pcu 0.6.14

A CI tool to update change log in a PR
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336

use super::signature_ops::TrustMap;
use crate::Error;
use octocrate::{Collaborator, GitHubAPI};
use std::process::Command;

/// Fetch trusted collaborators and their GPG keys from GitHub
///
/// This function:
/// 1. Fetches all collaborators with write/admin access
/// 2. For each collaborator, fetches their GPG keys
/// 3. Builds a TrustMap (email -> key IDs)
///
/// Privacy: Only logs aggregate counts, not individual names/emails
pub async fn fetch_trust_list(
    github: &GitHubAPI,
    owner: &str,
    repo: &str,
) -> Result<TrustMap, Error> {
    log::info!("Fetching trusted collaborators from GitHub API");

    // Fetch collaborators with push/admin permissions
    let collaborators = github.repos.list_collaborators(owner, repo).send().await?;

    // Filter to only those with write or admin access
    let trusted_collaborators: Vec<_> = collaborators
        .into_iter()
        .filter(|collab| {
            collab
                .permissions
                .as_ref()
                .is_some_and(|perms| perms.push || perms.admin)
        })
        .collect();

    log::info!(
        "Found {} collaborator(s) with write access",
        trusted_collaborators.len()
    );

    let mut trust_map = TrustMap::new();
    let total_keys = process_collaborators(github, trusted_collaborators, &mut trust_map).await?;

    log::info!("Imported {total_keys} GPG key(s)");
    log::info!(
        "Built trust map with {} email→key mapping(s)",
        trust_map.len()
    );

    // Also add GitHub's web-flow key for merge commits
    add_github_webflow_key(&mut trust_map)?;

    Ok(trust_map)
}

async fn process_collaborators(
    github: &GitHubAPI,
    trusted_collaborators: Vec<octocrate::Collaborator>,
    trust_map: &mut TrustMap,
) -> Result<usize, Error> {
    let mut total_keys = 0;

    for collaborator in trusted_collaborators {
        let username = &collaborator.login;

        // Fetch GPG keys for this user
        let gpg_keys = match github.users.list_gpg_keys_for_user(username).send().await {
            Ok(keys) => keys,
            Err(e) => {
                log::debug!("Failed to fetch GPG keys for user: {e}");
                continue;
            }
        };

        if gpg_keys.is_empty() {
            log::trace!("No GPG keys found for collaborator");
            continue;
        }

        total_keys += process_gpg_keys(gpg_keys, &collaborator, trust_map)?;
    }

    Ok(total_keys)
}

fn process_gpg_keys(
    gpg_keys: Vec<octocrate::GpgKey>,
    collaborator: &Collaborator,
    trust_map: &mut TrustMap,
) -> Result<usize, Error> {
    let username = &collaborator.login;
    let user_id = collaborator.id;
    let key_count = gpg_keys.len();

    // Process each GPG key
    for key in gpg_keys {
        // Extract key ID
        let key_id = &key.key_id;

        // Import the public key into GPG keyring for git verification
        if let Some(ref raw_key) = key.raw_key {
            import_key_to_gpg(raw_key)?;
        }

        // Collect all key IDs: primary key plus all subkeys.
        // git reports the signing subkey's ID in %GK, not the primary key ID.
        // The GitHub API returns subkeys in key.subkeys[].key_id, so we add
        // them all to the trust map so subkey-signed commits verify correctly.
        let mut all_key_ids: Vec<String> = vec![key_id.clone()];
        for subkey in &key.subkeys {
            if let Some(ref subkey_id) = subkey.key_id {
                if !subkey_id.is_empty() {
                    all_key_ids.push(subkey_id.clone());
                }
            }
        }
        log::trace!(
            "Processing GPG key with {} id(s) (primary + subkeys)",
            all_key_ids.len()
        );

