Auditors Webhook

Sometimes, the change you've made to a project is too small to make a full-fledged pull request, but you'd still like a pair of eyes to review it at some point. This project gives you an option for handling exactly this scenario. You push your changes, assign someone to "audit" them, and they can take a look when they get the chance while your changes land immediately.

It works as a simple Express.js app that creates issues to track post-commit code review requests.

When set up, it uses the GitHub webhooks and issues APIs to create an issue for each commit that has 'Auditors: ' in the message body at the start of a line. One issue is created for each auditor and each commit. The auditor is assigned on the issue, and the corresponding commit to be reviewed is linked in the issue body.

Usage

Here's how it looks in real life.

Write your commit

Once you've followed the Setup instructions below, you can add auditors to your commits by just adding the line Auditors: username1 [username1 ...] to your commit messages:

Browse the issue

When that commit gets pushed to the repo you configured the webhook for, it creates an issue that looks like this:

You can see that it...

creates an issue for every auditor on each commit, and assigns auditors to the issues
links to the commit diff, so you can discuss the changes in line
adds the "audit" label
mentions the author, so they can see all open audits they're participating in

Review the commit

When the auditor gets around to it, they can use GitHub's normal commit view to see your changes. The code review discussion should be on the GitHub page for that commit (as opposed to on the audit issue):

That's it! Follow the setup below to get it working for your repositories.

Setup

There are two ways to get set up; you can get set up for The Real World or for development.

The Real World

This app can be deployed with Heroku.

$ git clone https://github.com/jez/auditors-webhook

Next, either install the Heroku toolbelt, or make sure you have the foreman gem installed.

Install the Heroku toolbelt package installer from Heroku

or

$ brew install heroku-toolbelt
$ gem install foreman

You'll need to choose a name for your app on Heroku, then create it at the command line:

$ heroku create <myapp's name>

Next up, you'll need to create an application on GitHub to get an app client_id and client_secret. Fill in

"Homepage URL" with http://MYAPP_NAME.herokuapp.com
"Authorization callback URL" with http://MYAPP_NAME.herokuapp.com/callback

Replace MYAPP_NAME as necessary. Click "Register application". Once you have a client id and client secret, fill in the appropriate values in .env.template after renaming it to .env.prod.

$ cp .env.template .env.prod

(Edit .env.prod)

Now push this config to Heroku:

$ heroku config:push -e .env.prod

We are now safe to deploy the app to Heroku:

$ git push heroku master

We have to create a Webhook on GitHub for the repo you want to enable auditors on by

navigating to your organization or repository settings
finding the "Webhooks & Services" tab
setting "Payload URL" to <your "Forwarding" URL>/postreceive
clicking add (the defaults are good for everything else)

We're almost there. Last up, we need to get an access token so we can use the GitHub API.

To get the appearance that these commits are being created by a bot, now is the time to create a bot account. Use it when signing in below.

Go to http://MYAPP_NAME.herokuapp.com
Click "Login with GitHub"
Authorize the application
Copy the access token and find the line in .env.prod where it needs to go (it is commented out by default; uncomment it)
Run heroku config:push -e .env.prod again

We're also going to want to be able to verify that requests from GitHub are actually coming from GitHub:

Run ruby -rsecurerandom -e 'puts SecureRandom.hex(20) and note the output (or just come up with some random string).
Uncomment WEBHOOK_SECRET from .env and add this string there.
Add this string to the "Secret" field where you configured your repo (it was on the "Webhooks & Services" tab on GitHub)
Run heroku config:push -e .env.prod to sync the config with Heroku

That's it! You should be able to commit to any repo you configured with Auditors: <GitHub username> in the commit message and have issues be created.

Development

The development environment requires a Node.js development environment.

$ git clone https://github.com/jez/auditors-webhook
$ npm install

# If you want a fancy development environment:
$ npm install -g nodemon

Next, either install the Heroku toolbelt, or make sure you have the foreman gem installed.

Install the Heroku toolbelt package installer from Heroku

or

$ brew install heroku-toolbelt
$ gem install foreman

Next up, you'll need to create an application on GitHub to get an app client_id and client_secret. Fill in

"Homepage URL" with http://localhost:5000
"Authorization callback URL" with http://localhost:5000/callback

Click "Register application". Once you have a client id and client secret, fill in the appropriate values in .env.template after renaming it to .env.

$ cp .env.template .env

(Edit .env)

In development, we'll need a way to expose our localhost app to the Internet so that GitHub can hit it with it's webhooks. This can be done with ngrok.

$ brew install ngrok

ngrok works by giving us an arbitrary subdomain on ngrok.com. All traffic to this domain is forwarded to a port on our local computer. Start it with

$ ngrok 5000

Take note of the http URL that ngrok spits out next to "Forwarding":

   grok

   Tunnel Status                 online
   Version                       1.7/1.7
>> Forwarding                    http://6bc3b373.ngrok.com -> 127.0.0.1:3000
   Forwarding                    https://6bc3b373.ngrok.com -> 127.0.0.1:3000
   Web Interface                 127.0.0.1:4040

Using this URL, create a Webhook on GitHub for the repo you want to enable auditors on by

navigation to your organization or repository settings
finding the "Webhooks & Services" tab
setting "Payload URL" to <your "Forwarding" URL>/postreceive
clicking add (the defaults are good for everything else)

Start the server:

$ foreman start

We're almost there. We need to get an access token so we can use the GitHub API.

To get the appearance that these commits are being created by a bot, now is the time to create a bot account. Use it when signing in below.

Go to http://localhost:5000
Click "Login with GitHub"
Authorize the application
Copy the access token and find the line in .env where it needs to go (it is commented out by default; uncomment it)

We're also going to want to be able to verify that requests from GitHub are actually coming from GitHub:

Run ruby -rsecurerandom -e 'puts SecureRandom.hex(20) and note the output (or just come up with some random string).
Uncomment WEBHOOK_SECRET from .env and add this string there.
Add this string to the "Secret" field where you configured your repo (it was on the "Webhooks & Services" tab on GitHub)

Restart the server one last time.

That's it! You should be able to commit to any repo you configured with Auditors: <GitHub username> in the commit message and have issues be created.

Further Notes

It's 2015; you should be using HTTPS. Here are some options:

If you're working on your laptop, you can set up stress free HTTPS on OS X
If you have a custom domain name, Cloudflare will give you free HTTPS
Heroku has some addons for adding HTTPS
Let's Encrypt will be giving out free certificates soon!
StartSSL gives out free SSL certificates

LICENSE

MIT License. See LICENSE

jez / auditors-webhook Goto Github PK