fix(ci): ruff format + idempotent GitLab release

InvariantSystems · InvariantSystems · commit 2be80ed1f6cc · 2026-03-09T12:23:03.000-04:00
GitHub Security pipeline:
- Apply ruff format to mcp_server.py, test_gitlab.py, test_mcp.py
  (format --check was failing on all three files)

GitLab pipeline:
- Replace declarative 'release:' keyword with REST API call in
  create-release job — now checks if release already exists before
  creating. This prevents cascading failures when the GitHub→GitLab
  sync workflow force-pushes tags (every re-push triggered a new tag
  pipeline that tried to re-create the same release).
- Switch from glab CLI image to python:3.11-slim (lighter, matches
  other jobs) — uses curl + CI_JOB_TOKEN for the API call.
- Strip 'v' prefix for pip install version in release description.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -56,34 +56,42 @@ test:
     - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
 
 # --- Publish release to CI/CD Catalog ---
+# Idempotent: if the release already exists (e.g. from a re-synced tag),
+# the job succeeds immediately.  This prevents cascading failures when
+# the GitHub→GitLab sync workflow force-pushes tags.
 create-release:
   stage: release
-  image: registry.gitlab.com/gitlab-org/cli:latest
+  image: python:3.11-slim
   script:
-    - echo "Publishing release $CI_COMMIT_TAG to CI/CD Catalog"
-  rules:
-    - if: $CI_COMMIT_TAG =~ /^v?\d+\.\d+\.\d+$/
-  allow_failure: false
-  release:
-    tag_name: $CI_COMMIT_TAG
-    description: |
-      ## AIIR $CI_COMMIT_TAG
-
-      AI Integrity Receipts — tamper-evident cryptographic receipts for every AI-generated commit.
+    - |
+      echo "Checking release status for $CI_COMMIT_TAG"
 
-      ### Install
+      # Check if release already exists (REST API with CI_JOB_TOKEN)
+      STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
+        --header "JOB-TOKEN: $CI_JOB_TOKEN" \
+        "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/releases/${CI_COMMIT_TAG}")
 
-      ```
-      pip install aiir==$CI_COMMIT_TAG
-      ```
+      if [ "$STATUS" = "200" ]; then
+        echo "✅ Release $CI_COMMIT_TAG already exists — skipping"
+        exit 0
+      fi
 
-      ### Use as CI/CD Component
+      # Strip 'v' prefix for pip install version
+      VERSION="${CI_COMMIT_TAG#v}"
 
-      ```yaml
-      include:
-        - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/receipt@$CI_COMMIT_TAG
-      ```
+      # Create release via REST API
+      curl -s --fail \
+        --header "JOB-TOKEN: $CI_JOB_TOKEN" \
+        --header "Content-Type: application/json" \
+        --data "{
+          \"tag_name\": \"${CI_COMMIT_TAG}\",
+          \"name\": \"AIIR ${CI_COMMIT_TAG}\",
+          \"description\": \"## AIIR ${CI_COMMIT_TAG}\\n\\nAI Integrity Receipts — tamper-evident cryptographic receipts for every AI-generated commit.\\n\\n### Install\\n\\n\\\`\\\`\\\`\\npip install aiir==${VERSION}\\n\\\`\\\`\\\`\\n\\n### Use as CI/CD Component\\n\\n\\\`\\\`\\\`yaml\\ninclude:\\n  - component: ${CI_SERVER_FQDN}/${CI_PROJECT_PATH}/receipt@${CI_COMMIT_TAG}\\n\\\`\\\`\\\`\\n\\n### Changelog\\n\\nSee [CHANGELOG.md](https://github.com/invariant-systems-ai/aiir/blob/main/CHANGELOG.md)\"
+        }" \
+        "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/releases"
 
