<'PY'
+          import os
+
+          import src_py_lib
+
+          if src_py_lib.__name__ != os.environ["IMPORT_NAME"]:
+              raise SystemExit(f"unexpected import name: {src_py_lib.__name__}")
+          PY
+
+  package_build:
+    name: Build and smoke-test package
+    needs: changes
+    if: inputs.build-package && needs.changes.outputs.package == 'true'
+    runs-on: ubuntu-24.04
+    env:
+      IMPORT_NAME: src_py_lib
+      PYTHON_VERSION: "3.11"
+      UV_VERSION: "0.11.7"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Cache uv
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/uv
+          key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
+
+      - name: Install uv
+        run: python -m pip install "uv==${UV_VERSION}"
+
+      - name: Build wheel
+        run: uv build --wheel --out-dir dist --no-create-gitignore
+
+      - name: Smoke test installed wheel
+        run: |
+          python -m venv build/ci-venv
+          . build/ci-venv/bin/activate
+          python -m pip install dist/*.whl
+          python - <<'PY'
+          import os
+
+          import src_py_lib
+
+          if src_py_lib.__name__ != os.environ["IMPORT_NAME"]:
+              raise SystemExit(f"unexpected import name: {src_py_lib.__name__}")
+          PY
+
+  package:
+    name: Validate package
+    needs: [changes, github_actions, markdown, python, package_build]
+    if: always()
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Confirm validation results
+        run: |
+          for validation_result in \
+            "${{ needs.changes.result }}" \
+            "${{ needs.github_actions.result }}" \
+            "${{ needs.markdown.result }}" \
+            "${{ needs.python.result }}" \
+            "${{ needs.package_build.result }}"
+          do
+            case "${validation_result}" in
+              success|skipped)
+                ;;
+              *)
+                echo "::error title=Validation failed::At least one validation job ended with '${validation_result}'."
+                exit 1
+                ;;
+            esac
+          done

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/AGENTS.md

@@ -64,7 +64,7 @@ uv run python -m unittest discover -s tests
 ```sh
 set -euo pipefail
 
-VERSION=0.1.2
+VERSION=0.1.4
 BRANCH="release-v${VERSION}"
 
 git fetch origin --tags --prune
@@ -116,7 +116,7 @@ rm -rf /tmp/src-py-lib-release-check
 ```sh
 set -euo pipefail
 
-VERSION=0.1.2
+VERSION=0.1.4
 BRANCH="release-v${VERSION}"
 GH_REPO="sourcegraph/src-py-lib"
 
@@ -140,7 +140,7 @@ gh pr merge "${BRANCH}" --repo "${GH_REPO}" --squash --delete-branch
 ```sh
 set -euo pipefail
 
-VERSION=0.1.2
+VERSION=0.1.4
 
 git fetch origin --tags --prune
 git switch main
@@ -154,7 +154,7 @@ git push origin "v${VERSION}"
 ```sh
 set -euo pipefail
 
-VERSION=0.1.2
+VERSION=0.1.4
 GH_REPO="sourcegraph/src-py-lib"
 
 RUN_ID="$(

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: src-py-lib
-Version: 0.1.3
+Version: 0.1.5
 Summary: Reusable libraries for Sourcegraph projects
 Project-URL: Homepage, https://github.com/sourcegraph/src-py-lib
 Project-URL: Issues, https://github.com/sourcegraph/src-py-lib/issues

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/pyproject.toml

@@ -10,7 +10,7 @@ dev = [
 
 [project]
 name = "src-py-lib"
-version = "0.1.3"
+version = "0.1.5"
 description = "Reusable libraries for Sourcegraph projects"
 readme = "README.md"
 requires-python = ">=3.11"

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/src/src_py_lib/__init__.py

@@ -176,6 +176,7 @@ __all__ = [
     "load_json_cache",
     "load_json_subset",
     "logging",
+    "logging_context",
     "logging_settings_from_config",
     "log",
     "log_context",

