All files / src/cli/commands setup-app.ts

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
7x
 
7x
7x
 
 
7x
 
 
7x
 
 
7x
7x
7x
7x
7x
7x
7x
 
 
7x
 
7x
 
 
 
 
 
 
 
 
 
7x
7x
3x
2x
 
1x
 
 
 
 
7x
 
7x
 
7x
7x
1x
1x
1x
 
1x
1x
 
 
 
 
7x
7x
7x
7x
 
 
7x
7x
7x
7x
 
 
7x
 
 
3x
3x
3x
 
 
3x
3x
3x
3x
3x
3x
3x
 
 
3x
3x
3x
 
 
3x
3x
3x
 
 
3x
3x
3x
 
3x
3x
3x
3x
 
 
3x
3x
 
3x
3x
9x
 
3x
 
3x
 
4x
4x
4x
 
 
4x
4x
4x
4x
4x
4x
4x
4x
4x
4x
 
4x
4x
 
4x
 
7x
 
 
 
/**
 * Setup GitHub App command.
 * Creates a GitHub App via the manifest flow for Warden to post as a custom bot.
 */
 
import { randomBytes } from 'node:crypto';
import chalk from 'chalk';
import type { SetupAppOptions } from '../args.js';
import type { Reporter } from '../output/reporter.js';
import { getGitHubRepoUrl } from '../git.js';
import { buildManifest } from './setup-app/manifest.js';
import { startCallbackServer } from './setup-app/server.js';
import { openBrowser } from './setup-app/browser.js';
import { exchangeCodeForCredentials } from './setup-app/credentials.js';
 
/**
 * Run the setup-app command.
 */
export async function runSetupApp(options: SetupAppOptions, reporter: Reporter): Promise<number> {
  const { port, timeout, org, name, open } = options;
 
  reporter.bold('SETUP GITHUB APP');
  reporter.blank();
 
  // Generate state token for CSRF protection
  const state = randomBytes(16).toString('hex');
 
  // Build manifest
  const manifest = buildManifest({ name, port });
 
  // Show what permissions will be requested
  reporter.text('This will create a GitHub App with the following permissions:');
  reporter.text(`  ${chalk.dim('•')} contents: write       ${chalk.dim('- Read files, resolve review threads')}`);
  reporter.text(`  ${chalk.dim('•')} pull_requests: write  ${chalk.dim('- Post review comments')}`);
  reporter.text(`  ${chalk.dim('•')} issues: write         ${chalk.dim('- Create/update issues')}`);
  reporter.text(`  ${chalk.dim('•')} checks: write         ${chalk.dim('- Create check runs')}`);
  reporter.text(`  ${chalk.dim('•')} metadata: read        ${chalk.dim('- Read repository metadata')}`);
  reporter.blank();
 
  // Start local server (serves the form and handles callback)
  reporter.step(`Starting local server on http://localhost:${port}...`);
 
  const serverHandle = startCallbackServer({
    port,
    expectedState: state,
    timeoutMs: timeout * 1000,
    manifest,
    org,
  });
 
  // Handle server errors (e.g., port already in use) by racing a rejection
  // against the callback promise so the error flows into the catch block below.
  const serverError = new Promise<never>((_, reject) => {
    serverHandle.server.on('error', (error: NodeJS.ErrnoException) => {
      if (error.code === 'EADDRINUSE') {
        reject(new Error(`Port ${port} is already in use. Try a different port with --port <number>`));
      } else {
        reject(new Error(`Server error: ${error.message}`));
      }
    });
  });
  // Prevent unhandled rejection if the server errors before Promise.race is reached
  serverError.catch((_e: unknown) => undefined);
 
  try {
    // Open browser to our local server (which will POST to GitHub)
    let showUrl = !open;
    if (open) {
      reporter.step('Opening browser...');
      try {
        await openBrowser(serverHandle.startUrl);
      } catch {
        reporter.warning('Could not open browser automatically.');
        showUrl = true;
      }
    }
 
