Frozen Throne is an API deployed to GCP Cloud Run for gating PR merges on Github.
| Endpoint | Description | POST data |
|---|---|---|
| /freeze/{repo} | Freeze the Github {repo}, blocking merges | user |
| /thaw/{repo} | Thaw the {repo}, allowing merges again | user |
| /github-webhook | Receives Github webhook events | |
The freeze and thaw endpoints both require authentication in the form of a header on the request, carrying the write secret:

```
X-Access-Token: WRITE_SECRET
```

```
$ curl -X POST -H "X-Access-Token: SECRET" localhost:8080/freeze/frozen-throne -d "user=thejokersthief"
{"frozen":true}
$ curl -X POST -H "X-Access-Token: SECRET" localhost:8080/thaw/frozen-throne -d "user=thejokersthief"
{"frozen":false}
```
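The two checks the service has to get right are the `X-Access-Token` comparison above and verifying that webhook deliveries really come from Github. The following is an added example, not the project's own code: the `FreezeStore`, `TokenOK`, `WebhookSignatureOK` and `Handler` names and the in-memory state are assumptions, while the `X-Hub-Signature-256` header format is Github's documented scheme. Both comparisons are constant-time so a wrong token or signature is rejected without leaking how much of it matched.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"net/http"
	"strings"
	"sync"
)

// FreezeStore is a hypothetical in-memory stand-in for wherever the real service keeps state.
type FreezeStore struct{ frozen sync.Map } // repo name -> bool
// IsFrozen reports whether merges for repo are currently blocked.
func (s *FreezeStore) IsFrozen(repo string) bool {
	v, _ := s.frozen.Load(repo)
	return v == true
}

// TokenOK compares the presented X-Access-Token with WRITE_SECRET in constant time.
func TokenOK(presented, secret string) bool {
	return secret != "" && subtle.ConstantTimeCompare([]byte(presented), []byte(secret)) == 1
}

// WebhookSignatureOK checks Github's X-Hub-Signature-256: "sha256=" + hex(HMAC-SHA256(secret, body)).
func WebhookSignatureOK(body []byte, header, secret string) bool {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body) // the raw request body, before any JSON parsing
	want := "sha256=" + hex.EncodeToString(mac.Sum(nil))
	return hmac.Equal([]byte(header), []byte(want)) // constant-time comparison
}

// Handler serves POST /freeze/{repo} and /thaw/{repo}, answering {"frozen":bool} as in the README.
func (s *FreezeStore) Handler(writeSecret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !TokenOK(r.Header.Get("X-Access-Token"), writeSecret) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/") // ["freeze"|"thaw", repo]
		if r.Method != http.MethodPost || len(parts) != 2 || parts[1] == "" || (parts[0] != "freeze" && parts[0] != "thaw") {
			http.NotFound(w, r)
			return
		}
		s.frozen.Store(parts[1], parts[0] == "freeze")
		json.NewEncoder(w).Encode(map[string]bool{"frozen": s.IsFrozen(parts[1])})
	}
}
```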
To build and deploy it you will need to:

- Have Go 1.16.
- Have created a Github App, noted the Github App ID, and generated a private key for it.
- Have generated a secret for both your webhook verification and a write-access API key (`openssl rand -base64 48`).
The deployed cloud function uses the GCP Secret Manager to store secret values for:
- The Write Secret token
- The secret used to sign webhooks from Github
- The Github App ID
- The Github App's private key
The first 3 of these can be created with the following command:

```
PROJECT_ID=<ID> \
WRITE_SECRET=<secret> \
WEBHOOK_SECRET=<secret> \
GITHUB_APP_ID=<secret int> \
make create_secrets
```

You can update the secrets by using the same command, replacing `create_secrets` with `update_secrets`.
The final secret is the private key associated with the Github app. This is a `.pem` file and can be added with the following command:

```
export PROJECT_ID="example"
export PATH_TO_PEM_FILE="some/file/path"
gcloud --project ${PROJECT_ID} secrets create FT_GITHUB_PRIVATE_KEY --replication-policy="automatic" --data-file=${PATH_TO_PEM_FILE}
```
Now that you've got all your secrets set up, you are good to deploy to Cloud Run. This involves two stages:

- Build a cloud image
- Deploy the image to Cloud Run

```
make build
PROJECT_ID=<ID> make deploy
```