Addressing review comments && checking etag

almaleksia · almaleksia · commit 925798d3b8fb · 2025-12-16T15:35:33.000+01:00
diff --git a/pkg/github/repositories.go b/pkg/github/repositories.go
@@ -411,60 +411,66 @@ If the SHA is not provided, the tool will attempt to acquire it by fetching the
 		}
 
 		path = strings.TrimPrefix(path, "/")
-		fileContent, resp, err := client.Repositories.CreateFile(ctx, owner, repo, path, opts)
-		if err != nil {
-			if strings.Contains(err.Error(), `"sha" wasn't supplied`) && sha == "" {
-				// Close the response from the initial failed CreateFile call
-				if resp != nil {
-					_ = resp.Body.Close()
-				}
 
-				// attempt to get the current file SHA by fetching the file contents
-				getOpts := &github.RepositoryContentGetOptions{
-					Ref: branch,
-				}
-				currentFileContent, _, respContents, err := client.Repositories.GetContents(ctx, owner, repo, path, getOpts)
-
-				if err == nil {
-					// Close the GetContents response before making the retry call
-					if respContents != nil {
-						_ = respContents.Body.Close()
-					}
+		// SHA validation using conditional HEAD request (efficient - no body transfer)
+		var previousSHA string
+		contentURL := fmt.Sprintf("repos/%s/%s/contents/%s", owner, repo, url.PathEscape(path))
+		if branch != "" {
+			contentURL += "?ref=" + url.QueryEscape(branch)
+		}
 
-					if currentFileContent != nil && currentFileContent.SHA != nil {
-						opts.SHA = currentFileContent.SHA
-						fileContent, resp, err = client.Repositories.CreateFile(ctx, owner, repo, path, opts)
-						defer func() { _ = resp.Body.Close() }()
-
-						if err != nil {
-							return ghErrors.NewGitHubAPIErrorResponse(ctx,
-								"failed to create/update file after retrieving current SHA",
-								resp,
-								err,
-							), nil, nil
-						}
-					} else {
-						return utils.NewToolResultError("file content SHA is nil, cannot update the file"), nil, nil
+		if sha != "" {
+			// User provided SHA - validate it's still current
+			req, err := client.NewRequest("HEAD", contentURL, nil)
+			if err == nil {
+				req.Header.Set("If-None-Match", fmt.Sprintf(`"%s"`, sha))
+				resp, _ := client.Do(ctx, req, nil)
+				if resp != nil {
+					defer resp.Body.Close()
+
+					switch resp.StatusCode {
+					case http.StatusNotModified:
+						// SHA matches current - proceed
+						opts.SHA = github.Ptr(sha)
+					case http.StatusOK:
+						// SHA is stale - reject with current SHA so user can check diff
+						currentSHA := strings.Trim(resp.Header.Get("ETag"), `"`)
+						return utils.NewToolResultError(fmt.Sprintf(
+							"SHA mismatch: provided SHA %s is stale. Current file SHA is %s. "+
+								"Use get_file_contents or compare commits to review changes before updating.",
+							sha, currentSHA)), nil, nil
+					case http.StatusNotFound:
+						// File doesn't exist - this is a create, ignore provided SHA
 					}
-				} else {
-					// Close the GetContents response before returning error
-					if respContents != nil {
-						_ = respContents.Body.Close()
+				}
+			}
+		} else {
+			// No SHA provided - check if file exists to warn about blind update
+			req, err := client.NewRequest("HEAD", contentURL, nil)
+			if err == nil {
+				resp, _ := client.Do(ctx, req, nil)
+				if resp != nil {
+					defer resp.Body.Close()
+					if resp.StatusCode == http.StatusOK {
+						previousSHA = strings.Trim(resp.Header.Get("ETag"), `"`)
 					}
-					return ghErrors.NewGitHubAPIErrorResponse(ctx,
-						"failed to get file SHA for update",
-						respContents,
-						err,
-					), nil, nil
+					// 404 = new file, no previous SHA needed
 				}
-			} else {
-				return ghErrors.NewGitHubAPIErrorResponse(ctx,
-					"failed to create/update file",
-					resp,
-					err,
-				), nil, nil
 			}
 		}
+
+		if previousSHA != "" {
+			opts.SHA = github.Ptr(previousSHA)
+		}
+
+		fileContent, resp, err := client.Repositories.CreateFile(ctx, owner, repo, path, opts)
+		if err != nil {
+			return ghErrors.NewGitHubAPIErrorResponse(ctx,
+				"failed to create/update file",
+				resp,
+				err,
+			), nil, nil
+		}
 		defer func() { _ = resp.Body.Close() }()
 
 		if resp.StatusCode != 200 && resp.StatusCode != 201 {
@@ -480,6 +486,19 @@ If the SHA is not provided, the tool will attempt to acquire it by fetching the
 			return nil, nil, fmt.Errorf("failed to marshal response: %w", err)
 		}
 
