github
diff --git a/‎.github/workflows/create-pre-release.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/create-pre-release.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/create-release.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/create-release.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/deploy-k8s.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/deploy-k8s.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/rc-release.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/rc-release.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎NOTICE.md‎
Lines changed: 1 addition & 1 deletion b/‎NOTICE.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 51 additions & 23 deletions b/‎README.md‎
Lines changed: 51 additions & 23 deletions
diff --git a/‎docs/deploy.md‎
Lines changed: 24 additions & 14 deletions b/‎docs/deploy.md‎
Lines changed: 24 additions & 14 deletions
diff --git a/‎docs/sample-settings/sample-deployment-settings.yml‎
Lines changed: 16 additions & 5 deletions b/‎docs/sample-settings/sample-deployment-settings.yml‎
Lines changed: 16 additions & 5 deletions
diff --git a/‎handler.js‎
Lines changed: 3 additions & 2 deletions b/‎handler.js‎
Lines changed: 3 additions & 2 deletions
@@ -58,7 +58,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0
         with:
           context: .
           file: ./Dockerfile
@@ -85,7 +85,7 @@ jobs:
           commitish: ${{ github.ref }}
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0
         with:
           context: .
           file: ./Dockerfile
 
@@ -36,7 +36,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image Locally
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0
         with:
           context: .
           file: ./Dockerfile
@@ -59,7 +59,7 @@ jobs:
           bump: final
       - name: Push Docker Image
         if: ${{ success() }}
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0
         with:
           context: .
           file: ./Dockerfile
 
@@ -29,12 +29,12 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
+      - uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
-      - uses: azure/aks-set-context@feeca6405be94202afcb1c395616ff29b1811b9f
+      - uses: azure/aks-set-context@c7eb093e5a5d47caa333f64974d5fd1cd4bf069d
         with:
           resource-group: ${{env.AZURE_RESOURCE_GROUP}}
           cluster-name: ${{env.AZURE_AKS_CLUSTER}}
 
@@ -76,7 +76,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
       - name: Build and push Docker image
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0
         with:
           context: .
           push: true
 
@@ -850,7 +850,7 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 - isexe, 2.0.0, ISC,
 - json-stringify-safe, 5.0.1, ISC,
 - lru-cache, 6.0.0, ISC,
-- minimatch, 3.0.4, ISC,
+- minimatch, 10.0.1, ISC,
 - octokit-auth-probot, 1.2.3, ISC,
 - once, 1.4.0, ISC,
 - probot, 11.0.6, ISC,
 
@@ -64,16 +64,40 @@ The App listens to the following webhook events:
 If you rename a `<repo.yml>` that corresponds to a repo, safe-settings will rename the repo to the new name. This behavior will take effect whether the env variable `BLOCK_REPO_RENAME_BY_HUMAN` is set or not.
 
 ### Restricting `safe-settings` to specific repos
-`safe-settings` can be turned on only to a subset of repos by specifying them in the runtime settings file, `deployment-settings.yml`. If no file is specified, then the following repositories -  `'admin', '.github', 'safe-settings'` are exempted by default.
-A sample of `deployment-settings` file is found [here](docs/sample-settings/sample-deployment-settings.yml).
-
-To apply `safe-settings` __only__ to a specific list of repos, add them to the `restrictedRepos` section as `include` array.
 
-To ignore `safe-settings` for a specific list of repos, add them to the `restrictedRepos` section as `exclude` array.
+To restrict which repositories `safe-settings` can manage, create a `deployment-settings.yml` file. This file controls the app's scope through the `restrictedRepos` configuration:
+
+```yml
+# Using include/exclude
+restrictedRepos:
+  include:
+    - api
+    - core-*    # Matches `core-api`, `core-service`, etc.
+  exclude:
+    - admin
+    - .github
+    - safe-settings
+    - test-*    # Matches `test-repo`, etc.
+
+# Or using simple array syntax for includes
+restrictedRepos: 
+  - admin
+  - .github
+  # ...
+```
 
 > [!NOTE]
-> The `include` and `exclude` attributes support as well regular expressions.
-> By default they look for regex, Example include: ['SQL'] will look apply to repos with SQL and SQL_ and SQL- etc if you want only SQL repo then use include:['^SQL$']
+> Pattern matching uses glob expressions, e.g use * for wildcards.
+
+When using `include` and `exclude`:
+
+- If `include` is specified, will **only** run on repositories that match pattern(s)
+- If `exclude` is specified, will run on all repositories **except** those matching pattern(s)
+- If both are specified, will run only on included repositories that are'nt excluded
+
+By default, if no configuration file is provided, `safe-settings` will excludes these repos: `admin`, `.github` and `safe-settings`.
+
+See our [deployment-settings.yml sample](docs/sample-settings/sample-deployment-settings.yml).
 
 ### Custom rules
 
@@ -329,24 +353,28 @@ The following can be configured:
 - `Rulesets`
 - `Environments` - wait timer, required reviewers, prevent self review, protected branches deployment branch policy, custom deployment branch policy, variables, deployment protection rules
 
-> [!important]
-> It is possible to provide an `include` or `exclude` settings to restrict the `collaborators`, `teams`, `labels` to a list of repos or exclude a set of repos for a collaborator. 
-> The include/exclude pattern can also be for glob. For e.g.:
-```
-teams:
-  - name: Myteam-admins
-    permission: admin
-  - name: Myteam-developers
-    permission: push
-  - name: Other-team
-    permission: push
-    include:
-      - '*-config'
-```
-> Will only add `Other-team` to only `*-config` repos
-
 See [`docs/sample-settings/settings.yml`](docs/sample-settings/settings.yml) for a sample settings file.
 
+> [!note]
+> When using `collaborators`, `teams` or `labels`, you can control which repositories they apply to using `include` and `exclude`:
+>
+> - If `include` is specified, settings will **only** apply to repositories that match those patterns
+> - If `exclude` is specified, settings will apply to all repositories **except** those matching the patterns  
+> - If both are specified, `exclude` takes precedence over `include` but `include` patterns will still be respected
+>
+> Pattern matching uses glob expressions, e.g use * for wildcards. For example:
+>
+> ```yml
+> teams:
+>   - name: Myteam-admins
+>     permission: admin
+>   - name: Myteam-developers
+>     permission: push
+>   - name: Other-team
+>     permission: push
+>     include:
+>       - '*-config'
+>  ```
 
 ### Additional values
 
 
@@ -54,42 +54,48 @@ Optional values in the .env file can be found under the [Environment variables](
 
 Once you have the `.env` file configured, you are ready to start the building of the container.
 
-### Docker
-#### Build the Docker container
+## Docker
+### Build the Docker container
 Once you have configured the **GitHub App** and updated the source code, you should be ready to build the container.
 - Change directory to inside the code base
   - `cd safe-settings/`
 - Build the container
   - `docker build -t safe-settings .`
 - This process should complete successfully and you will then have a **Docker** container ready for deployment
 
-#### Run the Docker container
+### Run the Docker container
 Once the container has been successfully built, you can deploy it and start utilizing the **GitHub App**.
 
-#### Start the container with docker-compose
+### Start the container with docker-compose
 If you have docker-compose installed, you can simply start and stop the **Docker** container with:
 - `cd safe-settings/; docker-compose --env-file .env up -d`
 This will start the container in the background and detached.
 
-#### Start Docker container Detached in background
+### Start Docker container Detached in background
 - Start the container detached with port assigned (*Assuming port 3000 for the webhook*)
   - `docker run -d -p 3000:3000 safe-settings`
 - You should now have the container running in the background and can validate it running with the command:
   - `docker ps`
 - This should show the `safe-settings` alive and running
 
-#### Start Docker container attached in forground (Debug)
+### Start Docker container attached in foreground (Debug)
 - If you need to run the container in interactive mode to validate connectivity and functionality:
   - `docker run -it -p 3000:3000 safe-settings`
 - You will now have the log of the container showing to your terminal, and can validate connectivity and functionality.
 
-#### Connect to running Docker container (Debug)
+### Connect to running Docker container (Debug)
 - If you need to connect to the container thats already running, you can run the following command:
   - `docker exec -it safe-settings /bin/sh`
 - You will now be inside the running **Docker** container and can perform any troubleshooting needed
 
-### Deploy the app to AWS Lambda
+## Deploy the app to AWS Lambda
 [Serverless Framework Deployment of safe-settings on AWS](AWS-README.md)
+
+### Proxy Support
+The AWS Lambda handler, `handler.js` uses a custom  `Octokit` factory that creates Octokit with ___Proxied fetch___ instead of the regular ___fetch___ when the `http_proxy`/`https_proxy` env variables are set.
+
+In the future we can use the same pattern to support proxy in all deployments of the app.
+
 ## Deploy the app in Kubernetes
 
 ### __Deploying using kubectl__
@@ -205,24 +211,24 @@ Probot runs like [any other Node app](https://devcenter.heroku.com/articles/depl
 
 1.  Make sure you have the [Heroku CLI](https://devcenter.heroku.com/articles/heroku-cli) client installed.
 
-1.  Clone the app that you want to deploy. e.g. `git clone https://github.com/probot/stale`
+2.  Clone the app that you want to deploy. e.g. `git clone https://github.com/probot/stale`
 
-1.  Create the Heroku app with the `heroku create` command:
+3.  Create the Heroku app with the `heroku create` command:
 
         $ heroku create
         Creating arcane-lowlands-8408... done, stack is cedar
         http://arcane-lowlands-8408.herokuapp.com/ | [email protected]:arcane-lowlands-8408.git
         Git remote heroku added
 
-1.  Go back to your [app settings page](https://github.com/settings/apps) and update the **Webhook URL** to the URL of your deployment, e.g. `http://arcane-lowlands-8408.herokuapp.com/`.
+4.  Go back to your [app settings page](https://github.com/settings/apps) and update the **Webhook URL** to the "${URL_of_your_deployment}/api/github/webhooks", e.g. `http://arcane-lowlands-8408.herokuapp.com/api/github/webhooks`.
 
-1.  Configure the Heroku app, replacing the `APP_ID` and `WEBHOOK_SECRET` with the values for those variables, and setting the path for the `PRIVATE_KEY`:
+5.  Configure the Heroku app, replacing the `APP_ID` and `WEBHOOK_SECRET` with the values for those variables, and setting the path for the `PRIVATE_KEY`:
 
         $ heroku config:set APP_ID=aaa \
             WEBHOOK_SECRET=bbb \
             PRIVATE_KEY="$(cat ~/Downloads/*.private-key.pem)"
 
-1.  Deploy the app to heroku with `git push`:
+6.  Deploy the app to heroku with `git push`:
 
         $ git push heroku master
         ...
@@ -231,12 +237,16 @@ Probot runs like [any other Node app](https://devcenter.heroku.com/articles/depl
         -----> Launching... done
               http://arcane-lowlands-8408.herokuapp.com deployed to Heroku
 
-1.  Your app should be up and running! To verify that your app
+7.  Your app should be up and running! To verify that your app
     is receiving webhook data, you can tail your app's logs:
 
          $ heroku config:set LOG_LEVEL=trace
          $ heroku logs --tail
 
+8. SSL [Optional]: If you want to secure webhook payloads, go to Heroku app settings => Configure SSL => Automatic Certificate Management (ACM) which uses Let's encrypt (or upload your own). Then go to the GitHub app settings, and update the url to use https:// instead
+
+9. Cron [Optional]: You can configure this app to run on a schedule using the var (CRON), you can set it in the app settings in the UI, or using `heroku config:set CRON='0 * * * *'` to run every hour for ex.
+
 ## Create the GitHub App
 
 Every deployment will need an [App](https://developer.github.com/apps/).
 
@@ -1,16 +1,27 @@
+# This is a sample deployment settings file
+# See the documentation for more details on how to use this file
+
+# If no file is specified, the following repositories are excluded by default
+# restrictedRepos: ['admin', '.github', 'safe-settings']
+
 restrictedRepos:
-  # You can exclude certain repos from safe-settings processing
-  #  If no file is specified, then the following repositories - 'admin', '.github', 'safe-settings' are exempted by default
-  exclude: ['^admin$', '^\.github$', '^safe-settings$', '.*-test']
-  # Alternatively you can only include certain repos
-  include: ['^test$']
+  exclude: 
+    - admin
+    - .github
+    - safe-settings
+    - admin-*
+  include:
+    - docs
+    - core-*
+
 configvalidators:
   - plugin: collaborators
     error: |
       `Admin cannot be assigned to collaborators`
     script: |
       console.log(`baseConfig ${JSON.stringify(baseconfig)}`)
       return baseconfig.permission != 'admin'
+
 overridevalidators:
   - plugin: branches
     error: |
 
@@ -2,15 +2,16 @@ const {
   createLambdaFunction,
   createProbot
 } = require('@probot/adapter-aws-lambda-serverless')
+const { getProbotOctoKit } = require('./lib/proxyAwareProbotOctokit')
 
 const appFn = require('./')
 
 module.exports.webhooks = createLambdaFunction(appFn, {
-  probot: createProbot()
+  probot: createProbot({ overrides: { Octokit: getProbotOctoKit() } })
 })
 
 module.exports.scheduler = function () {
-  const probot = createProbot()
+  const probot = createProbot({ overrides: { Octokit: getProbotOctoKit() } })
   const app = appFn(probot, {})
   return app.syncInstallation()
 }