feat(autofix): Add GitLab repository support

.coderabbit.yaml

@@ -0,0 +1,132 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+# CodeRabbit Configuration for Seer - Sentry's AI/ML Service
+# Documentation: https://docs.coderabbit.ai/guides/configure-coderabbit
+
+language: en-US
+
+early_access: true
+
+reviews:
+  # Enable high-quality reviews
+  high_level_summary: true
+  high_level_summary_placeholder: "@coderabbitai summary"
+
+  # Review profile - assertive for thorough code review
+  profile: assertive
+
+  # Request changes when issues found
+  request_changes_workflow: true
+
+  # Collapse walkthrough for cleaner PR comments
+  collapse_walkthrough: true
+
+  # Enable poem in reviews (fun touch)
+  poem: false
+
+  # Review status - show in PR
+  review_status: true
+
+  # Auto-review settings
+  auto_review:
+    enabled: true
+    auto_incremental_review: true
+    drafts: false  # Don't review draft PRs
+    base_branches:
+      - main
+      - master
+
+  # Path-based review instructions
+  path_instructions:
+    - path: "src/seer/automation/**/*.py"
+      instructions: |
+        Focus on:
+        - LLM prompt injection vulnerabilities
+        - Proper error handling for external API calls (GitHub, GitLab, OpenAI, Anthropic)
+        - Resource cleanup (temp directories, file handles)
+        - Timeout handling for long-running operations
+        - Type safety with abstract base classes
+
+    - path: "src/seer/automation/codebase/**/*.py"
+      instructions: |
+        This is the repository client layer. Pay attention to:
+        - Consistent return types between GitHub and GitLab implementations
+        - Proper authentication token handling (never log tokens)
+        - Rate limiting considerations
+        - Branch/commit SHA validation
+
+    - path: "src/seer/automation/agent/**/*.py"
+      instructions: |
+        This is the LLM client layer. Check for:
+        - Multi-provider compatibility (Anthropic, OpenAI, Google)
+        - Proper streaming/timeout handling
+        - Token counting and context limits
+        - Fallback logic between regions/models
+
+    - path: "tests/**/*.py"
+      instructions: |
+        Ensure tests:
+        - Use real database connections, not mocks (per project guidelines)
+        - Don't test logging or mock behavior
+        - Use dependency injection for isolation
+        - Have meaningful assertions
+
+    - path: "**/*migration*.py"
+      instructions: |
+        Database migrations require extra scrutiny:
+        - Check for data loss risks
+        - Verify rollback capability
+        - Consider performance on large tables
+
+    - path: "src/seer/configuration.py"
+      instructions: |
+        Configuration changes:
+        - Ensure no secrets have default values
+        - Check for proper type annotations
+        - Verify environment variable naming consistency
+
+  # Tools configuration
+  tools:
+    # Enable AST-based analysis
+    ast-grep:
+      enabled: true
+
+    # Python-specific tools
+    ruff:
+      enabled: true
+
+    # Security scanning
+    semgrep:
+      enabled: true
+
+    # Shell script checking
+    shellcheck:
+      enabled: true
+
+    # GitHub Actions validation
+    actionlint:
+      enabled: true
+
+    # Markdown linting
+    markdownlint:
+      enabled: true
+
+    # YAML validation
+    yamllint:
+      enabled: true
+
+    # Biome for any JS/TS
+    biome:
+      enabled: true
+
+chat:
+  auto_reply: true
+
+# Knowledge base for better context
+knowledge_base:
+  opt_out: false
+  learnings:
+    scope: auto
+  issues:
+    scope: auto
+  pull_requests:
+    scope: auto

