feat(integrations): Add Sonar connector support with git submodule

[aaronsteers]

feat(integrations): Add Sonar connector support with git submodule

Summary

This PR adds support for running Sonar connectors in PyAirbyte as a new connector type called "integrations". Sonar connectors are YAML-based connectors that provide API access through resource and verb operations (e.g., customers.list(), customers.get(id="123")), rather than the stream-based model used by sources and destinations.

Key changes:

• Added Integration class that inherits from ConnectorBase but not from Source or Destination
• Created SonarExecutor to run Sonar connectors using the connector-sdk's ConnectorExecutor
• Added get_integration() factory function for easy integration creation
• Configured all GitHub Actions workflows to use Octavia Bot authentication for accessing the private sonar submodule
• Added sonar repo as a git submodule (temporary solution pending PyPI publication)
• Configured ruff, pytest, and deptry to exclude the sonar submodule directory
• Added check-deps poe task for running deptry on the airbyte package only

Architecture:

from airbyte import get_integration

integration = get_integration(
    name="my-api",
    yaml_path="./connectors/my-api.yaml",
    secrets={"api_key": "sk_test_..."}
)

# List available resources and verbs
resources = integration.list_resources()  # ["customers", "products"]
verbs = integration.list_verbs("customers")  # ["list", "get", "create"]

# Execute operations
result = integration.execute("customers", "list", params={"limit": 10})
result = integration.execute("customers", "get", params={"id": "cus_123"})

Review & Testing Checklist for Human

• Test with a real Sonar connector: All tests are mocked. Verify end-to-end functionality with an actual Sonar connector YAML file:

  integration = get_integration(
      name="test-api",
      yaml_path="path/to/real/connector.yaml",
      secrets={"api_key": "..."},
      validate=True  # This will validate the YAML
  )
  integration.check()  # Verify connectivity
  resources = integration.list_resources()
  result = integration.execute(resources[0], "list")

• Verify Octavia Bot secrets are configured: The CI workflows require OCTAVIA_BOT_APP_ID and OCTAVIA_BOT_PRIVATE_KEY secrets to access the private sonar submodule. Verify these are set up in the repo settings.

• Review fork PR behavior: Fork PRs will fail CI because they won't have access to Octavia Bot secrets. Decide if this is acceptable during the temporary submodule phase or if we need to add fork-skip logic to workflows.

• Decide on long-term strategy: The git submodule approach is explicitly temporary. Decide whether to:

  • Publish connector-sdk to PyPI
  • Make the sonar repo public
  • Keep the submodule approach long-term with a dedicated branch

• Review async test configuration: Two async tests have pytest-asyncio configuration issues (test_aexecute and test_aexecute_batch in both test files). The sync wrapper tests pass, so functionality is verified, but decide whether to fix pytest-asyncio configuration or skip async tests temporarily.

Notes

• Temporary solution: The git submodule approach is explicitly temporary. Long-term, the connector-sdk should be published to PyPI or the sonar repo should be made public.
• CI workflow changes: Updated 7 workflows to add Octavia Bot authentication and submodule checkout with submodules: recursive.
• Exclusions added: Configured ruff, pytest, and deptry to exclude the sonar submodule directory to prevent analyzing external code.
• Deptry pre-existing issues: There are 350 DEP003 errors about 'airbyte' importing itself as a transitive dependency. These are pre-existing issues unrelated to this PR.
• Poe task added: Created check-deps poe task that runs deptry airbyte to scan only the package, ensuring deptry respects the exclude configuration.

Requested by: AJ Steers (@aaronsteers)
Session: https://app.devin.ai/sessions/bf60b6038a32425b8d87fdd83198f52a

Summary by CodeRabbit

• New Features

  • Sonar-based Integration for YAML connectors with resource/verb discovery, async/sync execute and batch support, and health checks.
  • get_integration() factory and SonarExecutor to run YAML-based connectors.
  • Exposed integrations, Integration, and get_integration on the top-level public API.
  • Connector type extended to include "integration".

• Tests

  • Comprehensive unit tests for Integration and SonarExecutor.

• Chores

  • CI/workflow updates and repository submodule added for sonar.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[devin-ai-integration]

Original prompt from AJ Steers

Received message in Slack channel #ask-devin-ai:

@Devin - get me up to speed on sonar connectors. Specifically: 
1. How much is built on (aka backwards compatible with) OpenAPI?
2. What additional capabilities exist in the proposed and/or implemented spec additions.
3. Do generic connector tests exist? 
4. What is the minimal Python import necessary to run a connector from its YAML definition?
5. Give me sample code to run a connector in Python.
Thread URL: https://airbytehq-team.slack.com/archives/C08BHPUMEPJ/p1763666804689099

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1763667751-add-sonar-integration-support' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1763667751-add-sonar-integration-support'

Helpful Resources

• PyAirbyte Documentation
• API Reference

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

• /fix-pr - Fixes most formatting and linting issues
• /poetry-lock - Updates poetry.lock file
• /test-pr - Runs tests with the updated PyAirbyte

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.

📝 Edit this welcome message.

[github-actions]

PyTest Results (Fast Tests Only, No Creds)

30 tests   - 290   29 ✅  - 291   3s ⏱️ - 5m 54s
 1 suites ±  0    0 💤 ±  0 
 1 files   ±  0    1 ❌ +  1 

For more details on these failures, see this check.

Results for commit 1361ab1. ± Comparison against base commit 2981b3d.

This pull request removes 320 and adds 30 tests. Note that renamed tests count towards both.

tests.docs_tests.test_docs_checked_in ‑ test_docs_generation
tests.integration_tests.destinations.test_source_to_destination ‑ test_destination_write_from_read_result
tests.integration_tests.destinations.test_source_to_destination ‑ test_destination_write_from_source_with_cache
tests.integration_tests.destinations.test_source_to_destination ‑ test_destination_write_from_source_without_cache
tests.integration_tests.destinations.test_source_to_destination ‑ test_duckdb_destination_check
tests.integration_tests.destinations.test_source_to_destination ‑ test_duckdb_destination_spec
tests.integration_tests.destinations.test_source_to_destination ‑ test_duckdb_destination_write_components
tests.integration_tests.secrets.test_gsm_secrets ‑ test_first_connector_secret
tests.integration_tests.secrets.test_gsm_secrets ‑ test_get_connector_secrets
tests.integration_tests.secrets.test_gsm_secrets ‑ test_get_gsm_secret
…

tests.unit_tests.integrations.test_integration.TestGetIntegration ‑ test_get_integration
tests.unit_tests.integrations.test_integration.TestGetIntegration ‑ test_get_integration_with_logging
tests.unit_tests.integrations.test_integration.TestGetIntegration ‑ test_get_integration_with_validation
tests.unit_tests.integrations.test_integration.TestIntegration ‑ test_aexecute
tests.unit_tests.integrations.test_integration.TestIntegration ‑ test_aexecute_batch
tests.unit_tests.integrations.test_integration.TestIntegration ‑ test_check_not_implemented
tests.unit_tests.integrations.test_integration.TestIntegration ‑ test_check_with_authorize_verb
tests.unit_tests.integrations.test_integration.TestIntegration ‑ test_execute
tests.unit_tests.integrations.test_integration.TestIntegration ‑ test_execute_batch
tests.unit_tests.integrations.test_integration.TestIntegration ‑ test_init
…

♻️ This comment has been updated with latest results.

[github-actions]

PyTest Results (Full)

422 tests  +33   401 ✅ +28   28m 24s ⏱️ + 1m 18s
  1 suites ± 0    16 💤 ± 0 
  1 files   ± 0     5 ❌ + 5 

For more details on these failures, see this check.

Results for commit 1361ab1. ± Comparison against base commit 2981b3d.

♻️ This comment has been updated with latest results.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds Sonar-based YAML integrations: new SonarExecutor, Integration wrapper, and get_integration factory; exposes integrations and types at the package top-level; extends ConnectorBase.connector_type to include "integration"; adds unit tests, a sonar submodule, project deps, and CI/workflow updates for submodule checkout.

Changes

Cohort / File(s)	Summary
Top-level API airbyte/__init__.py, airbyte/integrations/__init__.py	Export the integrations submodule and re-export Integration and get_integration at package top-level; add them to __all__.
Connector type airbyte/_connector_base.py	Extend ConnectorBase.connector_type typing to Literal["destination", "source", "integration"].
Sonar executor airbyte/_executors/sonar.py	Add SonarExecutor: lazy connector-sdk executor creation, secret handling, YAML path validation, async aexecute/aexecute_batch, version retrieval via connector-sdk config loader, no-op install lifecycle, and execute() marked unsupported.
Integration class airbyte/integrations/base.py	Add Integration (subclass of ConnectorBase): YAML validation/loading, list_resources/list_verbs, async/sync aexecute/execute and batch variants, and a health-check path via optional authorize verb.
Factory util airbyte/integrations/util.py	Add get_integration() to construct a SonarExecutor and return an Integration instance.
Project config pyproject.toml	Add connector-sdk to a new integrations poetry group (local path), add pytest-asyncio dev dep, adjust pytest opts/markers, and update DEP002/DEP004 ignores for optional dependency.
Tests tests/unit_tests/integrations/*	Add unit tests for SonarExecutor and Integration: init, YAML loading/validation, async & sync execution, batch ops, health checks, factory behavior, and fixtures/mocks.
Repo metadata / lint .gitmodules, .ruff.toml, sonar	Add sonar submodule entry and commit ref; exclude sonar from Ruff linting.
Tests package header tests/unit_tests/integrations/__init__.py	Add module header and docstring for integration tests.
CI / workflows .github/workflows/*	Add GitHub App token authentication steps and propagate token to actions/checkout; enable recursive submodule checkout across multiple workflows (pytest, lint, docs, autofix, PR commands).

Sequence Diagram(s)

sequenceDiagram
    actor Dev
    participant Factory as get_integration
    participant Int as Integration
    participant SE as SonarExecutor
    participant SDK as connector-sdk

    rect rgb(235,245,235)
    Note over Dev,Factory: Factory creates integration
    Dev->>Factory: get_integration(name, yaml_path, ...)
    Factory->>SE: SonarExecutor(...)
    Factory-->>Int: Integration(SE, name, yaml_path)
    end

    rect rgb(235,245,255)
    Note over Dev,SDK: Lazy YAML load & resource discovery
    Dev->>Int: list_resources()
    Int->>SE: _get_executor() (lazy) / request YAML
    SE->>SDK: config_loader.load_connector_config()
    SDK-->>SE: config
    SE-->>Int: resources
    Int-->>Dev: resources
    end

    rect rgb(255,245,235)
    Note over Dev,SDK: Async execution flow
    Dev->>Int: aexecute(resource,verb,params)
    Int->>SE: aexecute(...)
    SE->>SDK: executor.aexecute(...)
    SDK-->>SE: result
    SE-->>Int: result
    Int-->>Dev: result
    end

    rect rgb(255,245,245)
    Note over Dev,Int: Sync-to-async bridge
    Dev->>Int: execute(...)
    alt no running event loop
        Int->>Int: asyncio.run(aexecute(...))
        Int-->>Dev: result
    else running event loop
        Int-->>Dev: raises PyAirbyteInputError
    end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45–60 minutes

• Pay extra attention to:
  • Async/sync bridging in Integration.execute and detection of an existing event loop.
  • Lazy connector-sdk import/initialization and ImportError -> PyAirbyteInputError mapping in SonarExecutor._get_executor.
  • YAML loading/validation, caching semantics, and error classification (PyAirbyteInputError vs PyAirbyteInternalError).
  • Tests that heavily mock connector-sdk and asyncio — ensure mocks reflect real connector-sdk signatures.

