
AlCalzone/cloudflare-worker-github-app-example


cloudflare-worker-github-app-example

A Cloudflare Worker + GitHub App Example

The worker.js file is a Cloudflare Worker which is continuously deployed using GitHub Actions (see .github/workflows/deploy.yml).

The worker does 2 things:

  1. GET requests: respond with an HTML website with links and a live counter of installations.
  2. POST requests: handle webhook requests from GitHub

⚠️ The requests from GitHub are currently not verified using the signature, because the code is currently using Node's crypto package. This will be resolved once I create a universal webhook verification package, similar to universal-github-app-jwt. For the time being, you could define a secret path that webhook requests by GitHub are sent to, in order to prevent anyone who knows your worker's URL from sending fake webhook requests. See #1
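The signature check that the warning above says is missing can be done with WebCrypto alone, with no need for Node's crypto package. The following is an added example, not this repository's worker.js: it assumes GitHub's `X-Hub-Signature-256` header (`sha256=` followed by the hex HMAC-SHA256 of the raw body, keyed with `WEBHOOK_SECRET`), and all function names are hypothetical.

```javascript
// Added example, not the repository's worker.js. Function names are hypothetical.
const encoder = new TextEncoder();
// Workers expose WebCrypto as globalThis.crypto; the import is a fallback for older Node.
const getSubtle = async () =>
  globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;

const hmacKey = async (secret, usage) =>
  (await getSubtle()).importKey(
    "raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

// Decode the hex digest from the header; null on anything malformed.
function hexToBytes(hex) {
  if (!/^[0-9a-f]{64}$/i.test(hex)) return null; // SHA-256 digest = 32 bytes
  return Uint8Array.from(hex.match(/../g), (pair) => parseInt(pair, 16));
}

// rawBody must be the body text exactly as received, before JSON.parse.
async function verifyWebhookSignature(secret, rawBody, signatureHeader) {
  if (typeof signatureHeader !== "string" || !signatureHeader.startsWith("sha256=")) {
    return false; // header missing or not the HMAC-SHA256 form
  }
  const signature = hexToBytes(signatureHeader.slice("sha256=".length));
  if (signature === null) return false;
  // Let the runtime recompute and compare the MAC instead of comparing hex strings with ===.
  return (await getSubtle()).verify(
    "HMAC", await hmacKey(secret, "verify"), signature, encoder.encode(rawBody));
}

// POST branch of a Worker: reject before the payload is parsed or acted on.
async function handleWebhook(request, secret) {
  const rawBody = await request.text();
  const header = request.headers.get("x-hub-signature-256");
  if (!(await verifyWebhookSignature(secret, rawBody, header))) {
    return new Response("invalid signature", { status: 401 });
  }
  const payload = JSON.parse(rawBody);
  return new Response(`accepted: ${payload.action}`, { status: 200 });
}

// Builds a header for a constructed sample only; GitHub computes this on its side.
async function signForDemo(secret, rawBody) {
  const mac = await (await getSubtle()).sign(
    "HMAC", await hmacKey(secret, "sign"), encoder.encode(rawBody));
  return "sha256=" + [...new Uint8Array(mac)].map((b) => b.toString(16).padStart(2, "0")).join("");
}
```

In a Worker, the POST branch would call `handleWebhook(request, WEBHOOK_SECRET)` and only run the app logic once it has passed the check.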

screen recording of GitHub app creating a comment on a new GitHub issue

Step-by-step instructions to create your own

Note that you require access to the new GitHub Actions for the automated deployment to work.

  1. Fork this repository

  2. Create a GitHub App

  3. Create a Cloudflare account (it's free!) if you don't have one yet.

  4. Install the wrangler CLI and log in with your account

    npm install --global @cloudflare/wrangler
    wrangler login
    
  5. Edit the wrangler.toml file, change the value for account_id to your own (select your account, then find your Account ID at the bottom of the side bar)

  6. Add the following secrets to your Cloudflare worker:

    • APP_ID: In your GitHub App registration's settings page, find App ID

      wrangler secret put APP_ID
      
    • WEBHOOK_SECRET: In your GitHub App registration's settings page, find Webhook secret

      wrangler secret put WEBHOOK_SECRET
      
    • PRIVATE_KEY_1, PRIVATE_KEY_2, PRIVATE_KEY_3: Generate a private key (see the button at the bottom of your GitHub App registration's settings page).

      1. You will be prompted to download a *.pem file. After download, rename it to private-key.pem.

      2. Convert the key from the PKCS#1 format to PKCS#8 (The WebCrypto API only supports PKCS#8):

        openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private-key-pkcs8.pem
        
      3. The contents of the private key are too large for the 1kb limit of Cloudflare Workers secrets. Split them up into 3 parts using split. This will create 3 new files: xaa, xab, xac

        split -l 10 private-key-pkcs8.pem
        
      4. Write the contents of the 3 new files into the secrets PRIVATE_KEY_1, PRIVATE_KEY_2, and PRIVATE_KEY_3:

        cat xaa | wrangler secret put PRIVATE_KEY_1
        cat xab | wrangler secret put PRIVATE_KEY_2
        cat xac | wrangler secret put PRIVATE_KEY_3
        
  7. Add the following secret in your fork's repository settings:

That should be it. The worker.js file will now be continuously deployed to Cloudflare each time there is a commit to master.

See also

Credits

The OAuth App Avatar and this repository's social preview are using @cameronmcefee's cloud Octodex graphic :octocat:💖

License

ISC
