RomanNikitenko
diff --git a/‎.github/scripts/check-unprotected-changes.sh‎
Lines changed: 193 additions & 0 deletions b/‎.github/scripts/check-unprotected-changes.sh‎
Lines changed: 193 additions & 0 deletions
diff --git a/‎.github/workflows/add-rebase-rules.yml‎
Lines changed: 139 additions & 0 deletions b/‎.github/workflows/add-rebase-rules.yml‎
Lines changed: 139 additions & 0 deletions
@@ -0,0 +1,193 @@
+#!/bin/bash
+# This file was generated using AI assistance (Cursor AI) and reviewed by the maintainers.
+#
+# Detect files under code/ changed since the last rebase that have no rebase
+# rule.  Such modifications would be silently lost on the next upstream rebase.
+#
+# How it works:
+#   1. Finds the last rebase commit (message starts with "Rebase against the upstream")
+#   2. Lists files in code/ changed since that commit
+#   3. Filters out Che-only additions (che-* extensions, che/ subdirs) and lockfiles
+#   4. For remaining files, checks whether a rebase rule exists in:
+#        - resolve_conflicts() elif chain in rebase.sh
+#        - .rebase/replace/  (from→by rules)
+#        - .rebase/add/      (JSON fragments merged in)
+#        - .rebase/override/  (JSON overrides)
+#   5. Reports any uncovered files
+#
+# Usage:
+#   bash check-unprotected-changes.sh                   # default: changes since last rebase
+#   bash check-unprotected-changes.sh <base>..<head>     # explicit commit range
+#   bash check-unprotected-changes.sh --verbose          # show covered files too
+#   bash check-unprotected-changes.sh --pr-comment       # output as GitHub PR comment (markdown)
+#   bash check-unprotected-changes.sh --list             # output bare file paths only
+#
+# Exit codes:
+#   0 — All modifications are covered by rebase rules (or are Che-only additions)
+#   1 — Unprotected modifications found
+#   2 — Error (can't find rebase commit, etc.)
+set -u
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$REPO_ROOT"
+
+VERBOSE=false
+OUTPUT_MODE="text"
+COMMIT_RANGE=""
+for arg in "$@"; do
+  case "$arg" in
+    --verbose|-v)   VERBOSE=true ;;
+    --pr-comment)   OUTPUT_MODE="pr-comment" ;;
+    --list)         OUTPUT_MODE="list" ;;
+    *..*)           COMMIT_RANGE="$arg" ;;
+  esac
+done
+
+# --- Locate the last rebase commit ---
+if [ -z "$COMMIT_RANGE" ]; then
+  REBASE_COMMIT=$(git log --format='%H' --grep="^Rebase against the upstream" -1)
+  if [ -z "$REBASE_COMMIT" ]; then
+    if [ "$OUTPUT_MODE" = "list" ]; then
+      exit 2
+    fi
+    echo "ERROR: Could not find a rebase commit in the history."
+    echo "Expected a commit whose message starts with 'Rebase against the upstream'."
+    exit 2
+  fi
+  REBASE_MSG=$(git log -1 --format='%s' "$REBASE_COMMIT")
+  COMMIT_RANGE="${REBASE_COMMIT}..HEAD"
+fi
+
+if [ "$OUTPUT_MODE" = "text" ]; then
+  if [ -n "${REBASE_MSG:-}" ]; then
+    echo "=== Unprotected Changes Check ==="
+    echo "Base: $REBASE_COMMIT (${REBASE_MSG})"
+  else
+    echo "=== Unprotected Changes Check ==="
+    echo "Range: $COMMIT_RANGE"
+  fi
+  echo ""
+fi
+
+# --- Build the set of files covered by rebase rules ---
+COVERED_LIST=$(mktemp)
+trap 'rm -f "$COVERED_LIST"' EXIT
+
+# 1. Parse resolve_conflicts() elif chain for explicit file paths.