    // Show the URL if the browser was not opened (or failed to open)
    Eif (showUrl) {
      reporter.blank();
      reporter.text('Open this URL in your browser:');
      reporter.text(chalk.cyan(serverHandle.startUrl));
    }
 
    reporter.blank();
    reporter.text(`On the GitHub page, click ${chalk.cyan('"Create GitHub App"')} to continue.`);
    reporter.blank();
    reporter.text(chalk.dim('Waiting for GitHub callback... (Ctrl+C to cancel)'));
 
    // Wait for callback, but also abort if the server errors out
    const { code } = await Promise.race([serverHandle.waitForCallback, serverError]);
 
    // Exchange code for credentials
    reporter.blank();
    reporter.step('Exchanging code for credentials...');
    const credentials = await exchangeCodeForCredentials(code);
 
    // Success!
    reporter.blank();
    reporter.success('GitHub App created!');
    reporter.blank();
    reporter.text(`  App ID:    ${chalk.cyan(credentials.id)}`);
    reporter.text(`  App Name:  ${chalk.cyan(credentials.name)}`);
    reporter.text(`  App URL:   ${chalk.cyan(credentials.htmlUrl)}`);
    reporter.blank();
 
    // Next steps - in correct order!
    const githubRepoUrl = getGitHubRepoUrl(process.cwd());
    reporter.bold('Next steps:');
    reporter.blank();
 
    // Step 1: Install the app (must happen first!)
    reporter.text(`  ${chalk.cyan('1.')} Install the app on your repository:`);
    reporter.text(`     ${chalk.cyan(credentials.htmlUrl + '/installations/new')}`);
    reporter.blank();
 
    // Step 2: Add secrets
    reporter.text(`  ${chalk.cyan('2.')} Add these secrets to your repository:`);
    Eif (githubRepoUrl) {
      reporter.text(`     ${chalk.cyan(githubRepoUrl + '/settings/secrets/actions')}`);
    }
    reporter.blank();
    reporter.text(`     ${chalk.white('WARDEN_APP_ID')}          ${credentials.id}`);
    reporter.text(`     ${chalk.white('WARDEN_PRIVATE_KEY')}     ${chalk.dim('(copy the key below)')}`);
    reporter.blank();
 
    // Private key with clear instructions
    reporter.text(`  ${chalk.cyan('Private Key')} ${chalk.dim('(copy entire block including BEGIN/END lines):')}`);
    reporter.blank();
    // Indent the private key for readability
    const pemLines = credentials.pem.trim().split('\n');
    for (const line of pemLines) {
      reporter.text(`     ${chalk.dim(line)}`);
    }
    reporter.blank();
 
    return 0;
  } catch (error) {
    const message = error instanceof Error ? error.message : String(error);
    reporter.error(message);
    reporter.blank();
 
    // Provide recovery guidance if the app might have been created
    const githubRepoUrl = getGitHubRepoUrl(process.cwd());
    reporter.text(chalk.dim('If the GitHub App was created before this error:'));
    reporter.text(chalk.dim('  1. Go to https://github.com/settings/apps' + (org ? ` (or your org's settings)` : '')));
    reporter.text(chalk.dim('  2. Find your app and click "Edit"'));
    reporter.text(chalk.dim('  3. Note the App ID from the "About" section'));
    reporter.text(chalk.dim('  4. Scroll to "Private keys" and click "Generate a private key"'));
    reporter.text(chalk.dim('  5. Install the app: click "Install App" in the sidebar'));
    reporter.text(chalk.dim('  6. Add secrets to your repository:'));
    Eif (githubRepoUrl) {
      reporter.text(chalk.dim(`     ${githubRepoUrl}/settings/secrets/actions`));
    }
    reporter.text(chalk.dim('     - WARDEN_APP_ID: your App ID'));
    reporter.text(chalk.dim('     - WARDEN_PRIVATE_KEY: contents of the downloaded .pem file'));
 
    return 1;
  } finally {
    serverHandle.close();
  }
}