RomanNikitenko
diff --git a/‎.github/scripts/check-unprotected-changes.sh‎
Lines changed: 176 additions & 0 deletions b/‎.github/scripts/check-unprotected-changes.sh‎
Lines changed: 176 additions & 0 deletions
diff --git a/‎.github/workflows/add-rebase-rules.yml‎
Lines changed: 139 additions & 0 deletions b/‎.github/workflows/add-rebase-rules.yml‎
Lines changed: 139 additions & 0 deletions
@@ -0,0 +1,176 @@
+#!/bin/bash
+# This file was generated using AI assistance (Cursor AI) and reviewed by the maintainers.
+#
+# Detect files under code/ changed in a PR whose modifications are NOT fully
+# protected by rebase rules.  Two categories:
+#   - "Missing rule"  — no rebase rule exists for the file at all
+#   - "Incomplete rule" — a rule exists but doesn't reproduce the current content
+#
+# For "incomplete" detection the script runs the actual rebase handler against
+# upstream content and diffs the result against the working tree, reusing the
+# test infrastructure from .claude/skills/test-rebase-rules/.
+#
+# Usage:
+#   bash check-unprotected-changes.sh --pr-comment <base>..<head>
+#
+# Prerequisites (for incomplete-rule detection):
+#   - upstream-code remote must be fetched for the current upstream version
+#
+# Exit codes:
+#   0 — All modifications are fully covered
+#   1 — Problems found
+#   2 — Error
+set -u
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$REPO_ROOT"
+
+OUTPUT_MODE="text"
+COMMIT_RANGE=""
+for arg in "$@"; do
+  case "$arg" in
+    --pr-comment)   OUTPUT_MODE="pr-comment" ;;
+    *..*)           COMMIT_RANGE="$arg" ;;
+  esac
+done
+
+if [ -z "$COMMIT_RANGE" ]; then
+  REBASE_COMMIT=$(git log --format='%H' --grep="^Rebase against the upstream" -1)
+  if [ -z "$REBASE_COMMIT" ]; then
+    echo "ERROR: Could not find a rebase commit and no commit range provided." >&2
+    exit 2
+  fi
+  COMMIT_RANGE="${REBASE_COMMIT}..HEAD"
+fi
+
+UPSTREAM_VERSION=$(grep '^CURRENT_UPSTREAM_VERSION=' rebase.sh | head -1 | sed 's/.*="\(.*\)"/\1/')
+
+HANDLER_SCRIPT="$REPO_ROOT/.claude/skills/test-rebase-rules/test-rebase-handler.sh"
+RUN_ALL_TESTS="$REPO_ROOT/.claude/skills/test-rebase-rules/run-all-tests.sh"
+
+# --- Build the set of files covered by rebase rules ---
+COVERED_LIST=$(mktemp)
+trap 'rm -f "$COVERED_LIST"' EXIT
+
+while IFS= read -r line; do
+  if [[ "$line" =~ \[\[.*==.*\"([^\"]+)\".*\]\] ]]; then
+    echo "${BASH_REMATCH[1]}"
+  fi
+done < <(sed -n '/^resolve_conflicts()/,/^}/p' rebase.sh) >> "$COVERED_LIST"
+
+find .rebase/replace -name '*.json' -type f 2>/dev/null | while IFS= read -r rule_file; do
+  code_path="${rule_file#.rebase/replace/}"
+  code_path="${code_path%.json}"
+  if [[ "$code_path" != code/* ]]; then
+    code_path="code/$code_path"
+  fi
+  echo "$code_path"
+done >> "$COVERED_LIST"
+
+find .rebase/add -type f 2>/dev/null | while IFS= read -r f; do echo "${f#.rebase/add/}"; done >> "$COVERED_LIST"
+find .rebase/override -type f 2>/dev/null | while IFS= read -r f; do echo "${f#.rebase/override/}"; done >> "$COVERED_LIST"
+
+sort -u -o "$COVERED_LIST" "$COVERED_LIST"
+
