🔥Let’s Do DevOps: Making a GitHub Action Event Driven + New Repo Immediate Configuration + GitHub Apps + Python3 Lambda (Part 1)

Kyler Middleton
12 min readMay 1, 2023

This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!

Hey all!

That title is a mouthful! Over the past few months I’ve taken on a side project — building a “little script” that configures all the repos in our github Org — it sets all the permissions, builds all the branch policies, checks all the boxes we care about, etc.

That Little Script has been a constantly evolving project as I’ve used it as a vehicle to learn more about GitHub Actions. I’ve built an API token empty circuit breaker, sharded the workload over n builders, and wrote an overview of what the tool is doing and how it works.

The basics of this tool is we have lots of repos, and we want to keep them configured properly. To do that, we download a list of all the repos, then synchronously iterate over them across 2 builders in parallel. However, there has been a big problem — when a new repo is built, it isn’t configured until the next time the “GitHubCop” (the tongue in cheek name for the tool I built) runs, which is currently nightly. That could be a long time during which the repo is configured incorrectly, doesn’t connect to our Jenkins instance, doesn’t have the right permissions, etc.

What would be even better would be that when new repo is created, the GitHubCop script would immediately configure it. So that’s what I built. As part of it, I built:

  • A GitHub App — Lets us collect Org-wide actions, like “New Repo Created” and send a webhook to an arbitrary endpoint
  • AWS API Gateway — This lets us have a permanent URL to receive the webhook
  • AWS Lambda — This lets us process and verify the inbound webhook and extract the info we need, grab the secrets we need, and trigger the GitHubCop Action in our Org
  • AWS Secrets — To store the GitHub PAT (Personal Access Token) used to authenticate to GitHub to trigger the Action using a REST call
  • Updated the GitHubCop Action to receive an optional attribute — a repo name, that can be…



Kyler Middleton

DevNetSecOps, DevRel, cloud security chick. I will teach you, it’s unavoidable. She/Her 🏳️‍🌈🏳️‍🌈, INFJ-A, support the EFF!