mosaicstack/stack
1
0
Fork 0
Code Issues 22 Pull Requests 7 Actions Packages Projects Releases 13 Wiki Activity

fix(mosaic): harden gitea pr wrapper metadata
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details

Browse Source
This commit is contained in:
Hermes Agent
2026-05-22 11:00:34 -05:00
parent 755df9079e
commit 952fab9443
7 changed files with 266 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
packages/mosaic/framework/tools/git/detect-platform.sh
View File

@@ -92,7 +92,7 @@ get_remote_host() {
}
# Resolve a Gitea API token for the given host.
# Priority: Mosaic credential loader → GITEA_TOKEN env → ~/.git-credentials
# Priority: Mosaic credential loader → host-matched GITEA_TOKEN env → ~/.git-credentials
get_gitea_token() {
local host="$1"
local script_dir
@@ -103,16 +103,28 @@ get_gitea_token() {
if [[ -f "$cred_loader" ]]; then
local token
token=$(
# shellcheck source=/dev/null
source "$cred_loader"
# Host-specific wrapper resolution must not inherit a caller/global GITEA_TOKEN.
# load_credentials intentionally preserves existing env vars for interactive use,
# but merge/metadata wrappers need the token matching the remote host.
unset GITEA_TOKEN GITEA_URL
case "$host" in
git.mosaicstack.dev) load_credentials gitea-mosaicstack 2>/dev/null ;;
git.uscllc.com) load_credentials gitea-usc 2>/dev/null ;;
*)
local matched=false
for svc in gitea-mosaicstack gitea-usc; do
load_credentials "$svc" 2>/dev/null || continue
[[ "${GITEA_URL:-}" == *"$host"* ]] && break
unset GITEA_TOKEN GITEA_URL
load_credentials "$svc" 2>/dev/null || continue
if [[ "${GITEA_URL:-}" == "https://$host" || "${GITEA_URL:-}" == "http://$host" || "${GITEA_URL:-}" == *"//$host" ]]; then
matched=true
break
fi
done
if [[ "$matched" != true ]]; then
unset GITEA_TOKEN GITEA_URL
fi
;;
esac
echo "${GITEA_TOKEN:-}"
@@ -123,10 +135,12 @@ get_gitea_token() {
fi
fi
# 2. GITEA_TOKEN env var (may be set by caller)
# 2. GITEA_TOKEN env var (only when GITEA_URL, if present, matches the remote host)
if [[ -n "${GITEA_TOKEN:-}" ]]; then
echo "$GITEA_TOKEN"
return 0
if [[ -z "${GITEA_URL:-}" || "${GITEA_URL:-}" == "https://$host" || "${GITEA_URL:-}" == "http://$host" || "${GITEA_URL:-}" == *"//$host" ]]; then
echo "$GITEA_TOKEN"
return 0
fi
fi
# 3. ~/.git-credentials file

