refactor: mattermost-notify should be a composite action, not a reusable workflow

[mattyg]

Followup to #6

This removes the mattermost-notifier reusable workflow and adds a composite action instead. This allows it to be run as a step within a workflow.

Summary by CodeRabbit

• New Features

  • Added a reusable Mattermost notifier action and supporting script to send messages to Mattermost channels from workflows.

• Refactor

  • Migrated notification delivery from a reusable workflow to a composite action for simpler invocation.
  • Renamed authentication input for clearer, consistent usage.

• Documentation

  • Updated README examples and usage instructions to reflect the new action and input name.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 408703e1-3fbd-4d36-b887-0c4fb596a90b

📥 Commits

Reviewing files that changed from the base of the PR and between 8f1c9dc and 35e7f1b.

📒 Files selected for processing (4)

• .github/workflows/mattermost-notify.yml
• README.md
• mattermost-notify/action.yml
• mattermost-notify/notify.sh

💤 Files with no reviewable changes (1)

• .github/workflows/mattermost-notify.yml

✅ Files skipped from review due to trivial changes (1)

• mattermost-notify/notify.sh

🚧 Files skipped from review as they are similar to previous changes (2)

• mattermost-notify/action.yml
• README.md

---

Walkthrough

Replaced a reusable GitHub Actions workflow for Mattermost notifications with a composite action and supporting script. Deleted .github/workflows/mattermost-notify.yml, added mattermost-notify/action.yml and mattermost-notify/notify.sh, and updated README to show the new action and input name change.

Changes

Cohort / File(s)	Summary
Removed reusable workflow .github/workflows/mattermost-notify.yml	Deleted the workflow that exposed a workflow_call interface with inputs mattermost_url, channel_id, message and used the MATTERMOST_PERSONAL_ACCESS_TOKEN secret to post to Mattermost.
Composite action + script mattermost-notify/action.yml, mattermost-notify/notify.sh	Added a composite GitHub Action Mattermost notifier (action.yml) with inputs mattermost_url, channel_id, message, mattermost_personal_access_token and an executable notify.sh that builds JSON with jq, POSTs to /api/v4/posts via curl, and enforces 2xx success checking.
Documentation update README.md	Replaced example usage of the reusable workflow with the composite action usage, and changed documented secret/input name from MATTERMOST_PERSONAL_ACCESS_TOKEN to mattermost_personal_access_token passed via with.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: action to send a message to a mattermost channel #6: Replaces the original reusable workflow with a composite action and supporting script for Mattermost notifications.

Suggested reviewers

• ThetaSinner

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: converting the mattermost-notify implementation from a reusable workflow to a composite action, which is reflected in all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/mattermost-notify-composite-action

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

README.md (1)

27-27: Pin the action reference to a commit SHA instead of @main.

At line 27, using @main references a mutable branch, creating unnecessary supply-chain risk. GitHub Actions documentation recommends pinning third-party actions to a full-length commit SHA for maximum security. Update to a specific commit hash (e.g., @a1b2c3d4e5f6...) rather than a branch reference.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 27, Replace the mutable branch reference in the
workflow/action declaration that currently reads uses:
holochain/actions/mattermost-notify@main with a pinned full-length commit SHA;
locate the line containing holochain/actions/mattermost-notify and change the
`@main` suffix to @<full-commit-sha> (e.g., fetch the desired commit SHA from the
holochain/actions repository and substitute it) so the action is pinned to an
immutable commit.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@mattermost-notify/notify.sh`:
- Around line 13-29: The temporary file created by mktemp (assigned to
response_body in notify.sh) is never removed on exit; add an EXIT trap
immediately after creating response_body that removes the file (e.g., trap 'rm
-f "$response_body"' EXIT) so the temp file is cleaned on normal exit, failure
paths, and signals; ensure the trap references the response_body variable
created by mktemp and remains in scope for the whole script.
- Around line 15-23: The curl invocation that sets response_code should include
explicit network timeouts and optional retry flags to avoid hanging: add
--connect-timeout (e.g. 5s) and --max-time (e.g. 30s) and consider
--retry/--retry-connrefused for transient errors to the curl command that writes
to response_body; also ensure the temporary file created by mktemp
(response_body) is always removed by adding a trap like trap "rm -f
'$response_body'" EXIT immediately after mktemp so the temp file is cleaned up
on any exit path.

---

Nitpick comments:
In `@README.md`:
- Line 27: Replace the mutable branch reference in the workflow/action
declaration that currently reads uses: holochain/actions/mattermost-notify@main
with a pinned full-length commit SHA; locate the line containing
holochain/actions/mattermost-notify and change the `@main` suffix to
@<full-commit-sha> (e.g., fetch the desired commit SHA from the
holochain/actions repository and substitute it) so the action is pinned to an
immutable commit.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e10778e8-4d19-470c-8a13-faba1eeb61bd

📥 Commits

Reviewing files that changed from the base of the PR and between c070e4d and 8f1c9dc.

📒 Files selected for processing (4)

• .github/workflows/mattermost-notify.yml
• README.md
• mattermost-notify/action.yml
• mattermost-notify/notify.sh

💤 Files with no reviewable changes (1)

• .github/workflows/mattermost-notify.yml

[cocogitto-bot]

✔️ 35e7f1b - Conventional commits check succeeded.