diff --git a/docs/docs/configuration/auth/providers.mdx b/docs/docs/configuration/auth/providers.mdx
index ae52ea460..7fda085af 100644
--- a/docs/docs/configuration/auth/providers.mdx
+++ b/docs/docs/configuration/auth/providers.mdx
@@ -33,6 +33,13 @@ The following authentication providers require an [enterprise license](/docs/lic
[Auth.js GitHub Provider Docs](https://authjs.dev/getting-started/providers/github)
+Authentication using both a **GitHub OAuth App** and a **GitHub App** is supported. In both cases, you must provide Sourcebot the `CLIENT_ID` and `SECRET_ID` and configure the
+callback URL correctly (more info in Auth.js docs).
+
+When using a **GitHub App** for auth, enable the following permissions:
+- `“Email addresses” account permissions (read)`
+- `"Metadata" repository permissions (read)` (only needed if enabling [permission syncing](/docs/features/permission-syncing))
+
**Required environment variables:**
- `AUTH_EE_GITHUB_CLIENT_ID`
- `AUTH_EE_GITHUB_CLIENT_SECRET`
diff --git a/docs/docs/configuration/environment-variables.mdx b/docs/docs/configuration/environment-variables.mdx
index a51aeb370..b6fba9eba 100644
--- a/docs/docs/configuration/environment-variables.mdx
+++ b/docs/docs/configuration/environment-variables.mdx
@@ -62,9 +62,9 @@ The following environment variables allow you to configure your Sourcebot deploy
### Review Agent Environment Variables
| Variable | Default | Description |
| :------- | :------ | :---------- |
-| `GITHUB_APP_ID` | `-` | The GitHub App ID used for review agent authentication.
|
-| `GITHUB_APP_PRIVATE_KEY_PATH` | `-` | The container relative path to the private key file for the GitHub App used by the review agent.
|
-| `GITHUB_APP_WEBHOOK_SECRET` | `-` | The webhook secret for the GitHub App used by the review agent.
|
+| `GITHUB_REVIEW_AGENT_APP_ID` | `-` | The GitHub App ID used for review agent authentication.
|
+| `GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH` | `-` | The container relative path to the private key file for the GitHub App used by the review agent.
|
+| `GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET` | `-` | The webhook secret for the GitHub App used by the review agent.
|
| `OPENAI_API_KEY` | `-` | The OpenAI API key used by the review agent.
|
| `REVIEW_AGENT_API_KEY` | `-` | The Sourcebot API key used by the review agent.
|
| `REVIEW_AGENT_AUTO_REVIEW_ENABLED` | `false` | Enables/disables automatic code reviews by the review agent.
|
diff --git a/docs/docs/features/agents/review-agent.mdx b/docs/docs/features/agents/review-agent.mdx
index 743611d0d..49e1834d5 100644
--- a/docs/docs/features/agents/review-agent.mdx
+++ b/docs/docs/features/agents/review-agent.mdx
@@ -44,9 +44,9 @@ Before you get started, make sure you have an OpenAPI account that you can creat
Sourcebot requires the following environment variables to begin reviewing PRs through your new GitHub app:
- - `GITHUB_APP_ID`: The client ID of your GitHub app. Can be found in your [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings)
- - `GITHUB_APP_WEBHOOK_SECRET`: The webhook secret you defined in your GitHub app. Can be found in your [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings)
- - `GITHUB_APP_PRIVATE_KEY_PATH`: The path to your app's private key. If you're running Sourcebot from a container, this is the path to this file from within your container
+ - `GITHUB_REVIEW_AGENT_APP_ID`: The client ID of your GitHub app. Can be found in your [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings)
+ - `GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET`: The webhook secret you defined in your GitHub app. Can be found in your [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings)
+ - `GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH`: The path to your app's private key. If you're running Sourcebot from a container, this is the path to this file from within your container
(ex `/data/review-agent-key.pem`). You must copy the private key file into the directory you mount to Sourcebot (similar to the config file).
