Deprecate the channel input ; add debugging

.flake8

@@ -0,0 +1,10 @@
+[flake8]
+ignore =
+    E111,
+    E114,
+    E121,
+    E501
+
+# You can add project-wide settings here later, e.g.:
+# max-line-length = 120
+# exclude = .git,__pycache__,.venv

.github/workflows/python.yml

@@ -15,4 +15,4 @@ jobs:
       - name: Lint
         run: |
           pip install flake8
-          flake8 --ignore E111,E114,E121,E501 zhook.py
+          flake8 --config ./.flake8 ./zhook.py

.github/workflows/zhook.yml

@@ -18,49 +18,243 @@ on:
 
 jobs:
   mattermost-ziti-webhook:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: POST Webhook
     steps:
-      - uses: actions/checkout@v4
-      - name: run hook directly
+      - name: Debug Environment
+        uses: hmarr/debug-action@v3
+
+      - name: Install Debug Tools
+        shell: bash
+        run: sudo apt-get install --yes valgrind gdb
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Python Script Directly
         if: |
-          github.repository_owner == 'openziti'
+          (github.repository_owner == 'openziti' || github.repository_owner == 'netfoundry')
           && ((github.event_name != 'pull_request_review')
           || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
         env:
           INPUT_ZITIID: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
-          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL }}
+          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
           INPUT_EVENTJSON: ${{ toJson(github.event) }}
           INPUT_SENDERUSERNAME: GitHubZ
-          INPUT_DESTCHANNEL: dev-notifications
           INPUT_SENDERICONURL: https://github.com/fluidicon.png
+          INPUT_ZITILOGLEVEL: 6
+        shell: bash
         run: |
-          pip install --upgrade requests openziti
-          set +e
-          if [ "${ZHOOK_VALGRIND}" = "true" ]; then
-            echo "⚠️ running with valgrind..."
-            sudo apt-get update
-            sudo apt-get install -y valgrind
-            echo "⚙️ Running under valgrind..."
-            valgrind --tool=memcheck --leak-check=full \
-              --show-leak-kinds=all --track-origins=yes \
-              python ./zhook.py
-          else
+          set -o pipefail
+          set -o xtrace
+          pip install --user --upgrade --requirement ./requirements.txt
+          # in case valgrind catches a segfault, it will write a core file in ./vgcore.%p
+          valgrind \
+            --verbose \
+            --log-file=${GITHUB_WORKSPACE}/direct-valgrind-%p-%n.log \
+            --leak-check=yes \
             python ./zhook.py
-          fi
-          echo "⚠️ zhook.py exited with code $?, continuing..."
-          exit 0
 
-      - uses: ./  # use self to bring the pain forward
-        name: run action
+      - name: Run in Docker with Core Dumps
         if: |
-          github.repository_owner == 'openziti'
+          always()
+          && (github.repository_owner == 'openziti' || github.repository_owner == 'netfoundry')
+          && ((github.event_name != 'pull_request_review')
+          || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
+        shell: bash
+        env:
+          INPUT_ZITIID: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
+          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
+          INPUT_SENDERUSERNAME: GitHubZ
+          INPUT_SENDERICONURL: https://github.com/fluidicon.png
+          INPUT_ZITILOGLEVEL: 6
+        run: |
+          set -o pipefail
+          set -o xtrace
+
+          cat > /tmp/docker.env << EOF
+          INPUT_ZITIID=${INPUT_ZITIID}
+          INPUT_WEBHOOKURL=${INPUT_WEBHOOKURL}
+          INPUT_EVENTJSON=$(base64 -w 0 <<< '${{ toJson(github.event) }}')
+          INPUT_SENDERUSERNAME=${INPUT_SENDERUSERNAME}
+          INPUT_SENDERICONURL=${INPUT_SENDERICONURL}
+          INPUT_ZITILOGLEVEL=${INPUT_ZITILOGLEVEL}
+          GITHUB_WORKSPACE=${GITHUB_WORKSPACE}
+          GITHUB_EVENT_NAME=${GITHUB_EVENT_NAME}
+          GITHUB_ACTION_REPOSITORY=${GITHUB_ACTION_REPOSITORY}
+          EOF
+
+          # configure the kernel to write core dumps to the workspace directory that is writable by the container in case there is a segfault valgrind cannot catch in a vgcore.%p
+          sudo sysctl -w kernel.core_pattern="${GITHUB_WORKSPACE}/core.%e.%p.%t"
+
+          # build the action's container image so we can source it for the debug image
+          docker build -t zhook-action .
+          docker build -t zhook-action-dbg -f debug.Dockerfile .
+          docker run --rm \
+            --volume "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}" \
+            --workdir "${GITHUB_WORKSPACE}" \
+            --env-file /tmp/docker.env \
+            --entrypoint=/bin/bash \
+            zhook-action-dbg -euxo pipefail -c '
+              ulimit -c unlimited;
+              exec valgrind \
+                --verbose \
+                --log-file=${GITHUB_WORKSPACE}/docker-valgrind-%p-%n.log \
+                --leak-check=yes \
+                python /app/zhook.py;
+            '
+
+      - name: Run in Docker with Core Dumps
+        if: |
+          always()
+          && (github.repository_owner == 'openziti' || github.repository_owner == 'netfoundry')
+          && ((github.event_name != 'pull_request_review')
+          || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
+        shell: bash
+        env:
+          INPUT_ZITIID: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
+          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
+          INPUT_SENDERUSERNAME: GitHubZ
+          INPUT_SENDERICONURL: https://github.com/fluidicon.png
+          INPUT_ZITILOGLEVEL: 6
+        run: |
+          set -o pipefail
+          set -o xtrace
+
+          cat > /tmp/docker.env << EOF
+          INPUT_ZITIID=${INPUT_ZITIID}
+          INPUT_WEBHOOKURL=${INPUT_WEBHOOKURL}
+          INPUT_EVENTJSON=$(base64 -w 0 <<< '${{ toJson(github.event) }}')
+          INPUT_SENDERUSERNAME=${INPUT_SENDERUSERNAME}
+          INPUT_SENDERICONURL=${INPUT_SENDERICONURL}
+          INPUT_ZITILOGLEVEL=${INPUT_ZITILOGLEVEL}
+          GITHUB_WORKSPACE=${GITHUB_WORKSPACE}
+          GITHUB_EVENT_NAME=${GITHUB_EVENT_NAME}
+          GITHUB_ACTION_REPOSITORY=${GITHUB_ACTION_REPOSITORY}
+          EOF
+
+          # configure the kernel to write core dumps to the workspace directory that is writable by the container in case there is a segfault valgrind cannot catch in a vgcore.%p
+          sudo sysctl -w kernel.core_pattern="${GITHUB_WORKSPACE}/core.%e.%p.%t"
+
+          # build the action's container image so we can source it for the debug image
+          docker build -t zhook-action .
+          docker build -t zhook-action-dbg -f debug.Dockerfile .
+          docker run --rm \
+            --volume "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}" \
+            --workdir "${GITHUB_WORKSPACE}" \
+            --env-file /tmp/docker.env \
+            --entrypoint=/bin/bash \
+            zhook-action-dbg -euxo pipefail -c '
+              ulimit -c unlimited;
+              exec valgrind \
+                --verbose \
+                --log-file=${GITHUB_WORKSPACE}/docker-valgrind-%p-%n.log \
+                --leak-check=yes \
+                python /app/zhook.py;
+            '
+
+      - uses: ./
+        name: Run as a GH Action from the Local Checkout
+        if: |
+          always()
+          && (github.repository_owner == 'openziti' || github.repository_owner == 'netfoundry')
+          && ((github.event_name != 'pull_request_review')
+          || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
+        shell: bash
+        env:
+          INPUT_ZITIID: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
+          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
+          INPUT_EVENTJSON: ${{ toJson(github.event) }}
+          INPUT_SENDERUSERNAME: GitHubZ
+          INPUT_SENDERICONURL: https://github.com/fluidicon.png
+          INPUT_ZITILOGLEVEL: 6
+        run: |
+          set -o pipefail
+          set -o xtrace
+
+          cat > /tmp/docker.env << EOF
+          INPUT_ZITIID=${INPUT_ZITIID}
+          INPUT_WEBHOOKURL=${INPUT_WEBHOOKURL}
+          INPUT_EVENTJSON=$(base64 -w 0 <<< '${{ toJson(github.event) }}')
+          INPUT_SENDERUSERNAME=${INPUT_SENDERUSERNAME}
+          INPUT_SENDERICONURL=${INPUT_SENDERICONURL}
+          INPUT_ZITILOGLEVEL=${INPUT_ZITILOGLEVEL}
+          GITHUB_WORKSPACE=${GITHUB_WORKSPACE}
+          GITHUB_EVENT_NAME=${GITHUB_EVENT_NAME}
+          GITHUB_ACTION_REPOSITORY=${GITHUB_ACTION_REPOSITORY}
+          EOF
+
+          # configure the kernel to write core dumps to the workspace directory that is writable by the container in case there is a segfault valgrind cannot catch in a vgcore.%p
+          sudo sysctl -w kernel.core_pattern="${GITHUB_WORKSPACE}/core.%e.%p.%t"
+
+          # build the action's container image so we can source it for the debug image
+          docker build -t zhook-action .
+          docker build -t zhook-action-dbg -f debug.Dockerfile .
+          docker run --rm \
+            --volume "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}" \
+            --workdir "${GITHUB_WORKSPACE}" \
+            --env-file /tmp/docker.env \
+            --entrypoint=/bin/bash \
+            zhook-action-dbg -euxo pipefail -c '
+              ulimit -c unlimited;
+              exec valgrind \
+                --verbose \
+                --log-file=${GITHUB_WORKSPACE}/docker-valgrind-%p-%n.log \
+                --leak-check=yes \
+                python /app/zhook.py;
+            '
+
+      - uses: ./
+        name: Run as a GH Action from the Local Checkout
+        if: |
+          always()
+          && (github.repository_owner == 'openziti' || github.repository_owner == 'netfoundry')
           && ((github.event_name != 'pull_request_review')
           || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
         with:
           zitiId: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
-          webhookUrl: ${{ secrets.ZHOOK_URL }}
+          webhookUrl: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
           eventJson: ${{ toJson(github.event) }}
-          senderUsername: "GitHubZ"
-          destChannel: "dev-notifications"
+          senderUsername: GitHubZ
+          senderIconUrl: https://github.com/fluidicon.png
+          zitiLogLevel: 6
 
+      - name: Print Debug Info
+        if: always()
+        shell: bash
+        run: |
+          set -o xtrace
+          set +o errexit
+          echo "DEBUG: PYTHONPATH=${PYTHONPATH:-}"
+          echo "DEBUG: PATH=${PATH:-}"
+          echo "DEBUG: LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-}"
+          # list non-git files in the two uppermost levels of the workspace directory hierarchy
+          find . -maxdepth 2 -path './.git' -prune -o -print
+          find $(python -c "import site; print(site.USER_SITE)") -path "*/openziti*" -name "*.so*" -type f -print0 | xargs -0r ldd
+
+          # find core dumps produced by the kernel or valgrind
+          shopt -s nullglob
+          typeset -a CORES=(${GITHUB_WORKSPACE}/core.* ${GITHUB_WORKSPACE}/vgcore.*)
+          shopt -u nullglob
+          if (( ${#CORES[@]} )); then
+            for CORE in "${CORES[@]}"; do
+              if [ -s "$CORE" ]; then
+                echo "DEBUG: Core dump: $CORE"
+                EXECUTABLE=$(basename "$CORE" | cut -d. -f2)
+                gdb -q $(realpath $(which "$EXECUTABLE")) -c "$CORE" --ex bt --ex exit
+              fi
+            done
+          else
+            echo "DEBUG: No core dumps found"
+          fi
+
+      - name: Upload Valgrind Logs and Core Dumps
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: valgrind-logs-and-core-dumps-${{ github.run_id }}
+          path: |
+            ${{ github.workspace }}/*-valgrind-*.log
+            ${{ github.workspace }}/core.*
+            ${{ github.workspace }}/vgcore.*
+          if-no-files-found: ignore

Dockerfile

@@ -1,12 +1,15 @@
-FROM python:3.11-bullseye
+FROM python:3.11-bullseye AS builder
 
+COPY requirements.txt /tmp/requirements.txt
+RUN pip install --target=/app --requirement /tmp/requirements.txt
+
+# https://github.com/GoogleContainerTools/distroless
+FROM gcr.io/distroless/python3-debian12
+COPY --from=builder /app /app
+COPY --chmod=0755 ./zhook.py /app/zhook.py
 WORKDIR /app
 COPY ./zhook.py /app/zhook.py
 
-RUN pip install --no-cache-dir requests openziti
-
 ENV PYTHONPATH=/app
-#ENV ZITI_LOG=6
-#ENV TLSUV_DEBUG=6
 
-CMD ["python", "/app/zhook.py"]
+CMD ["/app/zhook.py"]

README.md

@@ -34,11 +34,10 @@ jobs:
 
         # URL to post the payload. Note that the `zitiId` must provide access to a service 
         # intercepting `my-mattermost-ziti-server`
-        webhookUrl: 'https://{my-mattermost-ziti-server}/hook/{my-mattermost-webhook-id}}'
+        webhookUrl: http://{my-mattermost-ziti-server}/hook/{my-mattermost-webhook-id}}
 
         eventJson: ${{ toJson(github.event) }}
-        senderUsername: "GitHubZ"
-        destChannel: "github-notifications"
+        senderUsername: GitHubZ
 ```
 
 ### Inputs
@@ -53,6 +52,58 @@ The identity can be created by enrolling via the `ziti edge enroll path/to/jwt [
 
 This input value is a Mattermost "Incoming Webhook" URL available over an OpenZiti Network to the identity specified by `zitiId`. This URL should be configured in Mattermost to allow posting to any valid channel with any sender username. The default username will be the `sender.login` from the GitHub Action event.
 
+## Testing
+
+Test `zhook.py` locally before deploying it as a GitHub Action using the built-in test mode:
+
+### Basic Usage
+
+```bash
+# Quick test with default push event
+INPUT_ZITIID="$(< /path/to/ziti-identity.json)" \
+INPUT_WEBHOOKURL="http://webhook.mattermost.ziti/hooks/YOUR_ID" \
+python3 zhook.py --test
+
+# Test different event types
+python3 zhook.py --test --event-type pull_request
+python3 zhook.py --test --event-type issues
+python3 zhook.py --test --event-type release
+
+# Preview payload without sending (dry-run)
+python3 zhook.py --test --event-type push --dry-run
+```
+
+### Available Options
+
+**Event types:** `push`, `pull_request`, `issues`, `release`, `watch`, `fork`
+
+**Flags:**
+
+- `--test`: Enable test mode with generated event data
+- `--event-type TYPE`: Specify which GitHub event to simulate (default: push)
+- `--dry-run`: Preview the webhook payload without sending it
+
+**Environment variables:**
+
+- `INPUT_ZITIID`: Ziti identity JSON (required, or use `INPUT_ZITIJWT`)
+- `INPUT_ZITIJWT`: Ziti enrollment JWT (alternative to `INPUT_ZITIID`)
+- `INPUT_WEBHOOKURL`: Mattermost webhook URL (uses default if not set in test mode)
+- `INPUT_SENDERUSERNAME`: Override sender username (optional)
+- `INPUT_SENDERICONURL`: Override sender icon URL (optional)
+- `GITHUB_ACTION_REPOSITORY`: Override repository name (optional)
+- `ZITI_LOG`: Ziti log level 0-6 (default: 3)
+
+### Advanced: Manual Event JSON
+
+For testing with custom event data, provide your own `INPUT_EVENTJSON`:
+
+```bash
+INPUT_ZITIID="$(< /path/to/ziti-identity.json)" \
+INPUT_WEBHOOKURL="http://webhook.mattermost.ziti/hooks/YOUR_ID" \
+INPUT_EVENTJSON='{"repository": {...}, "sender": {...}}' \
+GITHUB_EVENT_NAME="push" \
+python3 zhook.py
+```
 
 ## Updating the Container