Adding a new GitHub Refresh app integration

Adding the GitHub refresh app integration to a new environment requires configuration in both GitHub and Phalanx.

Create a new GitHub app

  1. Click the New GitHub App button in the lsst-sqre org Developer Settings apps page.

  2. Name it mobu refresh (env URL or id if the URL is too long).

  3. Make sure the Active checkbox is checked in the Webhook section.

  4. Enter https://<env URL>/mobu/github/refresh/webhook in the Webhook URL input.

  5. Generate a strong password to use as the webhook secret.

  6. Store this in the SQuaRE vault in the LSST IT 1Password account in a Server item named mobu (env URL) in a password field called github-refresh-app-webhook-secret.

  7. Get this into the Phalanx secret store for that env under the key: github-refresh-app-webhook-secret (this process is different for different envs).

  8. Enter this secret in the Webhook secret (optional) box in the GitHub App config.

  9. Select Read-only in the dropdown of the Contents access category in the Repository Permissions section.

  10. Check the Push checkbox in the Subscribe to events section.

  11. Select the Any account radio button in the Where can this GitHub App be installed? section.

  12. Click the Create GitHub App button.

Install the app for a repo

  1. Go to the new app’s homepage (something like apps/mobu-refresh-usdfdev).

  2. Click the Install button.

  3. Select the Only select repositories radio button.

  4. Select the repo in the dropdown.

  5. Click Install.

Add Phalanx configuration

In applications/mobu/values-env.yaml, add a config.githubRefreshApp value:

config:
  githubRefreshApp:
    acceptedGithubOrgs:
      - lsst-sqre

All of these items are required.

accepted_github_orgs

A list of GitHub organizations from which this instance of Mobu will accept webhook requests. Webhook requests from any orgs not in this list will get a 403 response.
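
The webhook secret configured in the GitHub App steps and the organization allowlist above combine into a two-stage check on each delivery. The following is an added sketch of that check, not Mobu's own code: the function names, the 401 and 400 statuses, and reading the org from repository.owner.login in the push payload are assumptions, and only the 403 for unlisted orgs comes from this page.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumption: mirrors the acceptedGithubOrgs value in the Phalanx config above.
ACCEPTED_GITHUB_ORGS = {"lsst-sqre"}


def sign(secret: bytes, body: bytes) -> str:
    """Build the value GitHub sends in the X-Hub-Signature-256 header."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def check_webhook(secret: bytes, signature: Optional[str], body: bytes) -> int:
    """Return the HTTP status a receiver would answer with (hypothetical helper)."""
    # Stage 1: authenticate the raw body before parsing anything in it.
    if not signature or not signature.startswith("sha256="):
        return 401  # assumed status for a missing or malformed signature
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    if not hmac.compare_digest(sign(secret, body).encode(), signature.encode()):
        return 401  # assumed status for a signature mismatch
    # Stage 2: the payload is authentic, so its owner field can be trusted.
    try:
        org = json.loads(body)["repository"]["owner"]["login"]
    except (ValueError, KeyError, TypeError):
        return 400  # assumed status for an unexpected payload shape
    if not isinstance(org, str) or org not in ACCEPTED_GITHUB_ORGS:
        return 403  # documented above: orgs not in the list get a 403
    return 200


if __name__ == "__main__":
    # Constructed sample values, not real secrets or deliveries.
    secret = b"constructed-webhook-secret"
    listed = b'{"repository": {"owner": {"login": "lsst-sqre"}}}'
    unlisted = b'{"repository": {"owner": {"login": "some-other-org"}}}'
    print(check_webhook(secret, sign(secret, listed), listed))
    print(check_webhook(secret, sign(secret, unlisted), unlisted))
    print(check_webhook(secret, sign(b"wrong-secret", listed), listed))
```

Because the app is installable on any account, the signature alone does not restrict who can trigger a refresh; the allowlist stage is what limits accepted deliveries to the configured organizations.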