You can generate a private key file for your app in the [app settings](https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/quickstart#navigate-to-your-app-settings). You must copy this private key file into the
@@ -74,9 +74,9 @@ Before you get started, make sure you have an OpenAPI account that you can creat
- "/Users/michael/sourcebot_review_agent_workspace:/data"
environment:
CONFIG_PATH: "/data/config.json"
- GITHUB_APP_ID: "my-github-app-id"
- GITHUB_APP_WEBHOOK_SECRET: "my-github-app-webhook-secret"
- GITHUB_APP_PRIVATE_KEY_PATH: "/data/review-agent-key.pem"
+ GITHUB_REVIEW_AGENT_APP_ID: "my-github-app-id"
+ GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET: "my-github-app-webhook-secret"
+ GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH: "/data/review-agent-key.pem"
REVIEW_AGENT_API_KEY: "sourcebot-my-key"
OPENAI_API_KEY: "sk-proj-my-open-api-key"
```
diff --git a/docs/snippets/schemas/v3/app.schema.mdx b/docs/snippets/schemas/v3/app.schema.mdx
new file mode 100644
index 000000000..7eabc79fe
--- /dev/null
+++ b/docs/snippets/schemas/v3/app.schema.mdx
@@ -0,0 +1,82 @@
+{/* THIS IS A AUTO-GENERATED FILE. DO NOT MODIFY MANUALLY! */}
+```json
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "AppConfig",
+ "oneOf": [
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "title": "GithubAppConfig",
+ "properties": {
+ "type": {
+ "const": "githubApp",
+ "description": "GitHub App Configuration"
+ },
+ "deploymentHostname": {
+ "type": "string",
+ "format": "hostname",
+ "default": "github.com",
+ "description": "The hostname of the GitHub App deployment.",
+ "examples": [
+ "github.com",
+ "github.example.com"
+ ]
+ },
+ "id": {
+ "type": "string",
+ "description": "The ID of the GitHub App."
+ },
+ "privateKey": {
+ "description": "The private key of the GitHub App.",
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "secret": {
+ "type": "string",
+ "description": "The name of the secret that contains the token."
+ }
+ },
+ "required": [
+ "secret"
+ ],
+ "additionalProperties": false
+ },
+ {
+ "type": "object",
+ "properties": {
+ "env": {
+ "type": "string",
+ "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+ }
+ },
+ "required": [
+ "env"
+ ],
+ "additionalProperties": false
+ }
+ ]
+ }
+ },
+ "required": [
+ "type",
+ "id"
+ ],
+ "oneOf": [
+ {
+ "required": [
+ "privateKey"
+ ]
+ },
+ {
+ "required": [
+ "privateKeyPath"
+ ]
+ }
+ ],
+ "additionalProperties": false
+ }
+ ]
+}
+```
diff --git a/docs/snippets/schemas/v3/githubApp.schema.mdx b/docs/snippets/schemas/v3/githubApp.schema.mdx
new file mode 100644
index 000000000..2d1aea882
--- /dev/null
+++ b/docs/snippets/schemas/v3/githubApp.schema.mdx
@@ -0,0 +1,76 @@
+{/* THIS IS A AUTO-GENERATED FILE. DO NOT MODIFY MANUALLY! */}
+```json
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "title": "GithubAppConfig",
+ "properties": {
+ "type": {
+ "const": "githubApp",
+ "description": "GitHub App Configuration"
+ },
+ "deploymentHostname": {
+ "type": "string",
+ "format": "hostname",
+ "default": "github.com",
+ "description": "The hostname of the GitHub App deployment.",
+ "examples": [
+ "github.com",
+ "github.example.com"
+ ]
+ },
+ "id": {
+ "type": "string",
+ "description": "The ID of the GitHub App."
+ },
+ "privateKey": {
+ "description": "The private key of the GitHub App.",
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "secret": {
+ "type": "string",
+ "description": "The name of the secret that contains the token."
+ }
+ },
+ "required": [
+ "secret"
+ ],
+ "additionalProperties": false
+ },
+ {
+ "type": "object",
+ "properties": {
+ "env": {
+ "type": "string",
+ "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+ }
+ },
+ "required": [
+ "env"
+ ],
+ "additionalProperties": false
+ }
+ ]
+ }
+ },
+ "required": [
+ "type",
+ "id"
+ ],
+ "oneOf": [
+ {
+ "required": [
+ "privateKey"
+ ]
+ },
+ {
+ "required": [
+ "privateKeyPath"
+ ]
+ }
+ ],
+ "additionalProperties": false
+}
+```
diff --git a/docs/snippets/schemas/v3/index.schema.mdx b/docs/snippets/schemas/v3/index.schema.mdx
index 9df06a9f1..c79cd2b37 100644
--- a/docs/snippets/schemas/v3/index.schema.mdx
+++ b/docs/snippets/schemas/v3/index.schema.mdx
@@ -4273,6 +4273,89 @@
}
]
}
+ },
+ "apps": {
+ "type": "array",
+ "description": "Defines a collection of apps that are available to Sourcebot.",
+ "items": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "AppConfig",
+ "oneOf": [
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "title": "GithubAppConfig",
+ "properties": {
+ "type": {
+ "const": "githubApp",
+ "description": "GitHub App Configuration"
+ },
+ "deploymentHostname": {
+ "type": "string",
+ "format": "hostname",
+ "default": "github.com",
+ "description": "The hostname of the GitHub App deployment.",
+ "examples": [
+ "github.com",
+ "github.example.com"
+ ]
+ },
+ "id": {
+ "type": "string",
+ "description": "The ID of the GitHub App."