        // Map each email to all key IDs (primary and subkeys)
        for email_obj in &key.emails {
            if let Some(email) = &email_obj.email {
                for kid in &all_key_ids {
                    trust_map
                        .entry(email.clone())
                        .or_default()
                        .push(kid.clone());
                }
                log::trace!("Added trust mapping (aggregate count only in logs)");
            }
        }

        // Also add GitHub noreply email formats with all key IDs
        let noreply_email = format!("{username}@users.noreply.github.com");
        let id_email = format!("{user_id}+{username}@users.noreply.github.com");
        for kid in &all_key_ids {
            trust_map
                .entry(noreply_email.clone())
                .or_default()
                .push(kid.clone());
            trust_map
                .entry(id_email.clone())
                .or_default()
                .push(kid.clone());
        }
    }

    Ok(key_count)
}

/// Import a GPG public key into the system keyring
///
/// This is needed so that `git show --show-signature` can verify signatures.
/// The key is imported via `gpg --import`.
fn import_key_to_gpg(raw_key: &str) -> Result<(), Error> {
    let mut child = Command::new("gpg")
        .arg("--import")
        .arg("--quiet")
        .stdin(std::process::Stdio::piped())
        .stdout(std::process::Stdio::null())
        .stderr(std::process::Stdio::null())
        .spawn()
        .map_err(|e| Error::GitError(format!("Failed to spawn gpg: {e}")))?;

    if let Some(mut stdin) = child.stdin.take() {
        use std::io::Write;
        stdin
            .write_all(raw_key.as_bytes())
            .map_err(|e| Error::GitError(format!("Failed to write to gpg stdin: {e}")))?;
    }

    let status = child
        .wait()
        .map_err(|e| Error::GitError(format!("Failed to wait for gpg: {e}")))?;

    if !status.success() {
        return Err(Error::GitError("GPG import failed".to_string()));
    }

    Ok(())
}

/// Add GitHub's web-flow GPG key for merge commits
///
/// GitHub signs merge commits with their web-flow key.
/// Key ID: B5690EEEBB952194
fn add_github_webflow_key(trust_map: &mut TrustMap) -> Result<(), Error> {
    const GITHUB_WEBFLOW_KEY: &str = "B5690EEEBB952194";
    const GITHUB_WEBFLOW_EMAIL: &str = "noreply@github.com";

    log::debug!("Adding GitHub web-flow key for merge commits");

    trust_map
        .entry(GITHUB_WEBFLOW_EMAIL.to_string())
        .or_default()
        .push(GITHUB_WEBFLOW_KEY.to_string());

    // Import GitHub's web-flow key into GPG
    // Fetch from GitHub's public key server
    let webflow_key_url = "https://github.com/web-flow.gpg";

    let output = Command::new("curl")
        .arg("-sL")
        .arg("--proto")
        .arg("=https")
        .arg("--tlsv1.2")
        .arg(webflow_key_url)
        .output()
        .map_err(|e| Error::GitError(format!("Failed to fetch GitHub web-flow key: {e}")))?;

    if output.status.success() {
        let key_data = String::from_utf8_lossy(&output.stdout);
        import_key_to_gpg(&key_data)?;
        log::debug!("Imported GitHub web-flow key");
    } else {
        log::warn!("Failed to fetch GitHub web-flow key, merge commits may not verify");
    }

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use octocrate::{Collaborator, GpgKey};

    fn make_collaborator(login: &str, id: i64) -> Collaborator {
        serde_json::from_str(&format!(
            r#"{{"login":"{login}","id":{id},"node_id":"","avatar_url":"","gravatar_id":null,
               "url":"","html_url":"","followers_url":"","following_url":"",
               "gists_url":"","starred_url":"","subscriptions_url":"",
               "organizations_url":"","repos_url":"","events_url":"",
               "received_events_url":"","type":"User","site_admin":false,
               "permissions":{{"pull":true,"push":true,"admin":false}},
               "role_name":"write"}}"#
        ))
        .unwrap()
    }