Possibly related PRs

• ci: Use GitHub App token for CI workflow #687 — similar CI workflow changes adding GitHub App token usage and submodule checkout.
• feat: add experimental MCP server to PyAirbyte, add secrets references and secrets hydration features #696 — touches ConnectorBase and secret-hydration behavior; likely overlaps with connector_type and integration plumbing.
• Chore: Remove Py39 styling #341 — earlier change expanding ConnectorBase.connector_type Literal; related typing change.

Suggested reviewers

• quintonwall
• ChristoGrab

Would you like me to flag specific test cases or source lines for deeper inspection, wdyt?

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding Sonar connector support with a git submodule, which aligns with the PR's core objective of introducing Integration type and SonarExecutor.
Docstring Coverage	✅ Passed	Docstring coverage is 98.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch devin/1763667751-add-sonar-integration-support

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8513158 and 1361ab1.

📒 Files selected for processing (2)

• pyproject.toml (6 hunks)
• tests/unit_tests/integrations/test_sonar_executor.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/unit_tests/integrations/test_sonar_executor.py

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (All, Python 3.11, Windows)
• GitHub Check: Pytest (All, Python 3.10, Ubuntu)
• GitHub Check: Pytest (All, Python 3.10, Windows)

🔇 Additional comments (5)

pyproject.toml (5)

58-60: Setup integrations group with connector-sdk path dependency.

The integrations group enables a clean separation for optional Sonar-based integrations. Using develop = true with the path dependency allows local edits during development—is this the intended behavior, or should this be develop = false for CI/release scenarios? This is a good pattern for incubating the connector-sdk before publishing to PyPI. ✨

---

95-95: Appropriately exclude sonar submodule from pytest collection.

Adding --ignore=sonar to pytest addopts prevents the submodule from interfering with test discovery—good call. This aligns with the submodule strategy until connector-sdk is published to PyPI.

---

102-102: Mark asyncio tests with explicit pytest-asyncio marker.

The asyncio marker description is correct and necessary for pytest-asyncio 0.23.0+. Tests using @pytest.mark.asyncio will be properly handled once the pytest-asyncio version incompatibility (see line 72 comment) is resolved.

---

152-152: Add check-deps task for dependency hygiene.

The new check-deps task invoking deptry airbyte is a good addition for catching dependency issues in CI. This pairs well with the deptry configuration updates below.

---

174-189: Configure deptry to handle integrations group and self-imports.

The deptry configuration updates are sound:

• Excluding .venv, sonar, and tests directories prevents false positives from vendored and test-only code.
• DEP003 ignore for airbyte self-imports aligns with the PR note about pre-existing deptry errors.
• DEP004/DEP002 ignores for both connector-sdk and connector_sdk (module vs. package naming) correctly handle the lazy-imported optional dependency in the integrations group.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

pyproject.toml (1)

58-60: Consider long‑term ergonomics of the local connector-sdk path dependency

Using connector-sdk = {path = "../sonar/connector-sdk", develop = true} under an integrations group is nice for local development, but it assumes the Sonar repo is checked out as a sibling directory. For contributors or CI setups that don’t mirror that layout, poetry install --with integrations will fail until they manually arrange the directory. Would it be worth either (a) documenting this expectation explicitly, or (b) planning a follow‑up to switch to a VCS/PyPI requirement once connector-sdk is published and versioned? wdyt?

airbyte/_executors/sonar.py (1)

100-127: Mark intentionally unused parameters to keep linters quiet

In execute() and ensure_installation(), several parameters (args, stdin, suppress_stderr, auto_fix) are intentionally unused, which may trigger ARG002 warnings under ruff. Would you be open to making that intent explicit, e.g.:

     def execute(
         self,
         args: list[str],
         *,
-        stdin: Any = None,  # noqa: ANN401
-        suppress_stderr: bool = False,
+        stdin: Any = None,  # noqa: ANN401
+        suppress_stderr: bool = False,
     ) -> Iterator[str]:
         """Execute is not supported for Sonar connectors."""
-        """Execute is not supported for Sonar connectors.
+        _ = (args, stdin, suppress_stderr)
+        """Execute is not supported for Sonar connectors.
@@
     def ensure_installation(self, *, auto_fix: bool = True) -> None:
         """Ensure connector is available (no-op for YAML connectors)."""
-        pass
+        _ = auto_fix
+        pass

(or alternatively adding # noqa: ARG002 on those parameters)? That would keep static checks clean without changing behavior. wdyt?

Also applies to: 163-173

airbyte/integrations/base.py (1)

69-147: Maybe centralize load_connector_config into a module-level helper to simplify imports and testing?

