fix(deploy): guard GitHub OAuth callback route registration (#1146)#1185
fix(deploy): guard GitHub OAuth callback route registration (#1146)#1185yanyishuai wants to merge 1 commit into
Conversation
|
Warning Review limit reached
Next review available in: 59 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Repository UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (7)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
JeremyZeng77
left a comment
There was a problem hiding this comment.
The current head is not merge-ready because the new public link checker imports a helper module that is not present in this PR.
Evidence checked:
- Reviewed the changed files:
scripts/check_public_mrwk_links.py,tests/test_check_public_mrwk_links.py,tests/test_oauth_deploy_smoke.py,app/oauth_deploy_smoke.py, deploy-ready wiring, runbook notes, and the public link fixture. - CI run
28415796267fails during pytest collection before the suite can run. - Both
tests/test_check_public_mrwk_links.pyandtests/test_oauth_deploy_smoke.pyimportscripts.check_public_mrwk_links; that module importsGH_TIMEOUT_SECONDSfromscripts.gh_cli_constants. scripts/gh_cli_constants.pyis not included in this PR's changed-file list, so collection stops withModuleNotFoundError: No module named 'scripts.gh_cli_constants'.
Suggested fix: include the shared scripts/gh_cli_constants.py helper in this branch, or keep this PR self-contained by defining a local timeout constant for the public link checker.
b1cf950 to
6cdd8c9
Compare
qingfeng312
left a comment
There was a problem hiding this comment.
Reviewed updated head 6cdd8c9f4b86267882fd305d83df16b4fa9f7779.
This still needs changes before merge. Hosted pytest fails during collection because scripts/check_public_mrwk_links.py imports GH_TIMEOUT_SECONDS from scripts.gh_cli_constants, but this PR still does not add that module. The import blocks both tests/test_check_public_mrwk_links.py and tests/test_oauth_deploy_smoke.py before the new guardrails can run.
There is also a functional gap in the deploy link check: --input still appends load_input_rows(args.input) directly to rows, so the runbook fixture analyzes cached status_code/body values instead of live-probing the published bounty/proposal/proof/OAuth URLs. The post-deploy command should normalize input rows and call probe_url() for each URL, with regression coverage for that path.
670d115 to
9356b27
Compare
|
OAuth deploy smoke guard for #1146 is green on Includes Wallet: |
qingfeng312
left a comment
There was a problem hiding this comment.
Reviewed updated head 9356b27fe0dc39ab015d15014238d1e7ad6f34e3.
The import blocker is fixed and hosted checks are green, but the deploy health check still needs one functional change before merge: the runbook --input fixtures/public_mrwk_links.json --fail-on-issues path still does not live-probe those URLs. main() extends rows directly with load_input_rows(args.input), so the deploy gate analyzes cached status_code/body values from the fixture instead of checking the current public OAuth/bounty/proposal/proof endpoints.
Please normalize input rows to URL/type/source and call probe_url() for each --input URL before analyze_probe_results(). The fixture should describe targets, not pre-bake healthy results. Add focused regression coverage proving --input invokes probing and that --fail-on-issues exits nonzero on unhealthy live-probe results.
9356b27 to
120ecdc
Compare
akmhatey-ai
left a comment
There was a problem hiding this comment.
Reviewed current head 120ecdcffc5bdf8191c355ddce5b15f1540f34b8.
Requesting changes; two local gates still fail on this patch:
git diff --check origin/main...HEADreports trailing-whitespace/CRLF issues across the newly added files, includingapp/oauth_deploy_smoke.py,scripts/check_public_mrwk_links.py,fixtures/public_mrwk_links.json, and the new tests. Normalizing those new files to LF should clear it.python -m mypy app scripts/check_deploy_ready.py scripts/check_public_mrwk_links.pyreports:
scripts\check_public_mrwk_links.py:103: error: Returning Any from function declared to return "list[dict[str, Any]]" [no-any-return]
Validation run locally:
python -m pytest tests/test_oauth_deploy_smoke.py tests/test_check_public_mrwk_links.py -q->10 passed, 1 warningpython -m pytest -q->915 passed, 1 warningpython -m ruff format --check .->130 files already formatted(cache write warning only)python -m ruff check .->All checks passed!(cache write warning only)python scripts/check_public_mrwk_links.py --input fixtures/public_mrwk_links.json --fail-on-issues->checked: 5,unhealthy: 0python scripts/check_deploy_ready.pywith local sqlite/test env ->Deploy readiness check passed.gitleaks git --log-opts="origin/main..HEAD" --redact --no-banner->no leaks found
The mypy fix should be small: validate or cast the loaded links array before returning it from load_input_rows.
qingfeng312
left a comment
There was a problem hiding this comment.
Reviewed current head 120ecdcffc5bdf8191c355ddce5b15f1540f34b8.
Requesting changes. The OAuth deploy smoke and public-link fixture pieces are present now, and the hosted quality check is green, but the runbook still documents commands that this PR does not provide. The diff adds instructions for scripts/flag_superseded_review_rounds.py, fixtures/review-rounds.json, and scripts/template_text_smoke.py; none of those files are added by this PR, and they are not present on the base branch. Merging this as-is would publish admin-runbook commands that fail immediately for maintainers.
Please either remove those unrelated runbook sections from this PR or include the referenced scripts and fixtures with tests.
|
External bounty ready for maintainer review — acceptance criteria documented in PR body. Happy to address feedback immediately. |
|
@qingfeng312 @JeremyZeng77 @akmhatey-ai — addressed the review feedback on the current head:
Please recheck when convenient. Wallet: |
120ecdc to
b4911f8
Compare
Summary
Production
/auth/github/callbackwas returning an ExpressCannot GETshell,which means the public host was not serving the MergeWork FastAPI app. This PR
adds deploy-time and link-health guardrails so that regression is caught before
contributor sign-in breaks again. Closes #1146.
Changes
app/oauth_deploy_smoke.py— verify login/callback routes are registered(503/422 from FastAPI, not 404 / Express shell)
scripts/check_deploy_ready.py— run OAuth route registration gate on deployscripts/check_public_mrwk_links.py— OAuth-specific health rules (422/503 OK)fixtures/public_mrwk_links.json— representative public URLs incl. OAuthWhy
Issue #1146 blocked
/meGitHub sign-in when production served the wrong appfor the OAuth callback path. The routes already exist in
app/auth.py; thischange makes a bad deploy fail fast instead of silently breaking payouts.
Test plan
Wallet
Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpECloses #1146