
@Srinath0916 (Contributor) commented Dec 31, 2025

The releaser tool was using 'git add .' which dangerously adds all files including potentially private ones. Changed to only add specific files that are modified during the release process (changelog and version files).

Fixes #552

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #552.

Description of Changes

I noticed the releaser tool had a security issue where it was using git add . to stage files for commit. This is problematic because it adds every single file in the repository, including things like private config files or temporary files that shouldn't be committed.

The fix was straightforward - instead of adding everything, I made it only add the specific files that actually get modified during a release:

  • The changelog file (which always gets updated)
  • The version file (if it exists and gets modified)

I also added some comments to explain why we're being selective about which files to add, and updated the console message to be clearer about what's happening.

The change is in the openwisp_utils/releaser/release.py file around lines 361-370. I tested it by running the code quality checks and making sure the syntax is correct.

This should prevent any accidental commits of private files during the release process.

Screenshot

Not applicable since this is a backend code fix.

Summary by CodeRabbit

  • Chores
    • Release flow now stages only modified, tracked files instead of all working-tree changes, producing more precise release commits while leaving commit/push/PR steps and overall process unchanged.


The releaser tool was using 'git add .' which dangerously adds all files
including potentially private ones. Changed to only add specific files
that are modified during the release process (changelog and version files).

Fixes openwisp#552
@coderabbitai bot commented Dec 31, 2025

📝 Walkthrough

The release flow now stages only tracked, modified files by replacing git add . with git add -u. Commit, push, and PR behavior remains unchanged; explanatory comments were added.

Changes

Cohort / File(s) | Summary
Git staging change: openwisp_utils/releaser/release.py | Replaced broad git add . with git add -u so only tracked modifications are staged; added comments. Commit/push/PR logic unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 I nibble only what's been chewed,
I leave the hidden seeds alone,
With git add -u I tidy the mew,
Safe hops, neat commits — carrots grown. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (4 passed)
Title check (✅ Passed): The title accurately summarizes the main change: replacing 'git add .' with selective file staging in the releaser tool, and references the related issue #552.
Description check (✅ Passed): The description covers the required template sections including a completed checklist, reference to issue #552, and a clear explanation of the security issue and fix.
Linked Issues check (✅ Passed): The PR successfully addresses issue #552 by replacing 'git add .' with selective staging of only changelog and version files modified during release, preventing accidental commits of private files.
Out of Scope Changes check (✅ Passed): The changes are limited to the releaser tool's git staging logic and directly address the security concern raised in issue #552 without introducing unrelated modifications.

@coveralls commented Dec 31, 2025

Coverage Status

coverage: 97.253%. remained the same
when pulling ef21fad on Srinath0916:issues/552-fix-releaser-git-add
into 761112c on openwisp:master.

@Srinath0916 (Contributor, Author) commented

Hi @nemesifier, I've implemented a fix for the security issue you reported. The dangerous git add . has been replaced with targeted file additions to only include changelog and version files during the release process. Ready for review when you have time. Thanks!

@nemesifier (Member) left a comment

Looks good, I'll need to test it on a new bugfix release before merging.

@Srinath0916 (Contributor, Author) commented

Thanks @nemesifier! Sounds good, let me know if anything comes up during testing.

@Srinath0916 Srinath0916 force-pushed the issues/552-fix-releaser-git-add branch from 3d57403 to ec48e47 Compare January 3, 2026 04:48
- Changed from selective file staging to git add -u approach
- Stages all modified tracked files for better future compatibility
- Maintains security by not adding untracked files
- Addresses maintainer feedback for automatic version bumping support
@Srinath0916 Srinath0916 force-pushed the issues/552-fix-releaser-git-add branch from ec48e47 to ef21fad Compare January 3, 2026 04:51
@Srinath0916 (Contributor, Author) commented

Hey @nemesifier, I have updated my PR as you suggested, please have a look.

@coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3d57403 and ef21fad.

📒 Files selected for processing (1)
  • openwisp_utils/releaser/release.py
🧰 Additional context used
🪛 Ruff (0.14.10)
openwisp_utils/releaser/release.py

362-362: Starting a process with a partial executable path

(S607)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)
  • GitHub Check: Python==3.12 | django~=5.1.0
  • GitHub Check: Python==3.10 | django~=5.0.0
  • GitHub Check: Python==3.11 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=5.2.0
  • GitHub Check: Python==3.13 | django~=5.2.0
  • GitHub Check: Python==3.13 | django~=5.1.0
  • GitHub Check: Python==3.12 | django~=4.2.0
  • GitHub Check: Python==3.12 | django~=5.0.0
  • GitHub Check: Python==3.12 | django~=5.2.0
  • GitHub Check: Python==3.11 | django~=5.0.0
  • GitHub Check: Python==3.10 | django~=5.2.0
  • GitHub Check: Python==3.10 | django~=5.1.0
  • GitHub Check: Python==3.11 | django~=4.2.0
  • GitHub Check: Python==3.10 | django~=4.2.0

Comment on lines +361 to +362
print("Adding tracked changes to git...")
subprocess.run(["git", "add", "-u"], check=True, capture_output=True)

⚠️ Potential issue | 🟠 Major

git add -u still stages all tracked modified files, not just release files.

While git add -u is an improvement over git add ., it stages all tracked modified files in the repository, not just the changelog and version files modified by the release process. If a developer has other tracked files with uncommitted changes, those will be included in the release commit.

To fully address issue #552, explicitly stage only the files modified during the release process. The changelog file is always modified, and the version file(s) should be staged conditionally based on whether bump_version succeeded.

🔎 Recommended fix to stage only release-modified files
-    print("Adding tracked changes to git...")
-    subprocess.run(["git", "add", "-u"], check=True, capture_output=True)
+    # Stage only the files modified by the release process
+    print("Staging release files (changelog and version files)...")
+    subprocess.run(
+        ["git", "add", changelog_path], check=True, capture_output=True
+    )
+    if was_bumped and config.get("version_file"):
+        subprocess.run(
+            ["git", "add", config["version_file"]], check=True, capture_output=True
+        )
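Review bot: the `+` lines call `changelog_path`, `was_bumped` and `config["version_file"]` without showing that any of them exists in this scope, and the note under the hunk itself admits the config key is unverified, so this is not a committable suggestion until the return value of bump_version and the config schema have been checked against release.py. Two smaller points on the same lines: `check=True` combined with `capture_output=True` discards git's stderr when the add fails, so a broken release shows only a bare CalledProcessError (either drop `capture_output=True` or catch the exception and print `e.stderr`), and the pathspec should be passed after `--` so a path that starts with `-` cannot be parsed as an option. The bare `"git"` executable also keeps the Ruff S607 finding reported on line 362 alive. Finally, even with explicit paths, the commit step should confirm the index holds only those files (`git diff --cached --name-only`) so pre-existing staged changes cannot ride along.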

Note: You may need to verify the correct key/path for the version file in the config. If there are multiple version files or a different config structure, adjust accordingly.

Additional observation: The PR description mentions "Comments explaining selective staging were added," but no explanatory comments are present in the code changes.


🤖 Prompt for AI Agents
In openwisp_utils/releaser/release.py around lines 361-362, the code uses "git
add -u" which stages all tracked modified files; change this to explicitly stage
only the changelog file and any version file(s) modified by the release. Modify
the logic to compute the changelog path (always) and, if bump_version succeeded,
determine the version file path(s) from the config and add them too; call
subprocess.run(["git","add", <path>], check=True, capture_output=True) for each
file instead of a single "git add -u". Also add brief comments explaining why we
selectively stage only release-modified files and that version files are added
conditionally when bump_version succeeds.
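The three staging strategies argued over in this thread (the original `git add .`, the merged `git add -u`, and the reviewer's explicit-path suggestion), shown side by side on a constructed dirty working tree, plus a staging routine that does what the review comment asks for and then verifies the index before the commit step. This is an added example, not code from openwisp-utils or from any participant; the release-file paths, the sample `git status --porcelain` output and the helper names are assumptions.

```python
"""Added example (not openwisp-utils code): stage only the files a release
touched and refuse to commit if anything else in the tree is dirty."""
import subprocess
from dataclasses import dataclass

# Assumed release artifacts; the real releaser reads these from its config.
RELEASE_FILES = ("CHANGES.rst", "openwisp_utils/__init__.py")

# Constructed `git status --porcelain` output: two release files and one
# unrelated tracked file are modified, and two untracked files (one a
# private .env) are lying around in the working tree.
SAMPLE_STATUS = "\n".join([
    " M CHANGES.rst",
    " M openwisp_utils/__init__.py",
    " M openwisp_utils/releaser/release.py",
    "?? .env",
    "?? notes.txt",
])


@dataclass(frozen=True)
class StatusEntry:
    index: str     # X column: index vs HEAD ('?' untracked, '!' ignored)
    worktree: str  # Y column: working tree vs index
    path: str


def parse_porcelain(output: str) -> list[StatusEntry]:
    """Parse porcelain v1 lines 'XY path' (renames/copies: 'XY old -> new')."""
    entries = []
    for line in output.splitlines():
        if len(line) < 4:
            continue
        xy, path = line[:2], line[3:]
        if xy[0] in "RC" and " -> " in path:
            path = path.split(" -> ", 1)[1]  # keep the destination path
        entries.append(StatusEntry(xy[0], xy[1], path))
    return entries


def staging_plan(status_output: str, release_files=RELEASE_FILES) -> dict:
    """What each strategy would put into the release commit.

    add_dot    : git add .                   -> all changes, tracked or untracked
    add_u      : git add -u                  -> every modified/deleted tracked file
    explicit   : git add -- <release files>  -> only release files that changed
    unexpected : tracked files dirty for reasons unrelated to the release
    """
    entries = parse_porcelain(status_output)
    untracked = {e.path for e in entries if e.index == "?"}
    tracked_dirty = {e.path for e in entries if e.index not in "?!"}
    return {
        "add_dot": sorted(tracked_dirty | untracked),
        "add_u": sorted(tracked_dirty),
        "explicit": sorted(p for p in release_files if p in tracked_dirty),
        "unexpected": sorted(tracked_dirty - set(release_files)),
    }


def stage_command(paths) -> list[str]:
    """'--' stops a path beginning with '-' from being read as an option."""
    return ["git", "add", "--", *paths]


def stage_release_files(release_files=RELEASE_FILES, strict=True) -> list[str]:
    """Stage only the dirty release files in the current repository.

    With strict=True, abort when unrelated tracked changes exist so they can
    never ride along into the release commit; afterwards confirm the index
    contains exactly the intended files. Returns the staged paths.
    """
    status = subprocess.run(
        ["git", "status", "--porcelain", "--untracked-files=all"],
        check=True, capture_output=True, text=True,
    ).stdout
    plan = staging_plan(status, release_files)
    if strict and plan["unexpected"]:
        raise RuntimeError(
            "refusing to release with unrelated uncommitted changes: "
            + ", ".join(plan["unexpected"])
        )
    if plan["explicit"]:
        subprocess.run(stage_command(plan["explicit"]), check=True)
    staged = subprocess.run(
        ["git", "diff", "--cached", "--name-only"],
        check=True, capture_output=True, text=True,
    ).stdout.split()
    if sorted(staged) != plan["explicit"]:
        raise RuntimeError(f"index contains unexpected files: {staged}")
    return plan["explicit"]


if __name__ == "__main__":
    for strategy, files in staging_plan(SAMPLE_STATUS).items():
        print(f"{strategy:>10}: {files}")
```

Running the module prints that `git add .` would have committed `.env` and `notes.txt`, that `git add -u` leaves them out but still sweeps up `openwisp_utils/releaser/release.py`, and that the explicit plan stages only the two release files while reporting release.py as an unexpected change the releaser should refuse to proceed over.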

@Srinath0916 Srinath0916 requested a review from nemesifier January 5, 2026 18:27
@github-project-automation github-project-automation bot moved this from To do (general) to In progress in OpenWISP Contributor's Board Jan 27, 2026
@nemesifier nemesifier merged commit 29033e5 into openwisp:master Jan 27, 2026
16 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in OpenWISP Contributor's Board Jan 27, 2026
@Srinath0916 (Contributor, Author) commented

@nemesifier Thanks, excited for more!

Development

Successfully merging this pull request may close these issues.

[bug] Releaser tool adds any change and pushes it

3 participants