|
1 | | -# Repository name |
2 | 1 |
|
3 | | -# Introduction |
4 | | -## About |
5 | | -*Describe what this repo contains and what the project is.* |
| 2 | +# ons-github-app |
| 3 | + |
| 4 | +## Overview |
| 5 | + |
| 6 | +A GitHub App backend for secure webhook processing and automation, deployed on Google Cloud Run. The app validates GitHub webhook signatures, manages installation tokens, and routes events for further processing. Infrastructure is provisioned with Terraform, and security is enforced via pre-commit hooks and CI scans. |
| 7 | + |
| 8 | +## Features |
| 9 | + |
| 10 | +- FastAPI-based webhook handler (`/webhooks/github`) |
| 11 | +- Signature verification for GitHub webhooks |
| 12 | +- JWT-based GitHub App authentication |
| 13 | +- Google Cloud Run deployment (Dockerized) |
| 14 | +- Terraform-managed GCP resources (Cloud Run, Artifact Registry, API Gateway) |
| 15 | +- Security scanning (Checkov, Trivy) via CI |
| 16 | +- Pre-commit hooks for secret/key detection |
6 | 17 |
|
7 | 18 | ## Installation |
8 | | -*Describe technical set-up. Such as the required dependencies.* |
9 | 19 |
|
10 | | -### Pre-commit actions |
11 | | -This repository contains a configuration of pre-commit hooks. These are language agnostic and focussed on repository security (such as detection of passwords and API keys). If approaching this project as a developer, you are encouraged to install and enable `pre-commits` by running the following in your shell: |
12 | | - 1. Install `pre-commit`: |
| 20 | +1. Clone the repo and create a Python virtual environment: |
13 | 21 |
|
14 | | - ``` |
15 | | - pip install pre-commit |
16 | | - ``` |
17 | | - 2. Enable `pre-commit`: |
| 22 | + ```bash |
| 23 | + python3 -m venv .venv |
| 24 | + source .venv/bin/activate |
| 25 | + pip install -r requirements.txt |
| 26 | + ``` |
18 | 27 |
|
19 | | - ``` |
20 | | - pre-commit install |
21 | | - ``` |
22 | | -Once pre-commits are activated, whenever you commit to this repository a series of checks will be executed. The pre-commits include checking for security keys, large files and unresolved merge conflict headers. The use of active pre-commits are highly encouraged and the given hooks can be expanded with Python or R specific hooks that can automate the code style and linting. For example, the `flake8` and `black` hooks are useful for maintaining consistent Python code formatting. |
| 28 | +2. Install pre-commit hooks: |
23 | 29 |
|
24 | | -**NOTE:** Pre-commit hooks execute Python, so it expects a working Python build. |
| 30 | + ```bash |
| 31 | + pip install pre-commit |
| 32 | + pre-commit install |
| 33 | + ``` |
| 34 | + |
| 35 | +3. Set required environment variables: |
| 36 | + - `GITHUB_APP_ID` |
| 37 | + - `GITHUB_PRIVATE_KEY` |
| 38 | + - `GITHUB_WEBHOOK_SECRET` |
| 39 | + - `GITHUB_ACCEPTED_EVENTS` (optional, comma-separated) |
25 | 40 |
|
26 | 41 | ## Usage |
27 | | -*Explain how to use the things in the repo.* |
28 | 42 |
|
29 | | -### Workflow |
30 | | -*You may wish to consider generating a graph to show your project workflow. GitHub markdown provides native support for [mermaid](https://mermaid.js.org/syntax/flowchart.html), an example of which is provided below:* |
| 43 | +- Run locally: |
31 | 44 |
|
32 | | -```mermaid |
33 | | -flowchart TD |
34 | | - id1[(Some data)] --> id2(Some processing) |
35 | | - id3[(More data)] --> id2 |
36 | | - id2 --> id4[Some output] |
37 | | -``` |
| 45 | + ```bash |
| 46 | + uvicorn src.app:app --host 0.0.0.0 --port 8080 |
| 47 | + ``` |
38 | 48 |
|
39 | | -# License |
| 49 | +- Health check endpoint: `GET /healthz` |
| 50 | +- Webhook endpoint: `POST /webhooks/github` |
40 | 51 |
|
41 | | -<!-- Unless stated otherwise, the codebase is released under [the MIT Licence][mit]. --> |
| 52 | +## Deployment |
42 | 53 |
|
43 | | -The code, unless otherwise stated, is released under [the MIT Licence][mit]. |
| 54 | +- Build and deploy with Docker and Google Cloud Build: |
| 55 | + - See `cloudbuild.yaml` and `deploy.sh` for build and deployment steps. |
| 56 | +- Infrastructure setup: |
| 57 | + - See `infra/terraform/README.md` for Terraform instructions. |
| 58 | + |
| 59 | +## Security |
| 60 | + |
| 61 | +- Pre-commit hooks scan for secrets and large files. |
| 62 | +- CI workflow runs Checkov and Trivy scans on every push/PR. |
| 63 | +- Sensitive values are managed via environment variables and never committed. |
| 64 | + |
| 65 | +## Project Workflow |
| 66 | + |
| 67 | +```mermaid |
| 68 | +flowchart TD |
| 69 | + code[Source Code] --> build[Build & Scan] |
| 70 | + build --> deploy[Deploy to Cloud Run] |
| 71 | + deploy --> api[API Gateway] |
| 72 | + api --> webhook[Webhook Handler] |
| 73 | + webhook --> process[Event Processing] |
| 74 | +``` |
44 | 75 |
|
45 | | -The documentation for this work is subject to [© Crown copyright][copyright] and is available under the terms of the [Open Government 3.0][ogl] licence. |
| 76 | +## License |
46 | 77 |
|
47 | | -[mit]: LICENCE |
48 | | -[copyright]: http://www.nationalarchives.gov.uk/information-management/re-using-public-sector-information/uk-government-licensing-framework/crown-copyright/ |
49 | | -[ogl]: http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/ |
| 78 | +The code is released under the MIT License. Documentation is © Crown copyright and available under the Open Government 3.0 license. |
0 commit comments