Right now _validate_yaml, list_resources, and list_verbs each do their own inline:

from connector_sdk.config_loader import load_connector_config

and then call it. That keeps the dependency optional, but it also (a) repeats the import logic, and (b) makes it hard for tests to patch airbyte.integrations.base.load_connector_config as they’re currently written, since that symbol doesn’t actually exist at module scope.

Would you consider introducing a single module-level helper or alias (e.g. a load_connector_config variable set inside a try/except ImportError that’s None when connector-sdk isn’t installed) and having these methods call through it? That would both de-duplicate the import/error-handling logic and give tests a stable patch target without changing the external Integration API, wdyt?

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2981b3d and ac23073.

⛔ Files ignored due to path filters (1)

• poetry.lock is excluded by !**/*.lock

📒 Files selected for processing (10)

• airbyte/__init__.py (5 hunks)
• airbyte/_connector_base.py (1 hunks)
• airbyte/_executors/sonar.py (1 hunks)
• airbyte/integrations/__init__.py (1 hunks)
• airbyte/integrations/base.py (1 hunks)
• airbyte/integrations/util.py (1 hunks)
• pyproject.toml (2 hunks)
• tests/unit_tests/integrations/__init__.py (1 hunks)
• tests/unit_tests/integrations/test_integration.py (1 hunks)
• tests/unit_tests/integrations/test_sonar_executor.py (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (7)

airbyte/integrations/__init__.py (2)

airbyte/integrations/base.py (1)

• Integration (18-288)

airbyte/integrations/util.py (1)

• get_integration (16-64)

tests/unit_tests/integrations/test_sonar_executor.py (3)

airbyte/_executors/sonar.py (10)

• SonarExecutor (20-195)
• _get_executor (63-98)
• _cli (101-107)
• execute (109-127)
• aexecute (129-146)
• aexecute_batch (148-161)
• ensure_installation (163-165)
• install (167-169)
• uninstall (171-173)
• get_installed_version (175-195)

airbyte/exceptions.py (1)

• PyAirbyteInputError (201-210)

airbyte/integrations/base.py (4)

• execute (177-210)
• aexecute (149-175)
• execute_batch (242-264)
• aexecute_batch (212-240)

airbyte/integrations/util.py (2)

airbyte/_executors/sonar.py (1)

• SonarExecutor (20-195)

airbyte/integrations/base.py (1)

• Integration (18-288)

tests/unit_tests/integrations/test_integration.py (4)

airbyte/_executors/sonar.py (4)

• SonarExecutor (20-195)
• aexecute (129-146)
• execute (109-127)
• aexecute_batch (148-161)

airbyte/integrations/base.py (9)

• Integration (18-288)
• _validate_yaml (69-91)
• list_resources (93-111)
• list_verbs (113-147)
• aexecute (149-175)
• execute (177-210)
• aexecute_batch (212-240)
• execute_batch (242-264)
• check (266-288)

airbyte/integrations/util.py (1)

• get_integration (16-64)

airbyte/exceptions.py (1)

• PyAirbyteInputError (201-210)

airbyte/_executors/sonar.py (5)

airbyte/_executors/base.py (1)

• Executor (159-248)

airbyte/registry.py (1)

• ConnectorMetadata (65-96)

airbyte/exceptions.py (1)

• PyAirbyteInputError (201-210)

airbyte/integrations/base.py (4)

• execute (177-210)
• aexecute (149-175)
• aexecute_batch (212-240)
• execute_batch (242-264)

tests/unit_tests/integrations/test_sonar_executor.py (1)

• executor (31-37)

airbyte/__init__.py (2)

airbyte/integrations/base.py (1)

• Integration (18-288)

airbyte/integrations/util.py (1)

• get_integration (16-64)

airbyte/integrations/base.py (2)

airbyte/_connector_base.py (3)

• ConnectorBase (54-508)
• name (84-86)
• check (327-373)

airbyte/_executors/sonar.py (4)

• SonarExecutor (20-195)
• aexecute (129-146)
• execute (109-127)
• aexecute_batch (148-161)

🔇 Additional comments (8)

tests/unit_tests/integrations/__init__.py (1)

1-2: Test package header and docstring look solid

The minimal module header and focused docstring are exactly what we need here; no further changes from my side.

pyproject.toml (1)

95-102: Async pytest marker looks good; just ensure plugin wiring is in place

The "asyncio" marker description matches how pytest-asyncio works (“automatically applied by pytest-asyncio”), so the config reads cleanly. Can you double‑check that pytest-asyncio (or an equivalent plugin providing this marker) is always installed in environments running these tests so we don’t hit unknown‑marker warnings if someone runs pytest without extras? wdyt?

airbyte/_executors/sonar.py (2)

27-62: Constructor and YAML existence check read cleanly

The constructor wiring and early yaml_path existence guard make the failure mode clear and user‑friendly, especially with input_value populated. I don’t see any changes needed here.

---

63-97: Runtime coupling to connector-sdk API merits a quick real‑world verification

The lazy creation of ConnectorExecutor and the optional dependency behavior look well thought out, and delegating aexecute / aexecute_batch plus version detection to connector-sdk keeps this thin. Since the type relationship to connector-sdk is only duck‑typed, could we explicitly smoke‑test against a real Sonar YAML once available to confirm that:

• ConnectorExecutor.execute(resource, verb, params) and .execute_batch(operations) are indeed awaitable with these exact signatures, and
• load_connector_config(...).connector.version is the right field to read for versioning?

That would catch any upstream API drift early, given this isn’t enforced at type‑check time. Does that fit with your planned manual verification for this PR? wdyt?