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/src/src_py_lib/clients/github.py

@@ -113,6 +113,11 @@ def _normalize_github_url(github_url: str) -> str:
     stripped = github_url.strip().rstrip("/")
     if "://" not in stripped:
         stripped = f"https://{stripped}"
+    split = urlsplit(stripped)
+    if split.scheme != "https":
+        raise ValueError(f"GitHub URL must be an https:// URL (got {split.scheme!r})")
+    if not split.hostname:
+        raise ValueError(f"could not parse hostname from GitHub URL {stripped!r}")
     return stripped
 
 

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/src/src_py_lib/clients/graphql.py

@@ -9,7 +9,7 @@ from dataclasses import dataclass, field
 from pathlib import Path
 from typing import cast
 
-from src_py_lib.utils.http import HTTPClient, HTTPClientError, HTTPResponse
+from src_py_lib.utils.http import HTTPClient, HTTPClientError, HTTPResponse, log_safe_url
 from src_py_lib.utils.json_types import JSONDict, JSONValue, json_dict, json_list, json_str
 from src_py_lib.utils.logging import event
 
@@ -249,7 +249,7 @@ class GraphQLClient:
             page_number=page_number,
             page_size=_int_variable(variables, first_variable),
             cursor_present=variables.get(after_variable) is not None,
-            url=self.url,
+            url=log_safe_url(self.url),
             variable_names=sorted(variables),
             query_bytes=len(query.encode("utf-8")),
         ) as fields:

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/src/src_py_lib/clients/sourcegraph.py

@@ -8,6 +8,7 @@ import json
 import queue
 import time
 from collections.abc import Iterable, Iterator, Mapping, Sequence
+from concurrent.futures import ThreadPoolExecutor, as_completed
 from dataclasses import dataclass, field
 from typing import Final, cast
 from urllib.parse import urlsplit
@@ -19,6 +20,7 @@ from src_py_lib.utils.json_types import JSONDict, JSONValue, json_dict, json_lis
 from src_py_lib.utils.logging import (
     current_trace_context,
     new_trace_context,
+    submit_with_log_context,
     trace_context_from_traceparent,
     traceparent_header,
 )
@@ -180,6 +182,9 @@ class SourcegraphClient:
     `endpoint` should be the instance base URL, for example
     `https://sourcegraph.example.com`.
 
+    Plain HTTP endpoints are rejected unless `allow_insecure_http=True` is set
+    for local development.
+
     Set `trace=True` to ask Sourcegraph to retain traces for each GraphQL
     request. Traced requests are available through `drain_traces()` and can be
     fetched from the instance's Jaeger/debug endpoint with
@@ -190,12 +195,16 @@ class SourcegraphClient:
     token: str
     http: HTTPClient = field(default_factory=HTTPClient)
     trace: bool = False
+    allow_insecure_http: bool = False
     _traces: queue.Queue[SourcegraphTrace] = field(
         default_factory=lambda: queue.Queue[SourcegraphTrace](), init=False, repr=False
     )
 
     def __post_init__(self) -> None:
-        self.endpoint = normalize_sourcegraph_endpoint(self.endpoint)
+        self.endpoint = normalize_sourcegraph_endpoint(
+            self.endpoint,
+            require_https=not self.allow_insecure_http,
+        )
 
