Conversation

@rahuldass19 rahuldass19 commented Feb 13, 2026

🛡️ Security Fixes

  • Docker: Removed gosu (which had 4 Critical + 19 High CVEs) and replaced it with native runuser.
  • Vulnerability Status: Reduced Docker image CVEs to 0 Critical / 0 High (application-level).

🔭 Monitoring & Observability

  • Sentry Integration: Added the sentry-sdk dependency.
  • Auto-Init: The Action now automatically initializes Sentry if the SENTRY_DSN secret is present.
  • Performance: Enabled tracing (traces_sample_rate=1.0) to monitor verification latency.
  • Context: Errors are now tagged with GitHub Actor, Run ID, and Commit SHA.

✅ Verification

  • Verified locally by triggering a manual ZeroDivisionError.
  • Confirmed event arrival in Sentry Dashboard.

Summary by CodeRabbit

  • New Features

    • Optional Sentry integration for error reporting, capturing workflow and environment context when configured.
  • Bug Fixes

    • Improved exception capture and reporting to aid diagnosis.
  • Chores

    • Switched container runtime privilege drop to a native mechanism (removed external helper).
    • Added Sentry dependency and updated dependency lockfile.
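The Sentry wiring this PR describes, written out as an added example (not the project's action_entrypoint.py): the sentry_sdk import is guarded so the action still runs without the package, initialization happens only when SENTRY_DSN is set, the tags come from the default GitHub Actions environment variables (GITHUB_REPOSITORY, GITHUB_ACTOR, GITHUB_RUN_ID, GITHUB_SHA), and the wrapper around main() captures the exception and re-raises it with a bare raise, as the review comment further down asks. The RecordingSDK stand-in, the demo() function and the placeholder DSN are assumptions added so the block runs offline; sentry_sdk.init, set_tag and capture_exception are the real SDK calls.

```python
"""Guarded Sentry wiring for a GitHub Action entrypoint (added example, not the project's code)."""
from typing import Any, Callable, Mapping

try:
    import sentry_sdk  # optional: the action must keep working when the SDK is absent
except ImportError:
    sentry_sdk = None

# GitHub Actions sets these for every job run; they become Sentry tags.
GITHUB_CONTEXT = {
    "repository": "GITHUB_REPOSITORY",
    "actor": "GITHUB_ACTOR",
    "run_id": "GITHUB_RUN_ID",
    "commit_sha": "GITHUB_SHA",
}


def github_tags(env: Mapping[str, str]) -> dict:
    """Collect whatever GitHub context is present; unset or empty variables are skipped."""
    return {tag: env[var] for tag, var in GITHUB_CONTEXT.items() if env.get(var)}


def init_sentry(env: Mapping[str, str], sdk: Any = sentry_sdk, traces_sample_rate: float = 1.0) -> bool:
    """Initialise Sentry only when a DSN is configured and an SDK is available.

    Returns True when reporting is active. send_default_pii stays False so the SDK
    attaches no user or request data on its own; the explicit tags are the only context.
    """
    dsn = env.get("SENTRY_DSN")
    if not dsn or sdk is None:
        return False
    sdk.init(dsn=dsn, traces_sample_rate=traces_sample_rate, send_default_pii=False)
    for name, value in github_tags(env).items():
        sdk.set_tag(name, value)
    return True


def run_reporting(main: Callable[[], Any], env: Mapping[str, str], sdk: Any = sentry_sdk) -> Any:
    """Run main(); on failure report the exception (if enabled) and re-raise it unchanged."""
    enabled = init_sentry(env, sdk)
    try:
        return main()
    except Exception as exc:
        if enabled:
            sdk.capture_exception(exc)
        # Bare `raise` keeps the original traceback; `raise exc` would make the
        # traceback point at this line instead of the failing call inside main().
        raise


class RecordingSDK:
    """Offline stand-in for sentry_sdk (an assumption of this example): records calls, sends nothing."""

    def __init__(self) -> None:
        self.init_kwargs: dict = {}
        self.tags: dict = {}
        self.captured: list = []

    def init(self, **kwargs: Any) -> None:
        self.init_kwargs = kwargs

    def set_tag(self, key: str, value: str) -> None:
        self.tags[key] = value

    def capture_exception(self, exc: BaseException) -> None:
        self.captured.append(exc)


def demo() -> dict:
    """Exercise both paths with a constructed environment: no network, no real DSN."""
    env = {
        "SENTRY_DSN": "https://examplePublicKey@o0.ingest.sentry.io/0",  # constructed placeholder
        "GITHUB_REPOSITORY": "octocat/example-action",
        "GITHUB_ACTOR": "octocat",
        "GITHUB_RUN_ID": "123456789",
        "GITHUB_SHA": "0123456789abcdef0123456789abcdef01234567",
    }

    def failing_main() -> float:
        return 1 / 0  # the same failure the PR author used to verify delivery

    configured = RecordingSDK()
    reraised = None
    try:
        run_reporting(failing_main, env, configured)
    except ZeroDivisionError as exc:
        reraised = exc

    unconfigured = RecordingSDK()  # no DSN: nothing initialised, exception still propagates
    try:
        run_reporting(failing_main, {}, unconfigured)
    except ZeroDivisionError:
        pass

    return {
        "tags": configured.tags,
        "pii": configured.init_kwargs.get("send_default_pii"),
        "captured_is_reraised": configured.captured[0] is reraised,
        "unconfigured_initialised": bool(unconfigured.init_kwargs),
        "unconfigured_captured": len(unconfigured.captured),
    }


if __name__ == "__main__":
    print(demo())
```

traces_sample_rate=1.0 sends a performance transaction for every run, which is fine for a low-volume action but counts against the Sentry quota; lower it if the action runs on every push across many repositories. Keep send_default_pii off and treat SENTRY_DSN as a secret: everything in the tags (repository name, actor login, commit SHA) leaves the runner for a third party, so keep the tag set to these fixed identifiers rather than adding fields from the event payload.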

coderabbitai bot commented Feb 13, 2026

📝 Walkthrough

Walkthrough

Adds optional Sentry error-reporting to the entrypoint (guarded import, init when SENTRY_DSN set, capture on exception). Adds sentry-sdk to dependencies and updates requirements.txt. Dockerfile removes gosu and switches to runuser for privilege dropping in the container entrypoint.

Changes

  • Entrypoint / Error reporting (action_entrypoint.py): Adds guarded sentry_sdk import, initializes Sentry when SENTRY_DSN is present (sets tags and GitHub context), and wraps main() to capture exceptions via Sentry then re-raise.
  • Dependencies (requirements.in, requirements.txt): Adds sentry-sdk to requirements.in; requirements.txt updated with sentry-sdk (v2.52.0) and transitive urllib3 entries plus hashes and metadata.
  • Container / Startup (Dockerfile): Removes gosu installation and updates entrypoint behavior/comments to use native runuser for privilege dropping.

Sequence Diagram

sequenceDiagram
    participant App as Application
    participant SDK as Sentry SDK
    participant Service as Sentry Service

    Note over App: Process startup (__main__)
    App->>App: Read SENTRY_DSN env
    alt SENTRY_DSN set and SDK available
        App->>SDK: Initialize with DSN, tags (repository, actor, run_id) and GitHub context
    else
        Note over App: Sentry not initialized
    end

    rect rgba(100,150,200,0.5)
        App->>App: try: main()
    end

    alt Exception in main()
        App->>SDK: Capture exception
        SDK->>Service: Send error/event
        App->>App: Re-raise exception
    else
        Note over App: Normal exit
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped in with a tiny hop,

Sentry listens from the top,
Runuser hums where gosu fell,
Tags and traces ring the bell,
A rabbit claps — all's running well!

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

  • Merge Conflict Detection: ⚠️ Warning. Merge conflicts detected (4 files):
      ⚔️ Dockerfile (content)
      ⚔️ action_entrypoint.py (content)
      ⚔️ requirements.in (content)
      ⚔️ requirements.txt (content)
    These conflicts must be resolved before merging into main. Resolve conflicts locally and push changes to this branch.

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately covers both main changes: Sentry SDK integration (monitoring feature) and docker security fix (gosu removal). It aligns with the changeset's primary objectives.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
Dockerfile (1)

22-23: Remove the unused dos2unix dependency from line 23.

The entrypoint script is created inline via printf (lines 44-60) to avoid CRLF issues, so dos2unix is never invoked and is not needed. Removing it reduces image size, dependencies, and attack surface.


sentry bot commented Feb 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

coderabbitai bot left a comment

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

59-68: ⚠️ Potential issue | 🟡 Minor

Update the comment to reflect runuser instead of gosu.

Line 68 still references gosu, which is no longer used after the change on Line 59.

📝 Proposed comment fix
-# in entrypoint.sh, then drop privileges to appuser using gosu.
+# in entrypoint.sh, then drop privileges to appuser using runuser.
🤖 Fix all issues with AI agents
In `@action_entrypoint.py`:
- Around line 13-20: There is a duplicate import of the module name "glob" (two
consecutive "import glob" lines); remove the redundant import so "glob" is only
imported once in the top-level imports (leave the single import glob and keep
the existing pathlib and sentry_sdk try/except intact) to resolve the Ruff F811
duplicate-definition error.
- Around line 445-450: The except block catching exceptions from main() should
re-raise the original exception with its full traceback; in the try/except
around main() (referencing main(), sentry_dsn, sentry_sdk and
sentry_sdk.capture_exception), replace the current "raise e" with a bare "raise"
so the original traceback is preserved after optionally calling
sentry_sdk.capture_exception(e).

In `@requirements.txt`:
- Line 105: Pin the sentry-sdk package in requirements.in by adding a version
constraint (e.g., sentry-sdk==X.Y.Z or a compatible specifier) and then
regenerate the lockfile with hashes by running pip-compile --generate-hashes
--output-file=requirements.txt requirements.in so requirements.txt contains the
pinned sentry-sdk entry with hashes; ensure the chosen version is compatible
with the project before committing.
- Around line 7-55: The requirements.txt currently contains a duplicated package
block; remove the entire first requirements block (the earlier header and
packages) so only the authoritative second block remains (the one containing the
corrected sympy hash and typing-extensions==4.15.0). Ensure the top-of-file
autogenerated header appears only once and that sympy==1.12 retains its
corrected third hash. For the unpinned sentry-sdk entry, either remove that line
or pin sentry-sdk to a specific version and include its --hash entries to
satisfy --require-hashes (i.e., add a version and corresponding sha256 hashes),
then run pip-compile to regenerate hashes if needed.
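The three requirements.txt problems in the review above (a duplicated pip-compile header block, a duplicated package entry, and an unpinned sentry-sdk line with no --hash entries) are mechanical enough to check before committing a regenerated lockfile. The checker below is an added example, not part of the project; the SAMPLE lockfile and its sha256 values are constructed placeholders that reproduce those three defects.

```python
"""Hygiene check for a pip-compile style requirements.txt (added example, not the project's code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==\S+$")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
HEADER_MARK = "# This file is autogenerated by pip-compile"


def canonical(name: str) -> str:
    """PEP 503 normalisation: Sentry_SDK, sentry.sdk and sentry-sdk are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Finding:
    kind: str  # unpinned | no-hashes | duplicate | duplicate-header
    name: str
    line: int  # 1-based line where the offending requirement starts


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, requirement) with backslash continuations joined and
    comment-only lines (the header, '# via ...' annotations) dropped."""
    buf: List[str] = []
    start = 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = number
            if not line.strip() or line.lstrip().startswith("#"):
                continue
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)


def audit(text: str) -> List[Finding]:
    """Flag what breaks a hash-locked install: duplicated header blocks, duplicate
    packages, unpinned versions and entries without --hash options. pip switches to
    hash-checking mode as soon as any requirement carries a hash, so a single
    hash-less line makes `pip install -r requirements.txt` fail."""
    findings: List[Finding] = []
    if text.count(HEADER_MARK) > 1:
        findings.append(Finding("duplicate-header", "pip-compile header", 1))
    seen: Dict[str, int] = {}
    for number, logical in logical_lines(text):
        tokens = logical.split()
        req, hashes = tokens[0], [t for t in tokens[1:] if t.startswith("--hash=")]
        if req.startswith("-"):  # -r / --index-url style options are not packages
            continue
        match = NAME_RE.match(req)
        name = canonical(match.group(0)) if match else req
        if name in seen:
            findings.append(Finding("duplicate", name, number))
        seen.setdefault(name, number)
        if not PIN_RE.match(req):
            findings.append(Finding("unpinned", name, number))
        if not hashes:
            findings.append(Finding("no-hashes", name, number))
    return findings


# Constructed lockfile with the three defects named in the review; hashes are placeholders.
SAMPLE = """\
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile --generate-hashes --output-file=requirements.txt requirements.in
#
certifi==2024.2.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
    # via requests
#
# This file is autogenerated by pip-compile with Python 3.11
#
certifi==2024.2.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
urllib3==2.2.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003
    # via sentry-sdk
sentry-sdk
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.kind:16} {f.name:20} line {f.line}")
```

Run it after `pip-compile --generate-hashes --output-file=requirements.txt requirements.in` (the command the review quotes) and expect an empty findings list; wired into CI, the same audit() gates the lockfile so a later hand-edit cannot reintroduce a hash-less or unpinned line.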

@rahuldass19 rahuldass19 merged commit 47381fc into main Feb 13, 2026
24 checks passed