Deprecate the channel input ; add debugging

.flake8

@@ -0,0 +1,10 @@
+[flake8]
+ignore =
+    E111,
+    E114,
+    E121,
+    E501
+
+# You can add project-wide settings here later, e.g.:
+# max-line-length = 120
+# exclude = .git,__pycache__,.venv

.github/workflows/python.yml

@@ -15,4 +15,4 @@ jobs:
       - name: Lint
         run: |
           pip install flake8
-          flake8 --ignore E111,E114,E121,E501 zhook.py
+          flake8 --config ./.flake8 ./zhook.py

.github/workflows/zhook.yml

@@ -17,35 +17,143 @@ on:
 
 jobs:
   mattermost-ziti-webhook:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: POST Webhook
     steps:
-      - uses: actions/checkout@v4
-      - name: run hook directly
+      - name: Debug Environment
+        uses: hmarr/debug-action@v3
+
+      - name: Install Debug Tools
+        shell: bash
+        run: sudo apt-get install --yes valgrind gdb
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Python Script Directly
         if: |
-          github.repository_owner == 'openziti'
+          (github.repository_owner == 'openziti' || github.repository_owner == 'netfoundry')
           && ((github.event_name != 'pull_request_review')
           || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
         env:
           INPUT_ZITIID: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
-          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL }}
+          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
           INPUT_EVENTJSON: ${{ toJson(github.event) }}
           INPUT_SENDERUSERNAME: GitHubZ
-          INPUT_DESTCHANNEL: dev-notifications
           INPUT_SENDERICONURL: https://github.com/fluidicon.png
+          INPUT_ZITILOGLEVEL: 6
+        shell: bash
+        run: |
+          set -o pipefail
+          set -o xtrace
+          pip install --user --upgrade --requirement ./requirements.txt
+          # in case valgrind catches a segfault, it will write a core file in ./vgcore.%p
+          valgrind \
+            --verbose \
+            --log-file=${GITHUB_WORKSPACE}/direct-valgrind-%p-%n.log \
+            --leak-check=yes \
+            python ./zhook.py
+
+      - name: Run in Docker with Core Dumps
+        if: |
+          always()
+          && (github.repository_owner == 'openziti' || github.repository_owner == 'netfoundry')
+          && ((github.event_name != 'pull_request_review')
+          || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
+        shell: bash
+        env:
+          INPUT_ZITIID: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
+          INPUT_WEBHOOKURL: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
+          INPUT_SENDERUSERNAME: GitHubZ
+          INPUT_SENDERICONURL: https://github.com/fluidicon.png
+          INPUT_ZITILOGLEVEL: 6
         run: |
-          pip install --upgrade requests openziti
-          python ./zhook.py
+          set -o pipefail
+          set -o xtrace
+
+          cat > /tmp/docker.env << EOF
+          INPUT_ZITIID=${INPUT_ZITIID}
+          INPUT_WEBHOOKURL=${INPUT_WEBHOOKURL}
+          INPUT_EVENTJSON=$(base64 -w 0 <<< '${{ toJson(github.event) }}')
+          INPUT_SENDERUSERNAME=${INPUT_SENDERUSERNAME}
+          INPUT_SENDERICONURL=${INPUT_SENDERICONURL}
+          INPUT_ZITILOGLEVEL=${INPUT_ZITILOGLEVEL}
+          GITHUB_WORKSPACE=${GITHUB_WORKSPACE}
+          GITHUB_EVENT_NAME=${GITHUB_EVENT_NAME}
+          GITHUB_ACTION_REPOSITORY=${GITHUB_ACTION_REPOSITORY}
+          EOF
 
-      - uses: ./  # use self to bring the pain forward
-        name: run action
+          # configure the kernel to write core dumps to the workspace directory that is writable by the container in case there is a segfault valgrind cannot catch in a vgcore.%p
+          sudo sysctl -w kernel.core_pattern="${GITHUB_WORKSPACE}/core.%e.%p.%t"
+
+          # build the action's container image so we can source it for the debug image
+          docker build -t zhook-action .
+          docker build -t zhook-action-dbg -f debug.Dockerfile .
+          docker run --rm \
+            --volume "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}" \
+            --workdir "${GITHUB_WORKSPACE}" \
+            --env-file /tmp/docker.env \
+            --entrypoint=/bin/bash \
+            zhook-action-dbg -euxo pipefail -c '
+              ulimit -c unlimited;
+              exec valgrind \
+                --verbose \
+                --log-file=${GITHUB_WORKSPACE}/docker-valgrind-%p-%n.log \
+                --leak-check=yes \
+                python /app/zhook.py;
+            '
+
+      - uses: ./
+        name: Run as a GH Action from the Local Checkout
         if: |
-          github.repository_owner == 'openziti'
+          always()
+          && (github.repository_owner == 'openziti' || github.repository_owner == 'netfoundry')
           && ((github.event_name != 'pull_request_review')
           || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved'))
         with:
           zitiId: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}
-          webhookUrl: ${{ secrets.ZHOOK_URL }}
+          webhookUrl: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }}
           eventJson: ${{ toJson(github.event) }}
-          senderUsername: "GitHubZ"
-          destChannel: "dev-notifications"
+          senderUsername: GitHubZ
+          senderIconUrl: https://github.com/fluidicon.png
+          zitiLogLevel: 6
+
+      - name: Print Debug Info
+        if: always()
+        shell: bash
+        run: |
+          set -o xtrace
+          set +o errexit
+          echo "DEBUG: PYTHONPATH=${PYTHONPATH:-}"
+          echo "DEBUG: PATH=${PATH:-}"
+          echo "DEBUG: LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-}"
+          # list non-git files in the two uppermost levels of the workspace directory hierarchy
+          find . -maxdepth 2 -path './.git' -prune -o -print
+          find $(python -c "import site; print(site.USER_SITE)") -path "*/openziti*" -name "*.so*" -type f -print0 | xargs -0r ldd
+
+          # find core dumps produced by the kernel or valgrind
+          shopt -s nullglob
+          typeset -a CORES=(${GITHUB_WORKSPACE}/core.* ${GITHUB_WORKSPACE}/vgcore.*)
+          shopt -u nullglob
+          if (( ${#CORES[@]} )); then
+            for CORE in "${CORES[@]}"; do
+              if [ -s "$CORE" ]; then
+                echo "DEBUG: Core dump: $CORE"
+                EXECUTABLE=$(basename "$CORE" | cut -d. -f2)
+                gdb -q $(realpath $(which "$EXECUTABLE")) -c "$CORE" --ex bt --ex exit
+              fi
+            done
+          else
+            echo "DEBUG: No core dumps found"
+          fi
+
+      - name: Upload Valgrind Logs and Core Dumps
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: valgrind-logs-and-core-dumps-${{ github.run_id }}
+          path: |
+            ${{ github.workspace }}/*-valgrind-*.log
+            ${{ github.workspace }}/core.*
+            ${{ github.workspace }}/vgcore.*
+          if-no-files-found: ignore

Dockerfile

@@ -1,13 +1,13 @@
 FROM python:3-slim AS builder
 
-RUN pip install --target=/app requests openziti
+COPY requirements.txt /tmp/requirements.txt
+RUN pip install --target=/app --requirement /tmp/requirements.txt
 
 # https://github.com/GoogleContainerTools/distroless
 FROM gcr.io/distroless/python3-debian12
 COPY --from=builder /app /app
-COPY ./zhook.py /app/zhook.py
+COPY --chmod=0755 ./zhook.py /app/zhook.py
 WORKDIR /app
 ENV PYTHONPATH=/app
-ENV ZITI_LOG=6
-ENV TLSUV_DEBUG=6
+
 CMD ["/app/zhook.py"]

README.md

@@ -34,11 +34,10 @@ jobs:
 
         # URL to post the payload. Note that the `zitiId` must provide access to a service 
         # intercepting `my-mattermost-ziti-server`
-        webhookUrl: 'https://{my-mattermost-ziti-server}/hook/{my-mattermost-webhook-id}}'
+        webhookUrl: http://{my-mattermost-ziti-server}/hook/{my-mattermost-webhook-id}}
 
         eventJson: ${{ toJson(github.event) }}
-        senderUsername: "GitHubZ"
-        destChannel: "github-notifications"
+        senderUsername: GitHubZ
 ```
 
 ### Inputs

action.yml

@@ -1,30 +1,34 @@
-name: 'Ziti Mattermost Action - Python'
-description: 'POST to Mattermost Webhook endpoint over a Ziti network'
+name: Ziti Mattermost Action - Python
+description: POST to Mattermost Webhook endpoint over a Ziti network
 branding:
-  icon: 'zap'  
-  color: 'red'
+  icon: zap
+  color: red
 inputs:
   zitiId:
-    description: 'Identity JSON for an enrolled Ziti endpoint'
+    description: Identity JSON for an enrolled Ziti endpoint
     required: true
   webhookUrl:
-    description: 'URL for posting the payload'
+    description: Mattermost-channel-specific URL for posting the event
     required: true
   eventJson:
-    description: 'GitHub event JSON (github.event)'
+    description: GitHub event JSON (github.event)
     required: true
   senderUsername:
-    description: 'Mattermost username'
+    description: Mattermost username
     required: false
-    default: "GithubZ"
+    default: GithubZ
   senderIconUrl:
-    description: 'Mattermost user icon URL'
+    description: Mattermost user icon URL
     required: false
-    default: "https://github.com/fluidicon.png"
+    default: https://github.com/fluidicon.png
   destChannel:
-    description: 'Mattermost channel'
+    description: Mattermost channel (ignored because incoming webhooks are locked to a channel)
     required: false
-    default: "dev-notifications"
+    default: null
+  zitiLogLevel:
+    description: Ziti log level
+    required: false
+    default: 3
 runs:
-  using: "docker"
-  image: "Dockerfile"
+  using: docker
+  image: Dockerfile

debug.Dockerfile

@@ -0,0 +1,7 @@
+FROM zhook-action AS distroless
+
+FROM python:3-slim AS debug
+
+COPY --from=distroless /app /app
+
+RUN apt-get update && apt-get install -y valgrind

requirements.txt

@@ -0,0 +1,2 @@
+requests
+openziti==1.4.1