Refactor: upgrade deps, improve reliability, update docs and tooling

.copier/main-test.yaml

@@ -0,0 +1,66 @@
+# Main Configuration File for the Dev Docs Copier App
+# This is the central config file that references individual workflow configs
+# Specified in app's env.yaml as MAIN_CONFIG_FILE
+
+# ============================================================================
+# GLOBAL DEFAULTS
+# ============================================================================
+# These defaults apply to all workflows across all workflow config files
+# unless overridden at the workflow config level or individual workflow level
+
+defaults:
+  commit_strategy:
+    type: "pull_request"
+    auto_merge: false
+  deprecation_check:
+    enabled: true
+    file: "deprecated_examples.json"
+
+# ============================================================================
+# WORKFLOW CONFIG REFERENCES
+# ============================================================================
+# App will auto-discover installation ID for source repo, then fetch the workflow config
+
+workflow_configs:
+
+  # --------------------------------------------------------------------------
+  # SAMPLE APPS
+  # --------------------------------------------------------------------------
+  - source: "repo"
+    repo: "mongodb/docs-sample-apps"
+    branch: "main"  # optional, defaults to main
+    path: ".copier/config.yaml"
+    enabled: true
+
+  # --------------------------------------------------------------------------
+  # MONOREPO
+  # --------------------------------------------------------------------------
+  - source: "repo"
+    repo: "10gen/docs-mongodb-internal"
+    branch: "main"
+    path: ".copier/config.yaml"
+    enabled: true
+
+  # --------------------------------------------------------------------------
+  # DOCS CODE EXAMPLES (DISABLED)
+  # --------------------------------------------------------------------------
+  - source: "repo"
+    repo: "mongodb/docs-code-examples"
+    branch: "main"
+    path: ".copier/config.yaml"
+    enabled: false
+
+  # --------------------------------------------------------------------------
+  # ** TESTING **
+  # --------------------------------------------------------------------------
+  - source: "repo"
+    repo: "cbullinger/aggregation-tasks"
+    branch: "main"
+    path: "copier-config.yaml"
+    enabled: true
+
+  - source: "repo"
+    repo: "cbullinger/copier-app-source-test"
+    branch: "main"
+    path: ".copier/test-main.yaml"
+    enabled: true

.cursorignore

@@ -0,0 +1,50 @@
+# Git
+.git/
+
+# Binaries
+github-copier
+code-copier
+copier
+config-validator
+test-webhook
+test-pem
+*.exe
+*.dll
+*.so
+*.dylib
+*.test
+
+# Dependencies
+vendor/
+go.sum
+
+# Build/Coverage output
+*.out
+
+# Environment files (secrets)
+.env
+.env.*
+!.env.test
+
+# Private keys
+*.pem
+*.key
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Logs and temp
+*.log
+tmp/
+temp/
+
+# Large test fixtures (JSON payloads)
+testdata/*.json

.github/workflows/ci.yml

@@ -3,6 +3,7 @@ name: CI
 on:
   push:
     branches: [main]
+    tags: ['v*']
   pull_request:
     branches: [main]
 
@@ -14,15 +15,13 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.26'
 
       - name: Download dependencies
         run: go mod download
 
       - name: Run tests
-        # Note: -race disabled due to pre-existing race conditions in tests that spawn
-        # background goroutines. These should be fixed by adding proper synchronization.
-        run: go test -v ./...
+        run: go test -race -v ./...
 
   lint:
     runs-on: ubuntu-latest
@@ -31,12 +30,12 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.26'
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
         with:
-          version: latest
+          version: v2.9.0
 
   security:
     runs-on: ubuntu-latest
@@ -45,16 +44,15 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.26'
+
+      - name: Install gosec
+        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
 
       - name: Run gosec
-        uses: securego/gosec@master
-        with:
-          # Exclude G101 (hardcoded credentials - false positive on env var names)
-          # Exclude G115 (integer overflow - false positive for PR numbers)
-          # Exclude G304 (file inclusion - intentional for CLI tools)
-          # Exclude G306 (file permissions - config files don't need 0600)
-          args: -exclude=G101,G115,G304,G306 ./...
+        # All false positives are suppressed with inline #nosec comments.
+        # No global exclusions — every suppression is documented at the call site.
+        run: gosec ./...
 
   build:
     runs-on: ubuntu-latest
@@ -64,16 +62,34 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.26'
 
       - name: Build
         run: go build -v ./...
 