+ },
+ "privateKey": {
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "secret": {
+ "type": "string",
+ "description": "The name of the secret that contains the token."
+ }
+ },
+ "required": [
+ "secret"
+ ],
+ "additionalProperties": false
+ },
+ {
+ "type": "object",
+ "properties": {
+ "env": {
+ "type": "string",
+ "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+ }
+ },
+ "required": [
+ "env"
+ ],
+ "additionalProperties": false
+ }
+ ],
+ "description": "The private key of the GitHub App."
+ }
+ },
+ "required": [
+ "type",
+ "id"
+ ],
+ "oneOf": [
+ {
+ "required": [
+ "privateKey"
+ ]
+ },
+ {
+ "required": [
+ "privateKeyPath"
+ ]
+ }
+ ],
+ "additionalProperties": false
+ }
+ ]
+ }
}
},
"additionalProperties": false
diff --git a/packages/backend/package.json b/packages/backend/package.json
index 800d2504a..8329fbbb7 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -24,6 +24,7 @@
"dependencies": {
"@coderabbitai/bitbucket": "^1.1.3",
"@gitbeaker/rest": "^40.5.1",
+ "@octokit/app": "^16.1.1",
"@octokit/rest": "^21.0.2",
"@sentry/cli": "^2.42.2",
"@sentry/node": "^9.3.0",
diff --git a/packages/backend/src/ee/githubAppManager.ts b/packages/backend/src/ee/githubAppManager.ts
new file mode 100644
index 000000000..2205b9394
--- /dev/null
+++ b/packages/backend/src/ee/githubAppManager.ts
@@ -0,0 +1,138 @@
+import { GithubAppConfig, SourcebotConfig } from "@sourcebot/schemas/v3/index.type";
+import { loadConfig } from "@sourcebot/shared";
+import { env } from "../env.js";
+import { createLogger } from "@sourcebot/logger";
+import { getTokenFromConfig } from "../utils.js";
+import { PrismaClient } from "@sourcebot/db";
+import { App } from "@octokit/app";
+
+const logger = createLogger('githubAppManager');
+const GITHUB_DEFAULT_DEPLOYMENT_HOSTNAME = 'github.com';
+
+type Installation = {
+ id: number;
+ appId: number;
+ account: {
+ login: string;
+ type: 'organization' | 'user';
+ };
+ createdAt: string;
+ expiresAt: string;
+ token: string;
+};
+
+export class GithubAppManager {
+ private static instance: GithubAppManager | null = null;
+ private octokitApps: Map;
+ private installationMap: Map;
+ private db: PrismaClient | null = null;
+ private initialized: boolean = false;
+
+ private constructor() {
+ this.octokitApps = new Map();
+ this.installationMap = new Map();
+ }
+
+ public static getInstance(): GithubAppManager {
+ if (!GithubAppManager.instance) {
+ GithubAppManager.instance = new GithubAppManager();
+ }
+ return GithubAppManager.instance;
+ }
+
+ private ensureInitialized(): void {
+ if (!this.initialized) {
+ throw new Error('GithubAppManager must be initialized before use. Call init() first.');
+ }
+ }
+
+ public async init(db: PrismaClient) {
+ this.db = db;
+ const config = await loadConfig(env.CONFIG_PATH!);
+ const githubApps = config.apps?.filter(app => app.type === 'githubApp') as GithubAppConfig[];
+
+ logger.info(`Found ${githubApps.length} GitHub apps in config`);
+
+ for (const app of githubApps) {
+ const deploymentHostname = app.deploymentHostname as string || GITHUB_DEFAULT_DEPLOYMENT_HOSTNAME;
+
+ // @todo: we should move SINGLE_TENANT_ORG_ID to shared package or just remove the need to pass this in
+ // when resolving tokens
+ const SINGLE_TENANT_ORG_ID = 1;
+ const privateKey = await getTokenFromConfig(app.privateKey, SINGLE_TENANT_ORG_ID, this.db!);
+
+ const octokitApp = new App({
+ appId: Number(app.id),
+ privateKey: privateKey,
+ });
+ this.octokitApps.set(Number(app.id), octokitApp);
+
+ const installations = await octokitApp.octokit.request("GET /app/installations");
+ logger.info(`Found ${installations.data.length} GitHub App installations for ${deploymentHostname}/${app.id}:`);
+
+ for (const installationData of installations.data) {
+ if (!installationData.account || !installationData.account.login || !installationData.account.type) {
+ logger.warn(`Skipping installation ${installationData.id}: missing account data (${installationData.account})`);
+ continue;
+ }
+
+ logger.info(`\tInstallation ID: ${installationData.id}, Account: ${installationData.account.login}, Type: ${installationData.account.type}`);
+
+ const owner = installationData.account.login;
+ const accountType = installationData.account.type.toLowerCase() as 'organization' | 'user';
