GitHub Apps are a GitHub’s preferred way to build more sophisticated functionality on top of GitHub. GitHub apps are a separate concept from GitHub OAuth Apps, which causes a lot of confusion.

Here’s how you can think of the difference: GitHub OAuth Apps can act on behalf of a user, but GitHub Apps are distinct “users” that can act on their own. If you authorize a GitHub OAuth App and that app posts on an issue, it looks as if you posted it. But if you install a GitHub App and that app posts on an issue, the post comes from a distinct user.

Getting Started

Let’s build a GitHub app that enforces pinning exact dependencies in package.json: no ^, >=, or *.

Go to your GitHub developer settings and create a new GitHub App. Make sure to note your GitHub App ID, Client ID, and Client secret.

You should also set up your webhook URL. Another key difference between apps and OAuth apps is that GitHub lets you configure a webhook that GitHub posts to every time an event occurs. This lets your app react to GitHub activity, like checking package.json whenever there’s a push to master.

You can set up a minimal Express server on an EC2 instance and point the GitHub webhook to it.

const express = require('express');

const app = express();
app.use(express.json());

app.post('/github', function(req, res) {
  console.log('Github post', req.body);
  res.json({ ok: 1 }); // Doesn't matter, can be any response
});

app.listen(80);

Once you’ve created the app, go to Developer Settings > Install App, and install the app on your personal account.

Once you click install, you should see the below screen. To avoid getting hooks for all of your GitHub activity, just install the app with access to a test repo as shown below.

When you make a commit and git push origin master to your test repo, GitHub will send an HTTP post to your endpoint, and you’ll get the below request body. For brevity, I excluded a bunch of irrelevant information from the request body.

#github #node #web-development #programming