feat(scanning): enhance repository synchronization with rename detection and deletion

mackowski · mackowski · commit 57777c970271 · 2025-10-29T15:43:19.000+01:00
- Add automatic repository rename detection and updates when repositories are renamed in GitHub
- Add automatic repository deletion when repositories no longer exist in GitHub organization
- Add cascading deletion of related records (PolicyViolations and ActionLogs) before removing repositories
- Add comprehensive logging for repository operations (add, rename, remove) with detailed information
- Refactor SyncRepositoriesAsync to use dictionary lookups for improved performance
- Add unit tests for repository deletion and rename scenarios
- Update documentation to reflect repository synchronization capabilities

This ensures the database stays in sync with GitHub organization state without manual intervention.
diff --git a/10xGitHubPolicies.App/Services/Scanning/ScanningService.cs b/10xGitHubPolicies.App/Services/Scanning/ScanningService.cs
@@ -118,24 +118,75 @@ private async Task<Dictionary<string, Policy>> SyncPoliciesAsync(IEnumerable<Pol
 
     private async Task SyncRepositoriesAsync(IReadOnlyList<Octokit.Repository> repositories)
     {
-        var githubRepoIds = repositories.Select(r => r.Id).ToList();
-        var reposInDb = await _dbContext.Repositories
-            .Where(r => githubRepoIds.Contains(r.GitHubRepositoryId))
-            .ToListAsync();
-        var reposInDbIds = reposInDb.Select(r => r.GitHubRepositoryId).ToHashSet();
+        var githubRepoIds = repositories.Select(r => r.Id).ToHashSet();
 
+        // Get all repositories from database
+        var allReposInDb = await _dbContext.Repositories.ToListAsync();
+        var reposInDbMap = allReposInDb.ToDictionary(r => r.GitHubRepositoryId);
+
+        // Add new repositories and update existing ones
         foreach (var repo in repositories)
         {
-            if (!reposInDbIds.Contains(repo.Id))
+            if (!reposInDbMap.ContainsKey(repo.Id))
             {
                 _dbContext.Repositories.Add(new Repository
                 {
                     GitHubRepositoryId = repo.Id,
                     Name = repo.FullName,
                     ComplianceStatus = "Pending"
                 });
+                _logger.LogInformation("Added new repository: {RepoName} (GitHub ID: {GitHubRepoId})", repo.FullName, repo.Id);
+            }
+            else
+            {
+                // Update repository name in case it changed (e.g., repo was renamed)
+                var existingRepo = reposInDbMap[repo.Id];
+                if (existingRepo.Name != repo.FullName)
+                {
+                    _logger.LogInformation("Repository renamed: {OldName} -> {NewName} (GitHub ID: {GitHubRepoId})", existingRepo.Name, repo.FullName, repo.Id);
+                    existingRepo.Name = repo.FullName;
+                }
+            }
+        }
+
+        // Find repositories that need to be removed (exist in DB but not in GitHub)
+        var reposToRemove = allReposInDb
+            .Where(r => !githubRepoIds.Contains(r.GitHubRepositoryId))
+            .ToList();
+
+        if (reposToRemove.Any())
+        {
+            _logger.LogInformation(
+                "Removing {Count} repositories that no longer exist in GitHub: {RepoNames}",
+                reposToRemove.Count,
+                string.Join(", ", reposToRemove.Select(r => r.Name)));
+
+            // Delete related records first (PolicyViolations and ActionLogs)
+            var repoIdsToRemove = reposToRemove.Select(r => r.RepositoryId).ToList();
+
+            var violationsToRemove = await _dbContext.PolicyViolations
+                .Where(v => repoIdsToRemove.Contains(v.RepositoryId))
+                .ToListAsync();
+
+            var actionLogsToRemove = await _dbContext.ActionsLogs
+                .Where(a => repoIdsToRemove.Contains(a.RepositoryId))
+                .ToListAsync();
+
+            if (violationsToRemove.Any())
+            {
+                _logger.LogInformation("Removing {Count} policy violations for deleted repositories", violationsToRemove.Count);
+                _dbContext.PolicyViolations.RemoveRange(violationsToRemove);
             }
+
+            if (actionLogsToRemove.Any())
+            {
+                _logger.LogInformation("Removing {Count} action logs for deleted repositories", actionLogsToRemove.Count);
+                _dbContext.ActionsLogs.RemoveRange(actionLogsToRemove);
+            }
+
+            _dbContext.Repositories.RemoveRange(reposToRemove);
         }
+
         await _dbContext.SaveChangesAsync();
     }
 }
diff --git a/10xGitHubPolicies.Tests/Services/Scanning/ScanningServiceTests.cs b/10xGitHubPolicies.Tests/Services/Scanning/ScanningServiceTests.cs
@@ -445,6 +445,168 @@ public async Task PerformScanAsync_WhenRepositoriesExist_SkipsExisting()
         repositories.Should().Contain(r => r.RepositoryId == existingRepo2.RepositoryId);
     }
 