+ const installationOctokit = await octokitApp.getInstallationOctokit(installationData.id);
+ const auth = await installationOctokit.auth({ type: "installation" }) as { expires_at: string, token: string };
+
+ const installation: Installation = {
+ id: installationData.id,
+ appId: Number(app.id),
+ account: {
+ login: owner,
+ type: accountType,
+ },
+ createdAt: installationData.created_at,
+ expiresAt: auth.expires_at,
+ token: auth.token
+ };
+ this.installationMap.set(this.generateMapKey(owner, deploymentHostname), installation);
+ }
+ }
+
+ this.initialized = true;
+ }
+
+ public async getInstallationToken(owner: string, deploymentHostname: string = GITHUB_DEFAULT_DEPLOYMENT_HOSTNAME): Promise {
+ this.ensureInitialized();
+
+ const key = this.generateMapKey(owner, deploymentHostname);
+ const installation = this.installationMap.get(key) as Installation | undefined;
+ if (!installation) {
+ throw new Error(`GitHub App Installation not found for ${key}`);
+ }
+
+ if (installation.expiresAt < new Date().toISOString()) {
+ const octokitApp = this.octokitApps.get(installation.appId) as App;
+ const installationOctokit = await octokitApp.getInstallationOctokit(installation.id);
+ const auth = await installationOctokit.auth({ type: "installation" }) as { expires_at: string, token: string };
+
+ const newInstallation: Installation = {
+ ...installation,
+ expiresAt: auth.expires_at,
+ token: auth.token
+ };
+ this.installationMap.set(key, newInstallation);
+
+ return newInstallation.token;
+ } else {
+ return installation.token;
+ }
+ }
+
+ public appsConfigured() {
+ return this.octokitApps.size > 0;
+ }
+
+ private generateMapKey(owner: string, deploymentHostname: string): string {
+ return `${deploymentHostname}/${owner}`;
+ }
+}
\ No newline at end of file
diff --git a/packages/backend/src/ee/repoPermissionSyncer.ts b/packages/backend/src/ee/repoPermissionSyncer.ts
index 453b94f6a..2393561a4 100644
--- a/packages/backend/src/ee/repoPermissionSyncer.ts
+++ b/packages/backend/src/ee/repoPermissionSyncer.ts
@@ -18,7 +18,6 @@ const QUEUE_NAME = 'repoPermissionSyncQueue';
const logger = createLogger('repo-permission-syncer');
-
export class RepoPermissionSyncer {
private queue: Queue;
private worker: Worker;
diff --git a/packages/backend/src/github.ts b/packages/backend/src/github.ts
index 2b42eed23..19752914e 100644
--- a/packages/backend/src/github.ts
+++ b/packages/backend/src/github.ts
@@ -8,6 +8,8 @@ import { BackendException, BackendError } from "@sourcebot/error";
import { processPromiseResults, throwIfAnyFailed } from "./connectionUtils.js";
import * as Sentry from "@sentry/node";
import { env } from "./env.js";
+import { GithubAppManager } from "./ee/githubAppManager.js";
+import { hasEntitlement } from "@sourcebot/shared";
const logger = createLogger('github');
const GITHUB_CLOUD_HOSTNAME = "github.com";
@@ -55,6 +57,40 @@ export const createOctokitFromToken = async ({ token, url }: { token?: string, u
};
}
+/**
+ * Helper function to get an authenticated Octokit instance using GitHub App if available,
+ * otherwise falls back to the provided octokit instance.
+ */
+const getOctokitWithGithubApp = async (
+ octokit: Octokit,
+ owner: string,
+ url: string | undefined,
+ context: string
+): Promise => {
+ if (!hasEntitlement('github-app') || !GithubAppManager.getInstance().appsConfigured()) {
+ return octokit;
+ }
+
+ try {
+ const hostname = url ? new URL(url).hostname : GITHUB_CLOUD_HOSTNAME;
+ const token = await GithubAppManager.getInstance().getInstallationToken(owner, hostname);
+ const { octokit: octokitFromToken, isAuthenticated } = await createOctokitFromToken({
+ token,
+ url,
+ });
+
+ if (isAuthenticated) {
+ return octokitFromToken;
+ } else {
+ logger.error(`Failed to authenticate with GitHub App for ${context}. Falling back to legacy token resolution.`);
+ return octokit;
+ }
+ } catch (error) {
+ logger.error(`Error getting GitHub App token for ${context}. Falling back to legacy token resolution.`, error);
+ return octokit;
+ }
+}
+
export const getGitHubReposFromConfig = async (config: GithubConnectionConfig, orgId: number, db: PrismaClient, signal: AbortSignal) => {
const hostname = config.url ?