+		// Warn if file was updated without SHA validation (blind update)
+		if sha == "" && previousSHA != "" {
+			return utils.NewToolResultText(fmt.Sprintf(
+				"Warning: File updated without SHA validation. Previous file SHA was %s. "+
+					`Verify no unintended changes were overwritten: 
+1. Extract the SHA of the local version using git ls-tree HEAD %s.
+2. Compare with the previous SHA above.
+3. Revert changes if shas do not match.
+
+%s`,
+				previousSHA, path, string(r))), nil, nil
+		}
+
 		return utils.NewToolResultText(string(r)), nil, nil
 	})
 
diff --git a/pkg/github/repositories_test.go b/pkg/github/repositories_test.go
@@ -1122,81 +1122,179 @@ func Test_CreateOrUpdateFile(t *testing.T) {
 			expectedErrMsg: "failed to create/update file",
 		},
 		{
-			name: "file creation fails with missing sha, then succeeds after fetching sha",
+			name: "sha validation - current sha matches (304 Not Modified)",
 			mockedClient: mock.NewMockedHTTPClient(
 				mock.WithRequestMatchHandler(
-					mock.PutReposContentsByOwnerByRepoByPath,
-					func() http.HandlerFunc {
-						callCount := 0
-						return func(w http.ResponseWriter, _ *http.Request) {
-							callCount++
-							if callCount == 1 {
-								// First call fails with "sha wasn't supplied" error
-								w.WriteHeader(http.StatusUnprocessableEntity)
-								_, _ = w.Write([]byte(`{"message": "\"sha\" wasn't supplied"}`))
-							} else {
-								// Second call succeeds after SHA is retrieved
-								w.WriteHeader(http.StatusOK)
-								respBytes, _ := json.Marshal(mockFileResponse)
-								_, _ = w.Write(respBytes)
-							}
+					mock.EndpointPattern{
+						Pattern: "/repos/owner/repo/contents/docs/example.md",
+						Method:  "HEAD",
+					},
+					http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+						// Verify If-None-Match header is set correctly
+						ifNoneMatch := req.Header.Get("If-None-Match")
+						if ifNoneMatch == `"abc123def456"` {
+							w.WriteHeader(http.StatusNotModified)
+						} else {
+							w.WriteHeader(http.StatusOK)
+							w.Header().Set("ETag", `"abc123def456"`)
 						}
-					}(),
+					}),
 				),
 				mock.WithRequestMatchHandler(
-					mock.GetReposContentsByOwnerByRepoByPath,
+					mock.PutReposContentsByOwnerByRepoByPath,
+					expectRequestBody(t, map[string]interface{}{
+						"message": "Update example file",
+						"content": "IyBVcGRhdGVkIEV4YW1wbGUKClRoaXMgZmlsZSBoYXMgYmVlbiB1cGRhdGVkLg==",
+						"branch":  "main",
+						"sha":     "abc123def456",
+					}).andThen(
+						mockResponse(t, http.StatusOK, mockFileResponse),
+					),
+				),
+			),
+			requestArgs: map[string]interface{}{
+				"owner":   "owner",
+				"repo":    "repo",
+				"path":    "docs/example.md",
+				"content": "# Updated Example\n\nThis file has been updated.",
+				"message": "Update example file",
+				"branch":  "main",
+				"sha":     "abc123def456",
+			},
+			expectError:     false,
+			expectedContent: mockFileResponse,
+		},
+		{
+			name: "sha validation - stale sha detected (200 OK with different ETag)",
+			mockedClient: mock.NewMockedHTTPClient(
+				mock.WithRequestMatchHandler(
+					mock.EndpointPattern{
+						Pattern: "/repos/owner/repo/contents/docs/example.md",
+						Method:  "HEAD",
+					},
 					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						// SHA doesn't match - return 200 with current ETag
+						w.Header().Set("ETag", `"newsha999888"`)
 						w.WriteHeader(http.StatusOK)
-						existingFile := &github.RepositoryContent{
-							Name: github.Ptr("example.md"),
-							Path: github.Ptr("docs/example.md"),
-							SHA:  github.Ptr("abc123def456"),
-							Type: github.Ptr("file"),
-						}
-						contentBytes, _ := json.Marshal(existingFile)
-						_, _ = w.Write(contentBytes)
 					}),
 				),
 			),
 			requestArgs: map[string]interface{}{
 				"owner":   "owner",
 				"repo":    "repo",
 				"path":    "docs/example.md",
-				"content": "# Example\n\nThis is an example file.",
-				"message": "Add example file",
+				"content": "# Updated Example\n\nThis file has been updated.",
+				"message": "Update example file",
+				"branch":  "main",
+				"sha":     "oldsha123456",
+			},
+			expectError:    true,
+			expectedErrMsg: "SHA mismatch: provided SHA oldsha123456 is stale. Current file SHA is newsha999888",
+		},
+		{
+			name: "sha validation - file doesn't exist (404), proceed with create",