+    [Fact]
+    [Trait("Category", "Unit")]
+    [Trait("Feature", "Scanning")]
+    public async Task PerformScanAsync_WhenRepositoriesDeletedInGitHub_RemovesFromDatabase()
+    {
+        // Arrange
+        var existingRepo1 = new Repository
+        {
+            GitHubRepositoryId = 100,
+            Name = "test-org/existing-repo-1",
+            ComplianceStatus = "Compliant"
+        };
+        var deletedRepo = new Repository
+        {
+            GitHubRepositoryId = 200,
+            Name = "test-org/deleted-repo",
+            ComplianceStatus = "NonCompliant"
+        };
+        var archivedRepo = new Repository
+        {
+            GitHubRepositoryId = 300,
+            Name = "test-org/archived-repo",
+            ComplianceStatus = "Pending"
+        };
+        _dbContext.Repositories.AddRange(existingRepo1, deletedRepo, archivedRepo);
+        await _dbContext.SaveChangesAsync();
+
+        // Create related violations and action logs for the deleted repos
+        var policy = new Policy
+        {
+            PolicyKey = "has_agents_md",
+            Description = "Test policy",
+            Action = "create-issue"
+        };
+        _dbContext.Policies.Add(policy);
+        await _dbContext.SaveChangesAsync();
+
+        var scan = new Scan
+        {
+            Status = "Completed",
+            StartedAt = DateTime.UtcNow.AddHours(-1),
+            CompletedAt = DateTime.UtcNow.AddHours(-1)
+        };
+        _dbContext.Scans.Add(scan);
+        await _dbContext.SaveChangesAsync();
+
+        var violationForDeletedRepo = new PolicyViolation
+        {
+            ScanId = scan.ScanId,
+            RepositoryId = deletedRepo.RepositoryId,
+            PolicyId = policy.PolicyId,
+            PolicyType = "has_agents_md"
+        };
+        var violationForArchivedRepo = new PolicyViolation
+        {
+            ScanId = scan.ScanId,
+            RepositoryId = archivedRepo.RepositoryId,
+            PolicyId = policy.PolicyId,
+            PolicyType = "has_agents_md"
+        };
+        _dbContext.PolicyViolations.AddRange(violationForDeletedRepo, violationForArchivedRepo);
+
+        var actionLogForDeletedRepo = new ActionLog
+        {
+            RepositoryId = deletedRepo.RepositoryId,
+            PolicyId = policy.PolicyId,
+            ActionType = "create-issue",
+            Timestamp = DateTime.UtcNow,
+            Status = "Completed",
+            Details = "Test action"
+        };
+        var actionLogForArchivedRepo = new ActionLog
+        {
+            RepositoryId = archivedRepo.RepositoryId,
+            PolicyId = policy.PolicyId,
+            ActionType = "log-only",
+            Timestamp = DateTime.UtcNow,
+            Status = "Completed",
+            Details = "Test action"
+        };
+        _dbContext.ActionsLogs.AddRange(actionLogForDeletedRepo, actionLogForArchivedRepo);
+        await _dbContext.SaveChangesAsync();
+
+        var config = CreateTestConfig(
+            new PolicyConfig { Type = "has_agents_md", Action = "create-issue" }
+        );
+
+        // Only repo1 exists in GitHub now (repo2 and repo3 were deleted/archived)
+        var repos = new List<Octokit.Repository>
+        {
+            CreateTestRepository(100, "existing-repo-1")
+        };
+
+        _configurationService.GetConfigAsync(Arg.Any<bool>()).Returns(config);
+        _githubService.GetOrganizationRepositoriesAsync().Returns(repos);
+        _policyEvaluationService.EvaluateRepositoryAsync(
+            Arg.Any<Octokit.Repository>(),
+            Arg.Any<IEnumerable<PolicyConfig>>()
+        ).Returns(Task.FromResult<IEnumerable<PolicyViolation>>(new List<PolicyViolation>()));
+
+        // Act
+        await _sut.PerformScanAsync();
+
+        // Assert
+        var repositories = await _dbContext.Repositories.ToListAsync();
+        repositories.Should().HaveCount(1, because: "only existing repository should remain");
+        repositories.Should().Contain(r => r.RepositoryId == existingRepo1.RepositoryId);
+        repositories.Should().NotContain(r => r.RepositoryId == deletedRepo.RepositoryId);
+        repositories.Should().NotContain(r => r.RepositoryId == archivedRepo.RepositoryId);
+
+        // Verify related violations were removed
+        var violations = await _dbContext.PolicyViolations.ToListAsync();
+        violations.Should().NotContain(v => v.RepositoryId == deletedRepo.RepositoryId);
+        violations.Should().NotContain(v => v.RepositoryId == archivedRepo.RepositoryId);
+
+        // Verify related action logs were removed
+        var actionLogs = await _dbContext.ActionsLogs.ToListAsync();
+        actionLogs.Should().NotContain(a => a.RepositoryId == deletedRepo.RepositoryId);
+        actionLogs.Should().NotContain(a => a.RepositoryId == archivedRepo.RepositoryId);
+    }
+
+    [Fact]
+    [Trait("Category", "Unit")]
+    [Trait("Feature", "Scanning")]
+    public async Task PerformScanAsync_WhenRepositoryRenamed_UpdatesName()
+    {
+        // Arrange
+        var existingRepo = new Repository
+        {
+            GitHubRepositoryId = 100,
+            Name = "test-org/old-repo-name",
+            ComplianceStatus = "Compliant"
+        };
+        _dbContext.Repositories.Add(existingRepo);
+        await _dbContext.SaveChangesAsync();
+
+        var config = CreateTestConfig(
+            new PolicyConfig { Type = "has_agents_md", Action = "create-issue" }
+        );
+
+        // Repository was renamed in GitHub
+        var repos = new List<Octokit.Repository>
+        {
+            CreateTestRepository(100, "new-repo-name")
+        };
+
+        _configurationService.GetConfigAsync(Arg.Any<bool>()).Returns(config);
+        _githubService.GetOrganizationRepositoriesAsync().Returns(repos);
+        _policyEvaluationService.EvaluateRepositoryAsync(
+            Arg.Any<Octokit.Repository>(),
+            Arg.Any<IEnumerable<PolicyConfig>>()
+        ).Returns(Task.FromResult<IEnumerable<PolicyViolation>>(new List<PolicyViolation>()));
+
+        // Act
+        await _sut.PerformScanAsync();
+
+        // Assert
+        var repository = await _dbContext.Repositories.SingleAsync(r => r.GitHubRepositoryId == 100);
+        repository.Name.Should().Be("test-org/new-repo-name", because: "repository name should be updated");
+        repository.RepositoryId.Should().Be(existingRepo.RepositoryId, because: "same repository should be updated, not duplicated");
+    }
+
     [Fact]
     [Trait("Category", "Unit")]
     [Trait("Feature", "Scanning")]
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,32 @@
 