new URL(config.url).hostname :
@@ -107,19 +143,19 @@ export const getGitHubReposFromConfig = async (config: GithubConnectionConfig, o
};
if (config.orgs) {
- const { validRepos, notFoundOrgs } = await getReposForOrgs(config.orgs, octokit, signal);
+ const { validRepos, notFoundOrgs } = await getReposForOrgs(config.orgs, octokit, signal, config.url);
allRepos = allRepos.concat(validRepos);
notFound.orgs = notFoundOrgs;
}
if (config.repos) {
- const { validRepos, notFoundRepos } = await getRepos(config.repos, octokit, signal);
+ const { validRepos, notFoundRepos } = await getRepos(config.repos, octokit, signal, config.url);
allRepos = allRepos.concat(validRepos);
notFound.repos = notFoundRepos;
}
if (config.users) {
- const { validRepos, notFoundUsers } = await getReposOwnedByUsers(config.users, octokit, signal);
+ const { validRepos, notFoundUsers } = await getReposOwnedByUsers(config.users, octokit, signal, config.url);
allRepos = allRepos.concat(validRepos);
notFound.users = notFoundUsers;
}
@@ -178,11 +214,12 @@ export const getReposForAuthenticatedUser = async (visibility: 'all' | 'private'
}
}
-const getReposOwnedByUsers = async (users: string[], octokit: Octokit, signal: AbortSignal) => {
+const getReposOwnedByUsers = async (users: string[], octokit: Octokit, signal: AbortSignal, url?: string) => {
const results = await Promise.allSettled(users.map(async (user) => {
try {
logger.debug(`Fetching repository info for user ${user}...`);
+ const octokitToUse = await getOctokitWithGithubApp(octokit, user, url, `user ${user}`);
const { durationMs, data } = await measure(async () => {
const fetchFn = async () => {
let query = `user:${user}`;
@@ -194,7 +231,7 @@ const getReposOwnedByUsers = async (users: string[], octokit: Octokit, signal: A
// the username as a parameter.
// @see: https://github.com/orgs/community/discussions/24382#discussioncomment-3243958
// @see: https://api.github.com/search/repositories?q=user:USERNAME
- const searchResults = await octokit.paginate(octokit.rest.search.repos, {
+ const searchResults = await octokitToUse.paginate(octokitToUse.rest.search.repos, {
q: query,
per_page: 100,
request: {
@@ -237,13 +274,14 @@ const getReposOwnedByUsers = async (users: string[], octokit: Octokit, signal: A
};
}
-const getReposForOrgs = async (orgs: string[], octokit: Octokit, signal: AbortSignal) => {
+const getReposForOrgs = async (orgs: string[], octokit: Octokit, signal: AbortSignal, url?: string) => {
const results = await Promise.allSettled(orgs.map(async (org) => {
try {
logger.info(`Fetching repository info for org ${org}...`);
+ const octokitToUse = await getOctokitWithGithubApp(octokit, org, url, `org ${org}`);
const { durationMs, data } = await measure(async () => {
- const fetchFn = () => octokit.paginate(octokit.repos.listForOrg, {
+ const fetchFn = () => octokitToUse.paginate(octokitToUse.repos.listForOrg, {
org: org,
per_page: 100,
request: {
@@ -283,14 +321,15 @@ const getReposForOrgs = async (orgs: string[], octokit: Octokit, signal: AbortSi
};
}
-const getRepos = async (repoList: string[], octokit: Octokit, signal: AbortSignal) => {
+const getRepos = async (repoList: string[], octokit: Octokit, signal: AbortSignal, url?: string) => {
const results = await Promise.allSettled(repoList.map(async (repo) => {
try {
const [owner, repoName] = repo.split('/');
logger.info(`Fetching repository info for ${repo}...`);
+ const octokitToUse = await getOctokitWithGithubApp(octokit, owner, url, `repo ${repo}`);
const { durationMs, data: result } = await measure(async () => {
- const fetchFn = () => octokit.repos.get({
+ const fetchFn = () => octokitToUse.repos.get({
owner,
repo: repoName,
request: {
diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
index 78a1ce6c6..354e61ff7 100644
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@@ -10,6 +10,7 @@ import { ConnectionManager } from './connectionManager.js';
import { DEFAULT_SETTINGS, INDEX_CACHE_DIR, REPOS_CACHE_DIR } from './constants.js';
import { RepoPermissionSyncer } from './ee/repoPermissionSyncer.js';
import { UserPermissionSyncer } from "./ee/userPermissionSyncer.js";
+import { GithubAppManager } from "./ee/githubAppManager.js";
import { env } from "./env.js";
import { RepoIndexManager } from "./repoIndexManager.js";
import { PromClient } from './promClient.js';
@@ -58,6 +59,11 @@ const promClient = new PromClient();
const settings = await getSettings(env.CONFIG_PATH);
+
+if (hasEntitlement('github-app')) {
