How to register, configure, and install the bob-bot GitHub App.
- Go to 56kcloud org app settings
- Fill in the registration form:
| Field | Value |
|---|---|
| GitHub App name | bob-bot |
| Homepage URL | https://github.com/56kcloud/bob-bot |
| Webhooks > Active | Unchecked (no webhook server needed) |
- Set Repository permissions (see permissions.md for rationale):
| Permission | Access |
|---|---|
| Contents | Read & write |
| Metadata | Read-only |
| Pull requests | Read & write |
- Under "Where can this GitHub App be installed?", select Any account
- Click Create GitHub App
After creation, you'll land on the app's settings page. The App ID is displayed near the top (e.g., 123456). This is different from the Client ID.
- On the app settings page, scroll to Private keys
- Click Generate a private key
- A
.pemfile will download -- keep this safe
The token vending service is an AWS Lambda that holds the private key and generates installation tokens for any org where bob-bot is installed. Workflows authenticate via GitHub Actions OIDC -- no secrets are shared with consuming repositories.
cd infra
pnpm install
pnpm run build:functions
pulumi config set app-id <your-app-id>
pulumi config set --secret private-key "$(cat path/to/private-key.pem)"
pulumi upAfter deployment, Pulumi outputs the functionUrl -- this is the endpoint baked into the action. Update ACPE_BOT_ENDPOINT in action.yml with this URL.
- Go to the app settings page > Install App (left sidebar)
- Click Install next to the
56kcloudorganization - Choose repository access:
- All repositories -- gives
bob-botaccess to every repo in the org - Only select repositories -- pick specific repos (e.g.,
acpm-registry)
- All repositories -- gives
- An org admin navigates to github.com/apps/bob-bot
- Click Install and select the target organization
- Choose repository access (all or select repositories)
- No secrets needed -- use the
generate-tokenaction in workflows
name: Test bob-bot
on: workflow_dispatch
permissions:
id-token: write
contents: read
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Generate bob-bot token
id: bob-bot-token
uses: 56kcloud/bob-bot@main
- name: Test token
env:
GH_TOKEN: ${{ steps.bob-bot-token.outputs.token }}
run: gh api repos/${{ github.repository }} --jq '.full_name'Run it manually via Actions > Test bob-bot > Run workflow. If it prints the repo name, the setup is correct.
When the bot pushes commits, configure the git identity to attribute them to the app:
- name: Configure git identity
run: |
git config --local user.name "bob-bot[bot]"
git config --local user.email "<APP_ID>+bob-bot[bot]@users.noreply.github.com"Replace <APP_ID> with the actual numeric app ID from step 2. This makes commits show up as authored by bob-bot[bot] in the GitHub UI.
To rotate the private key:
- Go to the app settings page > Private keys
- Click Generate a private key (creates a new one)
- Update the Pulumi config:
pulumi config set --secret private-key "$(cat new-key.pem)" pulumi up
- Delete the old private key from the app settings page
Both keys are valid simultaneously until you delete the old one, so there's no downtime. The private key only exists in AWS Secrets Manager -- no GitHub org secrets to update.