     def graphql(self, query: str, variables: Mapping[str, JSONValue] | None = None) -> JSONDict:
         return self._client().execute(query, variables)
@@ -244,13 +253,27 @@ class SourcegraphClient:
         traces: Iterable[SourcegraphTrace] | None = None,
         *,
         retry_delays_seconds: Sequence[float] = JAEGER_TRACE_RETRY_DELAYS_SECONDS,
+        parallelism: int = 8,
     ) -> Iterator[SourcegraphJaegerTraceSummary]:
         """Yield compact Jaeger/debug summaries for traced Sourcegraph requests."""
-        for trace in self.drain_traces() if traces is None else traces:
-            yield self.fetch_jaeger_trace_summary(
-                trace,
-                retry_delays_seconds=retry_delays_seconds,
-            )
+        if parallelism < 1:
+            raise ValueError("parallelism must be at least 1")
+        pending_traces = list(self.drain_traces() if traces is None else traces)
+        with ThreadPoolExecutor(
+            max_workers=parallelism,
+            thread_name_prefix="SourcegraphJaegerTrace",
+        ) as executor:
+            futures = [
+                submit_with_log_context(
+                    executor,
+                    self.fetch_jaeger_trace_summary,
+                    trace,
+                    retry_delays_seconds=retry_delays_seconds,
+                )
+                for trace in pending_traces
+            ]
+            for future in as_completed(futures):
+                yield future.result()
 
     def fetch_jaeger_trace_summary(
         self,

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/src/src_py_lib/utils/http.py

@@ -33,6 +33,19 @@ SENSITIVE_HEADER_FRAGMENTS: Final[tuple[str, ...]] = (
     "secret",
     "token",
 )
+SENSITIVE_URL_QUERY_FRAGMENTS: Final[tuple[str, ...]] = (
+    "access_token",
+    "api-key",
+    "api_key",
+    "authorization",
+    "code",
+    "credential",
+    "key",
+    "password",
+    "secret",
+    "signature",
+    "token",
+)
 
 logger = logging.getLogger(__name__)
 
@@ -150,7 +163,7 @@ class HTTPClient:
                     "http_request",
                     level="debug",
                     method=method,
-                    url=_safe_url(request_url),
+                    url=log_safe_url(request_url),
                     attempt=attempt,
                     request_headers=_headers_for_log(request_headers),
                     request_bytes=len(body or b""),
@@ -179,7 +192,7 @@ class HTTPClient:
                         if not self._should_retry(response.status_code, attempt):
                             raise HTTPClientError(
                                 f"HTTP {response.status_code} for {method} "
-                                f"{_safe_url(request_url)}: {body_text}",
+                                f"{log_safe_url(request_url)}: {body_text}",
                                 status_code=response.status_code,
                                 body=body_text,
                                 headers=dict(response.headers),
@@ -203,7 +216,7 @@ class HTTPClient:
                         "timed out" if isinstance(exception, httpx.TimeoutException) else "failed"
                     )
                     raise HTTPClientError(
-                        f"HTTP request {failure} for {method} {_safe_url(request_url)}: "
+                        f"HTTP request {failure} for {method} {log_safe_url(request_url)}: "
                         f"{_exception_message(exception)}"
                     ) from exception
                 record_http_retry()
@@ -246,7 +259,7 @@ class HTTPClient:
             ), response
         except json.JSONDecodeError as exception:
             raise HTTPClientError(
-                f"Invalid JSON response from {method} {_safe_url(url)}"
+                f"Invalid JSON response from {method} {log_safe_url(url)}"
             ) from exception
 
     def _should_retry(self, status_code: int | None, attempt: int) -> bool:
@@ -276,9 +289,31 @@ def _with_query(
     return f"{url}{separator}{urllib.parse.urlencode(filtered)}"
 
 
-def _safe_url(url: str) -> str:
+def log_safe_url(url: str) -> str:
+    """Return a URL safe to include in logs and exception messages."""
     split = urllib.parse.urlsplit(url)
-    return urllib.parse.urlunsplit((split.scheme, split.netloc, split.path, split.query, ""))
+    return urllib.parse.urlunsplit(
+        (split.scheme, _safe_netloc(split.netloc), split.path, _safe_query(split.query), "")
+    )
+
+
+def _safe_netloc(netloc: str) -> str:
+    return netloc.rsplit("@", 1)[-1]
+
+
+def _safe_query(query: str) -> str:
+    if not query:
+        return ""
+    parts: list[str] = []
+    for part in query.split("&"):
+        key, separator, _value = part.partition("=")
+        if _is_sensitive_query_parameter(urllib.parse.unquote_plus(key)):
+            parts.append(f"{key}={REDACTED_HEADER_VALUE}")
+        elif separator:
+            parts.append(part)
+        else:
+            parts.append(key)
+    return "&".join(parts)
 