62
packages/mosaic/framework/tools/git/pr-merge.sh
View File

@@ -1,10 +1,11 @@
#!/bin/bash
# pr-merge.sh - Merge pull requests on Gitea or GitHub
# Usage: pr-merge.sh -n PR_NUMBER [-m squash] [-d] [--skip-queue-guard]
# Usage: pr-merge.sh -n PR_NUMBER [-m squash] [-d] [--skip-queue-guard] [--dry-run]
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck disable=SC1091
source "$SCRIPT_DIR/detect-platform.sh"
# Default values
@@ -12,6 +13,7 @@ PR_NUMBER=""
MERGE_METHOD="squash"
DELETE_BRANCH=false
SKIP_QUEUE_GUARD=false
DRY_RUN=false
usage() {
cat <<EOF
@@ -24,6 +26,7 @@ Options:
-m, --method METHOD Merge method: squash only (default: squash)
-d, --delete-branch Delete the head branch after merge
--skip-queue-guard Skip CI queue guard wait before merge
--dry-run Validate metadata/auth/preflight without merging
-h, --help Show this help message
Examples:
@@ -54,6 +57,10 @@ while [[ $# -gt 0 ]]; do
SKIP_QUEUE_GUARD=true
shift
;;
--dry-run)
DRY_RUN=true
shift
;;
-h|--help)
usage
;;
@@ -74,7 +81,8 @@ if [[ "$MERGE_METHOD" != "squash" ]]; then
exit 1
fi
BASE_BRANCH="$("$SCRIPT_DIR/pr-metadata.sh" -n "$PR_NUMBER" | python3 -c 'import json, sys; print((json.load(sys.stdin).get("baseRefName") or "").strip())')"
METADATA_JSON="$("$SCRIPT_DIR/pr-metadata.sh" -n "$PR_NUMBER")"
BASE_BRANCH="$(printf '%s' "$METADATA_JSON" | python3 -c 'import json, sys; print((json.load(sys.stdin).get("baseRefName") or "").strip())')"
if [[ "$BASE_BRANCH" != "main" ]]; then
echo "Error: Mosaic policy allows merges only for PRs targeting 'main' (found '$BASE_BRANCH')." >&2
exit 1
@@ -94,19 +102,55 @@ REPO=$(get_repo_name)
case "$PLATFORM" in
github)
CMD="gh pr merge $PR_NUMBER --squash"
[[ "$DELETE_BRANCH" == true ]] && CMD="$CMD --delete-branch"
eval "$CMD"
if [[ "$DRY_RUN" == true ]]; then
echo "Dry run: GitHub merge preflight OK for ${OWNER}/${REPO}#${PR_NUMBER} targeting ${BASE_BRANCH}"
exit 0
fi
CMD=(gh pr merge "$PR_NUMBER" --squash)
[[ "$DELETE_BRANCH" == true ]] && CMD+=(--delete-branch)
"${CMD[@]}"
;;
gitea)
CMD="tea pr merge $PR_NUMBER --style squash --repo $OWNER/$REPO --login ${GITEA_LOGIN:-mosaicstack}"
HOST=$(get_remote_host) || {
echo "Error: Cannot determine host from remote URL" >&2
exit 1
}
TOKEN=$(get_gitea_token "$HOST") || {
echo "Error: Could not resolve Gitea API token for ${HOST}" >&2
exit 1
}
if [[ "$DRY_RUN" == true ]]; then
echo "Dry run: Gitea merge preflight OK for ${OWNER}/${REPO}#${PR_NUMBER} targeting ${BASE_BRANCH} via ${HOST} API"
exit 0
fi
RESPONSE_FILE=$(mktemp)
trap 'rm -f "$RESPONSE_FILE"' EXIT
HTTP_CODE=$(curl -sS \
-X POST \
-H "Authorization: token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"Do":"squash"}' \
-o "$RESPONSE_FILE" \
-w '%{http_code}' \
"https://${HOST}/api/v1/repos/${OWNER}/${REPO}/pulls/${PR_NUMBER}/merge")
RESPONSE_BODY=$(cat "$RESPONSE_FILE")
rm -f "$RESPONSE_FILE"
trap - EXIT
if [[ ! "$HTTP_CODE" =~ ^2 ]]; then
echo "Error: Gitea PR merge failed for ${OWNER}/${REPO}#${PR_NUMBER} (HTTP ${HTTP_CODE})" >&2
if [[ -n "$RESPONSE_BODY" ]]; then
printf '%s\n' "$RESPONSE_BODY" >&2
fi
exit 1
fi
# Delete branch after merge if requested
if [[ "$DELETE_BRANCH" == true ]]; then
echo "Note: Branch deletion after merge may need to be done separately with tea" >&2
echo "Note: Branch deletion after merge may need to be done separately with the Gitea API" >&2
fi
eval "$CMD"
;;
*)
echo "Error: Could not detect git platform" >&2