+  scan:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
   deploy:
     runs-on: ubuntu-latest
-    needs: [build, security]
-    # Only deploy on push to main (not on PRs)
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    needs: [build, security, scan]
+    # Only deploy on version tag pushes (e.g. v1.0.0)
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+
+    environment:
+      name: production
+      url: ${{ steps.show-url.outputs.url }}
 
     permissions:
       contents: read
@@ -87,6 +103,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Extract version from tag
+        id: version
+        run: echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
       - name: Authenticate to Google Cloud
         uses: google-github-actions/auth@v2
         with:
@@ -104,6 +124,9 @@ jobs:
             --project $PROJECT_ID \
             --allow-unauthenticated \
             --env-vars-file=env-cloudrun.yaml \
+            --set-env-vars="GITHUB_APP_ID=${{ secrets.GITHUB_APP_ID }},INSTALLATION_ID=${{ secrets.INSTALLATION_ID }}" \
+            --build-arg="VERSION=${{ steps.version.outputs.tag }}" \
+            --tag="${{ steps.version.outputs.tag }}" \
             --max-instances=10 \
             --cpu=1 \
             --memory=512Mi \
@@ -113,10 +136,11 @@ jobs:
             --platform=managed
 
       - name: Show deployment URL
+        id: show-url
         run: |
           URL=$(gcloud run services describe $SERVICE_NAME \
             --region $REGION \
             --project $PROJECT_ID \
             --format='value(status.url)')
-          echo "🚀 Deployed to: $URL"
-
+          echo "url=$URL" >> $GITHUB_OUTPUT
+          echo "Deployed ${{ steps.version.outputs.tag }} to: $URL"

.gitignore

@@ -2,6 +2,9 @@
 github-copier
 code-copier
 copier
+config-validator
+test-webhook
+test-pem
 *.exe
 *.exe~
 *.dll
@@ -60,4 +63,3 @@ Thumbs.db
 # Temporary files
 tmp/
 temp/
-RECOMMENDATIONS.md

.gitleaksignore

@@ -0,0 +1,5 @@
+# Example placeholder string in .env.local.example (not a real key)
+configs/.env.local.example:private-key:77
+
+# Purpose-generated test-only PEM key in .env.test (never associated with a real GitHub App)
+.env.test:private-key:30

.golangci.yml

@@ -0,0 +1,56 @@
+# golangci-lint v2 configuration
+# Matches CI (golangci-lint v2.9.0) and local pre-commit.
+# Docs: https://golangci-lint.run/usage/configuration/
+version: "2"
+
+linters:
+  default: none
+  enable:
+    # Bug detection (default set)
+    - errcheck        # unchecked errors
+    - govet           # suspicious constructs
+    - ineffassign     # unused assignments
+    - staticcheck     # advanced static analysis (includes gosimple)
+    - unused          # unused code
+
+    # Style & quality
+    - misspell        # common typos in comments/strings
+    - revive          # extensible linter (replaces golint)
+
+  settings:
+    errcheck:
+      # Ignore intentionally discarded errors in defer cleanup.
+      # All such cases use the _ = expr pattern for explicitness.
+      exclude-functions:
+        - (io.Closer).Close
+
+    revive:
+      rules:
+        - name: exported
+          disabled: true   # too noisy for internal-only code
+
+    staticcheck:
+      checks:
+        - "all"
+        - "-SA1029"   # context.WithValue key type — acceptable for request-scoped data
+        - "-ST1000"   # package comments — not enforced for this project
+        - "-ST1003"   # naming conventions — existing codebase uses mixed styles
+
+  # In golangci-lint v2, exclusion rules live under linters.exclusions (not issues).
+  exclusions:
+    rules:
+      # Test files: allow dot-imports and unused parameters.
+      - path: _test\.go
+        linters:
+          - revive
+        text: "dot-imports|unused-parameter"
+
+formatters:
+  enable:
+    - gofmt
+    - goimports
+
+issues:
+  # Don't limit the number of reported issues per linter.
+  max-issues-per-linter: 0
+  max-same-issues: 0

.pre-commit-config.yaml

@@ -5,11 +5,16 @@ repos:
     hooks:
       - id: gitleaks
 
-  # Go linting
-  - repo: https://github.com/golangci/golangci-lint
-    rev: v1.62.2
+  # Go linting - requires golangci-lint v2 installed locally:
+  #   go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.9.0
+  - repo: local
     hooks:
       - id: golangci-lint
+        name: golangci-lint
+        entry: golangci-lint run --fix
+        language: system
+        pass_filenames: false
+        types: [go]
 
   # Local Go hooks
   - repo: local