feat(integrations): Expand org:ci token permissions to Bulk Code Mapping API endpoints #109783
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: New permission class exported but never used
- Removed the unused OrganizationCodeMappingsBulkPermission class from organization.py.
Or push these changes by commenting:
@cursor push ae8667b7aa
Preview (ae8667b7aa)
diff --git a/src/sentry/api/bases/organization.py b/src/sentry/api/bases/organization.py
--- a/src/sentry/api/bases/organization.py
+++ b/src/sentry/api/bases/organization.py
@@ -164,15 +164,6 @@
}
-class OrganizationCodeMappingsBulkPermission(OrganizationPermission):
- scope_map = {
- "GET": ["org:read", "org:write", "org:admin", "org:integrations", "org:ci"],
- "POST": ["org:read", "org:write", "org:admin", "org:integrations", "org:ci"],
- "PUT": ["org:read", "org:write", "org:admin", "org:integrations"],
- "DELETE": ["org:admin", "org:integrations"],
- }
-
-
class OrganizationAdminPermission(OrganizationPermission):
scope_map = {
"GET": ["org:admin"],Add a new permission class that includes `org:ci` in GET and POST scopes, allowing auth tokens used by sentry-cli in CI to call the upcoming bulk code mappings endpoint. Follows the precedent of OrganizationReleasePermission.
Only GET and POST are needed since the endpoint only supports POST.
Hello @romtsn! Can you give a bit more context into this feature? The current
armenzg left a comment
Thank you for splitting the PRs!
| class OrganizationCodeMappingsBulkPermission(OrganizationPermission): | ||
| scope_map = { | ||
| "GET": ["org:read", "org:write", "org:admin", "org:integrations", "org:ci"], | ||
| "POST": ["org:read", "org:write", "org:admin", "org:integrations", "org:ci"], |
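Review bot: `org:ci` is added to the `GET` list as well as `POST`, but the PR description says the endpoint only supports POST. Granting the CI token a method the endpoint does not serve widens the token for no caller; I would keep `org:ci` on `POST` only, or add a comment naming the GET handler that needs it.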
Do we have some documentation explaining what permissions they need to create?
You mean customers? We already recommend creating org tokens over here: https://docs.sentry.io/cli/configuration/#to-authenticate-manually, but I will add a new section re. code mappings after this and the cli part is shipped, covering that as well 👍
@michelletran-sentry apologies, meant to link these PRs to the original proposal I've made: https://www.notion.so/sentry/Code-Mappings-Upload-in-sentry-cli-2ce8b10e4b5d801793d4c75926cda01d tl;dr is this endpoint is going to be used mostly from CI (either via sentry-cli, gradle plugin or directly) so the org:ci permission should fit.
Thanks for the context @romtsn! From a security perspective, I think this is fine, as the current
@michelletran-sentry thanks! I can add it to sentry-cli/gradle plugin changelogs as well as to sentry.io/changelog, but unsure about self-hosted -- should it go here as a note in the upcoming release?
Hmm, I think we can maybe just rely on the auto-generated changelogs in the release notes in Sentry for now (i.e. https://github.com/getsentry/sentry/tags). It looks like it's pulling the title from PR titles, so maybe we should make this PR title more descriptive of the permission changes (so something like
org:ci token permissions to Bulk Code Mapping API endpoints
why does a write endpoint tolerate a read perm?
…pping API endpoints (#109783)
## Summary
- Add `OrganizationCodeMappingsBulkPermission` permission class that includes `org:ci` in GET and POST scopes
- This allows auth tokens used by sentry-cli in CI to call the upcoming bulk code mappings endpoint
- Follows the precedent of `OrganizationReleasePermission` which already includes `org:ci` for POST
## Test plan
- Permission class is exercised by tests in the follow-up PR
- Verified no existing tests are affected
Closes getsentry/sentry-android-gradle-plugin#1073
good point! The scope_map uses OR logic (any()), so listing I tried to mirror
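The OR semantics mentioned in this thread, as an added example that is not code from this PR or from Sentry: a simplified model in which scopes are flat strings (an assumption) and the helper names `is_allowed`, `read_scopes_on_write_methods` and `tightened` are hypothetical. It evaluates the `scope_map` shown in this PR and flags unsafe methods that a read-only scope satisfies.

```python
# Simplified model of a method -> accepted-scopes map; not Sentry's implementation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# scope_map copied from the permission class shown in this PR.
BULK_SCOPE_MAP = {
    "GET": ["org:read", "org:write", "org:admin", "org:integrations", "org:ci"],
    "POST": ["org:read", "org:write", "org:admin", "org:integrations", "org:ci"],
    "PUT": ["org:read", "org:write", "org:admin", "org:integrations"],
    "DELETE": ["org:admin", "org:integrations"],
}


def is_allowed(scope_map, method, token_scopes):
    """OR semantics: one matching scope is enough; unlisted methods are denied."""
    accepted = scope_map.get(method, [])
    return any(scope in token_scopes for scope in accepted)


def read_scopes_on_write_methods(scope_map, read_suffix=":read"):
    """Return {method: [scopes]} for unsafe methods that accept a read-only scope."""
    findings = {}
    for method, accepted in scope_map.items():
        if method in SAFE_METHODS:
            continue
        read_only = [s for s in accepted if s.endswith(read_suffix)]
        if read_only:
            findings[method] = read_only
    return findings


def tightened(scope_map):
    """Copy of the map with read-only scopes dropped from unsafe methods."""
    flagged = read_scopes_on_write_methods(scope_map)
    return {
        method: [s for s in accepted if s not in flagged.get(method, [])]
        for method, accepted in scope_map.items()
    }


if __name__ == "__main__":
    for token in ({"org:read"}, {"org:ci"}):  # constructed token scope sets
        print(sorted(token), "POST allowed:", is_allowed(BULK_SCOPE_MAP, "POST", token))
    print("flagged:", read_scopes_on_write_methods(BULK_SCOPE_MAP))
    print("POST after tightening:", tightened(BULK_SCOPE_MAP)["POST"])
```

A check like `read_scopes_on_write_methods` can run as a unit test over every permission class so that a read scope on a write method has to be added deliberately.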
## Summary
- Add `POST /api/0/organizations/{org}/code-mappings/bulk/` endpoint
that accepts human-readable identifiers (project slug, repo name)
instead of internal IDs
- Uses `update_or_create` loop for best-effort upsert with per-mapping
status reporting
- Supports up to 300 mappings per request, enabling sentry-cli to upload
all mappings for multi-module projects
- Validates paths, branch names, project/repo resolution, and
integration association
Depends on #109783
Closes getsentry/sentry-android-gradle-plugin#1074
## Test plan
- [x] 20 tests covering happy path (single/multiple/update/mixed
create+update), validation errors, and resolution errors
- [x] Pre-commit passes
- [x] Existing code mappings tests unaffected
---------
Co-authored-by: getsantry[bot] <66042841+getsantry[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <[email protected]>
Co-authored-by: Claude Opus 4.6 <[email protected]>
_#skip-changelog_
Add the `sentry-cli code-mappings upload` subcommand group and the `upload` subcommand with file parsing and validation.
This is the first in a stack of 4 PRs to support bulk uploading code mappings from a JSON file — useful for Java/Android multi-module projects that need dozens of mappings.
This PR adds:
- Command scaffold following the `repos`/`deploys` pattern
- JSON file reading and validation (empty arrays, empty stackRoot/sourceRoot)
- CLI args: positional `PATH`, `--repo`, `--default-branch`
- Help and no-subcommand trycmd integration tests
Stack: **#3207** → #3208 → #3209 → #3210
Backend PRs: getsentry/sentry#109783, getsentry/sentry#109785, getsentry/sentry#109786
Closes getsentry/sentry-android-gradle-plugin#1076
Closes getsentry/sentry-android-gradle-plugin#1077
---------
Co-authored-by: Claude Opus 4.6 <[email protected]>
…3208)
*#skip-changelog*
When `--repo` or `--default-branch` are not provided, infer them from the local git repository. Uses the configured VCS remote (SENTRY_VCS_REMOTE / ini) first, then falls back to best-effort remote detection (upstream > origin > first).
Also extracts `find_best_remote()` as a shared utility in `src/utils/vcs.rs`, replacing the inline logic that was duplicated in `git_repo_base_repo_name_preserve_case`.
Stack: #3207 → #3208 → #3209 → #3210
Backend PRs: getsentry/sentry#109783, getsentry/sentry#109785, getsentry/sentry#109786
Closes [GRADLE-79](https://linear.app/getsentry/issue/GRADLE-79/add-git-inference-for-repo-name-and-default-branch)
---------
Co-authored-by: Claude Opus 4.6 <[email protected]>
…#3209)
_#skip-changelog_
Connect the `code-mappings upload` command to the bulk code mappings API endpoint (`POST /api/0/organizations/{org}/code-mappings/bulk/`).
Adds:
- `bulk_upload_code_mappings()` method on `AuthenticatedApi`
- Request/response data types in `src/api/data_types/code_mappings.rs`
- Summary table and error reporting in the command output
- Happy-path integration test with mock endpoint
Stack: #3207 → #3208 → **#3209** → #3210
Backend PRs: getsentry/sentry#109783, getsentry/sentry#109785, getsentry/sentry#109786
Closes getsentry/sentry-android-gradle-plugin#1079
---------
Co-authored-by: Claude Opus 4.6 <[email protected]>
_#skip-changelog_
Split large mapping files into batches of 300 (the backend limit) per request. Each batch is sent sequentially with progress reporting, and results are merged into a single summary.
Also changes the output table to only show error rows — for large uploads (hundreds of mappings), printing every row would flood the terminal. Successful mappings are reflected in the summary counts instead.
Stack: #3207 → #3208 → #3209 → **#3210**
Backend PRs: getsentry/sentry#109783, getsentry/sentry#109785, getsentry/sentry#109786
---------
Co-authored-by: Claude Opus 4.6 <[email protected]>