Conversation

@vikramdevtron
Contributor

@vikramdevtron vikramdevtron commented Jul 18, 2025

Description

Fixes #

Checklist:

  • The title of the PR states what changed and the related issue number (used for the release note).
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have tested it for all user roles.
  • I have added all the required unit/api test cases.

Does this PR introduce a user-facing change?


Summary by Bito

This pull request prepares release candidate v0.40.0 with multiple enhancements focused on API token security, improved error handling, and event payload refinements. It includes extensive refactoring of key modules like UserAttributesService with robust JSON parsing and merging logic. The PR also updates dependencies, streamlines import paths, and incorporates standardized retry mechanisms across Git-related services.

Ash-exp and others added 30 commits June 24, 2025 03:56
* notifier v1 removed

* notifier v1 removed
…rviceImpl` to make token visibility configurable
fix: Build get Stuck Indefinitely in case of K8s Driver When Node Termination Occurs
feat: enhance patch support for user attribute patch api within nested structure
@bito-code-review

bito-code-review bot commented Jul 18, 2025

Code Review Agent Run #48c44b

Actionable Suggestions - 0
Review Details
  • Files reviewed - 25 · Commit Range: a93ab0e..6bb7bed
    • api/openapi/openapiClient/model_create_api_token_response.go
    • api/openapi/openapiClient/model_update_api_token_response.go
    • api/restHandler/UserAttributesRestHandler.go
    • client/argocdServer/ArgoClientWrapperService.go
    • client/events/EventClient.go
    • cmd/external-app/wire_gen.go
    • go.mod
    • go.sum
    • internal/sql/repository/NotificationSettingsRepository.go
    • pkg/apiToken/ApiTokenService.go
    • pkg/attributes/UserAttributesService.go
    • pkg/attributes/UserAttributesService_test.go
    • pkg/attributes/adapter/adapter.go
    • pkg/attributes/bean/bean.go
    • pkg/build/trigger/HandlerService.go
    • pkg/build/trigger/HandlerService_ent.go
    • pkg/deployment/gitOps/git/GitOperationService.go
    • pkg/deployment/gitOps/git/GitServiceAzure.go
    • pkg/deployment/gitOps/git/GitServiceBitbucket.go
    • pkg/deployment/gitOps/git/GitServiceGithub.go
    • pkg/deployment/gitOps/git/GitServiceGitlab.go
    • pkg/deployment/trigger/devtronApps/postStageHandlerCode.go
    • pkg/k8s/application/k8sApplicationService.go
    • pkg/pipeline/types/Workflow.go
    • wire_gen.go
  • Files skipped - 3
    • env_gen.json - Reason: Filter setting
    • env_gen.md - Reason: Filter setting
    • vendor/modules.txt - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • GOVULNCHECK (Security Vulnerability) - ✖︎ Failed
    • SNYK (Security Vulnerability) - ✔︎ Successful
    • OWASP (Security Vulnerability) - ✔︎ Successful


@bito-code-review

Changelist by Bito

This pull request implements the following key changes.

Key Change / Files Impacted
Feature Improvement - Enhanced API Token Functionality and Event Payloads

model_create_api_token_response.go - Added hideApiToken field and its accessor methods to secure API token visibility.

model_update_api_token_response.go - Integrated hideApiToken field and corresponding accessors for improved token management.

EventClient.go - Refactored event payload generation to use the new V2 method, deprecating the old payload function.

ApiTokenService.go - Implemented token configuration to conditionally hide API tokens and updated API responses accordingly.

adapter.go - Introduced BuildResponseDTO to convert request DTOs into a standardized response structure.

bean.go - Defined UserPreferencesResourcesKey constant and UserAttributesDto struct to better support resource-based attribute management.

Other Improvements - Code Refactoring and Dependency Updates

UserAttributesService.go - Refactored PatchUserAttributes along with auxiliary functions to enhance error handling and improve JSON merging logic.

UserAttributesRestHandler.go - Updated to use bean.UserAttributesDto instead of attributes.UserAttributesDto and adjusted imports for consistency.

ArgoClientWrapperService.go - Replaced deprecated retry function import with the updated common-lib retryFunc for consistent dependency management.

go.mod - Updated dependency versions for authenticator and common-lib to ensure compatibility with recent changes.

go.sum - Revised checksum entries to reflect the updated dependency versions.

HandlerService.go - Replaced BuildxCacheFlags with BuildxGlobalFlags and updated the workflow request logic for improved build cache handling.

HandlerService_ent.go - Updated workflow request helper to utilize BuildxGlobalFlags for consistency across build configurations.

GitOperationService.go - Optimized retryable error handling by integrating the common retryFunc utility for Git operations.

GitServiceAzure.go - Updated import paths to use the common-lib retryFunc for improved error management in Azure Git service.

GitServiceBitbucket.go - Replaced deprecated retry function import with the updated common retryFunc to align with new dependency standards.

GitServiceGithub.go - Standardized retry function usage using common-lib utilities, enhancing reliability of GitHub service operations.

GitServiceGitlab.go - Aligned retry function utilization with common retryFunc for consistent error handling in GitLab service.

Bug Fix - Improved Error Handling and Query Correction

wire_gen.go - Introduced error handling during apiTokenServiceImpl instantiation to capture initialization failures.

NotificationSettingsRepository.go - Removed an unnecessary join from the SQL query, correcting notification settings retrieval.

postStageHandlerCode.go - Fixed missing artifact assignment by setting request.Artifact, ensuring proper downstream processing.

k8sApplicationService.go - Enhanced error logging and added conditional checks for pod status and ephemeral container termination.

wire_gen.go - Updated go:generate directive and improved error handling for apiTokenServiceImpl instantiation to ensure robust dependency injection.

Testing - Robust Testing for Attribute and Resource Merging

UserAttributesService_test.go - Added comprehensive tests for merging user attributes and resources, validating new JSON parsing and merging logic.

New Feature - Enhanced Workflow Build Configuration

Workflow.go - Added BuildxInterruptionMaxRetry field for configuring maximum retry attempts during build interruptions.

workflowRequest, err = impl.updateWorkflowRequestWithBuildxFlags(workflowRequest, scope)
if err != nil {
impl.Logger.Errorw("error, updateWorkflowRequestWithBuildCacheData", "workflowRequest", workflowRequest, "err", err)
impl.Logger.Errorw("error, updateWorkflowRequestWithBuildxFlags", "workflowRequest", workflowRequest, "err", err)

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

Sensitive data returned by an access to Password
flows to a logging call.
Sensitive data returned by an access to DockerPassword
flows to a logging call.
Sensitive data returned by an access to SecretKey
flows to a logging call.
Sensitive data returned by an access to BlobStorageS3SecretKey
flows to a logging call.
Sensitive data returned by an access to Password
flows to a logging call.

Copilot Autofix

AI 4 months ago

To fix the problem, we need to ensure that sensitive information such as passwords, private keys, and access tokens are not logged. The most robust solution is to avoid logging the entire workflowRequest object, and instead log only non-sensitive fields, or to sanitize/redact sensitive fields before logging.

Best way to fix:

  • Replace the log call on line 874 that logs the entire workflowRequest object with a call that logs only non-sensitive summary information—such as workflowRequest.WorkflowNamePrefix, workflowRequest.PipelineId, or other relevant identifiers.
  • If deeper debugging information is needed, explicitly construct a sanitized version of the object for logging, omitting or replacing sensitive fields with redacted values.
  • This change should be made in pkg/build/trigger/HandlerService.go at the site of the vulnerable logging call.

No new imports are needed; we simply need to adjust the logger usage to avoid logging sensitive fields.


Suggested changeset 1
pkg/build/trigger/HandlerService.go

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/pkg/build/trigger/HandlerService.go b/pkg/build/trigger/HandlerService.go
--- a/pkg/build/trigger/HandlerService.go
+++ b/pkg/build/trigger/HandlerService.go
@@ -871,7 +871,12 @@
 	}
 	workflowRequest, err = impl.updateWorkflowRequestWithBuildxFlags(workflowRequest, scope)
 	if err != nil {
-		impl.Logger.Errorw("error, updateWorkflowRequestWithBuildxFlags", "workflowRequest", workflowRequest, "err", err)
+		impl.Logger.Errorw(
+			"error, updateWorkflowRequestWithBuildxFlags",
+			"workflowNamePrefix", workflowRequest.WorkflowNamePrefix,
+			"pipelineId", workflowRequest.PipelineId,
+			"err", err,
+		)
 		return nil, nil, nil, err
 	}
 	if impl.canSetK8sDriverData(workflowRequest) {
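Review bot: the replacement Errorw in this hunk only fixes this one call site; CodeQL raises the "clear-text logging" alert per logging call that receives the full struct, so any other `"workflowRequest", workflowRequest` argument in HandlerService.go (the same pattern appears in the `updateWorkflowRequestWithBuildCacheData` line shown above the alert) will keep the check failing. Before merging the autofix, grep for that argument pattern in the file and confirm that `WorkflowNamePrefix` and `PipelineId` are the only fields callers need. A more durable fix than per-call field selection is to give the request type a redacting log representation (a method that emits non-secret fields and replaces Password, DockerPassword, SecretKey and BlobStorageS3SecretKey with a fixed marker), so that no future call site can leak the struct by logging it whole.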
EOF
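The autofix comment above recommends logging only non-sensitive identifiers or a sanitized copy of the request. The following Go program is an added example (not Devtron's code and not part of this PR) showing the second approach generically: a struct-tag driven redactor that turns any request struct into structured-logger key/value pairs with secret fields replaced by a marker, plus a guard that a unit test can use to prove a rendered line never contains a known secret. `WorkflowRequest` here is a hypothetical stand-in whose field names mirror those in the CodeQL alert (`Password`, `DockerPassword`, `SecretKey`, `BlobStorageS3SecretKey`, `WorkflowNamePrefix`, `PipelineId`); the `log:"secret"` tag, `SafeLogFields`, `RenderLogLine` and `ContainsSecret` are all assumptions of this example.

```go
// Added example (not Devtron code): redact secret struct fields before they
// reach a structured logger, instead of trusting every call site to pick
// safe fields by hand.
package main

import (
	"fmt"
	"reflect"
	"strings"
)

const redacted = "[REDACTED]"

// WorkflowRequest is a hypothetical stand-in for the real request type.
// Fields tagged `log:"secret"` are never emitted verbatim.
type WorkflowRequest struct {
	WorkflowNamePrefix     string
	PipelineId             int
	DockerRegistryURL      string
	Password               string `log:"secret"`
	DockerPassword         string `log:"secret"`
	SecretKey              string `log:"secret"`
	BlobStorageS3SecretKey string `log:"secret"`
}

// SafeLogFields walks a struct (value or pointer) and returns alternating
// key/value pairs, as a structured logger's variadic "w" methods expect,
// with every field tagged `log:"secret"` replaced by a fixed marker.
// Secrets are marked even when empty, so the output does not reveal
// whether a credential was set. Unexported fields are skipped.
func SafeLogFields(v interface{}) []interface{} {
	rv := reflect.ValueOf(v)
	if rv.Kind() == reflect.Ptr {
		if rv.IsNil() {
			return nil
		}
		rv = rv.Elem()
	}
	if rv.Kind() != reflect.Struct {
		return []interface{}{"value", fmt.Sprint(v)}
	}
	rt := rv.Type()
	fields := make([]interface{}, 0, 2*rt.NumField())
	for i := 0; i < rt.NumField(); i++ {
		f := rt.Field(i)
		if f.PkgPath != "" { // unexported field
			continue
		}
		if f.Tag.Get("log") == "secret" {
			fields = append(fields, f.Name, redacted)
			continue
		}
		fields = append(fields, f.Name, rv.Field(i).Interface())
	}
	return fields
}

// RenderLogLine mimics how a logfmt-style sink would print a message plus
// key/value pairs, so the redaction can be checked on the final text.
func RenderLogLine(msg string, kv ...interface{}) string {
	var b strings.Builder
	b.WriteString(msg)
	for i := 0; i+1 < len(kv); i += 2 {
		fmt.Fprintf(&b, " %v=%v", kv[i], kv[i+1])
	}
	return b.String()
}

// ContainsSecret reports whether a rendered line leaks any of the given
// secret values; intended as a test-time guard on logging code.
func ContainsSecret(line string, secrets ...string) bool {
	for _, s := range secrets {
		if s != "" && strings.Contains(line, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample request with placeholder credentials.
	req := &WorkflowRequest{
		WorkflowNamePrefix:     "ci-",
		PipelineId:             42,
		DockerRegistryURL:      "registry.example.invalid",
		Password:               "hunter2",
		DockerPassword:         "dckr-pw-9",
		SecretKey:              "AKIAEXAMPLEKEY",
		BlobStorageS3SecretKey: "s3-secret-1",
	}
	// The pattern CodeQL flags: the whole struct goes into the log.
	fmt.Println(RenderLogLine("error, updateWorkflowRequestWithBuildxFlags", "workflowRequest", req))
	// The redacting alternative: same context, secrets replaced.
	fmt.Println(RenderLogLine("error, updateWorkflowRequestWithBuildxFlags", SafeLogFields(req)...))
}
```

With a real logger the call becomes `impl.Logger.Errorw(msg, append(SafeLogFields(workflowRequest), "err", err)...)`, and the `ContainsSecret` guard can sit in a unit test that renders the line through the logger's encoder, which is what keeps the CodeQL finding from reappearing at a new call site.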
@vikramdevtron vikramdevtron merged commit 74a4c04 into main Jul 18, 2025
11 of 12 checks passed