 All notable changes to this project will be documented in this file.
 
+## 1.5
+
+### Added
+- **Enhanced Repository Synchronization**: Improved `ScanningService` repository synchronization logic
+  - Added automatic repository rename detection and updates when repositories are renamed in GitHub
+  - Added automatic repository deletion when repositories no longer exist in GitHub organization
+  - Added cascading deletion of related records (PolicyViolations and ActionLogs) before removing repositories
+  - Added comprehensive logging for repository operations (add, rename, remove) with detailed information
+  - Ensures database stays in sync with GitHub organization state without manual intervention
+- **Repository Synchronization Unit Tests**: Added comprehensive test coverage for repository synchronization scenarios
+  - `PerformScanAsync_WhenRepositoriesDeletedInGitHub_RemovesFromDatabase`: Tests repository deletion with cascading cleanup
+  - `PerformScanAsync_WhenRepositoryRenamed_UpdatesName`: Tests repository rename detection and updates
+
+### Changed
+- **ScanningService**: Refactored `SyncRepositoriesAsync` method for improved repository synchronization
+  - Changed from filtering database repositories by GitHub IDs to loading all repositories and mapping them
+  - Improved performance by using dictionary lookups instead of repeated database queries
+  - Enhanced data consistency by maintaining complete repository state in database
+
+### Technical Details
+- **Repository Synchronization Strategy**: 
+  - Loads all repositories from database into memory for efficient comparison
+  - Uses GitHub repository ID as the unique identifier (preserves identity across renames)
+  - Performs three-phase synchronization: add new repos, update existing repos, remove deleted repos
+  - Cascades deletions to maintain referential integrity (PolicyViolations and ActionLogs removed before repositories)
+
 ## 1.4
 