.github/workflows/build-push-gcp.yml

@@ -0,0 +1,117 @@
+name: Build and Push to GCP Artifact Registry
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+      - '.coderabbit.yaml'
+  pull_request:
+    branches:
+      - main
+    types: [closed]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Image tag (defaults to commit SHA)'
+        required: false
+        type: string
+
+env:
+  GCP_PROJECT_ID: kencove-prod
+  GCP_REGION: us-central1
+  REPOSITORY: kencove-docker-repo
+  IMAGE_NAME: seer
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    # Only run on push to main, manual trigger, or merged PRs
+    if: |
+      github.event_name == 'push' ||
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
+
+    permissions:
+      contents: read
+      id-token: write  # Required for Workload Identity Federation
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+          # Alternative: Use Workload Identity Federation (more secure, requires GCP setup)
+          # workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID'
+          # service_account: 'SA_NAME@PROJECT_ID.iam.gserviceaccount.com'
+
+      - name: Configure Docker for Artifact Registry
+        run: gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet
+
+      - name: Generate image tags
+        id: tags
+        env:
+          # Pass user-controlled inputs through env vars to prevent script injection
+          INPUT_TAG: ${{ inputs.tag }}
+          HEAD_REF: ${{ github.head_ref }}
+        run: |
+          REGISTRY="${{ env.GCP_REGION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.IMAGE_NAME }}"
+          SHA_SHORT=$(git rev-parse --short HEAD)
+
+          # Use input tag if provided, otherwise use commit SHA
+          if [ -n "$INPUT_TAG" ]; then
+            CUSTOM_TAG="$INPUT_TAG"
+          else
+            CUSTOM_TAG="${SHA_SHORT}"
+          fi
+
+          # Build tags list
+          TAGS="${REGISTRY}:${CUSTOM_TAG}"
+          TAGS="${TAGS},${REGISTRY}:${SHA_SHORT}"
+
+          # Add 'latest' tag only on main branch push
+          if [ "${{ github.ref }}" == "refs/heads/main" ] && [ "${{ github.event_name }}" == "push" ]; then
+            TAGS="${TAGS},${REGISTRY}:latest"
+          fi
+
+          # Add branch name tag for PRs
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            BRANCH_TAG=$(echo "$HEAD_REF" | sed 's/[^a-zA-Z0-9]/-/g' | cut -c1-50)
+            TAGS="${TAGS},${REGISTRY}:${BRANCH_TAG}"
+          fi
+
+          echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+          echo "sha_short=${SHA_SHORT}" >> $GITHUB_OUTPUT
+          echo "Generated tags: ${TAGS}"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.tags.outputs.tags }}
+          build-args: |
+            SEER_VERSION_SHA=${{ steps.tags.outputs.sha_short }}
+            SENTRY_ENVIRONMENT=production
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Output image info
+        run: |
+          echo "### Docker Image Published :rocket:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Registry:** ${{ env.GCP_REGION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.IMAGE_NAME }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Tags:**" >> $GITHUB_STEP_SUMMARY
+          echo '${{ steps.tags.outputs.tags }}' | tr ',' '\n' | while read tag; do
+            echo "- \`${tag}\`" >> $GITHUB_STEP_SUMMARY
+          done

.github/workflows/linting.yml

@@ -48,17 +48,18 @@ jobs:
             # --show-diff-on-failure will display what needs to be fixed without making changes
             xargs pre-commit run --show-diff-on-failure --files
 
+      # Auto-fix requires Sentry's internal GitHub App - skip for forks
       - name: Get auth token
         id: token
-        if: ${{ steps.pre-commit_results.outcome == 'failure' }}
+        if: ${{ steps.pre-commit_results.outcome == 'failure' && vars.SENTRY_INTERNAL_APP_ID != '' }}
+        continue-on-error: true
         uses: getsentry/action-github-app-token@d4b5da6c5e37703f8c3b3e43abb5705b46e159cc # v3.0.0
         with:
           app_id: ${{ vars.SENTRY_INTERNAL_APP_ID }}
           private_key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }}
 
       - name: Apply any pre-commit fixed files
-        if: ${{ steps.pre-commit_results.outcome == 'failure' }}
-        # note: this runs "always" or else it's skipped when pre-commit fails
+        if: ${{ steps.pre-commit_results.outcome == 'failure' && steps.token.outputs.token != '' }}
         uses: getsentry/action-github-commit@5972d5f578ad77306063449e718c0c2a6fbc4ae1 # v2.1.0
         with:
           github-token: ${{ steps.token.outputs.token }}

.github/workflows/tests.yml

@@ -31,23 +31,25 @@ jobs:
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - id: "auth"
-        uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1
+        uses: google-github-actions/auth@v2
+        continue-on-error: true
         with:
-          workload_identity_provider: "projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool"
-          service_account: "[email protected]"
-          token_format: "id_token"
-          id_token_audience: "610575311308-9bsjtgqg4jm01mt058rncpopujgk3627.apps.googleusercontent.com"
-          id_token_include_email: true
-          create_credentials_file: true
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - name: Compute requirements hash
+        id: req-hash
+        run: echo "hash=$(sha256sum requirements.txt | cut -c1-8)" >> $GITHUB_OUTPUT
 