+ await GithubAppManager.getInstance().init(prisma);
+}
+
const connectionManager = new ConnectionManager(prisma, settings, redis);
const repoPermissionSyncer = new RepoPermissionSyncer(prisma, settings, redis);
const userPermissionSyncer = new UserPermissionSyncer(prisma, settings, redis);
diff --git a/packages/backend/src/utils.ts b/packages/backend/src/utils.ts
index aaaad4eaf..01b44f54e 100644
--- a/packages/backend/src/utils.ts
+++ b/packages/backend/src/utils.ts
@@ -6,6 +6,8 @@ import { getTokenFromConfig as getTokenFromConfigBase } from "@sourcebot/crypto"
import { BackendException, BackendError } from "@sourcebot/error";
import * as Sentry from "@sentry/node";
import { GithubConnectionConfig, GitlabConnectionConfig, GiteaConnectionConfig, BitbucketConnectionConfig, AzureDevOpsConnectionConfig } from '@sourcebot/schemas/v3/connection.type';
+import { GithubAppManager } from "./ee/githubAppManager.js";
+import { hasEntitlement } from "@sourcebot/shared";
import { REPOS_CACHE_DIR } from "./constants.js";
export const measure = async (cb: () => Promise) => {
@@ -126,6 +128,28 @@ export const fetchWithRetry = async (
// may have their own token. This method will just pick the first connection that has a token (if one exists) and uses that. This
// may technically cause syncing to fail if that connection's token just so happens to not have access to the repo it's referencing.
export const getAuthCredentialsForRepo = async (repo: RepoWithConnections, db: PrismaClient, logger?: Logger): Promise => {
+ // If we have github apps configured we assume that we must use them for github service auth
+ if (repo.external_codeHostType === 'github' && hasEntitlement('github-app') && GithubAppManager.getInstance().appsConfigured()) {
+ const owner = repo.displayName?.split('/')[0];
+ const deploymentHostname = new URL(repo.external_codeHostUrl).hostname;
+ if (!owner || !deploymentHostname) {
+ throw new Error(`Failed to fetch GitHub App for repo ${repo.displayName}:Invalid repo displayName (${repo.displayName}) or deployment hostname (${deploymentHostname})`);
+ }
+
+ const token = await GithubAppManager.getInstance().getInstallationToken(owner, deploymentHostname);
+ return {
+ hostUrl: repo.external_codeHostUrl,
+ token,
+ cloneUrlWithToken: createGitCloneUrlWithToken(
+ repo.cloneUrl,
+ {
+ username: 'x-access-token',
+ password: token
+ }
+ ),
+ }
+ }
+
for (const { connection } of repo.connections) {
if (connection.connectionType === 'github') {
const config = connection.config as unknown as GithubConnectionConfig;
diff --git a/packages/schemas/src/v3/app.schema.ts b/packages/schemas/src/v3/app.schema.ts
new file mode 100644
index 000000000..5b4b96f75
--- /dev/null
+++ b/packages/schemas/src/v3/app.schema.ts
@@ -0,0 +1,81 @@
+// THIS IS A AUTO-GENERATED FILE. DO NOT MODIFY MANUALLY!
+const schema = {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "AppConfig",
+ "oneOf": [
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "title": "GithubAppConfig",
+ "properties": {
+ "type": {
+ "const": "githubApp",
+ "description": "GitHub App Configuration"
+ },
+ "deploymentHostname": {
+ "type": "string",
+ "format": "hostname",
+ "default": "github.com",
+ "description": "The hostname of the GitHub App deployment.",
+ "examples": [
+ "github.com",
+ "github.example.com"
+ ]
+ },
+ "id": {
+ "type": "string",
+ "description": "The ID of the GitHub App."
+ },
+ "privateKey": {
+ "description": "The private key of the GitHub App.",
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "secret": {
+ "type": "string",
+ "description": "The name of the secret that contains the token."
+ }
+ },
+ "required": [
+ "secret"
+ ],
+ "additionalProperties": false
+ },
+ {
+ "type": "object",
+ "properties": {
+ "env": {
+ "type": "string",
+ "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+ }
+ },
+ "required": [
+ "env"
+ ],
+ "additionalProperties": false
+ }
+ ]
+ }
+ },
+ "required": [
+ "type",
+ "id"
+ ],
+ "oneOf": [
+ {
+ "required": [
+ "privateKey"
+ ]
+ },
+ {
+ "required": [
+ "privateKeyPath"
+ ]
+ }
+ ],
+ "additionalProperties": false
+ }
+ ]
+} as const;
+export { schema as appSchema };
\ No newline at end of file
diff --git a/packages/schemas/src/v3/app.type.ts b/packages/schemas/src/v3/app.type.ts
new file mode 100644
index 000000000..255ef033d
--- /dev/null
+++ b/packages/schemas/src/v3/app.type.ts
@@ -0,0 +1,6 @@
+// THIS IS A AUTO-GENERATED FILE. DO NOT MODIFY MANUALLY!