Also applies to: 129-162, 175-195

airbyte/_connector_base.py (1)

57-57: connector_type literal widening aligns with the new Integration

Allowing "integration" in the connector_type literal makes sense for the new Integration subclass and keeps type hints accurate. Given docs_url builds https://docs.airbyte.com/integrations/{self.connector_type}s/..., that will now resolve to an .../integrations/... path for integrations—can you confirm that’s the intended docs location for this new connector type, or should we special‑case integrations later if the docs hierarchy differs? wdyt?

airbyte/integrations/__init__.py (1)

1-11: Clean public facade for integrations

Re‑exporting Integration and get_integration here with a concise module docstring makes the integrations surface discoverable and tidy; this looks good to me as‑is.

airbyte/__init__.py (1)

135-136: Top-level Integration exports look consistent

The new imports and __all__ entries cleanly expose Integration and get_integration at the root package while still keeping the connector-sdk dependency lazy through the underlying modules, so I don’t see any issues here.

Also applies to: 159-159, 181-182, 194-195, 203-204

airbyte/integrations/util.py (1)

1-69: get_integration factory wiring looks good

The factory cleanly instantiates SonarExecutor with the logging flags and wraps it in Integration, matching the executor’s constructor and the Integration API without forcing connector-sdk at import time, so this part looks solid to me.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.gitmodules (1)

1-3: Consider documenting submodule clone instructions.

Adding a git submodule is solid for bringing in the Sonar connector-sdk. However, users cloning the repo may not realize they need to use git clone --recursive or run git submodule update --init --recursive to populate the submodule.

Wdyt about adding a note to the README or CONTRIBUTING guide on cloning with submodules? This will help contributors get up and running smoothly.

.ruff.toml (1)

35-40: Remove duplicate "ICN" rule in the select list.

Line 39 duplicates the "ICN" rule already present on line 35. While duplicates don't break linting, they're a minor code smell that can be cleaned up.

Apply this diff:

     "I",     # isort
     "ICN",   # flake8-import-conventions
     "INP",   # flake8-no-pep420
     "INT",   # flake8-gettext
     "ISC",   # flake8-implicit-str-concat
-    "ICN",   # flake8-import-conventions
     "LOG",   # flake8-logging

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ac23073 and c85fae9.

⛔ Files ignored due to path filters (1)

• poetry.lock is excluded by !**/*.lock

📒 Files selected for processing (4)

• .gitmodules (1 hunks)
• .ruff.toml (1 hunks)
• pyproject.toml (4 hunks)
• sonar (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• sonar

🚧 Files skipped from review as they are similar to previous changes (1)

• pyproject.toml

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2024-10-10T16:17:57.989Z

Learnt from: aaronsteers
Repo: airbytehq/PyAirbyte PR: 417
File: airbyte/cli.py:503-504
Timestamp: 2024-10-10T16:17:57.989Z
Learning: In the PyAirbyte project, support for Python versions earlier than 3.10 is not necessary, as the project requires Python 3.10 or newer.

Applied to files:

• .ruff.toml

🔇 Additional comments (1)

.ruff.toml (1)

6-8: Correctly excluding the sonar submodule from linting.

Makes sense! Since the sonar submodule is an external project with its own code standards, excluding it from PyAirbyte's Ruff linting keeps the toolchain clean.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/python_pytest.yml (1)

28-35: Consider using YAML anchors to reduce duplication of GitHub App authentication.

The GitHub App authentication pattern is repeated identically across 4 jobs. This creates maintenance burden if credentials or permissions need to change later.

Would you consider refactoring using YAML anchors (e.g., &auth-step and *auth-step) to DRY this up? For example:

# At the top level (outside jobs):
.github-app-auth: &github-app-auth
  - name: Authenticate as GitHub App
    uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42
    id: get-app-token
    with:
      owner: "airbytehq"
      repositories: "PyAirbyte,sonar"
      app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
      private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}

# Then in each job:
steps:
  - *github-app-auth

(Not critical for this PR, but something for a follow-up refactor, wdyt?)

Also applies to: 104-111, 193-200, 277-284

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c85fae9 and 1b2883d.

📒 Files selected for processing (1)

• .github/workflows/python_pytest.yml (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Pytest (All, Python 3.10, Ubuntu)
• GitHub Check: Pytest (All, Python 3.10, Windows)
• GitHub Check: Pytest (All, Python 3.11, Windows)
• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (Fast)

🔇 Additional comments (1)

.github/workflows/python_pytest.yml (1)

38-40: Verify GitHub App has permission to recursively clone the sonar submodule.

The submodules: recursive checkout is correctly configured across all jobs. However, ensure that the GitHub App's permissions include access to the sonar repository (which appears to be private based on the PR objectives). If the app's credentials lack the necessary permissions, submodule cloning will fail silently or with a cryptic error.

Can you confirm that OCTAVIA_BOT_* secrets are configured in the organization and the app has access to both PyAirbyte and sonar repositories?

Also applies to: 114-116, 203-205, 287-289

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Verify GitHub App token is available and properly scoped for fork PRs.

The GitHub App authentication pattern looks correct for accessing the private sonar submodule, but the pytest-no-creds job runs on fork PRs where the OCTAVIA_BOT_APP_ID and OCTAVIA_BOT_PRIVATE_KEY secrets won't be available. This will cause the create-github-app-token step to fail on fork PRs.

Do you want to add a conditional check (similar to the pytest job's fork logic) to skip the GitHub App token creation on forks, or does the action gracefully handle missing secrets?