+# --- Collect changed files and classify ---
+MISSING_RULE=()
+TO_TEST=()
+
+while IFS= read -r file_path; do
+  case "$file_path" in
+    */package-lock.json)      continue ;;
+    code/extensions/che-*)    continue ;;
+    */che/*.ts|*/che/*.js)     continue ;;
+  esac
+
+  if grep -qxF "$file_path" "$COVERED_LIST"; then
+    TO_TEST+=("$file_path")
+  else
+    MISSING_RULE+=("$file_path")
+  fi
+done < <(git diff --name-only "$COMMIT_RANGE" -- code/)
+
+# --- Test files that have rules: are rules complete? ---
+INCOMPLETE_RULE=()
+HAS_UPSTREAM=false
+if [ -n "$UPSTREAM_VERSION" ]; then
+  git rev-parse "upstream-code/$UPSTREAM_VERSION" > /dev/null 2>&1 && HAS_UPSTREAM=true
+fi
+
+if [ "$HAS_UPSTREAM" = true ] && [ ${#TO_TEST[@]} -gt 0 ] && [ -f "$RUN_ALL_TESTS" ]; then
+  TEST_OUTPUT=$(bash "$RUN_ALL_TESTS" "${TO_TEST[@]}" 2>&1) || true
+
+  while IFS= read -r line; do
+    if [[ "$line" =~ ^\|\ \`([^\`]+)\`\ \| ]]; then
+      failed_file="${BASH_REMATCH[1]}"
+      INCOMPLETE_RULE+=("$failed_file")
+    fi
+  done < <(echo "$TEST_OUTPUT" | sed -n '/^### Failures/,/^### /p' | grep '^| `')
+fi
+
+# --- Output ---
+TOTAL_ISSUES=$(( ${#MISSING_RULE[@]} + ${#INCOMPLETE_RULE[@]} ))
+
+if [ "$OUTPUT_MODE" = "pr-comment" ]; then
+  if [ $TOTAL_ISSUES -eq 0 ]; then
+    exit 0
+  fi
+
+  echo "<!-- rebase-rules-check -->"
+  echo "### Rebase Rules Check"
+  echo ""
+  echo "The following files were modified in this PR but their changes are **not fully protected** by rebase rules."
+  echo "Without proper rules, these changes **will be lost** during the next upstream rebase."
+  echo ""
+
+  if [ ${#MISSING_RULE[@]} -gt 0 ]; then
+    echo "#### Missing rules (no rebase rule exists)"
+    echo ""
+    echo "| # | File |"
+    echo "|---|------|"
+    i=1
+    for f in "${MISSING_RULE[@]}"; do
+      echo "| $i | \`$f\` |"
+      ((i++))
+    done
+    echo ""
+  fi
+
+  if [ ${#INCOMPLETE_RULE[@]} -gt 0 ]; then
+    echo "#### Incomplete rules (rule exists but doesn't cover new changes)"
+    echo ""
+    echo "| # | File |"
+    echo "|---|------|"
+    i=1
+    for f in "${INCOMPLETE_RULE[@]}"; do
+      echo "| $i | \`$f\` |"
+      ((i++))
+    done
+    echo ""
+  fi
+
+  echo "Comment \`/add-rebase-rules\` on this PR to add or update the rules automatically."
+  exit 1
+fi
+
+# Default text mode
+if [ $TOTAL_ISSUES -eq 0 ]; then
+  echo "All modified files in code/ are fully covered by rebase rules."
+  exit 0
+fi
+
+echo "Found $TOTAL_ISSUES file(s) with rebase rule problems:"
+echo ""
+if [ ${#MISSING_RULE[@]} -gt 0 ]; then
+  echo "Missing rules:"
+  for f in "${MISSING_RULE[@]}"; do echo "  - $f"; done
+  echo ""
+fi
+if [ ${#INCOMPLETE_RULE[@]} -gt 0 ]; then
+  echo "Incomplete rules:"
+  for f in "${INCOMPLETE_RULE[@]}"; do echo "  - $f"; done
+  echo ""
+fi
+echo "Comment /add-rebase-rules on this PR to fix automatically."
+exit 1
@@ -0,0 +1,139 @@
+#
+# Copyright (c) 2026 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+#
+# This file was generated using AI assistance (Cursor AI)
+# and reviewed by the maintainers.
