This sample app showcases how webhooks can be used with a GitHub App's installation token to create a bot that responds to issues. Code uses octokit.js.
- Node.js 20 or higher
- A GitHub App subscribed to Pull Request events and with the following permissions:
  - Pull requests: Read & write
  - Metadata: Read-only
- (For local development) A tunnel to expose your local server to the internet (e.g. smee, ngrok or cloudflared)
- Your GitHub App Webhook must be configured to receive events at a URL that is accessible from the internet.
- Clone this repository.
- Create a `.env` file similar to `.env.example` and set actual values. If you are using GitHub Enterprise Server, also include a `ENTERPRISE_HOSTNAME` variable and set the value to the name of your GitHub Enterprise Server instance.
- Install dependencies with `npm install`.
- Start the server with `npm run server`.
- Ensure your server is reachable from the internet.
  - If you're using `smee`, run `smee -u <smee_url> -t http://localhost:3000/api/webhook`.
- Ensure your GitHub App includes at least one repository on its installations.
With your server running, you can now create a pull request on any repository that your app can access. GitHub will emit a `pull_request.opened` event and will deliver the corresponding Webhook payload to your server.

The server in this example listens for `pull_request.opened` events and acts on them by creating a comment on the pull request, with the message in `message.md`, using the octokit.js rest methods.
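Because the webhook endpoint is reachable from the internet, a handler should authenticate each delivery before acting on it. The following is an added example, not code from this sample app: it checks the `X-Hub-Signature-256` HMAC and the `X-GitHub-Event` header before deciding to comment. It assumes a webhook secret is configured on the GitHub App; the function names and sample values are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Returns true only when signatureHeader ("sha256=<hex>") is the
// HMAC-SHA256 of the raw request body under the webhook secret.
function verifySignature(secret, rawBody, signatureHeader) {
  if (typeof signatureHeader !== "string") return false;
  const match = /^sha256=([0-9a-f]{64})$/.exec(signatureHeader);
  if (!match) return false; // missing prefix, wrong length or non-hex
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(match[1], "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, received);
}

// Decide whether a delivery should trigger the pull request comment.
// headers: lower-cased header map, as Node's http module provides.
// rawBody: the exact bytes received, before any JSON parsing.
function shouldComment(secret, headers, rawBody) {
  if (!verifySignature(secret, rawBody, headers["x-hub-signature-256"])) {
    return false; // unsigned or tampered: drop before parsing
  }
  if (headers["x-github-event"] !== "pull_request") return false;
  let payload;
  try {
    payload = JSON.parse(rawBody.toString("utf8"));
  } catch {
    return false; // signed but not valid JSON
  }
  return payload !== null && payload.action === "opened";
}

// Constructed sample delivery (not real GitHub data).
const SAMPLE_SECRET = "constructed-test-secret";
const SAMPLE_BODY = Buffer.from(JSON.stringify({ action: "opened", number: 1 }));
const SAMPLE_HEADERS = {
  "x-github-event": "pull_request",
  "x-hub-signature-256":
    "sha256=" +
    crypto.createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex"),
};

console.log("act on sample delivery:", shouldComment(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY));
```

The signature is computed over the raw bytes, so the check has to run before any body parser re-serializes the payload.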
To keep things simple, this example reads the `GITHUB_APP_PRIVATE_KEY` from the environment. A more secure and recommended approach is to use a secrets management system like Vault, or one offered by major cloud providers: Azure Key Vault, AWS Secrets Manager, Google Secret Manager, etc.