+while IFS= read -r line; do
+  if [[ "$line" =~ \[\[.*==.*\"([^\"]+)\".*\]\] ]]; then
+    echo "${BASH_REMATCH[1]}"
+  fi
+done < <(sed -n '/^resolve_conflicts()/,/^}/p' rebase.sh) >> "$COVERED_LIST"
+
+# 2. .rebase/replace/ rules
+find .rebase/replace -name '*.json' -type f 2>/dev/null | while IFS= read -r rule_file; do
+  code_path="${rule_file#.rebase/replace/}"
+  code_path="${code_path%.json}"
+  if [[ "$code_path" != code/* ]]; then
+    code_path="code/$code_path"
+  fi
+  echo "$code_path"
+done >> "$COVERED_LIST"
+
+# 3. .rebase/add/ rules
+find .rebase/add -type f 2>/dev/null | while IFS= read -r rule_file; do
+  echo "${rule_file#.rebase/add/}"
+done >> "$COVERED_LIST"
+
+# 4. .rebase/override/ rules
+find .rebase/override -type f 2>/dev/null | while IFS= read -r rule_file; do
+  echo "${rule_file#.rebase/override/}"
+done >> "$COVERED_LIST"
+
+sort -u -o "$COVERED_LIST" "$COVERED_LIST"
+
+# --- Check changed files ---
+UNCOVERED=()
+COVERED_COUNT=0
+SKIPPED_COUNT=0
+
+while IFS= read -r file_path; do
+  # Skip package-lock.json (handled by resolve_package_lock during rebase)
+  case "$file_path" in
+    */package-lock.json) ((SKIPPED_COUNT++)); continue ;;
+  esac
+
+  # Skip Che-only additions — these don't exist in upstream and won't conflict
+  case "$file_path" in
+    code/extensions/che-*) ((SKIPPED_COUNT++)); continue ;;
+    */che/*.ts|*/che/*.js)  ((SKIPPED_COUNT++)); continue ;;
+  esac
+
+  if grep -qxF "$file_path" "$COVERED_LIST"; then
+    ((COVERED_COUNT++))
+    continue
+  fi
+
+  UNCOVERED+=("$file_path")
+done < <(git diff --name-only "$COMMIT_RANGE" -- code/)
+
+# --- Output ---
+
+# --list mode: bare file paths, nothing else
+if [ "$OUTPUT_MODE" = "list" ]; then
+  for f in "${UNCOVERED[@]+${UNCOVERED[@]}}"; do
+    echo "$f"
+  done
+  [ ${#UNCOVERED[@]} -eq 0 ] && exit 0 || exit 1
+fi
+
+# --pr-comment mode: markdown for a GitHub PR comment
+if [ "$OUTPUT_MODE" = "pr-comment" ]; then
+  if [ ${#UNCOVERED[@]} -eq 0 ]; then
+    exit 0
+  fi
+  cat <<'HEADER'
+<!-- rebase-rules-check -->
+### Missing Rebase Rules
+
+The following files were modified in this PR but do not have corresponding rebase rules.
+Without these rules, the changes **will be lost** during the next upstream rebase.
+
+| # | File |
+|---|------|
+HEADER
+  i=1
+  for f in "${UNCOVERED[@]}"; do
+    echo "| $i | \`$f\` |"
+    ((i++))
+  done
+  echo ""
+  echo "Comment \`/add-rebase-rules\` on this PR to add the missing rules automatically."
+  exit 1
+fi
+
+# Default text mode
+if [ "$VERBOSE" = true ]; then
+  echo "Covered: $COVERED_COUNT | Skipped: $SKIPPED_COUNT | Uncovered: ${#UNCOVERED[@]}"
+  echo ""
+  echo "Rebase rules on file:"
+  sed 's/^/  /' "$COVERED_LIST"
+  echo ""
+fi
+
+if [ ${#UNCOVERED[@]} -eq 0 ]; then
+  echo "All modified files in code/ are covered by rebase rules (or are Che-only additions)."
+  echo "  Covered: $COVERED_COUNT  Skipped (lockfiles/Che-only): $SKIPPED_COUNT"
+  exit 0
+fi
+
+echo "**Found ${#UNCOVERED[@]} file(s) modified since the last rebase without rebase rules:**"
+echo ""
+for f in "${UNCOVERED[@]}"; do
+  echo "  - $f"
+done
+echo ""
+echo "These changes will be lost on the next upstream rebase unless a rule is added."
+echo ""
+echo "To fix, for each file above either:"
+echo "  1. Add a .rebase/replace/<path>.json with {\"from\": ..., \"by\": ...} rules"
+echo "  2. Add a .rebase/add/<path> or .rebase/override/<path> JSON fragment"
+echo "  3. Add an elif branch in resolve_conflicts() in rebase.sh"
+exit 1
@@ -0,0 +1,139 @@
+#
+# Copyright (c) 2026 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+#
+# This file was generated using AI assistance (Cursor AI)
+# and reviewed by the maintainers.
+#
+
+name: Add Rebase Rules via dw-claude-runner
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  add-rebase-rules:
+    if: >-
+      github.event.issue.pull_request
+      && contains(github.event.comment.body, '/add-rebase-rules')
+    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+      issues: write
+
+    steps:
+      - name: Check author permission
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PERM=$(gh api "repos/${{ github.repository }}/collaborators/${{ github.event.comment.user.login }}/permission" \
+            --jq '.permission')
+          if [[ "$PERM" != "admin" && "$PERM" != "write" ]]; then
+            echo "User ${{ github.event.comment.user.login }} does not have write access (permission: $PERM)"
+            exit 1
+          fi
+
+      - name: Add reaction to command comment
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api "repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions" \
+            -f content='rocket' --silent
+
+      - name: Get PR details
+        id: pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PR_JSON=$(gh api "repos/${{ github.repository }}/pulls/${{ github.event.issue.number }}")
+          HEAD_SHA=$(echo "$PR_JSON" | jq -r '.head.sha')
+          HEAD_REF=$(echo "$PR_JSON" | jq -r '.head.ref')
+          PR_URL=$(echo "$PR_JSON" | jq -r '.html_url')
+          echo "head_sha=${HEAD_SHA}" >> "$GITHUB_OUTPUT"
+          echo "head_ref=${HEAD_REF}" >> "$GITHUB_OUTPUT"
+          echo "pr_url=${PR_URL}" >> "$GITHUB_OUTPUT"
+
+      - name: Find and update bot comment to in-progress
+        id: bot-comment
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          COMMENT_ID=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments" \
+            --paginate --jq '.[] | select(.body | contains("<!-- rebase-rules-check -->")) | .id' | head -1)
+
+          BODY="<!-- rebase-rules-check -->"$'\n'"### Missing Rebase Rules"$'\n\n'"Adding rebase rules — **in progress**... [View run](${RUN_URL})"
+
+          if [ -n "$COMMENT_ID" ]; then
+            gh api "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \
+              -X PATCH -f body="$BODY"
+            echo "comment_id=${COMMENT_ID}" >> "$GITHUB_OUTPUT"
+          else
+            COMMENT_URL=$(gh pr comment "${{ github.event.issue.number }}" \
+              --repo "${{ github.repository }}" \
+              --body "$BODY")
+            NEW_ID=$(echo "$COMMENT_URL" | grep -oE '[0-9]+$')
+            echo "comment_id=${NEW_ID}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Checkout dw-claude-runner
+        uses: actions/checkout@v4
+        with:
+          repository: RomanNikitenko/dw-claude-runner
+          path: dw-claude-runner
+
+      - name: Install oc CLI
+        uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          oc: latest
+
+      - name: Login to OpenShift
+        run: |
+          echo "::add-mask::${{ secrets.OC_SERVER }}"
+          echo "::add-mask::${{ secrets.OC_PROJECT }}"
+          oc login --token=${{ secrets.OC_TOKEN }} \
+                   --server=${{ secrets.OC_SERVER }} > /dev/null
+
+      - name: Select OpenShift project
+        run: oc project ${{ secrets.OC_PROJECT }} > /dev/null
+
+      - name: Run dw-claude-runner
+        working-directory: dw-claude-runner
+        env:
+          PROJECT_URL: '"https://github.com/${{ github.repository }}.git"'
+          TARGET_REPO: ${{ github.repository }}
+          PROMPT: >-
+            Checkout branch '${{ steps.pr.outputs.head_ref }}' first:
+            git fetch origin && git checkout ${{ steps.pr.outputs.head_ref }}
+
+            Then run: add-rebase-rules ${{ steps.pr.outputs.head_sha }}
+
+            After committing, push the changes to the PR branch:
+            git push origin ${{ steps.pr.outputs.head_ref }}
+          TIMEOUT: "600"
+          CLAUDE_TIMEOUT: "600"
+        run: |
+          set -o pipefail
+          ./run.sh -v 2>&1 | tee /tmp/runner-output.txt
+
+      - name: Update comment with result
+        if: always() && steps.bot-comment.outputs.comment_id
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COMMENT_ID: ${{ steps.bot-comment.outputs.comment_id }}
+          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          if [ "${{ job.status }}" = "success" ]; then
+            BODY="<!-- rebase-rules-check -->"$'\n'"### Missing Rebase Rules"$'\n\n'"Rebase rules have been **added successfully**. [View run](${RUN_URL})"$'\n\n'"Please review the new commit pushed to this PR."
+          else
+            BODY="<!-- rebase-rules-check -->"$'\n'"### Missing Rebase Rules"$'\n\n'"Failed to add rebase rules. [View run](${RUN_URL})"
+          fi
+          gh api "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \
+            -X PATCH -f body="$BODY"