[codex] Add app config doctor#8
Merged
Merged
Conversation
Signed-off-by: Val Alexander <bunsthedev@gmail.com>
There was a problem hiding this comment.
Pull request overview
This PR extends the webhook forwarder’s configuration workflow by supporting inline GitHub App private keys (via env var) and adding a doctor:app script to validate required App config, policy placeholders, and runtime prerequisites without printing secret values.
Changes:
- Add
GITHUB_APP_PRIVATE_KEYsupport (inline PEM) with fallback toGITHUB_APP_PRIVATE_KEY_PATH. - Add
npm run doctor:appand a newscripts/doctor-app-config.mjsvalidation command. - Update docs and add
.env.1password.exampleforop run --env-filelocal workflows.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/webhook-adapter.test.ts | Adds coverage for inline private key env support. |
| src/adapter.ts | Adds privateKeyPem to config and uses it for JWT signing before file fallback. |
| scripts/doctor-app-config.mjs | New doctor command that validates App env + policy placeholders and emits structured JSON output. |
| README.md | Documents doctor:app in the verification command sequence. |
| package.json | Adds the doctor:app npm script. |
| docs/coven-github-connection.md | Documents inline private key + 1Password op run flow and includes doctor:app in checklist. |
| .env.1password.example | Provides an example env-file template for 1Password-backed local runs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+271
to
+277
| test("config accepts an inline GitHub App private key from env", () => { | ||
| const config = createConfig( | ||
| { | ||
| GITHUB_APP_PRIVATE_KEY: "-----BEGIN PRIVATE KEY-----\nexample\n-----END PRIVATE KEY-----", | ||
| }, | ||
| process.cwd(), | ||
| ); |
Comment on lines
+2
to
+3
| import {existsSync, readFileSync} from "node:fs"; | ||
| import {join} from "node:path"; |
Comment on lines
+40
to
+45
| } else if (!config.privateKeyPem) { | ||
| const key = readFileSync(config.privateKeyPath, "utf8"); | ||
| if (!hasPem(key)) { | ||
| findings.push(finding("error", "GITHUB_APP_PRIVATE_KEY_PATH", "private key file does not look like a PEM", "Point GITHUB_APP_PRIVATE_KEY_PATH at the downloaded GitHub App private key.")); | ||
| } | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
GITHUB_APP_PRIVATE_KEYsupport so 1Password can inject the GitHub App private key without writing a PEM file.npm run doctor:appto validate App ID, webhook secret, private key shape, policy placeholders, and runtime prerequisites without printing secret values..env.1password.exampleplus docs forop run --env-file.Verification
npm test— 14/14npm run buildnpm run smoke:appnpm run doctor:appreports missing local secrets as expected when env is not populatedgit diff --checkCurrent 1Password status
The likely
CovenCatitem provides an App ID, but the doctor still needs a webhook secret, GitHub App private key PEM, and real installation/repository IDs before we can run the non-demo App smoke.