 
 def _headers_for_log(headers: Mapping[str, str] | httpx.Headers) -> dict[str, str | list[str]]:
@@ -311,6 +346,11 @@ def _is_sensitive_header(name: str) -> bool:
     return any(fragment in lowered for fragment in SENSITIVE_HEADER_FRAGMENTS)
 
 
+def _is_sensitive_query_parameter(name: str) -> bool:
+    lowered = name.lower()
+    return any(fragment in lowered for fragment in SENSITIVE_URL_QUERY_FRAGMENTS)
+
+
 def _response_http_version(response: httpx.Response) -> str | None:
     version = response.extensions.get("http_version")
     if isinstance(version, bytes):

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/src/src_py_lib/utils/logging.py

@@ -43,7 +43,9 @@ SRC_LOG_SILENT: Final[str] = "SRC_LOG_SILENT"
 TRACE_ID_BYTES: Final[int] = 16
 SPAN_ID_BYTES: Final[int] = 8
 MEBIBYTE: Final[int] = 1024 * 1024
+REDACTED_LOG_VALUE: Final[str] = "[redacted]"
 SECRET_FIELD_FRAGMENTS: Final[tuple[str, ...]] = (
+    "api-key",
     "api_key",
     "authorization",
     "cookie",
@@ -768,7 +770,7 @@ def sanitized_config_snapshot(config: object) -> dict[str, Any]:
         if callable(value):
             continue
         key_text = str(key)
-        if any(fragment in key_text.lower() for fragment in SECRET_FIELD_FRAGMENTS):
+        if _is_sensitive_log_field(key_text):
             snapshot[key_text] = _secret_state(value)
         elif isinstance(value, Path):
             snapshot[key_text] = str(value)
@@ -937,13 +939,14 @@ def _http_headers(raw_headers: object) -> dict[str, str | list[str]]:
         if name is None or value is None:
             continue
         key = name.lower()
+        logged_value = REDACTED_LOG_VALUE if _is_sensitive_log_field(key) else value
         existing = headers.get(key)
         if existing is None:
-            headers[key] = value
+            headers[key] = logged_value
         elif isinstance(existing, list):
-            existing.append(value)
+            existing.append(logged_value)
         else:
-            headers[key] = [existing, value]
+            headers[key] = [existing, logged_value]
     return {key: headers[key] for key in sorted(headers)}
 
 
@@ -971,6 +974,11 @@ def _is_hex_identifier(value: str, length: int) -> bool:
     )
 
 
+def _is_sensitive_log_field(name: str) -> bool:
+    lowered = name.lower()
+    return any(fragment in lowered for fragment in SECRET_FIELD_FRAGMENTS)
+
+
 def _secret_state(value: object) -> str:
     if value is None or value == "":
         return "missing"

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/tests/test_logging_http_clients.py

