[releaser] fixed staging untracked files #552

[kirmada1509]

Replaced 'git add .' with '-u' to prevent accidental staging of untracked or sensitive files. The tool now only processes changes to files already tracked by the repository. Fixes #552

Checklist

• I have read the OpenWISP Contributing Guidelines.
• I have manually tested the changes proposed in this pull request.
• I have written new test cases for new code and/or updated existing tests for changes to existing code.
• I have updated the documentation.

Reference to Existing Issue

Closes #552

Description of Changes

The releaser tool was using git add ., which staged all files in the directory including untracked files.

I have updated the command to git add -u, which ensures only files already tracked by git are staged for commit

Summary by CodeRabbit

• Bug Fixes
  • Release flow now stages only tracked file changes, preventing accidental inclusion of untracked files.
• Chores
  • Updated release log message to accurately indicate that only tracked changes are being staged.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The release tool's git staging command was changed from git add . to git add -u, and the preceding log message was updated to indicate staging of tracked changes only, preventing untracked files from being added to commits.

Changes

Cohort / File(s)	Summary
Release Tool Git Staging Fix openwisp_utils/releaser/release.py	Replaced git add . with git add -u to stage only tracked file changes instead of all files. Updated log message from "Adding all changed files to git..." to "Adding tracked changes to git..." to match behavior.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 I hopped through commits with a careful paw,
Swapped "add all" for tracked—no surprise or flaw.
Quietly guarding secrets that shouldn't roam,
Now the releaser keeps only tracked files home.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: fixing the releaser tool's staging behavior to avoid untracked files, addressing issue #552.
Description check	✅ Passed	The description covers the key changes and references the linked issue, though manual testing, automated tests, and documentation updates remain incomplete per the checklist.
Linked Issues check	✅ Passed	The changes directly address issue #552 by replacing 'git add .' with 'git add -u' to stage only tracked files, preventing accidental commits of untracked files.
Out of Scope Changes check	✅ Passed	All changes are in-scope: only the git staging command and its log message were modified to address the security issue in #552.

✨ Finishing touches

• 📝 Generate docstrings

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 981a588 and b0bc235.

📒 Files selected for processing (1)

• openwisp_utils/releaser/release.py

🧰 Additional context used

🪛 Ruff (0.14.10)

openwisp_utils/releaser/release.py

362-362: Starting a process with a partial executable path

(S607)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.0.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.11 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.2.0

🔇 Additional comments (1)

openwisp_utils/releaser/release.py (1)

361-362: LGTM! Changes correctly address the security concern.

The change from git add . to git add -u appropriately restricts staging to only tracked file modifications, preventing accidental inclusion of untracked or sensitive files. The updated log message accurately reflects the new behavior. This implementation aligns perfectly with the PR objective to prevent unintended file commits.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

openwisp_utils/releaser/release.py (1)

361-362: LGTM! Security issue addressed correctly.

The change from git add . to git add -u successfully prevents untracked files from being staged, addressing the security concern in issue #552. The log message update accurately reflects the new behavior.

Consider an even more precise approach:

While git add -u is a significant improvement, it still stages all tracked changes in the repository. For maximum precision, you could explicitly stage only the files modified by the release process (changelog and version files). This follows the pattern used in port_changelog_to_main at Line 215.

🔎 More precise alternative

-    print("Adding tracked changes to git...")
-    subprocess.run(["git", "add", "-u"], check=True, capture_output=True)
+    print("Adding release files to git...")
+    files_to_add = [changelog_path]
+    if was_bumped and config.get("version_files"):
+        files_to_add.extend(config["version_files"])
+    for file_path in files_to_add:
+        subprocess.run(["git", "add", file_path], check=True, capture_output=True)

Note on static analysis: The S607 warning about partial executable paths exists throughout the file for all git commands and is not introduced by this change.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 761112c and 981a588.

📒 Files selected for processing (1)

• openwisp_utils/releaser/release.py

🧰 Additional context used

🪛 Ruff (0.14.10)

openwisp_utils/releaser/release.py

362-362: Starting a process with a partial executable path

(S607)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Python==3.10 | django~=5.0.0
• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.2.0

[coveralls]

coverage: 97.253%. remained the same
when pulling b0bc235 on kirmada1509:issues/552-releaser-untracked-changes
into 761112c on openwisp:master.