Merge branch 'main-enterprise' into bug/issue-842

Author: decyjphr

.github/workflows/create-pre-release.yml

@@ -71,9 +71,10 @@ jobs:
       - name: Run Functional Tests
         id: functionaltest
         run: |
-          docker run --env APP_ID=${{ secrets.APP_ID }} --env PRIVATE_KEY=${{ secrets.PRIVATE_KEY }} --env WEBHOOK_SECRET=${{ secrets.WEBHOOK_SECRET }} -d -p 3000:3000 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-enterprise
+          CONTAINER_ID=$(docker run --env APP_ID=${{ secrets.APP_ID }} --env PRIVATE_KEY=${{ secrets.PRIVATE_KEY }} --env WEBHOOK_SECRET=${{ secrets.WEBHOOK_SECRET }} --env NODE_ENV=development -d -p 3000:3000 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-enterprise)
           sleep 10
-          curl http://localhost:3000
+          docker logs $CONTAINER_ID || true
+          curl --fail --retry 5 --retry-delay 3 --retry-connrefused http://localhost:3000
       - run: echo "${{ github.ref }}"
       - name: Tag a final release 
         id: prerelease

Dockerfile

@@ -1,6 +1,7 @@
 FROM node:22-alpine
 WORKDIR /opt/safe-settings
 ENV NODE_ENV production
+ENV HOST=0.0.0.0
 ## Set the Labels
 LABEL version="1.0" \
       description="Probot app which is a modified version of Settings Probot GitHub App" \

docs/deploy.md

@@ -88,6 +88,9 @@ This will start the container in the background and detached.
   - `docker exec -it safe-settings /bin/sh`
 - You will now be inside the running **Docker** container and can perform any troubleshooting needed
 
+### Troubleshooting Docker Build and Runtime Issues
+For detailed guidance on debugging Docker image builds, runtime failures, and comparing local vs. GHCR images, see [docker-debugging.md](docker-debugging.md).
+
 ## Deploy the app to AWS Lambda
 