@@ -8,6 +8,7 @@ import json
 import logging
 import subprocess
 import tempfile
+import threading
 import unittest
 from collections.abc import Mapping
 from contextlib import redirect_stderr, redirect_stdout
@@ -36,6 +37,7 @@ from src_py_lib.clients.slack import SlackClient
 from src_py_lib.clients.sourcegraph import (
     SourcegraphClient,
     SourcegraphClientConfig,
+    SourcegraphTrace,
     decode_external_service_id,
     decode_repository_id,
     encode_repository_id,
@@ -1207,7 +1209,8 @@ class LoggingTest(unittest.TestCase):
                     "receive_response_headers.complete "
                     "return_value=(b'HTTP/1.1', 200, b'OK', "
                     "[(b'Zed', b'last'), (b'Content-Type', b'application/json'), "
-                    "(b'Alpha', b'first')])"
+                    "(b'Set-Cookie', b'session=secret'), "
+                    "(b'X-Api-Key', b'secret'), (b'Alpha', b'first')])"
                 )
             finally:
                 logger = logging.getLogger(logger_name)
@@ -1224,12 +1227,17 @@ class LoggingTest(unittest.TestCase):
             self.assertEqual(response_headers["http_version"], "HTTP/1.1")
             self.assertEqual(response_headers["status_code"], 200)
             self.assertEqual(response_headers["reason_phrase"], "OK")
-            self.assertEqual(list(response_headers["headers"]), ["alpha", "content-type", "zed"])
+            self.assertEqual(
+                list(response_headers["headers"]),
+                ["alpha", "content-type", "set-cookie", "x-api-key", "zed"],
+            )
             self.assertEqual(
                 response_headers["headers"],
                 {
                     "alpha": "first",
                     "content-type": "application/json",
+                    "set-cookie": "[redacted]",
+                    "x-api-key": "[redacted]",
                     "zed": "last",
                 },
             )
@@ -1309,8 +1317,9 @@ class HTTPClientTest(unittest.TestCase):
                 client = HTTPClient(max_attempts=1, transport=httpx.MockTransport(handler))
                 payload = client.json(
                     "POST",
-                    "https://example.com/api",
+                    "https://user:pass@example.com/api?code=oauth",
                     headers={"Authorization": "Bearer token"},
+                    query={"limit": 10, "access_token": "secret", "signature": "signed"},
                     json_body={"hello": "world"},
                 )
             finally:
@@ -1330,6 +1339,11 @@ class HTTPClientTest(unittest.TestCase):
             self.assertFalse(any(row.get("logger") in {"httpx", "httpcore"} for row in rows))
             self.assertEqual(http_request["status_code"], 200)
             self.assertEqual(http_request["reason_phrase"], "OK")
+            self.assertEqual(
+                http_request["url"],
+                "https://example.com/api?code=[redacted]&limit=10"
+                "&access_token=[redacted]&signature=[redacted]",
+            )
             self.assertEqual(http_request["request_bytes"], len(b'{"hello": "world"}'))
             self.assertEqual(http_request["request_headers"]["authorization"], "[redacted]")
             self.assertEqual(
@@ -1362,10 +1376,13 @@ class HTTPClientTest(unittest.TestCase):
         )
 
         with self.assertRaisesRegex(HTTPClientError, "rate limited") as raised:
-            client.json("GET", "https://example.com/api")
+            client.json("GET", "https://user:pass@example.com/api?access_token=secret")
 
         self.assertEqual(raised.exception.status_code, 429)
         self.assertEqual(raised.exception.body, "rate limited")
+        self.assertIn("https://example.com/api?access_token=[redacted]", str(raised.exception))
+        self.assertNotIn("user:pass", str(raised.exception))
+        self.assertNotIn("secret", str(raised.exception))
 
 
 class ClientTest(unittest.TestCase):
@@ -1407,6 +1424,13 @@ class ClientTest(unittest.TestCase):
         self.assertEqual(http.calls[0]["url"], "https://sourcegraph.example.com/.api/graphql")
         self.assertEqual(http.calls[0]["headers"], {"Authorization": "token token"})
 
+    def test_sourcegraph_client_rejects_http_endpoint_by_default(self) -> None:
+        with self.assertRaisesRegex(ValueError, "https:// URL"):
+            SourcegraphClient("http://sourcegraph.example.com", "token")
+
+        client = SourcegraphClient("http://localhost:3080", "token", allow_insecure_http=True)
+        self.assertEqual(client.endpoint, "http://localhost:3080")
+
     def test_sourcegraph_client_streams_connection_nodes(self) -> None:
         http = RecordingHTTP(
             [
@@ -1535,6 +1559,50 @@ class ClientTest(unittest.TestCase):
         self.assertEqual(summaries[0].graphql_operations[0]["operation"], "Viewer")
         self.assertEqual(summaries[0].errored_spans[0]["description"], "boom")
 
