Apr 8, 2025 - 05:51
A GitHub automation tool that uses Pulumi to deploy a CI/CD pipeline with

This is a submission for the Pulumi Deploy and Document Challenge: Get Creative with Pulumi and GitHub

What I Built

Auto-Labeler Bot: A GitHub automation tool that uses Pulumi to deploy a CI/CD pipeline with:

  • AI-powered issue labeling (via AWS Comprehend)
  • Auto-generated PR templates based on issue content
  • Dynamic milestone assignment based on labels
  • Security checks for sensitive keywords

Key Files:

  • main.py: Core Pulumi program
  • labeler_bot.py: GitHub App logic using Automation API
  • ci-cd-pipeline.yaml: GitHub Actions workflow
  • README.md: Setup guide & threat model

My Journey

First Hurdle: Authentication Circus

Tried 3 different token approaches before realizing Pulumi's aws.iam.Role could simplify permissions.

Key Prompt:

"Show me how to create a GitHub repository with a CODEOWNERS file and deployment protection rules using Pulumi"  

Breakthrough:

Used Pulumi's GitHubRepositoryWebhook resource to connect the bot to GitHub's Events API without exposing secrets in code!

Using Pulumi with GitHub

Why Pulumi?

  • Version-controlled infrastructure for GitHub workflows
  • Multi-repository management across teams
  • Secret encryption using Pulumi's Secrets Manager

SDK Gems:

import pulumi
import pulumi_github as github

# Create repository with security policies: private, no merge commits
repo = github.Repository("secure-app",
    visibility="private",
    allow_merge_commit=False,
    allow_rebase_merge=True)

# Auto-labeler webhook setup. RepositoryWebhook takes the repository *name*
# (the provider is already scoped to the owner); passing full_name ("owner/name")
# does not resolve. The webhook secret comes from encrypted stack config
# (`pulumi config set --secret webhook_secret ...`) so it never appears in code
# and lets the bot verify X-Hub-Signature-256 on every delivery.
webhook = github.RepositoryWebhook("issue-labeler",
    repository=repo.name,
    events=["issues"],
    active=True,
    configuration={
        "url": "https://labeler-bot.example.com/webhook",
        "content_type": "json",
        "secret": pulumi.Config().require_secret("webhook_secret"),
    })

Security Wins:

  1. GitHub App credentials stored in Pulumi Secrets Manager
  2. Deployment protection rules blocking force-pushes
  3. Automated dependabot alerts

Documentation Highlights (From README)

Step 1: Deploy with Pulumi

pulumi config set --secret github:token <your_personal_access_token>
pulumi up

Step 2: Configure Webhook

curl -X POST -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  -d '{"name":"web","active":true,"events":["issues"],"config":{"url":"https://labeler-bot.example.com/webhook","content_type":"json","secret":"YOUR_WEBHOOK_SECRET"}}' \
  https://api.github.com/repos/yourusername/auto-labeler-bot/hooks

Step 3: Customize Rules (YAML snippet)

label_rules:
  - keywords: ["urgent", "security"]
    priority: P0
    assignees: ["security-team"]
  - keywords: ["bug"]
    add_labels: ["bug", "needs-triage"]
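The receiving side of the bot, as an added example that is not code from the original submission: a webhook handler that checks GitHub's X-Hub-Signature-256 header before doing anything, then applies the label_rules from Step 3 (keyword match on title and body, highest priority wins, null body tolerated). It assumes the rules have already been parsed from YAML and that the webhook was created with a secret; the function names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed rules mirroring the README's label_rules snippet (assumed already parsed from YAML).
LABEL_RULES = [
    {"keywords": ["urgent", "security"], "priority": "P0", "assignees": ["security-team"]},
    {"keywords": ["bug"], "add_labels": ["bug", "needs-triage"]},
]

def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 of the raw body, hex encoded."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Constant-time check of the delivery signature; unsigned deliveries are rejected."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)

def apply_rules(issue: dict, rules=LABEL_RULES) -> dict:
    """Collect the labels, assignees and highest priority implied by keyword hits in title/body."""
    text = f"{issue.get('title') or ''}\n{issue.get('body') or ''}".lower()  # body may be null
    result = {"labels": [], "assignees": [], "priority": None}
    for rule in rules:
        if not any(kw.lower() in text for kw in rule["keywords"]):
            continue
        for label in rule.get("add_labels", []):
            if label not in result["labels"]:
                result["labels"].append(label)
        for who in rule.get("assignees", []):
            if who not in result["assignees"]:
                result["assignees"].append(who)
        prio = rule.get("priority")
        if prio and (result["priority"] is None or prio < result["priority"]):
            result["priority"] = prio  # "P0" sorts before "P1", so the lower string wins
    if result["priority"]:
        result["labels"].append(f"priority:{result['priority']}")
    return result

def handle_webhook(secret: bytes, body: bytes, signature: str) -> dict:
    """Webhook entry point: authenticate the delivery, then label newly opened issues only."""
    if not verify_signature(secret, body, signature):
        return {"status": 401, "reason": "bad signature"}
    event = json.loads(body)
    if event.get("action") != "opened" or "issue" not in event:
        return {"status": 204, "reason": "ignored"}
    return {"status": 200, **apply_rules(event["issue"])}
```

The signature check must run over the raw request bytes, before JSON parsing, or a re-serialized body will not match what GitHub signed.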

Troubleshooting Tips:

⚠️ Ensure GitHub App has contents:read scope

⚠️ Validate webhook URLs with ngrok during testing

⚠️ Monitor AWS Comprehend API costs

Why This Matters

Traditional approaches to GitHub automation: