fix: restore original author on cherry-pick for DCO compliance

[rnetser]

Problem

When the webhook server cherry-picks a squash-merged commit, the DCO check on the cherry-pick PR fails because:

1. GitHub squash-merge rewrites the commit author email to the noreply format (e.g., 86722603+user@users.noreply.github.com)
2. The Signed-off-by trailer preserves the original email (e.g., user@redhat.com)
3. git cherry-pick replays the commit with the mismatched emails
4. The DCO app checks that Signed-off-by email matches the commit author email → fails

This requires manual sign-off approval for every cherry-picked PR.

Solution

Add _restore_original_author_for_cherry_pick() to RunnerHandler that:

• Fetches the original PR's commits via pull_request.get_commits()
• Searches for a Signed-off-by trailer (last commit first)
• Only amends if the original PR actually had a sign-off
• Compares the sign-off email against the cherry-picked commit's author email
• If they differ, amends the commit author to match the original sign-off
• Called after successful cherry-pick (clean or AI-resolved) before push

Testing

• 8 new unit tests in TestRestoreOriginalAuthorForCherryPick covering all paths
• Updated existing cherry-pick integration tests to mock the new method
• All 1539 tests pass, 90.46% coverage

References

• Original PR that was signed off: [Storage] Update owners RedHatQE/openshift-virtualization-tests#4461
• Cherry-pick PR that needed manual sign-off: CherryPicked: [cnv-4.20] [Storage] Update owners RedHatQE/openshift-virtualization-tests#4470

Closes: #1072
Assisted-by: Claude noreply@anthropic.com

Summary by CodeRabbit

• Bug Fixes

  • After resolving a cherry-pick, the system now attempts to restore the original commit author when a Signed-off-by trailer differs; it skips when the trailer matches or is absent, logs warnings on read/amend failures, and performs this restore before pushing the new branch.

• Tests

  • Added comprehensive tests covering successful restores, skips, amend failures, missing trailers, multi-commit selection, warning paths, cancellation, and error handling.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds methods to locate a PR's Signed-off-by: trailer and, after a successful cherry-pick, amend the cherry-picked commit author/message to match the original sign-off when emails differ. Invoked in cherry_pick() after conflict resolution and before pushing the branch. (33 words)

Changes

Cohort / File(s)	Summary
Cherry-pick Author Restoration webhook_server/libs/handlers/runner_handler.py	Added RunnerHandler._find_signoff_source(self, pull_request) to locate the most recent Signed-off-by: from the merge commit or PR commits, and RunnerHandler._restore_original_author_for_cherry_pick(self, pull_request, git_cmd, github_token) which compares current commit author vs sign-off email, optionally rewrites commit message (removing/adding trailers), and runs git commit --amend --author=... returning success/failure. Integrated call into cherry_pick() after conflict resolution and before push.
Tests: Restore Author Behavior webhook_server/tests/test_runner_handler.py	Updated cherry-pick tests to mock/assert _restore_original_author_for_cherry_pick is awaited; added TestRestoreOriginalAuthorForCherryPick suite covering amend vs no-amend flows, missing sign-off/no commits, amend failures, read failures, trailer selection across commits, GitHub API errors, and re-raising asyncio.CancelledError.

Sequence Diagram

sequenceDiagram
    participant WH as Webhook Handler
    participant RH as RunnerHandler
    participant GHA as GitHub API
    participant GIT as Git CLI

    WH->>RH: cherry_pick(pull_request, target_branch, ...)
    RH->>GIT: git cherry-pick <commit>
    alt conflict
        RH->>RH: resolve conflicts (AI/manual)
        RH->>GIT: git cherry-pick --continue
    end
    RH->>GHA: GET /repos/.../pulls/<orig>/commits
    GHA-->>RH: commits[]
    RH->>RH: scan commits newest→oldest for Signed-off-by
    RH->>GIT: git log -1 --format=%an%n%ae
    GIT-->>RH: current_author_name/email
    alt sign-off found AND emails differ
        RH->>GIT: git log -1 --format=%B
        GIT-->>RH: commit_message
        RH->>GIT: git commit --amend --author="Name <email>" [-m / -F / --no-edit]
        GIT-->>RH: amend result (success/fail)
    else no sign-off or emails match
        RH->>RH: skip amend
    end
    RH->>GIT: git push origin <branch>

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• refactor: migrate cherry-pick PR creation from hub to gh CLI #1024 — Also modifies runner_handler.py cherry-pick flow; refactors cherry-pick PR creation and touches related post-cherry-pick logic.
• fix: skip base-branch merge in worktree for cherry-pick operations #1062 — Changes control flow in RunnerHandler.cherry_pick, similar region where helper routines are invoked after cherry-pick.
• fix: handle cherry-pick edge cases after AI conflict resolution #1045 — Updates cherry-pick completion/handling in runner_handler.py; overlaps with push/finish behaviors affected by author restoration.

Suggested labels

size/L, verified, lgtm-coderabbitai[bot], commented-coderabbitai[bot], commented-myakove-bot

Suggested reviewers

• myakove

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 68.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: restoring original author identity on cherry-pick to fix DCO compliance issues caused by GitHub's squash-merge author rewriting.
Linked Issues check	✅ Passed	The PR implementation directly addresses all requirements from issue #1072: adds _restore_original_author_for_cherry_pick() method, integrates it into cherry_pick() before push, includes comprehensive unit tests, and resolves the DCO author mismatch problem.
Out of Scope Changes check	✅ Passed	All changes remain tightly scoped to the stated objective: two new private methods for DCO author restoration, integration into cherry_pick(), and corresponding unit tests with no unrelated modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cherry-pick-dco-author-mismatch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[myakove-bot]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: Disabled for this repository
• Pre-commit Checks: pre-commit runs automatically if .pre-commit-config.yaml exists
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified
• Labels: All label categories are enabled (default configuration)

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
• /regenerate-welcome - Regenerate this welcome message

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /automerge - Enable automatic merging when all requirements are met (maintainers and approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest build-container - Rebuild and test container image
• /retest python-module-install - Test Python package installation
• /retest pre-commit - Run pre-commit hooks and checks
• /retest conventional-title - Validate commit message format
• /retest all - Run all available tests

Container Operations

• /build-and-push-container - Build and push container image (tagged with PR number)
  • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 1 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

• myakove
• rnetser

Reviewers:

• myakove
• rnetser

Available Labels

• hold
• verified
• wip
• lgtm
• approve
• automerge

AI Features

• Conventional Title: Mode: fix (claude/claude-opus-4-6[1m])
• Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6[1m])
• Test Oracle: Triggers: approved (claude/claude-opus-4-6[1m]); /test-oracle can be used anytime

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Container Builds: Container images are automatically tagged with the PR number
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@webhook_server/libs/handlers/runner_handler.py`:
- Around line 785-808: The code logs and embeds the full real author identity
when amending commits (see run_command usage building f"{git_cmd} commit --amend
--no-edit --author={shlex.quote(f'{author_name} <{author_email}>')}" and the
subsequent logger.info), which risks leaking personal emails; change this by (1)
adding author_email (and optionally author_name) to the run_command
redact_secrets list so command traces do not contain the raw identity, (2) avoid
emitting the full "Name <email>" in logger.info/logger.warning — instead log a
redacted form (e.g., mask the local-part of the email or only log the domain) or
simply log "Restored original author" without the literal, and (3) optionally
build an author_cmd variable for the commit string and a separate
redacted_author string for logs to keep the commit and logs consistent
(referencing the commit amend call and logger.info in runner_handler.py).
- Around line 760-809: Wrap the external PyGithub calls (the call to
pull_request.get_commits() via github_api_call and the per-commit access to
c.commit.message) in try/except that catches Exception, immediately re-raises
asyncio.CancelledError, and for other exceptions uses self.logger.exception(...)
to log the full traceback and then return False so the cherry-pick flow
continues (best-effort author restore) instead of propagating the error; update
the code around commits = await github_api_call(...) and the loop that reads
commit_msg (referencing pull_request.get_commits(), c.commit.message,
github_api_call, and cherry_pick()/the surrounding method) to implement this
behavior.

In `@webhook_server/tests/test_runner_handler.py`:
- Around line 1038-1041: The test stubs out
_restore_original_author_for_cherry_pick but never asserts it was awaited;
update the patch to assign the AsyncMock to a local variable (e.g., mock_restore
= AsyncMock(return_value=False) and patch.object(runner_handler,
"_restore_original_author_for_cherry_pick", new=mock_restore)), call the code
path (await runner_handler.cherry_pick(...)), then assert the hook was actually
awaited with mock_restore.assert_awaited_once() or
assert_awaited_with(expected_args) to prove cherry_pick awaited the restore
hook.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 035a90c9-e333-45e7-b297-7abf8bec4ecb

📥 Commits

Reviewing files that changed from the base of the PR and between 3275803 and 908b4b0.