+    def test_sourcegraph_streams_jaeger_summaries_in_parallel(self) -> None:
+        trace_ids = ("1" * 32, "2" * 32, "3" * 32)
+        requested_trace_ids: list[str] = []
+        first_batch_barrier = threading.Barrier(2, timeout=1)
+
+        def handler(request: httpx.Request) -> httpx.Response:
+            trace_id = request.url.path.rsplit("/", 1)[-1]
+            requested_trace_ids.append(trace_id)
+            if trace_id in trace_ids[:2]:
+                first_batch_barrier.wait()
+            return httpx.Response(
+                200,
+                json={
+                    "data": [
+                        {
+                            "spans": [
+                                {
+                                    "operationName": f"trace {trace_id[0]}",
+                                    "duration": 1_000,
+                                    "tags": [],
+                                }
+                            ]
+                        }
+                    ]
+                },
+            )
+
+        client = SourcegraphClient(
+            "https://sourcegraph.example.com/",
+            "token",
+            http=HTTPClient(max_attempts=1, transport=httpx.MockTransport(handler)),
+        )
+
+        summaries = list(
+            client.stream_jaeger_trace_summaries(
+                [SourcegraphTrace(trace_id) for trace_id in trace_ids],
+                retry_delays_seconds=(0,),
+                parallelism=2,
+            )
+        )
+
+        self.assertCountEqual(requested_trace_ids, trace_ids)
+        self.assertCountEqual([summary.trace.trace_id for summary in summaries], trace_ids)
+
     def test_graphql_client_paginates_cursor_results(self) -> None:
         http = RecordingHTTP(
             [
@@ -1734,7 +1802,12 @@ query Items($first: Int!, $after: String, $userId: ID!) {
                 },
             ]
         )
-        client = GraphQLClient("https://example.com/graphql", {}, "Example", http=http)
+        client = GraphQLClient(
+            "https://user:pass@example.com/graphql?access_token=secret&query=ok",
+            {},
+            "Example",
+            http=http,
+        )
         query = """
 query Items($first: Int!, $after: String, $userId: ID!) {
   viewer { items { nodes { id } pageInfo { hasNextPage endCursor } } }
@@ -1776,6 +1849,10 @@ query Items($first: Int!, $after: String, $userId: ID!) {
             self.assertEqual([row["page_size"] for row in starts], [2, 2])
             self.assertEqual([row["cursor_present"] for row in starts], [False, True])
             self.assertEqual(starts[0]["graphql_client"], "Example")
+            self.assertEqual(
+                starts[0]["url"],
+                "https://example.com/graphql?access_token=[redacted]&query=ok",
+            )
             self.assertEqual(starts[0]["variable_names"], ["after", "first", "userId"])
             self.assertEqual(ends[0]["response_fields"], ["viewer"])
 
@@ -1900,6 +1977,10 @@ query Items($first: Int!, $after: String) {
             graphql_api_url("github.example.com"), "https://github.example.com/api/graphql"
         )
 
+    def test_github_client_rejects_http_enterprise_url(self) -> None:
+        with self.assertRaisesRegex(ValueError, "https:// URL"):
+            graphql_api_url("http://github.example.com")
+
     def test_github_client_validate_queries_viewer(self) -> None:
         http = RecordingHTTP([{"data": {"viewer": {"login": "alice"}}}])
         client = GitHubClient("token", http=http)