       - name: Build and push Docker image
         run: |
           make .env
+          # Use requirements hash in cache key to invalidate when deps change
+          CACHE_KEY="ghcr.io/${{ github.repository_owner }}/seer:cache-${{ steps.req-hash.outputs.hash }}"
           docker buildx bake --file docker-compose.yml --file docker-compose-cache.json \
-            --set *.cache-to=type=registry,ref=ghcr.io/getsentry/seer:cache,mode=max \
-            --set *.cache-from=type=registry,ref=ghcr.io/getsentry/seer:cache \
+            --set *.cache-to=type=registry,ref=${CACHE_KEY},mode=max \
+            --set *.cache-from=type=registry,ref=${CACHE_KEY} \
             --set *.output=type=registry \
-            --set *.tags=ghcr.io/getsentry/seer:cache-${{ github.sha }}
+            --set *.tags=ghcr.io/${{ github.repository_owner }}/seer:cache-${{ github.sha }}
 
   typecheck:
     needs: [build_and_push]
@@ -70,7 +72,7 @@ jobs:
 
       - name: Pull pre-built Docker image
         run: |
-          docker pull ghcr.io/getsentry/seer:${IMAGE_TAG}
+          docker pull ghcr.io/${{ github.repository_owner }}/seer:${IMAGE_TAG}
           cp docker-compose.ci.yml docker-compose.override.yml
 
       - name: Create blank .env
@@ -105,21 +107,17 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - id: "auth"
-        uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1
+        uses: google-github-actions/auth@v2
+        continue-on-error: true
         with:
-          workload_identity_provider: "projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool"
-          service_account: "[email protected]"
-          token_format: "id_token"
-          id_token_audience: "610575311308-9bsjtgqg4jm01mt058rncpopujgk3627.apps.googleusercontent.com"
-          id_token_include_email: true
-          create_credentials_file: true
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
 
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1
 
       - name: Pull pre-built Docker image
         run: |
-          docker pull ghcr.io/getsentry/seer:${IMAGE_TAG}
+          docker pull ghcr.io/${{ github.repository_owner }}/seer:${IMAGE_TAG}
           cp docker-compose.ci.yml docker-compose.override.yml
 
       - name: Create blank .env
@@ -138,16 +136,22 @@ jobs:
 
       - name: Fetch models
         if: github.event_name == 'push'
+        continue-on-error: true
         run: |
           rm -rf ./models
-          gcloud storage cp -r gs://sentry-ml/seer/models ./
+          gcloud storage cp -r gs://sentry-ml/seer/models ./ || {
+            echo "Models not accessible, using NO_REAL_MODELS mode"
+            mkdir -p models
+            echo "# Placeholder" > models/.keep
+          }
 
       - name: Set test environment flags
         run: |
-          if [[ "${{ github.event_name }}" == "push" ]]; then
-            echo "EXTRA_COMPOSE_TEST_OPTIONS=-e NO_SENTRY_INTEGRATION=1 -e CI=1" >> $GITHUB_ENV
+          # Check if models directory has real models (not just placeholder)
+          if [[ -d "./models" && $(find ./models -type f ! -name '.keep' ! -name '.gitignore' | head -1) ]]; then
+            echo "EXTRA_COMPOSE_TEST_OPTIONS=-e NO_SENTRY_INTEGRATION=1 -e CI=1 -e GITHUB_TOKEN=${{ secrets.GH_PAT }}" >> $GITHUB_ENV
           else
-            echo "EXTRA_COMPOSE_TEST_OPTIONS=-e NO_REAL_MODELS=1 -e NO_SENTRY_INTEGRATION=1 -e CI=1" >> $GITHUB_ENV
+            echo "EXTRA_COMPOSE_TEST_OPTIONS=-e NO_REAL_MODELS=1 -e NO_SENTRY_INTEGRATION=1 -e CI=1 -e GITHUB_TOKEN=${{ secrets.GH_PAT }}" >> $GITHUB_ENV
           fi
 
       - name: Test with pytest

.gitignore

@@ -151,3 +151,7 @@ dmypy.json
 
 # Cassettes
 tests/**/cassettes/
+
+# Local config files
+CLAUDE.md
+entrypoint.sh