📒 Files selected for processing (2)

• webhook_server/libs/handlers/runner_handler.py
• webhook_server/tests/test_runner_handler.py

[rnetser]

/build-and-push-container

[myakove-bot]

New container for ghcr.io/myk-org/github-webhook-server:pr-1073 published

[rnetser]

/verified

[rnetser]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@webhook_server/libs/handlers/runner_handler.py`:
- Around line 804-811: The warning log at self.logger.warning uses the raw
stderr returned from run_command (err) which can contain sensitive author info;
before logging, redact/mask secrets (github_token, author_spec, author_email,
author_name) from err using the same redaction/masking logic used by run_command
(or a shared redact utility) and then log the redacted message (e.g., compute
redacted_err = redact(err, [github_token, author_spec, author_email,
author_name]) and use that in the f"{self.log_prefix} Failed to amend..." call);
update the code paths around run_command, self.logger.warning, and any helper
used for redaction to ensure stderr is never logged unredacted.

In `@webhook_server/tests/test_runner_handler.py`:
- Around line 1912-2185: Add two tests for
RunnerHandler._restore_original_author_for_cherry_pick that cover
github_api_call failure paths: (1) patch
"webhook_server.libs.handlers.runner_handler.github_api_call" to raise a regular
Exception when calling pull_request.get_commits (use the existing runner_handler
and _make_pr_with_commits helpers), assert the method returns False and that
runner_handler.github_webhook.logger.exception was called; (2) patch
github_api_call to raise asyncio.CancelledError and assert the CancelledError is
propagated (re-raised). Ensure both tests target the same function name
_restore_original_author_for_cherry_pick and verify behavior per
logger.exception and return False for the non-cancelled error path.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1cfb4e4d-7a01-450d-882d-84be721a11d7

📥 Commits

Reviewing files that changed from the base of the PR and between 908b4b0 and cff4cf9.

📒 Files selected for processing (2)

• webhook_server/libs/handlers/runner_handler.py
• webhook_server/tests/test_runner_handler.py

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@rnetser: Thanks for the update! Adding mock_restore_author.assert_awaited_once() to both the conflict-resolution and auto-completed AI cherry-pick test paths ensures the DCO author restore hook is exercised on every code path — good coverage for a correctness-critical step.

---

🧠 Learnings used

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 1025
File: webhook_server/libs/handlers/pull_request_handler.py:1080-1088
Timestamp: 2026-03-12T15:01:22.831Z
Learning: In myk-org/github-webhook-server, the label category configuration (e.g., the "cherry-pick" category in `enabled_labels`/`is_label_enabled`) controls only whether labels are displayed or shown in the UI welcome message. It does NOT gate actual label creation. Labels such as `ai-resolved-conflicts` and `CherryPicked-from-<branch>` are always applied via PyGithub `add_to_labels()` in `cherry_pick()` in `webhook_server/libs/handlers/runner_handler.py`, regardless of category settings. Therefore, checking for these labels in `_process_verified_for_update_or_new_pull_request` (e.g., `is_ai_resolved`, `is_cherry_picked`) is safe and reliable even when the cherry-pick label category is "disabled".

---

Learnt from: rnetser
Repo: myk-org/github-webhook-server PR: 1073
File: webhook_server/libs/handlers/runner_handler.py:770-830
Timestamp: 2026-04-16T17:56:43.373Z
Learning: In `webhook_server/libs/handlers/runner_handler.py`, `_restore_original_author_for_cherry_pick()` intentionally uses `source_commit.commit.author.name/email` (the git author object) instead of the parsed `Signed-off-by` trailer identity to restore the cherry-picked commit author. The reason: `Signed-off-by` trailers may contain a short username (e.g., `rnetser`) while DCO validation requires the full GitHub profile name (e.g., `Ruth Netser`). The git commit author object holds the authoritative full name. All existing `Signed-off-by` trailers are intentionally removed and replaced with a single trailer synthesized from the git author identity to guarantee DCO compliance (name in author field matches name in trailer). Do NOT suggest using the parsed trailer identity as the restored author, as that would reintroduce the very DCO mismatch this method is designed to fix.

---

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 1002
File: webhook_server/tests/test_pull_request_review_handler.py:298-344
Timestamp: 2026-02-28T12:05:25.906Z
Learning: In the myk-org/github-webhook-server repository's test-oracle integration (webhook_server/libs/test_oracle.py and webhook_server/libs/handlers/*.py), the 'approved' trigger refers to the `/approve` **command** (user-initiated comment command), NOT GitHub's review approval state. GitHub review approvals without the `/approve` command should NOT trigger the test oracle. This distinction is critical: review state "approved" alone does not trigger oracle; only the explicit `/approve` command does.