---

I'll verify this concern by examining the workflow file and checking how the GitHub App token action handles missing secrets.

---

🏁 Script executed:

#!/bin/bash
# Inspect the full workflow file to understand pytest-no-creds job config
# and check for existing fork protection conditionals
cat .github/workflows/python_pytest.yml | head -n 350

Length of output: 10302

---

🏁 Script executed:

#!/bin/bash
# Also check if there are any conditional checks (if:) in the workflow
rg -n "if:" .github/workflows/python_pytest.yml -C2

Length of output: 2982

---

🏁 Script executed:

#!/bin/bash
# Search for pytest-no-creds job definition
rg -n "pytest-no-creds" .github/workflows/python_pytest.yml -A15

Length of output: 1924

---

🌐 Web query:

actions/create-github-app-token missing secrets behavior fork PR

💡 Result:

Short answer: actions/create-github-app-token needs the app private key (a secret) to create an installation token — GitHub will NOT provide repository secrets to workflows triggered by a pull request from a fork, so the action will be unable to read the PRIVATE_KEY (and will fail or not produce a usable token) when the workflow runs on a fork PR. [1][2]

What to do (brief):

• If you must run with secrets for fork PRs, use pull_request_target (runs in base repo and can access secrets) — but avoid checking out or running untrusted PR code in that job because of security risks. [3]
• Alternatively require contributors to open branches in the same repo (not a fork) or have a maintainer re-run/approve the workflow so secrets are available.
• Or design the workflow to run a safe, unprivileged check for fork PRs and only run secret-requiring jobs after merge or via a maintainer-triggered workflow_run. [3][1]

Sources:

• actions/create-github-app-token repo (usage/inputs/notes). [1]
• GitHub docs: secrets are not passed to workflows triggered by a pull request from a fork. [2]
• GitHub security docs on pull_request vs pull_request_target and associated risks. [3]

References:
[1] actions/create-github-app-token (GitHub). (github.com)
[2] Understanding GitHub secret types / Secrets limitations (GitHub Docs). (docs.github.com)
[3] GitHub Security Lab / docs on pull_request_target and secrets (GitHub). (securitylab.github.com)

Citations:

• 1: https://github.com/actions/create-github-app-token?utm_source=openai
• 2: https://docs.github.com/en/code-security/getting-started/understanding-github-secret-types?utm_source=openai
• 3: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/?utm_source=openai

---

Add fork protection conditionals to pytest-fast, pytest-no-creds, and dependency-analysis jobs.

Your concern is spot-on—but the issue affects more than pytest-no-creds. GitHub does NOT provide repository secrets to workflows triggered by a pull request from a fork, so all three jobs that use create-github-app-token will fail when triggered on fork PRs.

This is a design contradiction: the workflow comments explicitly state that pytest-no-creds exists to run tests "on forks, where secrets are not available," yet it now requires secrets for GitHub App authentication. The pytest job correctly protects against this with a fork conditional at lines 170–172, but pytest-fast, pytest-no-creds, and dependency-analysis lack this protection.

You'll want to add the same conditional to those three jobs:

if: >
  (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
  (github.event.pull_request.head.repo.fork == false)

Wdyt? Should pytest-no-creds perhaps have different logic if it's meant to be fork-friendly, or is the intent to require these jobs to only run on the main repo going forward?

🤖 Prompt for AI Agents

.github/workflows/python_pytest.yml lines 28-40: the jobs pytest-fast,
pytest-no-creds, and dependency-analysis call create-github-app-token and will
fail on forked PRs because secrets are not provided; add the same
fork-protection conditional used by the pytest job (the check that allows only
pushes to main or pull_request where github.event.pull_request.head.repo.fork ==
false) to each of those three job definitions so they are skipped for forked PR
runs.

[github-actions]

📝 [actionlint] _{reported by reviewdog 🐶}
shellcheck reported issue in this script: SC2086:info:2:27: Double quote to prevent globbing and word splitting [shellcheck]

PyAirbyte/.github/workflows/fix-pr-command.yml

Line 102 in 930434c

run: |

[github-actions]

📝 [actionlint] _{reported by reviewdog 🐶}
shellcheck reported issue in this script: SC2086:info:4:26: Double quote to prevent globbing and word splitting [shellcheck]

PyAirbyte/.github/workflows/fix-pr-command.yml

Line 102 in 930434c

run: |

[github-actions]

📝 [actionlint] _{reported by reviewdog 🐶}
shellcheck reported issue in this script: SC2086:info:2:27: Double quote to prevent globbing and word splitting [shellcheck]

PyAirbyte/.github/workflows/fix-pr-command.yml

Line 131 in 930434c

run: |

[github-actions]

📝 [actionlint] _{reported by reviewdog 🐶}
shellcheck reported issue in this script: SC2086:info:4:26: Double quote to prevent globbing and word splitting [shellcheck]

PyAirbyte/.github/workflows/fix-pr-command.yml

Line 131 in 930434c

run: |

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/test-pr-command.yml (1)

79-93: Update checkout step to use the app token for consistent private submodule access.

The original review comment is correct. I've verified that this is a bug: all 6 other workflows in .github/workflows/ that use submodules: recursive consistently use token: ${{ steps.get-app-token.outputs.token }}, but test-pr-command.yml is the only exception at line 91.

Interestingly, the same workflow creates the app token at line 81 and uses it successfully at lines 108 and 158 for other steps—so the pattern is clear within this very file.

