GitHub Action that posts to a Mattermost webhook endpoint over OpenZiti

This GitHub workflow action uses Ziti Python SDK to post an event's payload information to a Mattermost instance over a Ziti connection. This allows the Mattermost server to remain private, i.e. not directly exposed to the internet.

See action.yml for descriptions of all available inputs.

name: ziti-mattermost-action-py
on:
  create:
  delete:
  issues:
  issue_comment:
  pull_request_review:
  pull_request_review_comment:
  pull_request:
  push:
  fork:
  release:
    types: [released]

jobs:
  ziti-webhook:
    runs-on: ubuntu-latest
    name: Ziti Mattermost Action - Py
    steps:
    - uses: openziti/ziti-mattermost-action-py@v1
      with:
        # Identity JSON containing key to access a Ziti network
        zitiId: ${{ secrets.ZITI_MATTERMOST_IDENTITY }}

        # URL to post the payload. Note that the `zitiId` must provide access to a service 
        # intercepting `my-mattermost-ziti-server`
        webhookUrl: 'https://{my-mattermost-ziti-server}/hook/{my-mattermost-webhook-id}}'

        eventJson: ${{ toJson(github.event) }}
        senderUsername: "GitHubZ"
        destChannel: "github-notifications"

The zitiId input is the JSON formatted string of an identity enrolled in an OpenZiti Network.

The identity can be created by enrolling via the ziti edge enroll path/to/jwt [flags] command. The ziti CLI executable can be obtained here.

This input value is a Mattermost "Incoming Webhook" URL available over an OpenZiti Network to the identity specified by zitiId. This URL should be configured in Mattermost to allow posting to any valid channel with any sender username. The default username will be the sender.login from the GitHub Action event.

1. Build the container

docker build -t ghcr.io/openziti/ziti-mattermost-action-py:latest .

2. Generate PAT with scopes

• go to https://github.com/settings/tokens
• choose "Tokens(classic)"
• Choose "Generate new token" and select "Generate new token (classic)" from the dropdown
• Add note: "GHCR Deploy Token"
• choose permissions - write:packages (will also end up with read:packages)

3. Login + push with PAT

  export PAT='ghp_xxxxxx' # copy leading space to (probably) keep it out of your shell history or edit/source a file
echo "$PAT" | docker login ghcr.io -u dovholuknf --password-stdin

4. Push the image

docker push ghcr.io/openziti/ziti-mattermost-action-py:latest

5. Revoke PAT

• go to https://github.com/settings/tokens
• delete the token you just added (or not whatever)