 ### Production-Ready Template 

docs/docker-debugging.md

@@ -0,0 +1,181 @@
+
+# Docker Build and Test Debugging Runbook
+
+This document summarizes the Docker experiments done for this repo and converts them into a repeatable workflow for debugging local image builds and GHCR images.
+
+## Goals
+
+- Build and test the app image from local source.
+- Compare behavior with the published image from GHCR.
+- Quickly diagnose common failures (container startup, shell access, port exposure, env setup).
+
+## What We Learned From The Experiments
+
+- The image is Alpine-based, so use /bin/sh, not /bin/bash.
+- Use docker rm (or docker container rm) to remove containers. Commands like docker delete, docker destroy, or docker remove do not exist.
+- To pass host binding correctly, use HOST=0.0.0.0 (equal sign), not HOST:0.0.0.0.
+- Port mapping is required for host access: -p 3000:3000.
+- Supplying .env values is required for realistic startup testing.
+- Testing both local and GHCR images with the same runtime flags makes behavior comparisons easier.
+
+## Prerequisites
+
+- Docker is installed and running.
+- A valid .env file exists at repo root.
+- You are in repo root.
+
+## 1) Build And Test Local Image
+
+Build the local image:
+
+```bash
+docker build -t safe-settings:local .
+```
+
+Run container in foreground with explicit runtime env and port mapping:
+
+```bash
+docker run --name safe-settings-local \
+	--env-file ./.env \
+	--env NODE_ENV=development \
+	--env HOST=0.0.0.0 \
+	-p 3000:3000 \
+	-it safe-settings:local
+```
+
+If startup fails, inspect logs:
+
+```bash
+docker logs safe-settings-local
+```
+
+Shell into running container for investigation:
+
+```bash
+docker exec -it safe-settings-local /bin/sh
+```
+
+Clean up:
+
+```bash
+docker rm -f safe-settings-local
+```
+
+## 2) Pull And Test GHCR Image
+
+Pull published image:
+
+```bash
+docker pull ghcr.io/github/safe-settings:2.1.19
+```
+
+Run with the same env and port flags used for local testing:
+
+```bash
+docker run --name safe-settings-ghcr \
+	--env-file ./.env \
+	--env NODE_ENV=development \
+	--env HOST=0.0.0.0 \
+	-p 3000:3000 \
+	-it ghcr.io/github/safe-settings:2.1.19
+```
+
+Inspect logs:
+
+```bash
+docker logs safe-settings-ghcr
+```
+
+Debug inside container:
+
+```bash
+docker exec -it safe-settings-ghcr /bin/sh
+```
+
+Clean up:
+
+```bash
+docker rm -f safe-settings-ghcr
+```
+
+## 3) Fast Differential Debug (Local vs GHCR)
+
+Use this when one image works and the other does not.
+
+1. Run both images with identical flags (env, HOST, port mapping).
+2. Compare startup logs side-by-side.
+3. Compare environment inside each container:
+
+```bash
+docker exec -it safe-settings-local /bin/sh -c 'env | sort'
+docker exec -it safe-settings-ghcr /bin/sh -c 'env | sort'
+```
+
+4. Confirm app process is listening on expected port inside container:
+
+```bash
+docker exec -it safe-settings-local /bin/sh -c 'netstat -lntp 2>/dev/null || ss -lntp'
+docker exec -it safe-settings-ghcr /bin/sh -c 'netstat -lntp 2>/dev/null || ss -lntp'
+```
+
+5. Validate host reachability:
+
+```bash
+curl -i http://localhost:3000/
+```
+
+## 4) Common Failure Patterns And Fixes
+
+Symptom: container exits immediately.
+Likely causes:
+- Missing required variables in .env.
+- Invalid app credentials.
+Checks:
+- docker logs <container-name>
+- Confirm .env has required app settings.
+
+Symptom: cannot connect from host to localhost:3000.
+Likely causes:
+- Missing -p 3000:3000.
+- App not binding to all interfaces.
+Checks:
+- Ensure HOST=0.0.0.0 is set.
+- Ensure port mapping is present.
+
+Symptom: cannot shell into container with bash.
+Likely cause:
+- Alpine image does not include bash.
+Fix:
+- Use /bin/sh.
+
+Symptom: name conflict when re-running tests.
+Likely cause:
+- Old container still exists.
+Fix:
+- docker rm -f <container-name>
+
+## 5) Minimal Known-Good Commands
+
+Local:
+
+```bash
+docker build -t safe-settings:local . && \
+docker run --rm --name safe-settings-local \
+	--env-file ./.env \
+	--env NODE_ENV=development \
+	--env HOST=0.0.0.0 \
+	-p 3000:3000 \
+	-it safe-settings:local
+```
+
+GHCR:
+
+```bash
+docker pull ghcr.io/github/safe-settings:2.1.19 && \
+docker run --rm --name safe-settings-ghcr \
+	--env-file ./.env \
+	--env NODE_ENV=development \
+	--env HOST=0.0.0.0 \
+	-p 3000:3000 \
+	-it ghcr.io/github/safe-settings:2.1.19
+```

index.js

@@ -199,7 +199,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
   async function createCheckRun (context, pull_request, head_sha, head_branch) {
     const { payload } = context
     // robot.log.debug(`Check suite was requested! for ${context.repo()} ${pull_request.number} ${head_sha} ${head_branch}`)
-    const res = await context.octokit.checks.create({
+    const res = await context.octokit.rest.checks.create({
       owner: payload.repository.owner.login,
       repo: payload.repository.name,
       name: 'Safe-setting validator',
@@ -211,13 +211,13 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
   async function info () {
     const github = await robot.auth()
     const installations = await github.paginate(
-      github.apps.listInstallations.endpoint.merge({ per_page: 100 })
+      github.rest.apps.listInstallations.endpoint.merge({ per_page: 100 })
     )
     robot.log.debug(`installations: ${JSON.stringify(installations)}`)
     if (installations.length > 0) {
       const installation = installations[0]
       const github = await robot.auth(installation.id)
-      const app = await github.apps.getAuthenticated()
+      const app = await github.rest.apps.getAuthenticated()
       appSlug = app.data.slug
       robot.log.debug(`Validated the app is configured properly = \n${JSON.stringify(app.data, null, 2)}`)
     }
@@ -228,7 +228,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
     const github = await robot.auth()
 
