github-bots/

directory
v0.7.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 4, 2025 License: Apache-2.0

README

github-bots

This module has scaffolding for event-driven GitHub bots. This integrates with github-events to receive events, and provides SDK methods to interact with GitHub resources. The Terraform module creates a service account for the bot, and deploys the bot as a regional service.

Out-of-the-box bots include:

  • dnm: A bot that adds or removes a blocking/dnm label on pull requests if the title contains the text "do not merge".
  • blocker: A bot that passes or fails a GitHub Check Run based on the presence of a blocking/* label on a pull request.
    • this check can be used to block merges in GitHub.
// ... networking and cloudevent-broker modules...

module "github-events" {
  source = "./modules/github-events"

  project_id = var.project_id
  name       = "github-events"
  regions    = module.networking.regional-networks
  ingress    = module.cloudevent-broker.ingress

  // Which user is allowed to populate webhook secret values.
  secret_version_adder = "user:you@company.biz"
}

module "bots" {
  source = "./modules/github-bots"
  for_each = {
    "dnm"     = "dev.chainguard.github.pull_request",
    "blocker" = "dev.chainguard.github.pull_request",
  }

  project_id = var.project_id
  regions    = module.networking.regional-networks
  broker     = module.cloudevent-broker.broker

  name         = each.key
  github-event = each.value
  containers = {
    "bot" = {
      source = {
        importpath  = "./${each.key}"
      }
      env = [
        {
          name  = "FOO"
          value = "BAR"
        }
      ]
    }
  }
}


module "my-custom-bot" {
  source = "./modules/github-bots"

  project_id = var.project_id
  regions    = module.networking.regional-networks
  broker     = module.cloudevent-broker.broker

  name         = "my-custom-bot"
  github-event = "dev.chainguard.github.pull_request"
  containers = {
    "bot" = {
      source = {
        working_dir = path.module
        importpath  = "chainguard.dev/bots/my-custom-bot"
      }
      ports = [{ container_port = 8080 }]
      env = [{
        name  = "LOG_LEVEL"
        value = "info"
      }]
    }

}

Requirements

No requirements.

Providers

Name Version
google n/a

Modules

Name Source Version
cloudevent-trigger ../cloudevent-trigger n/a
dashboard ../dashboard/cloudevent-receiver n/a
service ../regional-go-service n/a

Resources

Name Type
google_service_account.sa resource

Inputs

Name Description Type Default Required
broker A map from each of the input region names to the name of the Broker topic in that region. map(string) n/a yes
containers The containers to run in the service. Each container will be run in each region. 
map(object({
    source = object({
      base_image  = optional(string, "cgr.dev/chainguard/static:latest-glibc@sha256:b2e1c3d3627093e54f6805823e73edd17ab93d6c7202e672988080c863e0412b")
      working_dir = string
      importpath  = string
    })
    args = optional(list(string), [])
    ports = optional(list(object({
      name           = optional(string, "http1")
      container_port = optional(number, 8080)
    })), [])
    resources = optional(
      object(
        {
          limits = optional(object(
            {
              cpu    = string
              memory = string
            }
          ), null)
          cpu_idle          = optional(bool, true)
          startup_cpu_boost = optional(bool, true)
        }
      ),
      {
        cpu_idle = true
      }
    )
    env = optional(list(object({
      name  = string
      value = optional(string)
      value_source = optional(object({
        secret_key_ref = object({
          secret  = string
          version = string
        })
      }), null)
    })), [])
    regional-env = optional(list(object({
      name  = string
      value = map(string)
    })), [])
    volume_mounts = optional(list(object({
      name       = string
      mount_path = string
    })), [])
  }))
 n/a yes
deletion_protection Whether to enable delete protection for the service. bool true no
enable_profiler Enable cloud profiler. bool false no
extra_filter Optional additional filters to include. map(string) {} no
extra_filter_has_attributes Optional additional attributes to check for presence. list(string) [] no
extra_filter_not_has_attributes Optional additional prefixes to check for presence. list(string) [] no
extra_filter_prefix Optional additional prefixes for filtering events. map(string) {} no
github-event The GitHub event type to subscribe to. string n/a yes
labels Labels to apply to the service. map(string) {} no
name The name of the bot. string n/a yes
notification_channels List of notification channels to alert. list(string) n/a yes
product Product label to apply to the service. string "unknown" no
project_id Project ID to create resources in. string n/a yes
raw_filter Raw PubSub filter to apply, ignores other variables. https://cloud.google.com/pubsub/docs/subscription-message-filter#filtering_syntax string "" no
regions A map from region names to a network and subnetwork. 
map(object({
    network = string
    subnet  = string
  }))
 n/a yes
service_account_email The email of the service account being authorized to invoke the private Cloud Run service. If empty, a service account will be created and used. string "" no
squad squad label to apply to the service. string "unknown" no

Outputs

Name Description
json n/a
serviceaccount-email The email of the service account for the bot.
serviceaccount-id The ID of the service account for the bot.

Directories

Path Synopsis
sdk
check

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.