add fips release handlers; stop setting dest channel

.github/workflows/zhook.yml

@@ -17,35 +17,148 @@ on:
 
 jobs:
   mattermost-ziti-webhook:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: POST Webhook
     steps:
-      - uses: actions/checkout@v4
-      - name: run hook directly
+      - name: Debug Environment
+        uses: hmarr/debug-action@v3
+
+      - name: Install Debug Tools
+        shell: bash
+        run: sudo apt-get install --yes valgrind gdb
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Python Script Directly
+        if: |
+          github.repository_owner == 'openziti'
+          && ((github.event_name != 'pull_request_review')
+          || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
+        env:
+          INPUT_ZITIID: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
+          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
+          INPUT_EVENTJSON: ${{ toJson(github.event) }}
+          INPUT_SENDERUSERNAME: GitHubZ
+          INPUT_SENDERICONURL: https://github.com/fluidicon.png
+          INPUT_ZITILOGLEVEL: 6
+        shell: bash
+        run: |
+          set -o pipefail
+          set -o xtrace
+          pip install --user --upgrade --requirement ./requirements.txt
+          # in case valgrind catches a segfault, it will write a core file in ./vgcore.%p
+          valgrind \
+            --verbose \
+            --log-file=${GITHUB_WORKSPACE}/direct-valgrind-%p-%n.log \
+            --leak-check=yes \
+            python ./zhook.py
+
+      - name: Run in Docker with Core Dumps
         if: |
           github.repository_owner == 'openziti'
           && ((github.event_name != 'pull_request_review')
           || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
+        shell: bash
         env:
           INPUT_ZITIID: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
-          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL }}
+          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
           INPUT_EVENTJSON: ${{ toJson(github.event) }}
           INPUT_SENDERUSERNAME: GitHubZ
-          INPUT_DESTCHANNEL: dev-notifications
           INPUT_SENDERICONURL: https://github.com/fluidicon.png
+          INPUT_ZITILOGLEVEL: 6
         run: |
-          pip install --upgrade requests openziti
-          python ./zhook.py
+          set -o pipefail
+          set -o xtrace
 
-      - uses: ./  # use self to bring the pain forward
-        name: run action
+          # Base64 encode JSON to avoid whitespace issues in env file
+          ENCODED_JSON=$(echo "${INPUT_EVENTJSON}" | base64 -w 0)
+
+          cat > /tmp/docker.env << EOF
+          INPUT_ZITIID=${INPUT_ZITIID}
+          INPUT_WEBHOOKURL=${INPUT_WEBHOOKURL}
+          INPUT_EVENTJSON_B64=${ENCODED_JSON}
+          INPUT_SENDERUSERNAME=${INPUT_SENDERUSERNAME}
+          INPUT_SENDERICONURL=${INPUT_SENDERICONURL}
+          INPUT_ZITILOGLEVEL=${INPUT_ZITILOGLEVEL}
+          GITHUB_WORKSPACE=${GITHUB_WORKSPACE}
+          GITHUB_EVENT_NAME=${GITHUB_EVENT_NAME}
+          GITHUB_ACTION_REPOSITORY=${GITHUB_ACTION_REPOSITORY}
+          EOF
+
+          # configure the kernel to write core dumps to the workspace directory that is writable by the container in case there is a segfault valgrind cannot catch in a vgcore.%p
+          sudo sysctl -w kernel.core_pattern="${GITHUB_WORKSPACE}/core.%e.%p.%t"
+
+          # build the action's container image so we can source it for the debug image
+          docker build -t zhook-action .
+          docker build -t zhook-action-dbg -f debug.Dockerfile .
+          docker run --rm \
+            --volume "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}" \
+            --workdir "${GITHUB_WORKSPACE}" \
+            --env-file /tmp/docker.env \
+            --entrypoint=/bin/bash \
+            zhook-action-dbg -euxo pipefail -c '
+              ulimit -c unlimited;
+              exec valgrind \
+                --verbose \
+                --log-file=${GITHUB_WORKSPACE}/docker-valgrind-%p-%n.log \
+                --leak-check=yes \
+                python /app/zhook.py;
+            '
+
+      - uses: ./
+        name: Run as a GH Action from the Local Checkout
         if: |
           github.repository_owner == 'openziti'
           && ((github.event_name != 'pull_request_review')
           || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
         with:
           zitiId: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
-          webhookUrl: ${{ secrets.ZHOOK_URL }}
+          webhookUrl: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
           eventJson: ${{ toJson(github.event) }}
-          senderUsername: "GitHubZ"
-          destChannel: "dev-notifications"
+          senderUsername: GitHubZ
+          senderIconUrl: https://github.com/fluidicon.png
+          zitiLogLevel: 6
+
+      - name: Print Debug Info
+        if: always()
+        shell: bash
+        run: |
+          set -o xtrace
+          set +o errexit
+          echo "DEBUG: PYTHONPATH=${PYTHONPATH:-}"
+          echo "DEBUG: PATH=${PATH:-}"
+          echo "DEBUG: LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-}"
+          # list non-git files in the two uppermost levels of the workspace directory hierarchy
+          find . -maxdepth 2 -path './.git' -prune -o -print
+          find $(python -c "import site; print(site.USER_SITE)") -path "*/openziti*" -name "*.so*" -type f -print0 | xargs -0r ldd
+
+          shopt -s nullglob
+          # find valgrind logs from both execution steps
+          typeset -a VALGRIND_LOGS=(${GITHUB_WORKSPACE}/*-valgrind-*.log)
+          if (( ${#VALGRIND_LOGS[@]} )); then
+            for LOG in "${VALGRIND_LOGS[@]}"; do
+              if [ -s "$LOG" ]; then
+                echo "DEBUG: Valgrind log: $LOG"
+                cat "$LOG"
+                echo "--- End of $(basename "$LOG") ---"
+              fi
+            done
+          else
+            echo "DEBUG: No Valgrind logs found"
+          fi
+
+          # find core dumps produced by the kernel and valgrind
+          typeset -a CORES=(${GITHUB_WORKSPACE}/core.* ${GITHUB_WORKSPACE}/vgcore.*)
+          shopt -u nullglob
+          if (( ${#CORES[@]} )); then
+            for CORE in "${CORES[@]}"; do
+              if [ -s "$CORE" ]; then
+                echo "DEBUG: Core dump: $CORE"
+                EXECUTABLE=$(basename "$CORE" | cut -d. -f2)
+                gdb -q $(realpath $(which "$EXECUTABLE")) -c "$CORE" --ex bt --ex exit
+              fi
+            done
+          else
+            echo "DEBUG: No core dumps found"
+          fi

Dockerfile

@@ -1,13 +1,13 @@
 FROM python:3-slim AS builder
 
-RUN pip install --target=/app requests openziti
+COPY requirements.txt /tmp/requirements.txt
+RUN pip install --target=/app --requirement /tmp/requirements.txt
 
 # https://github.com/GoogleContainerTools/distroless
 FROM gcr.io/distroless/python3-debian12
 COPY --from=builder /app /app
-COPY ./zhook.py /app/zhook.py
+COPY --chmod=0755 ./zhook.py /app/zhook.py
 WORKDIR /app
 ENV PYTHONPATH=/app
-ENV ZITI_LOG=6
-ENV TLSUV_DEBUG=6
+
 CMD ["/app/zhook.py"]

README.md

@@ -1,4 +1,5 @@
 # ziti-mattermost-action-py
+
 GitHub Action that posts to a Mattermost webhook endpoint over OpenZiti
 
 This GitHub workflow action uses [Ziti Python SDK](https://github.com/openziti/ziti-sdk-py) to post an event's payload information to a [Mattermost](https://mattermost.com/) instance over a `Ziti` connection. This allows the Mattermost server to remain private, i.e. not directly exposed to the internet.
@@ -38,7 +39,6 @@ jobs:
 
         eventJson: ${{ toJson(github.event) }}
         senderUsername: "GitHubZ"
-        destChannel: "github-notifications"
 ```
 
 ### Inputs

action.yml

@@ -1,30 +1,34 @@
-name: 'Ziti Mattermost Action - Python'
-description: 'POST to Mattermost Webhook endpoint over a Ziti network'
+name: Ziti Mattermost Action - Python
+description: POST to Mattermost Webhook endpoint over a Ziti network
 branding:
-  icon: 'zap'  
-  color: 'red'
+  icon: zap
+  color: red
 inputs:
   zitiId:
-    description: 'Identity JSON for an enrolled Ziti endpoint'
+    description: Identity JSON for an enrolled Ziti endpoint
     required: true
   webhookUrl:
-    description: 'URL for posting the payload'
+    description: Mattermost-channel-specific URL for posting the event
     required: true
   eventJson:
-    description: 'GitHub event JSON (github.event)'
+    description: GitHub event JSON (github.event)
     required: true
   senderUsername:
-    description: 'Mattermost username'
+    description: Mattermost username
     required: false
-    default: "GithubZ"
+    default: GithubZ
   senderIconUrl:
-    description: 'Mattermost user icon URL'
+    description: Mattermost user icon URL
     required: false
-    default: "https://github.com/fluidicon.png"
+    default: https://github.com/fluidicon.png
   destChannel:
-    description: 'Mattermost channel'
+    description: Mattermost channel (ignored because incoming webhooks are locked to a channel)
     required: false
-    default: "dev-notifications"
+    default: null
+  zitiLogLevel:
+    description: Ziti log level
+    required: false
+    default: 3
 runs:
-  using: "docker"
-  image: "Dockerfile"
+  using: docker
+  image: Dockerfile

debug.Dockerfile

@@ -0,0 +1,7 @@
+FROM zhook-action AS distroless
+
+FROM python:3-slim AS debug
+
+COPY --from=distroless /app /app
+
+RUN apt-get update && apt-get install -y valgrind

requirements.txt

@@ -0,0 +1,2 @@
+requests
+openziti