37
packages/mosaic/framework/tools/git/pr-metadata.sh
View File

@@ -5,6 +5,7 @@
set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck disable=SC1091
source "$SCRIPT_DIR/detect-platform.sh"
# Parse arguments
@@ -55,39 +56,51 @@ if [[ "$PLATFORM" == "github" ]]; then
elif [[ "$PLATFORM" == "gitea" ]]; then
OWNER=$(get_repo_owner)
REPO=$(get_repo_name)
REMOTE_URL=$(git remote get-url origin 2>/dev/null)
# Extract host from remote URL
if [[ "$REMOTE_URL" == https://* ]]; then
HOST=$(echo "$REMOTE_URL" | sed -E 's|https://([^/]+)/.*|\1|')
elif [[ "$REMOTE_URL" == git@* ]]; then
HOST=$(echo "$REMOTE_URL" | sed -E 's|git@([^:]+):.*|\1|')
else
HOST=$(get_remote_host) || {
echo "Error: Cannot determine host from remote URL" >&2
exit 1
fi
}
API_URL="https://${HOST}/api/v1/repos/${OWNER}/${REPO}/pulls/${PR_NUMBER}"
GITEA_API_TOKEN=$(get_gitea_token "$HOST" || true)
RESPONSE_FILE=$(mktemp)
trap 'rm -f "$RESPONSE_FILE"' EXIT
if [[ -n "$GITEA_API_TOKEN" ]]; then
RAW=$(curl -sS -H "Authorization: token $GITEA_API_TOKEN" "$API_URL")
HTTP_CODE=$(curl -sS -H "Authorization: token $GITEA_API_TOKEN" -o "$RESPONSE_FILE" -w '%{http_code}' "$API_URL")
else
RAW=$(curl -sS "$API_URL")
HTTP_CODE=$(curl -sS -o "$RESPONSE_FILE" -w '%{http_code}' "$API_URL")
fi
RAW=$(cat "$RESPONSE_FILE")
rm -f "$RESPONSE_FILE"
trap - EXIT
if [[ ! "$HTTP_CODE" =~ ^2 ]]; then
echo "Error: Gitea PR metadata request failed for ${OWNER}/${REPO}#${PR_NUMBER} (HTTP ${HTTP_CODE})" >&2
exit 1
fi
# Normalize Gitea response to match our expected schema
METADATA=$(echo "$RAW" | python3 -c "
import json, sys
data = json.load(sys.stdin)
if 'message' in data and not data.get('number'):
raise SystemExit('Error: Gitea PR metadata response did not contain PR data')
head = data.get('head') or {}
head_ref = head.get('ref') or ''
head_label = head.get('label') or ''
# Gitea can report closed/merged PR heads as refs/pull/<n>/head; callers need
# the source branch name equivalent to GitHub headRefName, so prefer label then.
if head_ref.startswith('refs/pull/') and head_label:
head_ref = head_label
normalized = {
'number': data.get('number'),
'title': data.get('title'),
'body': data.get('body', ''),
'state': data.get('state'),
'author': data.get('user', {}).get('login', ''),
'headRefName': data.get('head', {}).get('ref', ''),
'headRefName': head_ref,
'baseRefName': data.get('base', {}).get('ref', ''),
'labels': [l.get('name', '') for l in data.get('labels', [])],
'assignees': [a.get('login', '') for a in data.get('assignees', [])],

116
packages/mosaic/framework/tools/git/tests/pr-gitea-wrapper-regression.sh Executable file
View File

