Frozen Throne (Merge Freezes)

Frozen Throne is an API deployed to GCP Cloud Run for gating PR merges on Github.

• Frozen Throne Merge Freezes
• API
  • Authentication
  • Example requests
• Deployment
  • Pre-requisites
  • Create Secrets
  • Deploy to Cloud Run

API

Authentication

The freeze and thaw endpoints both require authentication in the form of a header in the request.

X-Access-Token: WRITE_SECRET

Example requests

$ curl -X POST -H "X-Access-Token: SECRET" localhost:8080/freeze/frozen-throne -d "user=thejokersthief"
{"frozen":true}

$ curl -X POST -H "X-Access-Token: SECRET" localhost:8080/thaw/frozen-throne -d "user=thejokersthief"
{"frozen":false}

Deployment

Pre-requisites

• Go 1.16
• Have created a Github App and have noted the Github App ID, and have generated a private key.
• Have generated a secret for both your webhook verification and a write-access API key (openssl rand -base64 48)

Create Secrets

The deployed cloud function uses the GCP Secret Manager to store secret values for:

1. The Write Secret token
2. The secret used to sign webhooks from Github
3. The Github App ID
4. The Github App's private key

The first 3 of these can be created with the following command:

PROJECT_ID=<ID> \
WRITE_SECRET=<secret> \
WEBHOOK_SECRET=<secret> \
GITHUB_APP_ID=<secret int> \
    make create_secrets

And you can update the secrets by using the same command, but replacing create_secrets with update_secrets.

The final secret is a private key associated with the Github app. This is a .pem file and can be added with the following command:

export PROJECT_ID="example"
export PATH_TO_PEM_FILE="some/file/path"
gcloud --project ${PROJECT_ID} secrets create FT_GITHUB_PRIVATE_KEY --replication-policy="automatic" --data-file=${PATH_TO_PEM_FILE}

Deploy to Cloud Run

Now that you've got all your secrets set up, you are good to deploy to Cloud Run. This involves two stages:

1. Build a cloud image
2. Deploy the image to Cloud Run

make build
PROJECT_ID=<ID> make deploy