---

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 612
File: webhook_server_container/libs/github_api.py:2089-2100
Timestamp: 2024-10-29T08:09:57.157Z
Learning: In `webhook_server_container/libs/github_api.py`, when the function `_keep_approved_by_approvers_after_rebase` is called, existing approval labels have already been cleared after pushing new changes, so there's no need to check for existing approvals within this function.

---

Learnt from: CR
Repo: myk-org/github-webhook-server PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-14T12:01:31.249Z
Learning: Applies to webhook_server/libs/handlers/**/*.py : PR test oracle integration via `/test-oracle` command uses shared `call_test_oracle()` helper from `webhook_server/libs/test_oracle.py`

---

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 586
File: webhook_server_container/libs/github_api.py:1947-1956
Timestamp: 2024-10-08T09:19:56.185Z
Learning: In `webhook_server_container/libs/github_api.py`, the indentation style used in the `set_pull_request_automerge` method is acceptable as per the project's coding standards.

---

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 612
File: webhook_server_container/libs/github_api.py:925-926
Timestamp: 2024-10-29T10:42:50.163Z
Learning: In `webhook_server_container/libs/github_api.py`, the method `self._keep_approved_by_approvers_after_rebase()` must be called after removing labels when synchronizing a pull request. Therefore, it should be placed outside the `ThreadPoolExecutor` to ensure it runs sequentially after label removal.

---

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 1036
File: webhook_server/libs/github_api.py:609-630
Timestamp: 2026-03-17T14:45:44.692Z
Learning: In myk-org/github-webhook-server, in the `status` event handler inside `process()` in `webhook_server/libs/github_api.py`, only `pending` state is skipped. Terminal states `success`, `failure`, and `error` all trigger `check_if_can_be_merged()` re-evaluation so that the `can-be-merged` check always reflects the current status check outcome. Do NOT flag `failure`/`error` states as incorrectly triggering re-evaluation — this is intentional by design.

---

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 1071
File: webhook_server/libs/handlers/pull_request_handler.py:224-226
Timestamp: 2026-04-14T10:11:43.829Z
Learning: In myk-org/github-webhook-server, retrying non-idempotent GitHub write operations (e.g., `create_issue_comment`, `create_issue`, `create_review_request`) through `github_api_call()` in `webhook_server/utils/github_retry.py` is an accepted and documented tradeoff. The risk of duplicate comments or issues on retry after a transient 5xx error is knowingly accepted in exchange for resilience against transient GitHub API failures. Do NOT flag this pattern as a bug or suggest adding idempotency markers — the decision is intentional and documented in a comment in `github_retry.py` above the retry loop.

---

Learnt from: CR
Repo: myk-org/github-webhook-server PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-14T12:01:31.249Z
Learning: Applies to webhook_server/tests/**/*.py : Test files should mock `asyncio.to_thread` when testing functions that use `github_api_call()` internally

---

Learnt from: CR
Repo: myk-org/github-webhook-server PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-14T12:01:31.249Z
Learning: Applies to webhook_server/**/*.py : Maintain 90% code coverage minimum; new code without tests fails CI

---

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 1071
File: webhook_server/utils/github_retry.py:96-98
Timestamp: 2026-04-14T10:10:35.508Z
Learning: In myk-org/github-webhook-server, the `github_api_call()` wrapper in `webhook_server/utils/github_retry.py` intentionally retries ALL GitHub API calls including non-idempotent/mutating ones (e.g., `create_issue_comment`, `create_issue`, `create_review_request`, `create_check_run`, `merge`) on transient 5xx errors. This is an accepted and documented tradeoff — rare duplicate side effects are considered preferable to hard failures. Do NOT flag this as an issue or suggest splitting read/write retry policies; the maintainer explicitly rejected that approach as adding unnecessary complexity for minimal benefit.

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

[rnetser]

/build-and-push-container

[myakove-bot]

New container for ghcr.io/myk-org/github-webhook-server:pr-1073 published

[rnetser]

/verified

[myakove]

Is this flow happen on any cherry pick or just on PR with dco?
Also in the PR description please remove the redhat.com from the email and use example.com

[myakove-bot]

Clean rebase detected — no code changes compared to previous head (e6b5ad8).
The following labels were preserved: verified, commented-rnetser, commented-coderabbitai[bot], lgtm-coderabbitai[bot].

[myakove-bot]

Clean rebase detected — no code changes compared to previous head (e9f29fa).
The following labels were preserved: verified, commented-rnetser, commented-coderabbitai[bot], lgtm-coderabbitai[bot].

[myakove]

/lgtm
/approve

[myakove-bot]

Successfully removed PR tag: ghcr.io/myk-org/github-webhook-server:pr-1073.

[myakove-bot]

New container for ghcr.io/myk-org/github-webhook-server:latest published