@@ -0,0 +1,116 @@
#!/usr/bin/env bash
# Regression harness for Gitea PR metadata normalization and merge preflight.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
GIT_TOOLS_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
TEST_ROOT="${TEST_ROOT:-$(pwd)/.test-output/pr-gitea-wrapper-regression}"
FAKE_BIN="$TEST_ROOT/bin"
FAKE_REPO="$TEST_ROOT/repo"
rm -rf "$TEST_ROOT"
mkdir -p "$FAKE_BIN" "$FAKE_REPO" "$TEST_ROOT/state"
cat > "$FAKE_BIN/git" <<'SH'
#!/usr/bin/env bash
set -euo pipefail
if [[ "$*" == "remote get-url origin" ]]; then
echo "https://git.uscllc.com/usc/uconnect.git"
exit 0
fi
echo "unexpected git invocation: $*" >&2
exit 2
SH
chmod +x "$FAKE_BIN/git"
cat > "$FAKE_BIN/curl" <<'SH'
#!/usr/bin/env bash
set -euo pipefail
method="GET"
out_file=""
write_format=""
url=""
while [[ $# -gt 0 ]]; do
case "$1" in
-X)
method="$2"; shift 2 ;;
-o)
out_file="$2"; shift 2 ;;
-w)
write_format="$2"; shift 2 ;;
-H|-d)
shift 2 ;;
-s|-S|-f|-k|-sS|-fsS)
shift ;;
http*)
url="$1"; shift ;;
*)
shift ;;
esac
done
body='{}'
code="200"
if [[ "$method" == "GET" && "$url" == *"/api/v1/repos/usc/uconnect/pulls/1908" ]]; then
body='{"number":1908,"title":"Test PR","body":"","state":"open","user":{"login":"edith"},"head":{"label":"fix/t_23fa9e1d-portal-health-backend","ref":"refs/pull/1908/head","sha":"abc123"},"base":{"label":"main","ref":"main","sha":"def456"},"labels":[],"assignees":[],"created_at":"2026-05-22T00:00:00Z","updated_at":"2026-05-22T00:00:00Z","html_url":"https://git.uscllc.com/usc/uconnect/pulls/1908","draft":false,"mergeable":true,"diff_url":"https://git.uscllc.com/usc/uconnect/pulls/1908.diff"}'
elif [[ "$method" == "POST" && "$url" == *"/api/v1/repos/usc/uconnect/pulls/1908/merge" ]]; then
echo "$url" > "${TEST_ROOT:?}/state/merge-url"
body='{"merged":true}'
else
code="404"
body='{"message":"not found"}'
fi
if [[ -n "$out_file" ]]; then
printf '%s' "$body" > "$out_file"
else
printf '%s' "$body"
fi
if [[ -n "$write_format" ]]; then
printf '%s' "$code"
fi
SH
chmod +x "$FAKE_BIN/curl"
cat > "$FAKE_BIN/tea" <<'SH'
#!/usr/bin/env bash
echo "tea must not be invoked by Gitea merge preflight" >&2
exit 99
SH
chmod +x "$FAKE_BIN/tea"
cat > "$TEST_ROOT/credentials.json" <<'JSON'
{
"gitea": {
"usc": {"url": "https://git.uscllc.com", "token": "fake-token-usc"},
"mosaicstack": {"url": "https://git.mosaicstack.dev", "token": "fake-token-mosaic"}
}
}
JSON
export PATH="$FAKE_BIN:$PATH"
export TEST_ROOT
export MOSAIC_CREDENTIALS_FILE="$TEST_ROOT/credentials.json"
cd "$FAKE_REPO"
metadata="$("$GIT_TOOLS_DIR/pr-metadata.sh" -n 1908)"
python3 - "$metadata" <<'PY'
import json
import sys
metadata = json.loads(sys.argv[1])
assert metadata["baseRefName"] == "main", metadata
assert metadata["headRefName"] == "fix/t_23fa9e1d-portal-health-backend", metadata
PY
merge_output="$("$GIT_TOOLS_DIR/pr-merge.sh" -n 1908 -m squash --skip-queue-guard --dry-run 2>&1)"
if grep -q "mosaicstack\|Login name\|tea must not" <<<"$merge_output"; then
echo "$merge_output" >&2
exit 1
fi
if ! grep -q "Dry run: Gitea merge preflight OK" <<<"$merge_output"; then
echo "$merge_output" >&2
exit 1
fi
printf 'Gitea PR metadata and merge preflight regression passed\n'