🔄 Let’s Do DevOps: Making a GitHub Action Event Driven + New Repo Immediate Configuration + GitHub Apps + Python3 Lambda (Part 1)

Kyler Middleton
12 min read · May 1

This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!

Hey all!

That title is a mouthful! Over the past few months I’ve taken on a side project — building a “little script” that configures all the repos in our GitHub Org — it sets all the permissions, builds all the branch policies, checks all the boxes we care about, etc.

That Little Script has been a constantly evolving project, as I’ve used it as a vehicle to learn more about GitHub Actions. I’ve built an “API token empty” circuit breaker, sharded the workload over n builders, and written an overview of what the tool is doing and how it works.

The basic idea of this tool is that we have lots of repos, and we want to keep them configured properly. To do that, we download a list of all the repos, then iterate over them synchronously across 2 builders running in parallel. However, there has been a big problem — when a new repo is built, it isn’t configured until the next time the “GitHubCop” (the tongue-in-cheek name for the tool I built) runs, which is currently nightly. That could be a long time during which the repo is configured incorrectly, doesn’t connect to our Jenkins instance, doesn’t have the right permissions, etc.

What would be even better is that when a new repo is created, the GitHubCop script would immediately configure it. So that’s what I built. As part of it, I built:

  • A GitHub App — Lets us collect Org-wide events, like “New Repo Created”, and send a webhook to an arbitrary endpoint
  • AWS API Gateway — This lets us have a permanent URL to receive the webhook
  • AWS Lambda — This lets us process and verify the inbound webhook and extract the info we need, grab the secrets we need, and trigger the GitHubCop Action in our Org
  • AWS Secrets — To store the GitHub PAT (Personal Access Token) used to authenticate to GitHub to trigger the Action using a REST call
  • Updated the GitHubCop Action to receive an optional attribute — a repo name, that can be…
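To make the Lambda piece of that flow concrete, here is an added example (my own illustration, not code from the original post or from the GitHubCop project) of a Python 3 handler sitting behind an API Gateway proxy integration. It verifies the GitHub App webhook signature against the raw body before parsing anything, ignores every delivery except a `repository` event with action `created`, and builds the `workflow_dispatch` REST call that runs GitHubCop for just the new repo. The org name, workflow file, input name, and the sample delivery are all constructed assumptions; the webhook secret and PAT are passed in as parameters where a real deployment would read them from AWS Secrets Manager at cold start, and the HTTP sender is injectable so the whole thing runs offline.

```python
import hashlib
import hmac
import json
from typing import Callable, Optional

# Assumed names for illustration only; none of these come from the original post.
ORG = "example-org"             # GitHub organization owning the repos
COP_REPO = "githubcop"          # repo that holds the GitHubCop workflow
COP_WORKFLOW = "githubcop.yml"  # workflow file with a workflow_dispatch trigger
COP_REF = "main"                # branch the dispatched run uses
COP_INPUT = "repo_name"         # the optional workflow input naming one repo


def sign_body(secret: str, body: bytes) -> str:
    """Produce the value GitHub puts in X-Hub-Signature-256: 'sha256=' + HMAC hex."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, body: bytes, signature_header: Optional[str]) -> bool:
    """Recompute the HMAC over the raw (unparsed) body and compare in constant time.
    A missing or malformed header is treated as a failure, never as 'unsigned but ok'."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature_header)


def extract_new_repo(event_name: Optional[str], payload: dict) -> Optional[str]:
    """Return the repo name only for a 'repository' event whose action is 'created'.
    Pings, renames, deletions and other event types yield None and are ignored."""
    if event_name != "repository" or payload.get("action") != "created":
        return None
    return payload.get("repository", {}).get("name")


def build_dispatch_request(pat: str, repo_name: str) -> dict:
    """Describe the REST call that starts GitHubCop for one repo.
    Endpoint: POST /repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches"""
    url = (f"https://api.github.com/repos/{ORG}/{COP_REPO}"
           f"/actions/workflows/{COP_WORKFLOW}/dispatches")
    return {
        "method": "POST",
        "url": url,
        "headers": {"Authorization": f"Bearer {pat}",
                    "Accept": "application/vnd.github+json"},
        "body": {"ref": COP_REF, "inputs": {COP_INPUT: repo_name}},
    }


def send_with_urllib(req: dict) -> int:
    """Default sender: perform the HTTPS call; GitHub answers 204 on success."""
    import urllib.request
    data = json.dumps(req["body"]).encode()
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=10) as resp:
        return resp.status


def lambda_handler(event: dict, context=None, *, webhook_secret: str, pat: str,
                   sender: Callable[[dict], int] = send_with_urllib) -> dict:
    """API Gateway (proxy integration) -> Lambda entry point.
    webhook_secret and pat are parameters here; a deployed handler would load them
    from AWS Secrets Manager once and cache them across invocations."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    body = (event.get("body") or "").encode()

    # 1. Drop anything not signed with our webhook secret before touching the JSON.
    if not verify_signature(webhook_secret, body, headers.get("x-hub-signature-256")):
        return {"statusCode": 401, "body": "bad signature"}

    # 2. Act only on brand-new repos; acknowledge everything else so GitHub stops retrying.
    repo_name = extract_new_repo(headers.get("x-github-event"), json.loads(body))
    if repo_name is None:
        return {"statusCode": 200, "body": "ignored"}

    # 3. Kick off GitHubCop for just that repo and report the dispatch result.
    status = sender(build_dispatch_request(pat, repo_name))
    return {"statusCode": 200 if status == 204 else 502,
            "body": json.dumps({"repo": repo_name, "dispatch_status": status})}


def constructed_delivery(secret: str, action: str = "created", name: str = "new-service") -> dict:
    """Build a sample API Gateway event shaped like a GitHub 'repository' delivery (constructed)."""
    body = json.dumps({"action": action, "repository": {"name": name}})
    return {"headers": {"X-GitHub-Event": "repository",
                        "X-Hub-Signature-256": sign_body(secret, body.encode())},
            "body": body}


if __name__ == "__main__":
    # Offline demo: a fake sender records the dispatch instead of calling GitHub.
    calls = []
    fake = lambda req: (calls.append(req), 204)[1]
    print(lambda_handler(constructed_delivery("demo-secret"), webhook_secret="demo-secret",
                         pat="demo-pat", sender=fake))
    print(calls[0]["url"], calls[0]["body"])
```

The order matters: the signature check runs over the raw bytes API Gateway handed over, before `json.loads`, so an attacker without the webhook secret cannot even reach the parser, and the PAT is only ever used for the single `workflow_dispatch` call the Lambda needs, never exposed back to the caller.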

DevNetSecOps, DevRel, cloud security chick. I will teach you, it’s unavoidable. She/Her 🏳️‍🌈🏳️‍🌈, INFJ-A, support the EFF!