Should line 91 be updated to use token: ${{ steps.get-app-token.outputs.token }}? This ensures the sonar submodule checkout has proper authentication to any private repositories, matching the established pattern across all other workflows. Wdyt?

🧹 Nitpick comments (1)

.github/workflows/pydoc_publish.yml (1)

44-46: Recursive submodule checkout may impact workflow performance and reliability.

Using submodules: recursive will fetch all nested submodules. While this ensures complete checkout, it could:

• Slow down the workflow if there are many nested submodules
• Increase the likelihood of transient failures if any nested submodule is temporarily unavailable

Should we consider using a non-recursive checkout if only the top-level sonar submodule is needed?

  - name: Checkout code
    uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
    with:
      token: ${{ steps.get-app-token.outputs.token }}
-     submodules: recursive
+     submodules: true

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b2883d and 930434c.

📒 Files selected for processing (6)

• .github/workflows/autofix.yml (1 hunks)
• .github/workflows/fix-pr-command.yml (2 hunks)
• .github/workflows/pydoc_preview.yml (1 hunks)
• .github/workflows/pydoc_publish.yml (1 hunks)
• .github/workflows/python_lint.yml (3 hunks)
• .github/workflows/test-pr-command.yml (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (All, Python 3.11, Windows)
• GitHub Check: Pytest (All, Python 3.10, Windows)
• GitHub Check: Pytest (All, Python 3.10, Ubuntu)

🔇 Additional comments (9)

.github/workflows/pydoc_preview.yml (1)

17-29: Verify that required GitHub App secrets are configured and have sufficient permissions.

The changes correctly implement GitHub App authentication and recursive submodule checkout to support the new sonar submodule. However, this requires:

1. Repository secrets OCTAVIA_BOT_APP_ID and OCTAVIA_BOT_PRIVATE_KEY to be configured in the repository settings
2. The GitHub App to have read access to both "PyAirbyte" and "sonar" repositories
3. The app token to have sufficient permissions (at minimum, read access to repository contents and metadata)

Could you verify that these prerequisites are in place, especially if this is the first workflow to use this GitHub App? Also, have you confirmed that similar configurations are applied consistently across other workflows (per the PR description, other workflow files receive similar updates)?

.github/workflows/python_lint.yml (2)

20-32: Verify GitHub App secrets are configured with appropriate permissions.

The three jobs (ruff-lint-check, ruff-format-check, python-type-checks) now require OCTAVIA_BOT_APP_ID and OCTAVIA_BOT_PRIVATE_KEY secrets to authenticate and checkout the private sonar submodule.

Before merging, confirm:

• These secrets exist in the repository settings
• The GitHub App has permissions to access both PyAirbyte and sonar repos
• The app token scope in the "repositories" field covers both repos (✓ already present: "PyAirbyte,sonar")

Without proper secrets, all linting jobs will fail during the GitHub App authentication step.

Wdyt on documenting these secret setup steps somewhere in the repo (e.g., CONTRIBUTING.md or in PR comments) for future maintainers?

---

30-32: Assess CI performance impact of recursive submodule checkout.

The submodules: recursive flag will recursively clone all nested submodules. If the sonar repo itself has submodules, this could add non-trivial time to checkout across three jobs.

Could you verify that:

• The sonar submodule doesn't have nested submodules that would bloat CI time?
• Or, if needed, consider submodules: true (non-recursive) if only the top-level sonar submodule is required?

Also applies to: 67-69, 100-102

.github/workflows/autofix.yml (2)

15-22: GitHub App authentication approach looks solid.

The app token strategy with explicit repository access (both PyAirbyte and sonar) is the right way to handle private submodule checkout. The action version is properly pinned, and the secrets reference is clean.

---

23-27: Potential credential mismatch between checkout and push—wdyt?

The checkout step uses the app token (from steps.get-app-token), but the push step still uses the default secrets.GITHUB_TOKEN. While this should work for the main PyAirbyte repo, I'm wondering if you should pass the app token to the push action for consistency, especially if the git configuration from the authenticated checkout expects the same credentials downstream.

- name: Push changes
  uses: ad-m/github-push-action@77c5b412c50b723d2a4fbc6d71fb5723bcd439aa # v1.0.0
  with:
-   github_token: ${{ secrets.GITHUB_TOKEN }}
+   github_token: ${{ steps.get-app-token.outputs.token }}

This is particularly relevant if any git operations later read from the sonar submodule or if the workflow ever needs to modify submodule references. Have you tested this with the submodule in place, or is this a case where GITHUB_TOKEN is expected to be sufficient?

Also applies to: 50-53

.github/workflows/fix-pr-command.yml (2)

43-43: Adding "sonar" repository to token scope looks good.

This change correctly grants the GitHub App permission to authenticate when cloning the private sonar submodule during checkout. Makes sense for the new dependency management approach.

Wdyt about verifying that the corresponding .gitmodules configuration is correctly set up elsewhere in the PR? That would confirm the end-to-end submodule setup is complete.

---

52-52: Recursive submodule checkout is consistent across CI workflows.

Verification confirms that submodules: recursive and the sonar repository scope are already established in all major workflows (python_pytest.yml, test-pr-command.yml, python_lint.yml, pydoc_publish.yml, pydoc_preview.yml, and autofix.yml). This change aligns perfectly with the existing pattern, ensuring the sonar submodule and any nested dependencies are properly fetched during CI jobs.

.github/workflows/pydoc_publish.yml (2)

39-39: Scoping verified: repository names in token match submodule configuration.

