Use AWS Lambda functions to automatically run custom status checks on all your pull requests: check that the PR title matches a specified format, and prevent merging to production outside certain hours.

README.md

Description

This repo is set up to deploy three Lambda functions which together run two checks on your pull requests:

Title Checker

Checks that your pull request titles match a given format (reported to GitHub under the status context Name Check)

Time Checker

For any pull request targeting a given branch it checks that the current time falls inside an allowed window, i.e. it prevents merging into production outside certain hours (reported under the status context Time of Day Check)

Setup

AWS Account

You will need an AWS account to deploy the Lambda functions.

  • Go to AWS Console and sign in or sign up
  • In order to deploy your lambda from the command line you will need access keys:
    • Sign in to AWS Console
    • Click your profile in the top right corner and choose My Security Credentials
    • Click Access keys and generate a new key pair
    • These steps create keys for the account you are signed in as. Deploying needs permissions to create Lambda functions, API Gateway endpoints, IAM roles and CloudFormation stacks, so prefer generating the keys on a dedicated IAM user with only those permissions rather than on the account root user
  • Create/edit the following in your home directory ~/.aws/credentials with (the bracketed line is the profile name; the Serverless Framework uses the default profile unless serverless.yml or the --aws-profile flag names another one):
    [YOUR_AWS_EMAIL]
    aws_access_key_id = YOUR_AWS_ACCESS_KEY
    aws_secret_access_key = YOUR_AWS_SECRET_KEY

Github Config

Github Token

You will need a GitHub token to post status updates. You can use your own account, or you can create a separate (machine) account to post status updates, which is preferable for a shared repo so the checks do not depend on one person's credentials.

  • On the account you choose, generate a new personal access token
  • You only need to give it the repo:status scope; do not grant it the full repo scope
  • Save this token somewhere for now; it is shown only once

Github Webhook Secret

You will need to generate a shared secret for use with your webhook. GitHub uses it to compute an HMAC signature over every delivery (sent in the X-Hub-Signature / X-Hub-Signature-256 headers), which is how the lambda can tell a genuine GitHub event from a request anyone else sends to the endpoint.

  • Generate a random secret for your webhook and save it somewhere for now, e.g.
    • ruby -rsecurerandom -e 'puts SecureRandom.hex(20)'
    • Keep a note of this for now

AWS Config

Your lambda will need to know the token and webhook secret you have just generated. They are read from Parameter Store at runtime rather than committed to the repo or baked into the deployment.

  • Go to AWS Console
  • From Services choose EC2 (at the time of writing Parameter Store was listed under EC2; it now lives under AWS Systems Manager)
  • At the bottom of the left hand menu, choose Parameter Store
  • Add github_token and github_webhook_secret here based on the values noted above (as a SecureString, so they are encrypted at rest with KMS)

Deploy Lambdas

Set up this repo to deploy the lambdas

  • Clone this repo: git clone git@github.com:robcronin/github-lambda-status-checks.git
  • cd github-lambda-status-checks/pull-request
  • Run yarn
  • In githubTimeStatus.js edit:
    • REPOS: owner/repo-name for any repos you wish the time checker to act on
    • BASE_BRANCH: branch you wish the time check to apply to (e.g. production)
  • Deploy the lambdas with serverless deploy or yarn deploy
  • Copy the endpoint that prints after a successful deployment

GitHub Webhook

Any time you create or modify a pull request we want to trigger the lambda. GitHub webhooks allow you to specify an endpoint to call when certain events occur.

  • In any repo you wish your lambda to respond to, go to settings and choose Webhooks
  • Add a webhook with:
    • Payload URL: the endpoint printed after serverless deploy
    • Content Type: application/json
    • Secret: the webhook secret you have generated and stored in AWS (it must match github_webhook_secret in Parameter Store exactly, or every delivery will fail signature verification)
    • Events: Choose the events you wish to listen for (Pull Requests for this example)

Test it Out

  • Create a pull request in a repo you configured the webhook in
  • See the status update
  • The default rules:
    • Name Check will only pass if the PR title has 'ROBC' and a '#' in it
    • Time Check will only be active for pull requests into production and will pass between 8am and 4pm (GMT+1)
  • If it doesn't work, check the logs: serverless logs -f githubWebhookListener -t

Force it to be used

  • After it has run at least once in a repo, each status context it posted can be chosen as a Required status check on any protected branch
  • Go to settings in the repo and choose Branches
  • Choose/Create a protected branch
  • Tick Require status checks to pass before merging and then select these checks

Tweak it

GitHub Name Checker

  • In githubWebhookListener.js add your own rules from line 95 and redeploy
  • To see all the information that the GitHub response provides:
    • add a console.log(event.body) to githubWebhookListener.js
    • trigger an event and see the logs by running serverless logs -f githubWebhookListener -t

GitHub Time Status

  • In githubWebhookListener.js, on line 104, change to your desired (block/unblock)times
  • Also in serverless.yml, on line 34, change the times in the cron functions that specify when the block/unblock functions trigger for all pull requests
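To see what a tweaked rule set looks like as code, here is an added example (not the project's own githubWebhookListener.js) that expresses both checks as pure functions producing the body for GitHub's POST /repos/{owner}/{repo}/statuses/{sha} call. The time check resolves the hour in a named IANA time zone instead of a fixed GMT+1 offset, which is what the daylight-saving problem mentioned in the commit history comes down to. The time zone Europe/Dublin, the window 08:00 to 16:00 and the sample payload are assumptions for illustration.

```javascript
// Added example: the two checks as pure functions returning status objects.
// Not the project's own code; rules and sample payload are constructed.

// Rule 1: title must contain 'ROBC' and '#'. Expressed as a list of named
// predicates so extra rules can be appended without touching the logic.
const TITLE_RULES = [
  { name: 'contains ROBC', test: (t) => t.includes('ROBC') },
  { name: 'contains #', test: (t) => t.includes('#') },
];

function titleStatus(payload, rules = TITLE_RULES) {
  const title = payload.pull_request.title;
  const failed = rules.filter((r) => !r.test(title)).map((r) => r.name);
  return {
    context: 'Name Check',
    state: failed.length === 0 ? 'success' : 'failure',
    description: failed.length === 0 ? 'Title OK' : `Title fails: ${failed.join(', ')}`,
  };
}

// Rule 2: merges into baseBranch allowed only between openHour (inclusive)
// and closeHour (exclusive), local to an IANA zone so DST is handled.
const TIME_RULE = { baseBranch: 'production', openHour: 8, closeHour: 16, timeZone: 'Europe/Dublin' };

function localHour(date, timeZone) {
  const parts = new Intl.DateTimeFormat('en-GB', { timeZone, hour: 'numeric', hour12: false })
    .formatToParts(date);
  // Some ICU versions render midnight as "24"; normalise to 0-23.
  return Number(parts.find((p) => p.type === 'hour').value) % 24;
}

// Returns null when the rule does not apply (PR into another branch).
// `now` is injectable so the window can be tested deterministically.
function timeStatus(payload, now = new Date(), rule = TIME_RULE) {
  if (payload.pull_request.base.ref !== rule.baseBranch) return null;
  const hour = localHour(now, rule.timeZone);
  const ok = hour >= rule.openHour && hour < rule.closeHour;
  return {
    context: 'Time of Day Check',
    state: ok ? 'success' : 'failure',
    description: ok
      ? `Within ${rule.openHour}:00-${rule.closeHour}:00 ${rule.timeZone}`
      : `Outside ${rule.openHour}:00-${rule.closeHour}:00 ${rule.timeZone}`,
  };
}

// Build the API requests for one pull_request event. Statuses are attached to
// the head commit, not to the PR, which is why one SHA shared by two PRs
// shows the same status on both.
function statusRequests(payload, now = new Date()) {
  const sha = payload.pull_request.head.sha;
  const url = `https://api.github.com/repos/${payload.repository.full_name}/statuses/${sha}`;
  return [titleStatus(payload), timeStatus(payload, now)]
    .filter((s) => s !== null)
    .map((s) => ({ method: 'POST', url, body: s }));
}

// Constructed sample payload (hypothetical repo, SHA and title).
const SAMPLE_PR = {
  action: 'opened',
  pull_request: { title: 'ROBC #42 add login', head: { sha: 'abc123' }, base: { ref: 'production' } },
  repository: { full_name: 'example-org/example-repo' },
};
```

The two dates in the usage below show the DST point: 15:30 UTC in January is 15:30 in Dublin (inside the window), while a fixed GMT+1 offset would have called it 16:30 and blocked the merge; in July the same UTC instant is 16:30 local and is correctly blocked.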

Gotchas

  • Generally when you redeploy, the endpoint will remain the same. However, I noticed on the odd occasion it will change and you will have to update your repo webhooks. I haven't figured out under what circumstances this occurs yet
  • Statuses are tied to given commits, not given pull requests. Therefore if you have multiple pull requests open for the same branch (e.g. into staging and into production) then the status will apply to both. However, if you don't set the time check as Required on staging then it won't block merging to staging
  • If you set the Time of Day Check status to Required, then any new pull request cannot be merged until it passes this check, which would otherwise not be until 8am the next day. To overcome this, githubWebhookListener.js checks the time when the pull request event itself arrives, so that any new pull request passes or fails the time check immediately as expected
