Skip to main content

Integrating Other GitHub Applications with IAMbic's GitHub Integration

IAMbic's GitHub Integration is designed to approve and apply pull requests in a secure and controlled manner. Typically, pull requests are applied only when they have been approved and an iambic apply command is issued. Without an appropriate approval, the request will not be applied, even if an iambic apply command is issued. This approval process is configured by the GitHub administrator and requires changes to be made only via pull requests.

When a different GitHub Application creates a pull request against your IAMbic templates repository, this process might not succeed. That's because no human operator has submitted a pull request review with approval using the GitHub interface. The challenge here is that GitHub pull requests prevent the author of the pull request from approving their own requests. This makes perfect sense for human operators, but poses a challenge for GitHub apps.

To overcome this, the IAMbic GitHub Integration supports the iambic approve comment if the comment's author (user or Github app) is authorized to approve pull requests. The instructions below provide guidance on authorizing a GitHub App to approve pull requests.

Authorizing a Comment Author to Approve Pull Requests

To authorize a GitHub App to approve pull requests, add the following to your IAMbic configuration file:

github:
  allowed_bot_approvers:
  - login: YOUR_GITHUB_LOGIN
    es256_pub_key: "YOUR_ES256_PUBLIC_KEY_IN_PEM_FORMAT"

In this configuration:

  • YOUR_GITHUB_LOGIN is typically the name of the GitHub App integration, suffixed with [bot].

  • YOUR_ES256_PUBLIC_KEY_IN_PEM_FORMAT is the public key provided by the GitHub App developer.

Generating an ECDSA Public and Private Key

If you are a GitHub App developer, you need to generate a new ECDSA private key. Here's how to do it:

First, set up your environment:

python3 -m venv env
. env/bin/activate
pip install cryptography

Next, use the following Python script to generate your keys:

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
private_key = ec.generate_private_key(ec.SECP256R1())
public_key = private_key.public_key()
public_pem = public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
es256_pub_key = public_pem.decode("utf-8")
print(es256_pub_key)

private_pem = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption(),
)
es256_private_key = private_pem.decode("utf-8")
print(es256_private_key)

Please handle your private key with extreme care. It is a sensitive piece of information and should be guarded diligently.