 ### Added
diff --git a/docs/hangfire-integration.md b/docs/hangfire-integration.md
@@ -125,6 +125,16 @@ The `ActionService` processes violations by:
 
 This decouples the scanning process from the action-taking process. This is a robust design because even if the action-taking process fails, it can be retried independently from the scan itself, and the scan results are already safely stored in the database.
 
+### Repository Synchronization During Scans
+
+During each scan, the `ScanningService` automatically synchronizes the database with the current state of the GitHub organization:
+
+- **New Repositories**: Detected and added to the database
+- **Renamed Repositories**: Repository names updated automatically (detected by GitHub repository ID)
+- **Deleted Repositories**: Removed from database with cascading cleanup of related records
+
+This ensures that the compliance dashboard always reflects the current state of your GitHub organization, even as repositories are added, renamed, or removed over time.
+
 ## Best Practices
 
 -   **Idempotent Jobs**: Whenever possible, design background jobs to be idempotent. This means that running the job multiple times with the same input will produce the same result. Hangfire has built-in retry mechanisms, so idempotent jobs are safer to run.
diff --git a/docs/policy-evaluation.md b/docs/policy-evaluation.md
@@ -16,12 +16,30 @@ The key components of the architecture are:
 
 1.  The `ScanningService` initiates a scan.
 2.  It retrieves the policy configuration from the `.github/config.yaml` file.
-3.  For each repository in the organization, it calls `IPolicyEvaluationService.EvaluateRepositoryAsync()`.
-4.  The `PolicyEvaluationService` uses dependency injection to get all registered `IPolicyEvaluator` implementations.
-5.  It matches the `type` of each policy in the configuration with the `PolicyType` property of the available evaluators.
-6.  When a match is found, it executes the `EvaluateAsync` method of that specific evaluator.
-7.  If the evaluator finds a violation, it returns a `PolicyViolation` object.
-8.  The `ScanningService` collects all violations and saves them to the database.
+3.  It synchronizes policies from the configuration file with the database (adds new policies if needed).
+4.  It synchronizes repositories between GitHub and the database:
+    - Adds new repositories that exist in GitHub but not in the database
+    - Updates repository names if repositories were renamed in GitHub
+    - Removes repositories that no longer exist in GitHub (with cascading deletion of related PolicyViolations and ActionLogs)
+5.  For each repository in the organization, it calls `IPolicyEvaluationService.EvaluateRepositoryAsync()`.
+6.  The `PolicyEvaluationService` uses dependency injection to get all registered `IPolicyEvaluator` implementations.
+7.  It matches the `type` of each policy in the configuration with the `PolicyType` property of the available evaluators.
+8.  When a match is found, it executes the `EvaluateAsync` method of that specific evaluator.
+9.  If the evaluator finds a violation, it returns a `PolicyViolation` object.
+10. The `ScanningService` collects all violations and saves them to the database.
+11. After the scan completes, it enqueues a background job to process automated actions for the violations found.
+
+### Repository Synchronization
+
+The `ScanningService` ensures that the database repository list stays synchronized with the GitHub organization:
+
+- **New Repositories**: Automatically detected and added to the database with status "Pending"
+- **Renamed Repositories**: Detection based on GitHub repository ID (which remains constant across renames). Repository names are automatically updated in the database.
+- **Deleted Repositories**: Repositories that no longer exist in GitHub are removed from the database, along with their related records:
+  - Policy violations associated with the repository
+  - Action logs for actions taken on the repository
+
+This synchronization happens automatically during each scan, ensuring the database always reflects the current state of the GitHub organization.
 
 ---
 