-      ### Changelog
-
-      See [CHANGELOG.md](https://github.com/invariant-systems-ai/aiir/blob/main/CHANGELOG.md)
+      echo ""
+      echo "✅ Release $CI_COMMIT_TAG created"
+  rules:
+    - if: $CI_COMMIT_TAG =~ /^v?\d+\.\d+\.\d+$/
+  allow_failure: false
diff --git a/aiir/mcp_server.py b/aiir/mcp_server.py
@@ -593,9 +593,7 @@ def _handle_aiir_gitlab_summary(args: Dict[str, Any]) -> Dict[str, Any]:
             sast = format_gl_sast_report(receipts)
             summary += (
                 "\n\n<details>\n<summary>🛡️ SAST Report Data</summary>\n\n"
-                "```json\n"
-                + json.dumps(sast, indent=2)
-                + "\n```\n\n</details>"
+                "```json\n" + json.dumps(sast, indent=2) + "\n```\n\n</details>"
             )
 
         # Optionally post to MR (best-effort, non-fatal)
diff --git a/tests/test_gitlab.py b/tests/test_gitlab.py
@@ -759,7 +759,9 @@ def test_successful_query(self):
                 self.assertEqual(result, {"currentUser": {"name": "test-user"}})
                 mock_url.assert_called_once()
                 req = mock_url.call_args[0][0]
-                self.assertEqual(req.get_header("Authorization"), "Bearer glpat-test123")
+                self.assertEqual(
+                    req.get_header("Authorization"), "Bearer glpat-test123"
+                )
                 self.assertIn(b"currentUser", req.data)
 
     def test_custom_api_url(self):
@@ -784,9 +786,9 @@ def test_custom_api_url(self):
 
     def test_graphql_errors_raise(self):
         """GraphQL errors in response raise RuntimeError."""
-        response_data = json.dumps(
-            {"errors": [{"message": "Syntax error"}]}
-        ).encode("utf-8")
+        response_data = json.dumps({"errors": [{"message": "Syntax error"}]}).encode(
+            "utf-8"
+        )
 
         mock_resp = unittest.mock.MagicMock()
         mock_resp.read.return_value = response_data
diff --git a/tests/test_mcp.py b/tests/test_mcp.py
@@ -293,8 +293,16 @@ def _make_test_receipt(
         "version": CLI_VERSION,
         "commit": {
             "sha": sha,
-            "author": {"name": "Test", "email": "t@e.com", "date": "2026-01-01T00:00:00Z"},
-            "committer": {"name": "Test", "email": "t@e.com", "date": "2026-01-01T00:00:00Z"},
+            "author": {
+                "name": "Test",
+                "email": "t@e.com",
+                "date": "2026-01-01T00:00:00Z",
+            },
+            "committer": {
+                "name": "Test",
+                "email": "t@e.com",
+                "date": "2026-01-01T00:00:00Z",
+            },
             "subject": subject,
             "message_hash": "sha256:aaa",
             "diff_hash": "sha256:bbb",
@@ -364,7 +372,12 @@ def test_summary_from_ledger(self):
 
         receipts = [
             _make_test_receipt(sha="aaa111", subject="feat: AI feature", is_ai=True),
-            _make_test_receipt(sha="bbb222", subject="fix: human fix", is_ai=False, authorship_class="human"),
+            _make_test_receipt(
+                sha="bbb222",
+                subject="fix: human fix",
+                is_ai=False,
+                authorship_class="human",
+            ),
         ]
 
         with tempfile.TemporaryDirectory() as tmpdir:
@@ -457,7 +470,9 @@ def test_post_to_mr_in_ci_context(self):
                     "GITLAB_TOKEN": "test-token",
                 }
                 with unittest.mock.patch.dict(os.environ, env, clear=True):
-                    with unittest.mock.patch("aiir.mcp_server.post_mr_comment") as mock_post:
+                    with unittest.mock.patch(
+                        "aiir.mcp_server.post_mr_comment"
+                    ) as mock_post:
                         mock_post.return_value = {"id": 1}
                         result = _handle_aiir_gitlab_summary({"post_to_mr": True})
                         mock_post.assert_called_once()
