Merge branch 'master' into tkdodo/ref/keys-endpoint-to-apiOptions

Author: TkDodo

.github/file-filters.yml

@@ -3,6 +3,9 @@
 sentry_frontend_workflow_file: &sentry_frontend_workflow_file
   - added|modified: '.github/workflows/frontend.yml'
 
+sentry_frontend_snapshots_workflow_file: &sentry_frontend_snapshots_workflow_file
+  - added|modified: '.github/workflows/frontend-snapshots.yml'
+
 # Provides list of changed files to test (jest)
 # getsentry/sentry does not use the list directly, instead we shard tests inside jest.config.js
 testable_modified: &testable_modified
@@ -30,6 +33,7 @@ typecheckable_rules_changed: &typecheckable_rules_changed
 # Trigger to apply the 'Scope: Frontend' label to PRs
 frontend_all: &frontend_all
   - *sentry_frontend_workflow_file
+  - *sentry_frontend_snapshots_workflow_file
   - added|modified: '**/*.{ts,tsx,js,jsx,mjs}'
   - added|modified: 'static/**/*.{less,json,yml,md,mdx}'
   - added|modified: '{vercel,tsconfig,biome,package}.json'

.github/workflows/frontend-optional.yml

@@ -90,6 +90,17 @@ jobs:
 
       - uses: ./.github/actions/setup-node-pnpm
 
+      - name: jest transform cache
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            .cache/jest
+            ~/.cache/swc
+          key: jest-cache-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml', 'jest.config.ts') }}-${{ matrix.instance }}
+          restore-keys: |
+            jest-cache-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml', 'jest.config.ts') }}-
+            jest-cache-${{ runner.os }}-
+
       - name: Download jest-balance.json
         id: download-artifact
         uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11

.github/workflows/frontend-snapshots.yml

@@ -69,37 +69,19 @@ jobs:
 
       - name: Install sentry-cli
         if: ${{ !cancelled() }}
-        run: curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION=3.3.4 sh
+        run: curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION=3.3.5 sh
 
       - name: Upload snapshots
         id: upload
         if: ${{ !cancelled() }}
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_SNAPSHOTS_AUTH_TOKEN }}
-        run: |
-          ARGS=(
-            --log-level=debug
-            --auth-token "${{ secrets.SENTRY_SNAPSHOTS_AUTH_TOKEN }}"
-            build snapshots "${{ env.SNAPSHOT_OUTPUT_DIR }}"
-            --app-id sentry-frontend
-            --project sentry-frontend
-            --head-sha "${{ github.event.pull_request.head.sha || github.sha }}"
-            --vcs-provider github
-            --head-repo-name "${{ github.repository }}"
-          )
-
-          # PR-only flags: base-sha, base-ref, base-repo-name, head-ref, pr-number
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            ARGS+=(
-              --base-sha "${{ github.event.pull_request.base.sha }}"
-              --base-repo-name "${{ github.repository }}"
-              --head-ref "${{ github.head_ref }}"
-              --base-ref "${{ github.base_ref }}"
-              --pr-number "${{ github.event.number }}"
-            )
-          fi
-
-          sentry-cli "${ARGS[@]}"
+        run: >
+          sentry-cli
+          --log-level=debug
+          build snapshots "${{ env.SNAPSHOT_OUTPUT_DIR }}"
+          --app-id sentry-frontend
+          --project sentry-frontend
 
       - name: Report upload failure to Sentry
         if: ${{ failure() && steps.upload.outcome == 'failure' }}

CHANGES

@@ -90,6 +90,7 @@ dependencies = [
   "sentry-protos>=0.8.12",
   "sentry-redis-tools>=0.5.0",
   "sentry-relay>=0.9.27",
+  "sentry-scm>=0.1.7",
   "sentry-sdk[http2]>=2.47.0",
   "sentry-usage-accountant>=0.0.10",
   # remove once there are no unmarked transitive dependencies on setuptools

pyproject.toml

@@ -1,6 +1,6 @@
 [metadata]
 name = sentry
-version = 26.4.0.dev0
+version = 26.5.0.dev0
 description = A realtime logging and aggregation server.
 long_description = file: README.md
 long_description_content_type = text/markdown

setup.cfg

@@ -833,6 +833,10 @@ def authenticate(self, request: Request) -> tuple[Any, Any] | None:
             return None
 
         sentry_sdk.get_isolation_scope().set_tag("viewer_context_auth", True)
+        # Viewer context comes from a trusted first-party service. Keep auth
+        # session-like for permission derivation, but mark it so org access can
+        # avoid requiring browser-session SSO state on service callbacks.
+        setattr(request, "user_from_viewer_context", True)
 