    fn make_gpg_key(primary_id: &str, email: &str, subkey_ids: &[&str]) -> GpgKey {
        let subkeys_json: String = subkey_ids
            .iter()
            .map(|k| {
                format!(
                    r#"{{"can_certify":null,"can_encrypt_comms":null,"can_encrypt_storage":null,
                        "can_sign":true,"created_at":null,"emails":null,"expires_at":null,
                        "id":null,"key_id":"{k}","primary_key_id":null,"public_key":null,
                        "raw_key":null,"revoked":null,"subkeys":null}}"#
                )
            })
            .collect::<Vec<_>>()
            .join(",");

        serde_json::from_str(&format!(
            r#"{{"can_certify":false,"can_encrypt_comms":false,"can_encrypt_storage":false,
               "can_sign":true,"created_at":"2025-01-01T00:00:00Z",
               "emails":[{{"email":"{email}","verified":true}}],
               "expires_at":null,"id":1,"key_id":"{primary_id}","name":null,
               "primary_key_id":null,"public_key":"test","raw_key":null,
               "revoked":false,"subkeys":[{subkeys_json}]}}"#
        ))
        .unwrap()
    }

    // Test key IDs are fictional hex strings; they are not real GPG keys.
    const TEST_PRIMARY_KEY: &str = "1A2B3C4D5E6F7A8B";
    const TEST_SUBKEY: &str = "9C0D1E2F3A4B5C6D";
    const TEST_USER: &str = "test-user-999";
    const TEST_USER_ID: i64 = 999_000_001;

    #[test]
    fn test_subkey_ids_added_to_trust_map() {
        let collaborator = make_collaborator(TEST_USER, TEST_USER_ID);
        let email = format!("{TEST_USER}@example.test");
        let key = make_gpg_key(TEST_PRIMARY_KEY, &email, &[TEST_SUBKEY]);
        let mut trust_map = TrustMap::new();
        process_gpg_keys(vec![key], &collaborator, &mut trust_map).unwrap();

        let noreply = format!("{TEST_USER}@users.noreply.github.com");
        let keys = trust_map.get(&noreply).unwrap();
        assert!(
            keys.contains(&TEST_PRIMARY_KEY.to_string()),
            "primary key ID should be in trust map"
        );
        assert!(
            keys.contains(&TEST_SUBKEY.to_string()),
            "subkey ID should be in trust map"
        );
    }

    #[test]
    fn test_primary_key_only_still_works() {
        let collaborator = make_collaborator(TEST_USER, TEST_USER_ID);
        let email = format!("{TEST_USER}@example.test");
        let key = make_gpg_key(TEST_PRIMARY_KEY, &email, &[]);
        let mut trust_map = TrustMap::new();
        process_gpg_keys(vec![key], &collaborator, &mut trust_map).unwrap();

        let noreply = format!("{TEST_USER}@users.noreply.github.com");
        let keys = trust_map.get(&noreply).unwrap();
        assert_eq!(keys.len(), 1, "only primary key should be present");
        assert!(keys.contains(&TEST_PRIMARY_KEY.to_string()));
    }

    #[test]
    fn test_add_github_webflow_key() {
        let mut trust_map = TrustMap::new();

        // May fail to fetch/import key in test environment, but should add to trust map
        let _ = add_github_webflow_key(&mut trust_map);

        assert!(trust_map.contains_key("noreply@github.com"));
        assert!(trust_map["noreply@github.com"].contains(&"B5690EEEBB952194".to_string()));
    }

    #[test]
    fn test_trust_map_multiple_keys_per_email() {
        let mut trust_map = TrustMap::new();

        // Simulate multiple keys for same email
        trust_map
            .entry("test@example.test".to_string())
            .or_default()
            .push("KEY1".to_string());

        trust_map
            .entry("test@example.test".to_string())
            .or_default()
            .push("KEY2".to_string());

        assert_eq!(trust_map["test@example.test"].len(), 2);
        assert!(trust_map["test@example.test"].contains(&"KEY1".to_string()));
        assert!(trust_map["test@example.test"].contains(&"KEY2".to_string()));
    }
}