Frozen Throne (Merge Freezes)
Frozen Throne is an API deployed to GCP Cloud Run for gating PR merges on GitHub.
API
| Endpoint | Description | POST data |
|---|---|---|
| /freeze/{repo} | Freeze the github {repo} | user |
| /thaw/{repo} | Thaws a repo, allowing merges | user |
| /github-webhook | | github webhook event |
Authentication
The freeze and thaw endpoints both require authentication, supplied as a header in the request:
X-Access-Token: WRITE_SECRET
Example requests
$ curl -X POST -H "X-Access-Token: SECRET" localhost:8080/freeze/frozen-throne -d "user=thejokersthief"
{"frozen":true}
$ curl -X POST -H "X-Access-Token: SECRET" localhost:8080/thaw/frozen-throne -d "user=thejokersthief"
{"frozen":false}
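A sketch of how a service like this can check the `X-Access-Token` header on freeze/thaw requests and the signature on `/github-webhook` deliveries. This is an added example, not Frozen Throne's own code: the function names, sample secrets and the 401/404 status codes are assumptions, and `X-Hub-Signature-256` is the header GitHub uses for HMAC-SHA256 webhook signatures.

```python
import hashlib
import hmac

# Constructed sample values; a deployment would load these from Secret Manager.
WRITE_SECRET = b"example-write-secret"
WEBHOOK_SECRET = b"example-webhook-secret"


def token_is_valid(headers: dict, expected: bytes) -> bool:
    """Check X-Access-Token in constant time (headers assumed name-normalized)."""
    supplied = headers.get("X-Access-Token", "")
    # compare_digest does not reveal where the inputs differ through timing;
    # a missing header becomes "" and fails like any other wrong token.
    return hmac.compare_digest(supplied.encode(), expected)


def sign_webhook(body: bytes, secret: bytes) -> str:
    """Build the X-Hub-Signature-256 value for a raw payload."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def webhook_is_authentic(headers: dict, body: bytes, secret: bytes) -> bool:
    """Verify the HMAC-SHA256 signature over the raw, unparsed request body."""
    supplied = headers.get("X-Hub-Signature-256", "")
    if not supplied.startswith("sha256="):
        return False  # unsigned delivery or unexpected scheme: reject
    expected = sign_webhook(body, secret)
    return hmac.compare_digest(supplied.encode(), expected.encode())


def authorize(path: str, headers: dict, body: bytes) -> int:
    """Return the HTTP status to answer with before any state is changed."""
    if path == "/github-webhook":
        return 200 if webhook_is_authentic(headers, body, WEBHOOK_SECRET) else 401
    if path.startswith(("/freeze/", "/thaw/")):
        return 200 if token_is_valid(headers, WRITE_SECRET) else 401
    return 404


if __name__ == "__main__":
    body = b'{"action":"opened"}'  # constructed webhook payload
    good = {"X-Hub-Signature-256": sign_webhook(body, WEBHOOK_SECRET)}
    print(authorize("/github-webhook", good, body))         # signed delivery
    print(authorize("/github-webhook", good, body + b" "))  # body altered in transit
    print(authorize("/freeze/frozen-throne", {"X-Access-Token": "SECRET"}, b"user=x"))
```

The signature must be computed over the exact bytes received, so verify before parsing or re-serializing the JSON body.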
Deployment
Pre-requisites
Create Secrets
The deployed cloud function uses the GCP Secret Manager to store secret values for:
- The Write Secret token
- The Read-Only Secret token
- The secret used to sign webhooks from GitHub
- The GitHub App ID
- The GitHub App's private key
The first 4 of these can be created with the following command:
PROJECT_ID=<ID> \
WRITE_SECRET=<secret> \
WEBHOOK_SECRET=<secret> \
GITHUB_APP_ID=<secret int> \
make create_secrets
You can update the secrets by using the same command, replacing create_secrets with update_secrets.
The final secret is a private key associated with the GitHub app. This is a .pem file and can be added with the following command:
export PROJECT_ID="example"
export PATH_TO_PEM_FILE="some/file/path"
gcloud --project "${PROJECT_ID}" secrets create FT_GITHUB_PRIVATE_KEY --replication-policy="automatic" --data-file="${PATH_TO_PEM_FILE}"
Deploy to Cloud Run
Now that you've got all your secrets set up, you are good to deploy to Cloud Run. This involves two stages:
- Build a cloud image
- Deploy the image to Cloud Run
make build
PROJECT_ID=<ID> make deploy