Refactor: upgrade deps, improve reliability, update docs and tooling

[cbullinger]

Summary

Major refactor covering dependency upgrades, reliability improvements, documentation overhaul, and tooling updates.

Dependency Upgrades

• Go 1.24.0 → 1.26.0
• google/go-github v48 → v82
• mongo-driver v1 → v2

Reliability & Features

• Rate limit handling: RateLimitTransport with auto-retry on 403/429
• Webhook idempotency: DeliveryTracker deduplicates via X-GitHub-Delivery header
• Structured logging: migrated to log/slog with JSON output for Cloud Logging
• Sentinel errors: ErrRateLimited, ErrNotFound, etc. in errors.go
• Token manager: thread-safe token state with sync.RWMutex
• Readiness endpoint: /ready probe separate from /health liveness
• Dry-run enforcement: DryRun flag now actually prevents writes (was cosmetic-only)
• Added backward-compatible fields to DeprecatedFileEntry:
  • source_path - Original source file path (for traceability)
  • pr_number - PR that caused the deletion (for auditing)
• Slack notifications for deprecations: Automatic Slack notification when files are deprecated
• Slack added to startup banner: Added Slack: true/false to the startup banner to show whether Slack notifications are enabled

Docs & Config

• Deleted stale/duplicative docs (QUICK-REFERENCE.md, DEBUG-LOGGING.md, RECOMMENDATIONS.md)
• Updated all docs for Cloud Run (removed App Engine references), /events webhook path, slog logging
• Deleted legacy app.yaml (App Engine Flex config)
• Added github-app-manifest.yml documenting required permissions and events
• Updated LOCAL-TESTING.md with GitHub App auth setup (SKIP_SECRET_MANAGER flow)
• Fixed default WebserverPath from /webhook to /events

Scripts

• Deleted obsolete scripts (convert-env-format.sh, convert-env-to-yaml.sh, validate-config-detailed.py)
• Added ci-local.sh (mirrors CI pipeline locally)
• Updated all scripts for Cloud Run, correct binary name, /events path
• Added release.sh to create a tag-based release system

CLI Tools (cmd/)

• test-webhook: added X-GitHub-Delivery header, fixed stale URLs
• config-validator: init now supports basic/glob/regex templates, fixed type: "pr" → "pull_request"
• test-pem: rewritten with proper error handling, added README

CI

• Updated ci.yml for Go 1.26, added security scanning (gosec, Trivy)
• Kept SERVICE_NAME: "examples-copier" to deploy to existing Cloud Run service
• Dockerfile binary renamed internally to github-copier
• Removed release deployment on merge to main. Instead, it now requires a manual release via release.sh script

---

Bug Fixes

Deprecation File Location Fix

• Issue: Deprecation file (deprecated_examples.json) was being read/written to the config repo instead of the source repo
• Fix: Now correctly reads from and writes to the source repository where files are being deleted
• Bonus: Creates the deprecation file automatically if it doesn't exist (handles 404 gracefully)
• Bonus: Detects and skips duplicate deprecation entries on webhook redelivery

Duplicate Prevention on Webhook Redelivery

• Issue: Webhook redelivery could create duplicate entries in the deprecation file
• Fix: UpdateDeprecationFile() now checks for existing entries before appending
• Key matching: Uses filename|repo|branch composite key for deduplication

Deprecation Config Enabled Check

• Issue: DeprecationConfig.Enabled field was never checked - deprecation tracking happened for ALL deleted files regardless of config
• Fix: addToDeprecationMap() now only tracks deprecations when workflow.DeprecationCheck.Enabled == true
• Impact: Prevents unintended deprecation tracking for workflows that don't opt-in

Exclude Patterns Fix

• Issue: Workflow.Exclude patterns weren't working because the code used glob matching but the documentation (and configs) specified regex patterns
• Fix: Changed isExcluded() to use regex matching, consistent with documentation and SourcePattern.ExcludePatterns
• Files like *_test.ts, *.spec.ts, and .eslintrc.* are now properly excluded

Auto-Merge Batching Warning

• Issue: When multiple workflows target the same repo with conflicting auto_merge settings, there was no indication of the conflict
• Fix: Added warning log when workflows conflict, with AND logic for safety (any false disables auto-merge for the batch)

---

Deprecation Feature Enhancements (Latest Session)

Test plan

• go build ./... passes
• go test -race ./... passes
• golangci-lint run ./... passes
• Local dry-run test with smee webhook forwarding (confirmed dry-run prevents writes)
• Local test against production config (grove-platform/github-copier → .copier/main.yaml)
• CI pipeline passes on this PR
• Exclude patterns correctly filter out *_test.ts, *.spec.ts, .eslintrc.* files
• Deprecation file created/updated in source repo (not config repo)
• Duplicate deprecation entries skipped on webhook redelivery
• Auto-merge conflict warning logged when workflows have different settings
• Deprecation only tracked when DeprecationCheck.Enabled: true
• Deprecation entries include source_path and pr_number fields
• Slack notification sent when files are deprecated
• Deploy to Cloud Run and verify /health, /ready, /metrics endpoints
• Verify webhook processing on production with a real merged PR

Made with Cursor

[MongoCaleb]

A couple of Qs. LTGM.

[MongoCaleb]

Edification question: It's been a long time since I visited this; do we now have a safe way to store a PEM?

[cbullinger]

it'd be only if you're testing locally, so it'd be stored in an uncommitted .env.local

[MongoCaleb]

Do we want to spell out/define Personal Access Token here?