cloudflare-worker-github-app-example

A Cloudflare Worker + GitHub App Example

The worker.js file is a Cloudflare Worker which is continuously deployed using GitHub Actions (see .github/workflows/deploy.yml).

The worker does 2 things

1. GET requests: respond with an HTML website with links and a live counter of installations.
2. POST requests: handle webhook request from GitHub

⚠️ The requests from GitHub are currently not verified using the signature, because the code is currently using Node's crypto package. This will be resolved once I create a universal webhook verification package, similar to universal-github-app-jwt. For the time being, you could define a secret path that that webhook requests by GitHub are sent to, in order to prevent anyone who knows your workers URL from sending fake webhook requests. See #1

Step-by-step instructions to create your own

Note that you require access to the new GitHub Actions for the automated deployment to work.

1. Fork this repository

2. Create a GitHub App

3. Create a Cloudflare account (it's free!) if you don't have one yet.

4. Install the wrangler CLI and login with your account

   npm install --global wrangler
   wrangler login
   

5. Edit the wrangler.toml file, change the value for account_id to your own (select your account, then find your Account ID at the bottom of the side bar)

6. Add the following secrets to your Cloudflare worker:

   • APP_ID: In your GitHub App registration's settings page, find App ID

     wrangler secret put APP_ID
     

   • WEBHOOK_SECRET: In your GitHub App registration's settings page, find Webhook secret

     wrangler secret put WEBHOOK_SECRET
     

   • PRIVATE_KEY: Generate a private key (see the button at the bottom of your GitHub App registration's settings page).

     1. You will be prompted to download a *.pem file. After download, rename it to private-key.pem.

     2. Convert the key from the PKCS#1 format to PKCS#8 (The WebCrypto API only supports PKCS#8):

        openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private-key-pkcs8.pem
        

     3. Write the contents of the new file into the secret PRIVATE_KEY:

        cat private-key-pkcs8.pem | wrangler secret put PRIVATE_KEY
        

7. Add the following secret in your fork's repository settings:

   • CF_API_TOKEN: Create a new token, use the "Edit Cloudflare Workers" template

That should be it. The worker.js file will now be continously deployed to Cloudflare each time there is a commit to master.

See also

• Cloudflare Worker GitHub OAuth Example

Credits

The OAuth App Avatar and this repository's social preview are using @cameronmcefee's cloud Octodex graphic 💖

License

ISC