GitHub app management #1596
Add three new tables to the runtime schema for tracking GitHub App installations:
- github_app_installations: Tracks installations linked to tenants with status tracking
- github_app_repositories: Stores repositories accessible through each installation
- github_project_repository_access: Links projects to specific repositories for fine-grained access control

Includes proper indexes, foreign key constraints with cascade deletes, and comprehensive tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add comprehensive data access layer for GitHub App installation management:

Installation management:
- createInstallation: Create new installation records
- getInstallationByGitHubId: Lookup by GitHub's installation ID
- getInstallationById: Lookup with tenant validation
- getInstallationsByTenantId: List tenant installations
- updateInstallationStatus: Update status by internal ID
- updateInstallationStatusByGitHubId: Update status by GitHub ID
- deleteInstallation: Soft delete with cleanup

Repository management:
- syncRepositories: Full sync (add/remove/update repos)
- addRepositories: Add repos (for webhook events)
- removeRepositories: Remove repos (for webhook events)
- getRepositoriesByInstallationId: List repos for installation
- getRepositoryByFullName: Find by org/repo name
- getRepositoryById: Find by internal ID
- getRepositoriesByTenantId: List all tenant repos
- getRepositoryCount: Count repos for installation

Project access functions:
- setProjectRepositoryAccess: Set/replace access list
- getProjectRepositoryAccess: Get access entries
- getProjectRepositoryAccessWithDetails: Get with repo details
- checkProjectRepositoryAccess: Check repo access permission
- clearProjectRepositoryAccess: Remove all access
- validateRepositoryOwnership: Validate repo ownership

Tests: 45 unit tests covering all functions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add isWebhookConfigured() helper function to check if GITHUB_WEBHOOK_SECRET is set
- Add getWebhookSecret() function to retrieve the webhook secret with error handling
- Add validateGitHubWebhookConfigOnStartup() to log warning if webhook secret not configured
- Update .env.example with GITHUB_WEBHOOK_SECRET documentation
- Add comprehensive unit tests for config validation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add GET /manage/tenants/:tenantId/github/install-url endpoint that:
- Generates a signed JWT state token containing tenantId with 10-minute expiration
- Uses GITHUB_STATE_SIGNING_SECRET for HS256 signing
- Returns URL to install the GitHub App with the state parameter
- Requires tenant authentication

New environment variables:
- GITHUB_STATE_SIGNING_SECRET: HS256 signing secret for state JWT (min 32 chars)
- GITHUB_APP_NAME: GitHub App name for installation URL generation

Includes:
- Config functions for state signing and app name validation
- 25 unit tests for config functions and endpoint behavior

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements GET /api/github/callback endpoint to handle GitHub App installation redirects. Validates JWT state token, fetches installation details from GitHub API, stores installation in database, and syncs repositories.

Key features:
- State JWT validation with expiration and signature checks
- GitHub API integration for installation and repository fetching
- Database integration for installation creation/update
- Repository syncing with pagination support
- Redirect to Manage UI with success/error status

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create POST /api/github/webhooks endpoint for receiving GitHub events
- Implement HMAC SHA-256 signature verification using GITHUB_WEBHOOK_SECRET
- Use timing-safe comparison to prevent timing attacks
- Parse X-GitHub-Event and X-GitHub-Delivery headers
- Return 401 for invalid/missing signature, 200 for unhandled events
- Add 18 comprehensive unit tests covering all verification scenarios

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
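An added example of the webhook verification the commit above describes, written for this page rather than taken from the PR: HMAC SHA-256 over the raw request body with GITHUB_WEBHOOK_SECRET, a constant-time comparison, 401 on a missing or invalid signature, and 200 for events the handler does not act on. The header name X-Hub-Signature-256 and its `sha256=<hex>` format are GitHub's documented convention; the request/response shapes and the 400 for a signed request without event headers are this example's own assumptions.

```typescript
// Added example (not the PR's own code): GitHub webhook signature verification.
import { createHmac, timingSafeEqual } from "node:crypto";

// Signature in the form GitHub sends: "sha256=" followed by hex HMAC of the raw body.
export function computeSignature(rawBody: Buffer, secret: string): string {
  return "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Constant-time check of the presented header against the expected signature.
// The HMAC must be computed over the raw bytes, not over a re-serialised JSON object.
export function verifyWebhookSignature(
  rawBody: Buffer,
  signatureHeader: string | undefined,
  secret: string
): boolean {
  if (!signatureHeader || !signatureHeader.startsWith("sha256=")) return false;
  const expected = Buffer.from(computeSignature(rawBody, secret));
  const given = Buffer.from(signatureHeader);
  // timingSafeEqual throws on differing lengths, so treat that case as a plain failure.
  if (given.length !== expected.length) return false;
  return timingSafeEqual(given, expected);
}

// Minimal request/response shapes (assumed) so the handler runs without a web framework.
// Header names are lower-case, as Node's HTTP parser delivers them.
export interface WebhookRequest {
  headers: Record<string, string | undefined>;
  rawBody: Buffer;
}
export interface WebhookResponse {
  status: number;
  body: string;
}

export function handleWebhook(
  req: WebhookRequest,
  secret: string,
  handledEvents: Set<string> = new Set(["installation", "installation_repositories"])
): WebhookResponse {
  // 401 for a missing or invalid signature, before anything else is looked at.
  if (!verifyWebhookSignature(req.rawBody, req.headers["x-hub-signature-256"], secret)) {
    return { status: 401, body: "invalid signature" };
  }
  const event = req.headers["x-github-event"];
  const delivery = req.headers["x-github-delivery"];
  // Assumption for this example: a signed request lacking event headers is a 400.
  if (!event || !delivery) return { status: 400, body: "missing event headers" };
  // 200 for events this endpoint does not handle, so GitHub does not retry them.
  if (!handledEvents.has(event)) return { status: 200, body: `ignored ${event}` };
  // The body is parsed only after the signature check, so unsigned input never
  // reaches the JSON parser or the event handlers.
  const payload = JSON.parse(req.rawBody.toString("utf8")) as { action?: string };
  return { status: 200, body: `handled ${event}:${payload.action} (${delivery})` };
}
```

Note that the length check before `timingSafeEqual` does reveal whether the presented string has the right length, which is public information here (the format is fixed), while the byte-by-byte comparison of a correctly-sized value stays constant-time.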
Implement webhook event handlers for GitHub App installation lifecycle events:
- Handle 'installation' event: created (activate pending), deleted (soft delete), suspend (set suspended status), unsuspend (reactivate)
- Handle 'installation_repositories' event: added (add repos to DB), removed (remove repos and project access)
- All webhook events are logged for debugging
- Database errors return 200 to prevent GitHub retries
- Added 18+ unit tests for all event types and edge cases

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add GET /manage/tenants/:tenantId/github/installations endpoint to list GitHub App installations connected to a tenant.

Features:
- Returns array of installations with id, installationId, accountLogin, accountType, status, repositoryCount, createdAt, updatedAt
- Filters out deleted installations by default
- Supports includeDeleted=true query param to include deleted ones
- Fetches repository count for each installation
- OpenAPI documented with typed request/response schemas

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add DELETE /manage/tenants/:tenantId/github/installations/:installationId endpoint for disconnecting GitHub App installations from a tenant.
- Soft deletes installation (sets status to 'deleted')
- Removes all project repository access entries for the installation's repos
- Does NOT uninstall the GitHub App from GitHub (user can do that separately)
- Returns 404 if installation not found or belongs to different tenant
- Added 8 unit tests covering success, 404, 500, and status variants

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Create POST /manage/tenants/:tenantId/github/installations/:installationId/sync endpoint to manually refresh repository list from GitHub API.
- Uses createAppJwt() and fetchInstallationRepositories() to fetch repos
- Syncs database using syncRepositories() data access function
- Returns updated repository list with sync stats (added/removed/updated)
- Returns 404 for invalid installation, 503 for GitHub API failures
- Added 9 unit tests covering all scenarios

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Create PUT and GET endpoints for configuring project-level GitHub repository access:
- GET /manage/tenants/:tenantId/projects/:projectId/github-access
  Returns current access configuration (mode='all' or 'selected' with repository list)
- PUT /manage/tenants/:tenantId/projects/:projectId/github-access
  Configures access mode and validates repository ownership

Features:
- mode='all' grants access to all tenant repositories
- mode='selected' scopes access to specific repository IDs
- Validates repository IDs belong to tenant's GitHub installations
- Full replacement of existing access entries (not incremental)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Validate GitHub App installation exists in our database before generating token
- Return 403 with descriptive error messages for each invalid status:
  - Not registered: "Please connect your GitHub organization in the Inkeep dashboard"
  - Pending: "GitHub App installation is pending organization admin approval"
  - Suspended: "GitHub App installation is suspended"
  - Deleted: "GitHub App installation has been disconnected"
- Include tenant_id in successful response metadata for future use
- Add optional project_id parameter to validate project-level repository access
- Add 7 new tests covering all validation scenarios

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created API client functions in lib/api/github.ts for fetching installations, syncing repos, and disconnecting
- Created GitHub settings page at /[tenantId]/settings/github with:
  - Empty state when no installations exist
  - List of connected organizations with status badges
  - Actions dropdown for view details, sync repos, and disconnect
- Created GitHubInstallationsList component with table display
- Created GitHubInstallButton for initiating OAuth flow
- Created DisconnectInstallationDialog with confirmation
- Added SettingsNav component for sub-navigation between Organization and GitHub settings
- Updated settings layout to include navigation tabs
- Added component tests covering data types, status mapping, and navigation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create detail page at /[tenantId]/settings/github/[installationId]
- Display installation info: org name/avatar, account type/status badges, installation ID, connected date, last updated date
- Show pending status explanation when installation awaits approval
- List all repositories with name (link to GitHub), Public/Private badge, and full name
- Add Sync Repositories button to force refresh from GitHub API
- Add Disconnect button with existing confirmation dialog
- Add loading skeleton for async data fetching
- Add 14 component tests covering types, status display, visibility badges, URL generation, navigation, and date formatting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…gs UI
- Add 'GitHub Access' section to project settings form with collapsible UI
- Create ProjectGitHubAccessSection component with:
  - Current access mode display ('All repositories' or list of selected repos)
  - 'Configure Access' dialog for mode selection
  - Multi-select interface for repositories grouped by installation
  - Sync button to refresh repos from GitHub API
- Add API functions: getProjectGitHubAccess(), setProjectGitHubAccess()
- Handle empty state when no GitHub installations are connected
- Reuse existing components: Dialog, RadioGroup, Checkbox, Badge, Table
- Add 17 unit tests for access mode logic and repository selection
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Claude finished @miles-kt-inkeep's task

GitHub App Management PR Review

Reviewing this comprehensive GitHub app integration feature implementation. This is a substantial PR with 14,836 additions across multiple domains.

Review Tasks:

Architecture & Design Assessment
✅ Excellent Overall Structure
Database Design:
API Design:

Security Analysis
✅ Strong Security Implementation
Webhook Security:
OAuth Flow Security:
GitHub App Authentication:

Code Quality Assessment
✅ High-Quality Implementation
Error Handling:
TypeScript Usage:
Testing Coverage:

Areas for Consideration
No description provided.