{src_py_lib-0.1.3 → src_py_lib-0.1.5}/uv.lock

@@ -254,7 +254,7 @@ wheels = [
 
 [[package]]
 name = "src-py-lib"
-version = "0.1.3"
+version = "0.1.5"
 source = { editable = "." }
 dependencies = [
     { name = "httpx" },

src_py_lib-0.1.3/.github/workflows/validate.yml

@@ -1,135 +0,0 @@
-name: Validate
-
-on:
-  workflow_call:
-    inputs:
-      ref:
-        description: "Git ref to validate. Defaults to the caller's ref."
-        required: false
-        type: string
-      build-package:
-        description: "Build and smoke-test package artifacts. Release builds do this separately."
-        required: false
-        type: boolean
-        default: true
-
-permissions:
-  contents: read
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  package:
-    name: Validate package
-    runs-on: ubuntu-24.04
-    env:
-      ACTIONLINT_VERSION: "1.7.12"
-      IMPORT_NAME: src_py_lib
-      MARKDOWNLINT_CLI2_VERSION: "0.22.1"
-      PYTHON_VERSION: "3.11"
-      UV_VERSION: "0.11.7"
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Cache actionlint
-        id: cache-actionlint
-        uses: actions/cache@v5
-        with:
-          path: ~/.local/bin/actionlint
-          key: actionlint-${{ runner.os }}-${{ runner.arch }}-${{ env.ACTIONLINT_VERSION }}
-
-      - name: Install actionlint
-        if: steps.cache-actionlint.outputs.cache-hit != 'true'
-        run: |
-          mkdir -p "${HOME}/.local/bin"
-          asset="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
-          checksums="actionlint_${ACTIONLINT_VERSION}_checksums.txt"
-          base_url="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}"
-
-          curl -fsSLO "${base_url}/${asset}"
-          curl -fsSLO "${base_url}/${checksums}"
-          grep "  ${asset}$" "${checksums}" | sha256sum --check
-          tar -xzf "${asset}" -C "${HOME}/.local/bin" actionlint
-          chmod 0755 "${HOME}/.local/bin/actionlint"
-
-      - name: Lint GitHub Actions
-        run: |
-          "${HOME}/.local/bin/actionlint"
-
-      - name: Cache npm
-        uses: actions/cache@v5
-        with:
-          path: ~/.npm
-          key: npm-${{ runner.os }}-markdownlint-cli2-${{ env.MARKDOWNLINT_CLI2_VERSION }}
-
-      - name: Lint Markdown
-        run: npx --yes "markdownlint-cli2@${MARKDOWNLINT_CLI2_VERSION}"
-
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-          cache: pip
-
-      - name: Cache uv
-        uses: actions/cache@v5
-        with:
-          path: ~/.cache/uv
-          key: uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-${{ hashFiles('uv.lock') }}
-          restore-keys: |
-            uv-${{ runner.os }}-py${{ env.PYTHON_VERSION }}-
-
-      - name: Install uv
-        run: python -m pip install "uv==${UV_VERSION}"
-
-      - name: Validate lockfile
-        run: uv lock --check
-
-      - name: Lint Python
-        run: uv run --frozen ruff check .
-
-      - name: Check Python formatting
-        run: uv run --frozen ruff format --check .
-
-      - name: Type check
-        run: uv run --frozen pyright
-
-      - name: Run tests
-        run: uv run --frozen python -m unittest discover -s tests
-
-      - name: Smoke test source checkout import
-        run: |
-          uv run --frozen python - <<'PY'
-          import os
-
-          import src_py_lib
-
-          if src_py_lib.__name__ != os.environ["IMPORT_NAME"]:
-              raise SystemExit(f"unexpected import name: {src_py_lib.__name__}")
-          PY
-
-      - name: Build wheel
-        if: inputs.build-package
-        run: uv build --wheel --out-dir dist --no-create-gitignore
-
-      - name: Smoke test installed wheel
-        if: inputs.build-package
-        run: |
-          python -m venv build/ci-venv
-          . build/ci-venv/bin/activate
-          python -m pip install dist/*.whl
-          python - <<'PY'
-          import os
-
-          import src_py_lib
-
-          if src_py_lib.__name__ != os.environ["IMPORT_NAME"]:
-              raise SystemExit(f"unexpected import name: {src_py_lib.__name__}")
-          PY