         # Return None for auth to match session behavior —
         # determine_access will derive scopes from org membership role.

src/sentry/api/authentication.py

@@ -1,3 +1,5 @@
+from collections.abc import Mapping
+
 from django.conf import settings
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -10,6 +12,30 @@
 from sentry.runner.settings import configure, discover_configs
 
 
+def _coerce_early_feature_flag_value(value: object) -> bool | None:
+    """
+    Map API input to a bool for SENTRY_FEATURES. Accepts JSON booleans, 0/1
+    (common in scripts), and the strings "true"/"false" (case-insensitive).
+    Returns None if the value cannot be interpreted safely.
+    """
+    if isinstance(value, bool):
+        return value
+    if isinstance(value, int):
+        if value == 1:
+            return True
+        if value == 0:
+            return False
+        return None
+    if isinstance(value, str):
+        lowered = value.lower()
+        if lowered == "true":
+            return True
+        if lowered == "false":
+            return False
+        return None
+    return None
+
+
 @all_silo_endpoint
 class InternalFeatureFlagsEndpoint(Endpoint):
     permission_classes = (SuperuserPermission,)
@@ -36,18 +62,38 @@ def put(self, request: Request) -> Response:
         if not settings.SENTRY_SELF_HOSTED:
             return Response("You are not self-hosting Sentry.", status=403)
 
-        data = request.data.keys()
-        valid_feature_flags = [flag for flag in data if SENTRY_EARLY_FEATURES.get(flag, False)]
+        payload: object = request.data
+        if not isinstance(payload, Mapping):
+            return Response(
+                {"detail": "Feature flag updates must be a JSON object."},
+                status=400,
+            )
+
+        valid_feature_flags = [flag for flag in payload if flag in SENTRY_EARLY_FEATURES]
+        coerced_values: dict[str, bool] = {}
+        for valid_flag in valid_feature_flags:
+            coerced = _coerce_early_feature_flag_value(payload.get(valid_flag))
+            if coerced is None:
+                return Response(
+                    {
+                        "detail": (
+                            f'Feature flag "{valid_flag}" must be true or false '
+                            f"(boolean, 0 or 1, or the string true or false)."
+                        )
+                    },
+                    status=400,
+                )
+            coerced_values[valid_flag] = coerced
+
         _, py, yml = discover_configs()
         # Open the file for reading and writing
         with open(py, "r+") as file:
             lines = file.readlines()
             # print(lines)
             for valid_flag in valid_feature_flags:
                 match_found = False
-                new_string = (
-                    f'\nSENTRY_FEATURES["{valid_flag}"]={request.data.get(valid_flag, False)}\n'
-                )
+                python_bool = "True" if coerced_values[valid_flag] else "False"
+                new_string = f'\nSENTRY_FEATURES["{valid_flag}"]={python_bool}\n'
                 # Search for the string match and update lines
                 for i, line in enumerate(lines):
                     if valid_flag in line:

src/sentry/api/endpoints/internal/feature_flags.py

@@ -36,14 +36,14 @@
 from sentry.utils import snuba_rpc
 
 
-def as_tag_key(name: str, type: Literal["string", "number", "boolean"]):
-    key, _, _ = translate_internal_to_public_alias(name, type, SupportedTraceItemType.SPANS)
+def as_tag_key(name: str, search_type: Literal["string", "number", "boolean"]):
+    key, _, _ = translate_internal_to_public_alias(name, search_type, SupportedTraceItemType.SPANS)
 
     if key is not None:
         name = key
-    elif type == "number":
+    elif search_type == "number":
         key = f"tags[{name},number]"
-    elif type == "boolean":
+    elif search_type == "boolean":
         key = f"tags[{name},boolean]"
     else:
         key = name

src/sentry/api/endpoints/organization_spans_fields.py

@@ -203,9 +203,10 @@ def determine_access(
             rpc_user_org_context=org_context,
         )
 
-        if auth.is_user_signed_request(request):
-            # if the user comes from a signed request
-            # we let them pass if sso is enabled
+        if auth.is_user_signed_request(request) or auth.is_user_from_viewer_context(request):
+            # Signed requests and viewer-context-authenticated service
+            # callbacks already carry a trusted assertion of user identity, so
+            # they should not depend on browser-session SSO completion.
             logger.info(
                 "access.signed-sso-passthrough",
                 extra=extra,