     const installations = await github.paginate(
-      github.apps.listInstallations.endpoint.merge({ per_page: 100 })
+      github.rest.apps.listInstallations.endpoint.merge({ per_page: 100 })
     )
 
     if (installations.length > 0) {
@@ -577,11 +577,11 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       output: { title: 'Starting NOP', summary: 'initiating...' }
     }
     robot.log.debug(`Updating check run ${JSON.stringify(params)}`)
-    await context.octokit.checks.update(params)
+    await context.octokit.rest.checks.update(params)
 
     params = Object.assign(context.repo(), { pull_number: pull_request.number })
 
-    const changes = await context.octokit.pulls.listFiles(params)
+    const changes = await context.octokit.rest.pulls.listFiles(params)
     const files = changes.data.map(f => { return f.filename })
 
     const settingsModified = files.includes(Settings.FILE_PATH)
@@ -609,7 +609,7 @@ module.exports = (robot, { getRouter }, Settings = require('./lib/settings')) =>
       output: { title: 'No Safe-settings changes detected', summary: 'No changes detected' }
     }
     robot.log.debug(`Completing check run ${JSON.stringify(params)}`)
-    await context.octokit.checks.update(params)
+    await context.octokit.rest.checks.update(params)
   })
 
   robot.on('repository.created', async context => {

lib/configManager.js

@@ -19,7 +19,7 @@ module.exports = class ConfigManager {
     try {
       const repo = { owner: this.context.repo().owner, repo: env.ADMIN_REPO }
       const params = Object.assign(repo, { path: filePath, ref: this.ref })
-      const response = await this.context.octokit.repos.getContent(params).catch(e => {
+      const response = await this.context.octokit.rest.repos.getContent(params).catch(e => {
         this.log.error(`Error getting settings ${e}`)
       })
 

lib/plugins/archive.js

@@ -11,7 +11,7 @@ module.exports = class Archive {
 
   async getRepo () {
     try {
-      const { data } = await this.github.repos.get({
+      const { data } = await this.github.rest.repos.get({
         owner: this.repo.owner,
         repo: this.repo.repo
       })
@@ -32,13 +32,13 @@ module.exports = class Archive {
       return new NopCommand(
         this.constructor.name,
         this.repo,
-        this.github.repos.update.endpoint(this.settings),
+        this.github.rest.repos.update.endpoint(this.settings),
         change,
         'INFO'
       )
     }
 
-    const { data } = await this.github.repos.update({
+    const { data } = await this.github.rest.repos.update({
       owner: this.repo.owner,
       repo: this.repo.repo,
       archived

lib/plugins/autolinks.js

@@ -8,7 +8,7 @@ module.exports = class Autolinks extends Diffable {
   // }
 
   async find () {
-    const { data } = await this.github.repos.listAutolinks(this.repo)
+    const { data } = await this.github.rest.repos.listAutolinks(this.repo)
     return data
   }
 
@@ -43,13 +43,13 @@ module.exports = class Autolinks extends Diffable {
       return new NopCommand(
         this.constructor.name,
         this.repo,
-        this.github.repos.createAutolink.endpoint(attrs),
+        this.github.rest.repos.createAutolink.endpoint(attrs),
         'Add autolink'
       )
     }
 
     try {
-      return this.github.repos.createAutolink(attrs)
+      return this.github.rest.repos.createAutolink(attrs)
     } catch (e) {
       if (e?.response?.data?.errors?.[0]?.code === 'already_exists') {
         this.log.debug(`Did not update ${key_prefix}, as it already exists`)
@@ -68,10 +68,10 @@ module.exports = class Autolinks extends Diffable {
       return new NopCommand(
         this.constructor.name,
         this.repo,
-        this.github.repos.deleteAutolink.endpoint(attrs),
+        this.github.rest.repos.deleteAutolink.endpoint(attrs),
         'Remove autolink'
       )
     }
-    return this.github.repos.deleteAutolink(attrs)
+    return this.github.rest.repos.deleteAutolink(attrs)
   }
 }