+
+export type AppConfig = GithubAppConfig;
+export type GithubAppConfig = {
+ [k: string]: unknown;
+};
diff --git a/packages/schemas/src/v3/githubApp.schema.ts b/packages/schemas/src/v3/githubApp.schema.ts
new file mode 100644
index 000000000..aab0ef20a
--- /dev/null
+++ b/packages/schemas/src/v3/githubApp.schema.ts
@@ -0,0 +1,75 @@
+// THIS IS A AUTO-GENERATED FILE. DO NOT MODIFY MANUALLY!
+const schema = {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "title": "GithubAppConfig",
+ "properties": {
+ "type": {
+ "const": "githubApp",
+ "description": "GitHub App Configuration"
+ },
+ "deploymentHostname": {
+ "type": "string",
+ "format": "hostname",
+ "default": "github.com",
+ "description": "The hostname of the GitHub App deployment.",
+ "examples": [
+ "github.com",
+ "github.example.com"
+ ]
+ },
+ "id": {
+ "type": "string",
+ "description": "The ID of the GitHub App."
+ },
+ "privateKey": {
+ "description": "The private key of the GitHub App.",
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "secret": {
+ "type": "string",
+ "description": "The name of the secret that contains the token."
+ }
+ },
+ "required": [
+ "secret"
+ ],
+ "additionalProperties": false
+ },
+ {
+ "type": "object",
+ "properties": {
+ "env": {
+ "type": "string",
+ "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+ }
+ },
+ "required": [
+ "env"
+ ],
+ "additionalProperties": false
+ }
+ ]
+ }
+ },
+ "required": [
+ "type",
+ "id"
+ ],
+ "oneOf": [
+ {
+ "required": [
+ "privateKey"
+ ]
+ },
+ {
+ "required": [
+ "privateKeyPath"
+ ]
+ }
+ ],
+ "additionalProperties": false
+} as const;
+export { schema as githubAppSchema };
\ No newline at end of file
diff --git a/packages/schemas/src/v3/githubApp.type.ts b/packages/schemas/src/v3/githubApp.type.ts
new file mode 100644
index 000000000..cd5af6af1
--- /dev/null
+++ b/packages/schemas/src/v3/githubApp.type.ts
@@ -0,0 +1,34 @@
+// THIS IS A AUTO-GENERATED FILE. DO NOT MODIFY MANUALLY!
+
+export type GithubAppConfig = {
+ /**
+ * GitHub App Configuration
+ */
+ type: "githubApp";
+ /**
+ * The hostname of the GitHub App deployment.
+ */
+ deploymentHostname?: string;
+ /**
+ * The ID of the GitHub App.
+ */
+ id: string;
+ /**
+ * The private key of the GitHub App.
+ */
+ privateKey?:
+ | {
+ /**
+ * The name of the secret that contains the token.
+ */
+ secret: string;
+ }
+ | {
+ /**
+ * The name of the environment variable that contains the token. Only supported in declarative connection configs.
+ */
+ env: string;
+ };
+} & {
+ [k: string]: unknown;
+};
diff --git a/packages/schemas/src/v3/index.schema.ts b/packages/schemas/src/v3/index.schema.ts
index 38ec2f0a0..c326e7b65 100644
--- a/packages/schemas/src/v3/index.schema.ts
+++ b/packages/schemas/src/v3/index.schema.ts
@@ -4272,6 +4272,89 @@ const schema = {
}
]
}
+ },
+ "apps": {
+ "type": "array",
+ "description": "Defines a collection of apps that are available to Sourcebot.",
+ "items": {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "AppConfig",
+ "oneOf": [
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "title": "GithubAppConfig",
+ "properties": {
+ "type": {
+ "const": "githubApp",
+ "description": "GitHub App Configuration"
+ },
+ "deploymentHostname": {
+ "type": "string",
+ "format": "hostname",
+ "default": "github.com",
+ "description": "The hostname of the GitHub App deployment.",
+ "examples": [
+ "github.com",
+ "github.example.com"
+ ]
+ },
+ "id": {
+ "type": "string",
+ "description": "The ID of the GitHub App."
+ },
+ "privateKey": {
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "secret": {
+ "type": "string",
+ "description": "The name of the secret that contains the token."
+ }
+ },
+ "required": [
+ "secret"
+ ],
+ "additionalProperties": false
+ },
+ {
+ "type": "object",
+ "properties": {
+ "env": {
+ "type": "string",
+ "description": "The name of the environment variable that contains the token. Only supported in declarative connection configs."
+ }
+ },
+ "required": [
+ "env"
+ ],
+ "additionalProperties": false
+ }
+ ],
+ "description": "The private key of the GitHub App."
