Merge branch 'master' into aliu/timeout-ui

Author: aliu39

.github/file-filters.yml

@@ -3,6 +3,9 @@
 sentry_frontend_workflow_file: &sentry_frontend_workflow_file
   - added|modified: '.github/workflows/frontend.yml'
 
+sentry_frontend_snapshots_workflow_file: &sentry_frontend_snapshots_workflow_file
+  - added|modified: '.github/workflows/frontend-snapshots.yml'
+
 # Provides list of changed files to test (jest)
 # getsentry/sentry does not use the list directly, instead we shard tests inside jest.config.js
 testable_modified: &testable_modified
@@ -30,6 +33,7 @@ typecheckable_rules_changed: &typecheckable_rules_changed
 # Trigger to apply the 'Scope: Frontend' label to PRs
 frontend_all: &frontend_all
   - *sentry_frontend_workflow_file
+  - *sentry_frontend_snapshots_workflow_file
   - added|modified: '**/*.{ts,tsx,js,jsx,mjs}'
   - added|modified: 'static/**/*.{less,json,yml,md,mdx}'
   - added|modified: '{vercel,tsconfig,biome,package}.json'

.github/workflows/frontend-optional.yml

@@ -90,6 +90,17 @@ jobs:
 
       - uses: ./.github/actions/setup-node-pnpm
 
+      - name: jest transform cache
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            .cache/jest
+            ~/.cache/swc
+          key: jest-cache-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml', 'jest.config.ts') }}-${{ matrix.instance }}
+          restore-keys: |
+            jest-cache-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml', 'jest.config.ts') }}-
+            jest-cache-${{ runner.os }}-
+
       - name: Download jest-balance.json
         id: download-artifact
         uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11

.github/workflows/frontend-snapshots.yml

@@ -69,37 +69,19 @@ jobs:
 
       - name: Install sentry-cli
         if: ${{ !cancelled() }}
-        run: curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION=3.3.4 sh
+        run: curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION=3.3.5 sh
 
       - name: Upload snapshots
         id: upload
         if: ${{ !cancelled() }}
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_SNAPSHOTS_AUTH_TOKEN }}
-        run: |
-          ARGS=(
-            --log-level=debug
-            --auth-token "${{ secrets.SENTRY_SNAPSHOTS_AUTH_TOKEN }}"
-            build snapshots "${{ env.SNAPSHOT_OUTPUT_DIR }}"
-            --app-id sentry-frontend
-            --project sentry-frontend
-            --head-sha "${{ github.event.pull_request.head.sha || github.sha }}"
-            --vcs-provider github
-            --head-repo-name "${{ github.repository }}"
-          )
-
-          # PR-only flags: base-sha, base-ref, base-repo-name, head-ref, pr-number
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            ARGS+=(
-              --base-sha "${{ github.event.pull_request.base.sha }}"
-              --base-repo-name "${{ github.repository }}"
-              --head-ref "${{ github.head_ref }}"
-              --base-ref "${{ github.base_ref }}"
-              --pr-number "${{ github.event.number }}"
-            )
-          fi
-
-          sentry-cli "${ARGS[@]}"
+        run: >
+          sentry-cli
+          --log-level=debug
+          build snapshots "${{ env.SNAPSHOT_OUTPUT_DIR }}"
+          --app-id sentry-frontend
+          --project sentry-frontend
 
       - name: Report upload failure to Sentry
         if: ${{ failure() && steps.upload.outcome == 'failure' }}

CHANGES

@@ -462,6 +462,7 @@ export default typescript.config([
       '@sentry/no-flag-comments': 'error',
       '@sentry/no-static-translations': 'error',
       '@sentry/no-styled-shortcut': 'error',
+      '@sentry/no-unnecessary-use-callback': 'error',
     },
   },
   {

eslint.config.ts

@@ -87,9 +87,10 @@ dependencies = [
   "sentry-forked-email-reply-parser>=0.5.12.post1",
   "sentry-kafka-schemas>=2.1.27",
   "sentry-ophio>=1.1.3",
-  "sentry-protos>=0.8.11",
+  "sentry-protos>=0.8.12",
   "sentry-redis-tools>=0.5.0",
-  "sentry-relay>=0.9.26",
+  "sentry-relay>=0.9.27",
+  "sentry-scm>=0.1.7",
   "sentry-sdk[http2]>=2.47.0",
   "sentry-usage-accountant>=0.0.10",
   # remove once there are no unmarked transitive dependencies on setuptools

pyproject.toml

@@ -207,6 +207,7 @@ const CONSTANTS: Record<string, string> = {
   'IssueTaxonomy.ERRORS_AND_OUTAGES': 'errors-outages',
   'IssueTaxonomy.BREACHED_METRICS': 'breached-metrics',
   'IssueTaxonomy.WARNINGS': 'warnings',
+  'IssueTaxonomy.SENTRY_CONFIGURATION': 'sentry-configuration',
 };
 