+			mockedClient: mock.NewMockedHTTPClient(
+				mock.WithRequestMatchHandler(
+					mock.EndpointPattern{
+						Pattern: "/repos/owner/repo/contents/docs/example.md",
+						Method:  "HEAD",
+					},
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusNotFound)
+					}),
+				),
+				mock.WithRequestMatchHandler(
+					mock.PutReposContentsByOwnerByRepoByPath,
+					expectRequestBody(t, map[string]interface{}{
+						"message": "Create new file",
+						"content": "IyBOZXcgRmlsZQoKVGhpcyBpcyBhIG5ldyBmaWxlLg==",
+						"branch":  "main",
+						"sha":     "ignoredsha", // SHA is sent but GitHub API ignores it for new files
+					}).andThen(
+						mockResponse(t, http.StatusCreated, mockFileResponse),
+					),
+				),
+			),
+			requestArgs: map[string]interface{}{
+				"owner":   "owner",
+				"repo":    "repo",
+				"path":    "docs/example.md",
+				"content": "# New File\n\nThis is a new file.",
+				"message": "Create new file",
 				"branch":  "main",
+				"sha":     "ignoredsha",
 			},
 			expectError:     false,
 			expectedContent: mockFileResponse,
 		},
 		{
-			name: "file creation fails with missing sha and GetContents also fails",
+			name: "no sha provided - file exists, returns warning",
 			mockedClient: mock.NewMockedHTTPClient(
 				mock.WithRequestMatchHandler(
-					mock.PutReposContentsByOwnerByRepoByPath,
+					mock.EndpointPattern{
+						Pattern: "/repos/owner/repo/contents/docs/example.md",
+						Method:  "HEAD",
+					},
 					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						w.WriteHeader(http.StatusUnprocessableEntity)
-						_, _ = w.Write([]byte(`{"message": "\"sha\" wasn't supplied"}`))
+						w.Header().Set("ETag", `"existing123"`)
+						w.WriteHeader(http.StatusOK)
 					}),
 				),
 				mock.WithRequestMatchHandler(
-					mock.GetReposContentsByOwnerByRepoByPath,
+					mock.PutReposContentsByOwnerByRepoByPath,
+					expectRequestBody(t, map[string]interface{}{
+						"message": "Update without SHA",
+						"content": "IyBVcGRhdGVkCgpVcGRhdGVkIHdpdGhvdXQgU0hBLg==",
+						"branch":  "main",
+					}).andThen(
+						mockResponse(t, http.StatusOK, mockFileResponse),
+					),
+				),
+			),
+			requestArgs: map[string]interface{}{
+				"owner":   "owner",
+				"repo":    "repo",
+				"path":    "docs/example.md",
+				"content": "# Updated\n\nUpdated without SHA.",
+				"message": "Update without SHA",
+				"branch":  "main",
+			},
+			expectError:    false,
+			expectedErrMsg: "Warning: File updated without SHA validation. Previous file SHA was existing123",
+		},
+		{
+			name: "no sha provided - file doesn't exist, no warning",
+			mockedClient: mock.NewMockedHTTPClient(
+				mock.WithRequestMatchHandler(
+					mock.EndpointPattern{
+						Pattern: "/repos/owner/repo/contents/docs/example.md",
+						Method:  "HEAD",
+					},
 					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 						w.WriteHeader(http.StatusNotFound)
-						_, _ = w.Write([]byte(`{"message": "Not Found"}`))
 					}),
 				),
+				mock.WithRequestMatchHandler(
+					mock.PutReposContentsByOwnerByRepoByPath,
+					expectRequestBody(t, map[string]interface{}{
+						"message": "Create new file",
+						"content": "IyBOZXcgRmlsZQoKQ3JlYXRlZCB3aXRob3V0IFNIQQ==",
+						"branch":  "main",
+					}).andThen(
+						mockResponse(t, http.StatusCreated, mockFileResponse),
+					),
+				),
 			),
 			requestArgs: map[string]interface{}{
 				"owner":   "owner",
 				"repo":    "repo",
 				"path":    "docs/example.md",
-				"content": "# Example\n\nThis is an example file.",
-				"message": "Add example file",
+				"content": "# New File\n\nCreated without SHA",
+				"message": "Create new file",
 				"branch":  "main",
 			},
-			expectError:    true,
-			expectedErrMsg: "failed to get file SHA for update",
+			expectError:     false,
+			expectedContent: mockFileResponse,
 		},
 	}
 
@@ -1227,6 +1325,12 @@ func Test_CreateOrUpdateFile(t *testing.T) {
 			// Parse the result and get the text content if no error
 			textContent := getTextResult(t, result)
 
+			// If expectedErrMsg is set (but expectError is false), this is a warning case
+			if tc.expectedErrMsg != "" {
+				assert.Contains(t, textContent.Text, tc.expectedErrMsg)
+				return
+			}
+
 			// Unmarshal and verify the result
 			var returnedContent github.RepositoryContentResponse
 			err = json.Unmarshal([]byte(textContent.Text), &returnedContent)