The verification confirms that the GitHub App token scoping is correct. The sonar repository name in the token scope matches the submodule configuration in .gitmodules exactly (sourced from https://github.com/airbytehq/sonar.git). The configuration is consistent and ready to go.

---

34-46: GitHub App authentication pattern is consistent with existing workflows; no action needed.

The OCTAVIA_BOT_APP_ID and OCTAVIA_BOT_PRIVATE_KEY secrets are already configured and in active use across nine other workflows (python_pytest.yml, python_lint.yml, autofix.yml, pydoc_preview.yml, and others). The pydoc_publish.yml changes follow the same established pattern, so there's no risk of CI failures due to missing secrets.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 930434c and 8513158.

📒 Files selected for processing (3)

• .github/workflows/python_pytest.yml (5 hunks)
• pyproject.toml (6 hunks)
• tests/unit_tests/integrations/test_integration.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/python_pytest.yml
• tests/unit_tests/integrations/test_integration.py

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Pytest (All, Python 3.10, Ubuntu)
• GitHub Check: Pytest (All, Python 3.10, Windows)
• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (All, Python 3.11, Windows)
• GitHub Check: Pytest (Fast)

🔇 Additional comments (3)

pyproject.toml (3)

58-59: Integrations group with path dependency looks good—how will users install it?

The setup is structurally correct: connector-sdk as a path dependency with develop = true is the right pattern for a temporary local/submodule dependency. However, users won't automatically get this group unless they explicitly install with --with integrations or similar.

Wdyt about clarifying in docs/README that users interested in Sonar integrations need to install with the integrations group? This could prevent confusion.

---

174-175: Sonar directory properly excluded from deptry analysis.

The deptry configuration correctly excludes the sonar submodule, which aligns with the PR objective to keep connector-sdk (still in submodule form) out of dependency checks. ✓

---

183-184: Connector-SDK properly ignored in optional-dependency rules.

Adding connector-sdk to both DEP004 (misplaced) and DEP002 (unused) ignore lists is sensible: it's an optional, lazily-imported integration dependency. The comments clearly explain why it's ignored, which helps maintainability.

Also applies to: 194-195

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Verify pytest-asyncio 0.23.0 compatibility with pytest 8.2.0.

You've added pytest-asyncio 0.23.0 and the corresponding asyncio marker, plus the --ignore=sonar flag. However, the PR notes mention two async tests are failing locally due to pytest-asyncio configuration issues. Please confirm that this version pairing is compatible and that the test failures are resolved, wdyt?

Also applies to: 95-95, 102-102

---

🌐 Web query:

Is pytest-asyncio 0.23.0 compatible with pytest 8.2.0? What configuration is needed?

💡 Result:

Short answer: No — pytest-asyncio 0.23.0 is not guaranteed fully compatible with pytest 8.2.0. The project fixed compatibility with pytest 8.2 in later 0.23.x releases (0.23.6) and bumped minimum pytest to 8.2.0 in 0.24.0, so you should upgrade pytest-asyncio to >=0.23.6 (better: >=0.24.0) when using pytest 8.2.0. [1][2]

Required/configuration notes:

• 0.23.0 removed the old asyncio_event_loop mark — use pytest.mark.asyncio(scope="module"|"class"|...) to request non-function loop scopes. You can also use the event_loop_policy fixture introduced in 0.23.0. [3][1]
• From 0.24.0 onward the API prefers loop_scope (instead of scope) for pytest.mark.asyncio and adds the asyncio_default_fixture_loop_scope config option; upgrade if you want the newer config options and explicit support for pytest ≥8.2.0. [2][1]

References:

• pytest-asyncio changelog (0.23.x / fixes for pytest 8.2 / 0.24.0 notes). [1][2]
• pytest-asyncio markers/docs (usage of pytest.mark.asyncio with scope). [3]

---

---

🏁 Script executed:

#!/bin/bash
# Examine pyproject.toml at relevant lines and surrounding context
cat pyproject.toml | head -110 | tail -40

Length of output: 46

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Search for pyproject.toml in repository
find . -name "pyproject.toml" -type f 2>/dev/null | head -5

Length of output: 65

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Examine pyproject.toml to see pytest and pytest-asyncio versions and configuration
cat ./pyproject.toml | sed -n '60,110p'

Length of output: 2085

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Search for pytest.mark.asyncio usage in test files
rg -n "pytest\.mark\.asyncio|@asyncio|async def test_" --type py tests/ | head -20

Length of output: 829

---

Upgrade pytest-asyncio to at least 0.23.6 or 0.24.0 to resolve pytest 8.2.0 compatibility issues.

The pytest-asyncio 0.23.0 you've specified is not guaranteed fully compatible with pytest 8.2.0—compatibility was fixed in later 0.23.x releases (0.23.6) and in 0.24.0. This aligns with your note that async tests are failing locally.

Your tests are using the correct @pytest.mark.asyncio marker (the proper API for 0.23.0+), so the marker configuration is right. However, the version pairing itself is the issue.

Consider updating your constraint from "^0.23.0" to "^0.23.6" or "^0.24.0" in pyproject.toml (line 71). From 0.24.0 onward, the API prefers loop_scope instead of scope for pytest.mark.asyncio and adds the asyncio_default_fixture_loop_scope config option, which gives you more explicit control, wdyt?

🤖 Prompt for AI Agents

In pyproject.toml around line 72, the pytest-asyncio dependency is pinned to
"^0.23.0" which is incompatible with pytest 8.2.0; update the constraint to a
compatible release such as "^0.23.6" or "^0.24.0" to resolve async test
failures, then run dependency install and tests to verify the issue is fixed.