+ }
+ },
+ "required": [
+ "type",
+ "id"
+ ],
+ "oneOf": [
+ {
+ "required": [
+ "privateKey"
+ ]
+ },
+ {
+ "required": [
+ "privateKeyPath"
+ ]
+ }
+ ],
+ "additionalProperties": false
+ }
+ ]
+ }
}
},
"additionalProperties": false
diff --git a/packages/schemas/src/v3/index.type.ts b/packages/schemas/src/v3/index.type.ts
index 4e8982dc0..3d0b19478 100644
--- a/packages/schemas/src/v3/index.type.ts
+++ b/packages/schemas/src/v3/index.type.ts
@@ -25,6 +25,10 @@ export type LanguageModel =
| OpenAICompatibleLanguageModel
| OpenRouterLanguageModel
| XaiLanguageModel;
+export type AppConfig = GithubAppConfig;
+export type GithubAppConfig = {
+ [k: string]: unknown;
+};
export interface SourcebotConfig {
$schema?: string;
@@ -45,6 +49,10 @@ export interface SourcebotConfig {
* Defines a collection of language models that are available to Sourcebot.
*/
models?: LanguageModel[];
+ /**
+ * Defines a collection of apps that are available to Sourcebot.
+ */
+ apps?: AppConfig[];
}
/**
* Defines the global settings for Sourcebot.
diff --git a/packages/shared/src/entitlements.ts b/packages/shared/src/entitlements.ts
index be40b9275..1c0c688ff 100644
--- a/packages/shared/src/entitlements.ts
+++ b/packages/shared/src/entitlements.ts
@@ -39,15 +39,16 @@ const entitlements = [
"code-nav",
"audit",
"analytics",
- "permission-syncing"
+ "permission-syncing",
+ "github-app"
] as const;
export type Entitlement = (typeof entitlements)[number];
const entitlementsByPlan: Record = {
oss: ["anonymous-access"],
"cloud:team": ["billing", "multi-tenancy", "sso", "code-nav"],
- "self-hosted:enterprise": ["search-contexts", "sso", "code-nav", "audit", "analytics", "permission-syncing"],
- "self-hosted:enterprise-unlimited": ["search-contexts", "anonymous-access", "sso", "code-nav", "audit", "analytics", "permission-syncing"],
+ "self-hosted:enterprise": ["search-contexts", "sso", "code-nav", "audit", "analytics", "permission-syncing", "github-app"],
+ "self-hosted:enterprise-unlimited": ["search-contexts", "anonymous-access", "sso", "code-nav", "audit", "analytics", "permission-syncing", "github-app"],
// Special entitlement for https://demo.sourcebot.dev
"cloud:demo": ["anonymous-access", "code-nav", "search-contexts"],
} as const;
diff --git a/packages/web/src/app/[domain]/agents/page.tsx b/packages/web/src/app/[domain]/agents/page.tsx
index 03b2a2d69..1da98ff20 100644
--- a/packages/web/src/app/[domain]/agents/page.tsx
+++ b/packages/web/src/app/[domain]/agents/page.tsx
@@ -8,7 +8,7 @@ const agents = [
id: "review-agent",
name: "Review Agent",
description: "An AI code review agent that reviews your PRs. Uses the code indexed on Sourcebot to provide codebase-wide context.",
- requiredEnvVars: ["GITHUB_APP_ID", "GITHUB_APP_WEBHOOK_SECRET", "GITHUB_APP_PRIVATE_KEY_PATH", "OPENAI_API_KEY"],
+ requiredEnvVars: ["GITHUB_REVIEW_AGENT_APP_ID", "GITHUB_REVIEW_AGENT_APP_WEBHOOK_SECRET", "GITHUB_REVIEW_AGENT_APP_PRIVATE_KEY_PATH", "OPENAI_API_KEY"],
configureUrl: "https://docs.sourcebot.dev/docs/features/agents/review-agent"
},
];
diff --git a/packages/web/src/app/[domain]/components/settingsDropdown.tsx b/packages/web/src/app/[domain]/components/settingsDropdown.tsx
index 377d0ef79..92a5705aa 100644
--- a/packages/web/src/app/[domain]/components/settingsDropdown.tsx
+++ b/packages/web/src/app/[domain]/components/settingsDropdown.tsx
@@ -73,19 +73,24 @@ export const SettingsDropdown = ({
-
+
{session?.user ? (
-
-
+
+
-
- {session.user.name && session.user.name.length > 0 ? session.user.name[0] : 'U'}
+
+ {session.user.name && session.user.name.length > 0 ? session.user.name[0].toUpperCase() : 'U'}
-
{session.user.email ?? "User"}
+
+
{session.user.name ?? "User"}
+ {session.user.email && (
+
{session.user.email}
+ )}
+