Refactor: upgrade deps, improve reliability, update docs and tooling #4
Open
cbullinger wants to merge 25 commits into main from
The workflow processor was creating UploadKey with BranchPath set to just the branch name (e.g., 'main') instead of the full ref path (e.g., 'refs/heads/main'). This caused GitHub API calls to fail with 404 errors when trying to access the branch ref. This fix ensures BranchPath is always set with the 'refs/heads/' prefix, consistent with how it's used throughout the rest of the codebase.
- Add GetRestClientForOrg() to get installation-specific tokens
- Fix GraphQL query to use node(id:) instead of repository(owner:)
- Update RetrieveFileContentsWithConfigAndBranch to use org-specific client
- Remove refs/heads/ prefix duplication in workflow processor
- Fixes 404 errors when accessing repos in different orgs
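The two commit messages above describe opposite failures of the same field: a branch ref missing its `refs/heads/` prefix, then the prefix applied twice. An idempotent normalizer avoids both. This is an added example, not code from the pull request; `normalizeBranchRef` is a hypothetical name, and it assumes no real branch name itself begins with `refs/`.

```go
package main

import (
	"fmt"
	"strings"
)

const headsPrefix = "refs/heads/"

// normalizeBranchRef returns the fully qualified ref for a branch.
// It is idempotent: a bare name, an already qualified ref, and a ref whose
// prefix was duplicated by an earlier bug all come back with exactly one
// "refs/heads/". Assumption: branch names never start with "refs/".
func normalizeBranchRef(branch string) (string, error) {
	name := strings.TrimSpace(branch)
	// Strip every leading copy of the prefix so double-prefixing cannot survive.
	for strings.HasPrefix(name, headsPrefix) {
		name = strings.TrimPrefix(name, headsPrefix)
	}
	if name == "" {
		return "", fmt.Errorf("empty branch name in %q", branch)
	}
	// Tags and other ref namespaces are not branches; refuse them rather
	// than building a path such as refs/heads/refs/tags/v1.
	if strings.HasPrefix(name, "refs/") {
		return "", fmt.Errorf("%q is not a branch ref", branch)
	}
	return headsPrefix + name, nil
}

func main() {
	// Constructed inputs covering both bugs and a non-branch ref.
	inputs := []string{"main", "refs/heads/main", "refs/heads/refs/heads/main", "refs/tags/v1"}
	for _, in := range inputs {
		ref, err := normalizeBranchRef(in)
		fmt.Printf("%-30q -> %q err=%v\n", in, ref, err)
	}
}
```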
- Add explicit 'GITHUB APP AUTHENTICATION FAILED' message for 401 errors
- Point users to check CODE_COPIER_PEM secret in GCP Secret Manager
- Add detection in getInstallationIDForOrg, getInstallationAccessToken
- Add detection in config_loader and main_config_loader when fetching configs

This makes it immediately obvious when the PEM key is invalid/expired instead of showing misleading 'failed to load config' errors.
golangci-lint v1.x is built with Go 1.24 and can't analyze Go 1.26 code. Pin to v2.9.0 which supports Go 1.26. Similarly, the gosec Docker action bundles Go 1.25.7 — switch to `go install` so it uses the Go 1.26 from setup-go.

Co-authored-by: Cursor <cursoragent@cursor.com>
golangci-lint-action v6 doesn't support golangci-lint v2. Switch to action v7 which does. gosec @latest includes new taint analysis rules (G703-G706) that flag all http.Client.Do() calls as SSRF and CLI os.ReadFile as path traversal. These are false positives for this codebase — exclude globally alongside the existing G115 exclusion.

Co-authored-by: Cursor <cursoragent@cursor.com>
- Wrap deferred Close() calls to satisfy errcheck
- Replace deprecated github.String/Int/Bool with github.Ptr (SA1019)
- Apply De Morgan's law to simplify boolean expressions (QF1001)
- Remove unused parseIntWithDefault function
- Use t.Setenv in tests instead of unchecked os.Setenv (errcheck)
- Use system golangci-lint v2.9.0 in pre-commit for full coverage

Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
Major refactor covering dependency upgrades, reliability improvements, documentation overhaul, and tooling updates.
Dependency Upgrades
- google/go-github v48 → v82
- mongo-driver v1 → v2

Reliability & Features
- RateLimitTransport with auto-retry on 403/429
- DeliveryTracker deduplicates via X-GitHub-Delivery header
- log/slog with JSON output for Cloud Logging
- ErrRateLimited, ErrNotFound, etc. in errors.go
- sync.RWMutex
- /ready probe separate from /health liveness
- DryRun flag now actually prevents writes (was cosmetic-only)

Docs & Config
- QUICK-REFERENCE.md, DEBUG-LOGGING.md, RECOMMENDATIONS.md)
- /events webhook path, slog logging
- app.yaml (App Engine Flex config)
- github-app-manifest.yml documenting required permissions and events
- LOCAL-TESTING.md with GitHub App auth setup (SKIP_SECRET_MANAGER flow)
- WebserverPath from /webhook to /events

Scripts
- convert-env-format.sh, convert-env-to-yaml.sh, validate-config-detailed.py)
- ci-local.sh (mirrors CI pipeline locally)
- /events path

CLI Tools (cmd/)
- test-webhook: added X-GitHub-Delivery header, fixed stale URLs
- config-validator: init now supports basic/glob/regex templates, fixed type: "pr" → "pull_request"
- test-pem: rewritten with proper error handling, added README

CI
- ci.yml for Go 1.26, added security scanning (gosec, Trivy)
- SERVICE_NAME: "examples-copier" to deploy to existing Cloud Run service
- github-copier

Test plan
- go build ./... passes
- go test -race ./... passes
- golangci-lint run ./... passes
- grove-platform/github-copier → .copier/main.yaml)
- /health, /ready, /metrics endpoints

Made with Cursor
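One way to deduplicate webhook deliveries by the `X-GitHub-Delivery` header, as the description lists under Reliability & Features. This is an added example, not the pull request's `DeliveryTracker`; the type `deliveryDeduper`, its methods, the TTL window and the returned status codes are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"time"
)

// deliveryDeduper (hypothetical type) remembers delivery IDs for ttl.
type deliveryDeduper struct {
	mu   sync.Mutex
	ttl  time.Duration
	seen map[string]time.Time
}

// firstSeen reports true once per ID per TTL window; now is injected for tests.
func (d *deliveryDeduper) firstSeen(id string, now time.Time) bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	for k, t := range d.seen { // evict expired IDs so the map stays bounded
		if now.Sub(t) > d.ttl {
			delete(d.seen, k)
		}
	}
	if _, dup := d.seen[id]; dup {
		return false
	}
	d.seen[id] = now
	return true
}

// classify returns the handler status; call it only after signature verification.
func (d *deliveryDeduper) classify(h http.Header, now time.Time) int {
	switch id := h.Get("X-GitHub-Delivery"); {
	case id == "":
		return http.StatusBadRequest // no delivery ID, cannot deduplicate
	case !d.firstSeen(id, now):
		return http.StatusOK // redelivery: acknowledge, do not reprocess
	default:
		return http.StatusAccepted // first delivery: process it
	}
}

func main() {
	d := &deliveryDeduper{ttl: 10 * time.Minute, seen: map[string]time.Time{}}
	h := http.Header{}
	h.Set("X-GitHub-Delivery", "constructed-delivery-id") // constructed sample value
	fmt.Println(d.classify(h, time.Now()), d.classify(h, time.Now()))
}
```

Recording IDs only after the signature check keeps an unauthenticated sender from marking a legitimate delivery ID as already seen.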