Merge branch 'github:main-enterprise' into main-enterprise

Author: madkoo

.devcontainer/Dockerfile

@@ -1,6 +1,6 @@
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.195.0/containers/javascript-node/.devcontainer/base.Dockerfile
-# [Choice] Node.js version (use -bullseye variants on local arm64/Apple Silicon): 16, 14, 12, 16-bullseye, 14-bullseye, 12-bullseye, 16-buster, 14-buster, 12-buster
-ARG VARIANT=20-bookworm
+# [Choice] Node.js version/variant (use -bookworm variants on local arm64/Apple Silicon): e.g. 22-bookworm, 20-bookworm, 18-bookworm
+ARG VARIANT=22-bookworm
 FROM mcr.microsoft.com/devcontainers/javascript-node:1-${VARIANT}
 
 # [Optional] Uncomment this section to install additional OS packages.
@@ -23,7 +23,10 @@ RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "aws
   rm -rf ./aws && \
   rm awscliv2.zip
 # Install sam cli
-RUN curl -L "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-$(dpkg --print-architecture).zip" -o "aws-sam-cli.zip" && \
+RUN ARCH_RAW=$(uname -m) && \
+  ARCH=$ARCH_RAW && \
+  if [ "$ARCH_RAW" = "aarch64" ]; then ARCH="arm64"; fi && \
+  curl -L "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-${ARCH}.zip" -o "aws-sam-cli.zip" && \
   unzip aws-sam-cli.zip -d sam-installation && \
   sudo ./sam-installation/install && \
   rm -rf ./sam-installation && \

.devcontainer/devcontainer.json

@@ -4,10 +4,10 @@
 	"name": "Node.js",
 	"build": {
 		"dockerfile": "Dockerfile",
-		// Update 'VARIANT' to pick a Node version: 16, 14, 12.
-		// Append -bullseye or -buster to pin to an OS version.
-		// Use -bullseye variants on local arm64/Apple Silicon.
-		"args": { "VARIANT": "20-bookworm" }
+		// Update 'VARIANT' to pick a Node version, e.g. 22, 20, 18.
+		// Append -bookworm or -bullseye to pin to an OS version.
+		// Use -bookworm variants on local arm64/Apple Silicon.
+		"args": { "VARIANT": "22-bookworm" }
 	},
 
 	"settings": {},

.github/workflows/advanced-codeql.yml

@@ -0,0 +1,72 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  workflow_dispatch: 
+  push:
+    branches: [ "main-enterprise" ]
+  pull_request:
+    branches: [ "main-enterprise" ]
+
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: 'Checkout repository'
+      uses: actions/checkout@v4
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/create-pre-release.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@v6
         with:
-          node-version: 16.x
+          node-version: 22.x
           cache: 'npm'
       - run: npm install
       - name: Set up Docker Buildx
@@ -71,9 +71,10 @@ jobs:
       - name: Run Functional Tests
         id: functionaltest
         run: |
-          docker run --env APP_ID=${{ secrets.APP_ID }} --env PRIVATE_KEY=${{ secrets.PRIVATE_KEY }} --env WEBHOOK_SECRET=${{ secrets.WEBHOOK_SECRET }} -d -p 3000:3000 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-enterprise
+          CONTAINER_ID=$(docker run --env APP_ID=${{ secrets.APP_ID }} --env PRIVATE_KEY=${{ secrets.PRIVATE_KEY }} --env WEBHOOK_SECRET=${{ secrets.WEBHOOK_SECRET }} --env NODE_ENV=development -d -p 3000:3000 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-enterprise)
           sleep 10
-          curl http://localhost:3000
+          docker logs $CONTAINER_ID || true
+          curl --fail --retry 5 --retry-delay 3 --retry-connrefused http://localhost:3000
       - run: echo "${{ github.ref }}"
       - name: Tag a final release 
         id: prerelease

.github/workflows/create-release.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@v6
         with:
-          node-version: 16.x
+          node-version: 22.x
           cache: "npm"
       - run: npm install
       - name: Set up Docker Buildx

.github/workflows/node-ci.yml

@@ -11,7 +11,7 @@ concurrency:
 
 jobs:
   test:
-    if: ${{ github.actor != 'dependabot'}}
+    if: ${{ github.actor != 'dependabot[bot]'}}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -25,5 +25,5 @@ jobs:
     strategy:
       matrix:
         node-version:
-          - 18
-          - 20
+          - 22
+          - 24

.github/workflows/rc-release.yml

@@ -27,7 +27,7 @@ jobs:
     - name: Use Node.js
       uses: actions/setup-node@v6
       with:
-        node-version: 16.x
+        node-version: 22.x
         cache: npm
     - run: npm ci
     - run: npm run build --if-present

.nvmrc

@@ -1 +1 @@
-v20
+v22

Dockerfile

@@ -1,6 +1,7 @@
-FROM node:20-alpine
+FROM node:22-alpine
 WORKDIR /opt/safe-settings
 ENV NODE_ENV production
+ENV HOST=0.0.0.0
 ## Set the Labels
 LABEL version="1.0" \
       description="Probot app which is a modified version of Settings Probot GitHub App" \

docs/deploy.md

@@ -88,6 +88,9 @@ This will start the container in the background and detached.
   - `docker exec -it safe-settings /bin/sh`
 - You will now be inside the running **Docker** container and can perform any troubleshooting needed
 
+### Troubleshooting Docker Build and Runtime Issues
+For detailed guidance on debugging Docker image builds, runtime failures, and comparing local vs. GHCR images, see [docker-debugging.md](docker-debugging.md).
+
 ## Deploy the app to AWS Lambda
 
 ### Production-Ready Template