+#
+
+name: Add Rebase Rules via dw-claude-runner
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  add-rebase-rules:
+    if: >-
+      github.event.issue.pull_request
+      && contains(github.event.comment.body, '/add-rebase-rules')
+    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+      issues: write
+
+    steps:
+      - name: Check author permission
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PERM=$(gh api "repos/${{ github.repository }}/collaborators/${{ github.event.comment.user.login }}/permission" \
+            --jq '.permission')
+          if [[ "$PERM" != "admin" && "$PERM" != "write" ]]; then
+            echo "User ${{ github.event.comment.user.login }} does not have write access (permission: $PERM)"
+            exit 1
+          fi
+
+      - name: Add reaction to command comment
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api "repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions" \
+            -f content='rocket' --silent
+
+      - name: Get PR details
+        id: pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PR_JSON=$(gh api "repos/${{ github.repository }}/pulls/${{ github.event.issue.number }}")
+          HEAD_SHA=$(echo "$PR_JSON" | jq -r '.head.sha')
+          HEAD_REF=$(echo "$PR_JSON" | jq -r '.head.ref')
+          PR_URL=$(echo "$PR_JSON" | jq -r '.html_url')
+          echo "head_sha=${HEAD_SHA}" >> "$GITHUB_OUTPUT"
+          echo "head_ref=${HEAD_REF}" >> "$GITHUB_OUTPUT"
+          echo "pr_url=${PR_URL}" >> "$GITHUB_OUTPUT"
+
+      - name: Find and update bot comment to in-progress
+        id: bot-comment
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          COMMENT_ID=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments" \
+            --paginate --jq '.[] | select(.body | contains("<!-- rebase-rules-check -->")) | .id' | head -1)
+
+          BODY="<!-- rebase-rules-check -->"$'\n'"### Missing Rebase Rules"$'\n\n'"Adding rebase rules — **in progress**... [View run](${RUN_URL})"
+
+          if [ -n "$COMMENT_ID" ]; then
+            gh api "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \
+              -X PATCH -f body="$BODY"
+            echo "comment_id=${COMMENT_ID}" >> "$GITHUB_OUTPUT"
+          else
+            COMMENT_URL=$(gh pr comment "${{ github.event.issue.number }}" \
+              --repo "${{ github.repository }}" \
+              --body "$BODY")
+            NEW_ID=$(echo "$COMMENT_URL" | grep -oE '[0-9]+$')
+            echo "comment_id=${NEW_ID}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Checkout dw-claude-runner
+        uses: actions/checkout@v4
+        with:
+          repository: RomanNikitenko/dw-claude-runner
+          path: dw-claude-runner
+
+      - name: Install oc CLI
+        uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          oc: latest
+
+      - name: Login to OpenShift
+        run: |
+          echo "::add-mask::${{ secrets.OC_SERVER }}"
+          echo "::add-mask::${{ secrets.OC_PROJECT }}"
+          oc login --token=${{ secrets.OC_TOKEN }} \
+                   --server=${{ secrets.OC_SERVER }} > /dev/null
+
+      - name: Select OpenShift project
+        run: oc project ${{ secrets.OC_PROJECT }} > /dev/null
+
+      - name: Run dw-claude-runner
+        working-directory: dw-claude-runner
+        env:
+          PROJECT_URL: '"https://github.com/${{ github.repository }}.git"'
+          TARGET_REPO: ${{ github.repository }}
+          PROMPT: >-
+            Checkout branch '${{ steps.pr.outputs.head_ref }}' first:
+            git fetch origin && git checkout ${{ steps.pr.outputs.head_ref }}
+
+            Then run: add-rebase-rules ${{ steps.pr.outputs.head_sha }}
+
+            After committing, push the changes to the PR branch:
+            git push origin ${{ steps.pr.outputs.head_ref }}
+          TIMEOUT: "600"
+          CLAUDE_TIMEOUT: "600"
+        run: |
+          set -o pipefail
+          ./run.sh -v 2>&1 | tee /tmp/runner-output.txt
+
+      - name: Update comment with result
+        if: always() && steps.bot-comment.outputs.comment_id
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COMMENT_ID: ${{ steps.bot-comment.outputs.comment_id }}
+          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          if [ "${{ job.status }}" = "success" ]; then
+            BODY="<!-- rebase-rules-check -->"$'\n'"### Missing Rebase Rules"$'\n\n'"Rebase rules have been **added successfully**. [View run](${RUN_URL})"$'\n\n'"Please review the new commit pushed to this PR."
+          else
+            BODY="<!-- rebase-rules-check -->"$'\n'"### Missing Rebase Rules"$'\n\n'"Failed to add rebase rules. [View run](${RUN_URL})"
+          fi
+          gh api "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \
+            -X PATCH -f body="$BODY"