 function resolveTemplate(expr: string): string {

scripts/routes.ts

@@ -1,6 +1,6 @@
 [metadata]
 name = sentry
-version = 26.4.0.dev0
+version = 26.5.0.dev0
 description = A realtime logging and aggregation server.
 long_description = file: README.md
 long_description_content_type = text/markdown

setup.cfg

@@ -789,19 +789,47 @@ class ViewerContextAuthentication(BaseAuthentication):
     """
 
     def authenticate(self, request: Request) -> tuple[Any, Any] | None:
-        from sentry.viewer_context import viewer_context_from_header
+        from sentry.viewer_context import _get_verification_keys, viewer_context_from_header
 
         header = request.META.get("HTTP_X_VIEWER_CONTEXT")
         if not header:
             return None
 
         signature = request.META.get("HTTP_X_VIEWER_CONTEXT_SIGNATURE")
+        verification_keys = _get_verification_keys()
         vc = viewer_context_from_header(header, signature)
+
         if vc is None or vc.user_id is None:
+            # TODO(jstanley): Temporary logging for debugging non-public prod 401s
+            # during X-Viewer-Context propagation (Seer code mode callbacks).
+            # Remove once the auth issue is resolved.
+            logger.warning(
+                "viewer_context_auth.failed",
+                extra={
+                    "reason": "vc_not_resolved" if vc is None else "no_user_id",
+                    "header_length": len(header),
+                    "header_is_jwt": "." in header and header.count(".") == 2,
+                    "signature_present": signature is not None,
+                    "signature_length": len(signature) if signature else 0,
+                    "verification_key_count": len(verification_keys),
+                    "path": request.path,
+                },
+            )
             return None
 
         user = user_service.get_user(user_id=vc.user_id)
         if user is None or not user.is_active:
+            # TODO(jstanley): Temporary logging for debugging non-public prod 401s
+            # during X-Viewer-Context propagation (Seer code mode callbacks).
+            # Remove once the auth issue is resolved.
+            logger.warning(
+                "viewer_context_auth.failed",
+                extra={
+                    "reason": "user_not_found" if user is None else "user_inactive",
+                    "vc_user_id": vc.user_id,
+                    "path": request.path,
+                },
+            )
             return None
 
         sentry_sdk.get_isolation_scope().set_tag("viewer_context_auth", True)

src/sentry/api/authentication.py

@@ -1,3 +1,5 @@
+from collections.abc import Mapping
+
 from django.conf import settings
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -10,6 +12,30 @@
 from sentry.runner.settings import configure, discover_configs
 
 
+def _coerce_early_feature_flag_value(value: object) -> bool | None:
+    """
+    Map API input to a bool for SENTRY_FEATURES. Accepts JSON booleans, 0/1
+    (common in scripts), and the strings "true"/"false" (case-insensitive).
+    Returns None if the value cannot be interpreted safely.
+    """
+    if isinstance(value, bool):
+        return value
+    if isinstance(value, int):
+        if value == 1:
+            return True
+        if value == 0:
+            return False
+        return None
+    if isinstance(value, str):
+        lowered = value.lower()
+        if lowered == "true":
+            return True
+        if lowered == "false":
+            return False
+        return None
+    return None
+
+
 @all_silo_endpoint
 class InternalFeatureFlagsEndpoint(Endpoint):
     permission_classes = (SuperuserPermission,)
@@ -36,18 +62,38 @@ def put(self, request: Request) -> Response:
         if not settings.SENTRY_SELF_HOSTED:
             return Response("You are not self-hosting Sentry.", status=403)
 
-        data = request.data.keys()
-        valid_feature_flags = [flag for flag in data if SENTRY_EARLY_FEATURES.get(flag, False)]
+        payload: object = request.data
+        if not isinstance(payload, Mapping):
+            return Response(
+                {"detail": "Feature flag updates must be a JSON object."},
+                status=400,
+            )
+
+        valid_feature_flags = [flag for flag in payload if flag in SENTRY_EARLY_FEATURES]
+        coerced_values: dict[str, bool] = {}
+        for valid_flag in valid_feature_flags:
+            coerced = _coerce_early_feature_flag_value(payload.get(valid_flag))
+            if coerced is None:
+                return Response(
+                    {
+                        "detail": (
+                            f'Feature flag "{valid_flag}" must be true or false '
+                            f"(boolean, 0 or 1, or the string true or false)."
+                        )
+                    },
+                    status=400,
+                )
+            coerced_values[valid_flag] = coerced
+
         _, py, yml = discover_configs()
         # Open the file for reading and writing
         with open(py, "r+") as file:
             lines = file.readlines()
             # print(lines)
             for valid_flag in valid_feature_flags:
                 match_found = False
-                new_string = (
-                    f'\nSENTRY_FEATURES["{valid_flag}"]={request.data.get(valid_flag, False)}\n'
-                )
+                python_bool = "True" if coerced_values[valid_flag] else "False"
+                new_string = f'\nSENTRY_FEATURES["{valid_flag}"]={python_bool}\n'
                 # Search for the string match and update lines
                 for i, line in enumerate(lines):
                     if valid_flag in line: