This is a submission for the Pulumi Deploy and Document Challenge: Get Creative with Pulumi and GitHub
What I Built
Auto-Labeler Bot: A GitHub automation tool that uses Pulumi to deploy a CI/CD pipeline with:
- AI-powered issue labeling (via AWS Comprehend)
- Auto-generated PR templates based on issue content
- Dynamic milestone assignment based on labels
- Security checks for sensitive keywords
Key Files:
- main.py: Core Pulumi program
- labeler_bot.py: GitHub App logic using Automation API
- ci-cd-pipeline.yaml: GitHub Actions workflow
- README.md: Setup guide & threat model
My Journey
First Hurdle: Authentication Circus
Tried 3 different token approaches before realizing Pulumi's aws.iam.Role could simplify permissions.
Key Prompt:
"Show me how to create a GitHub repository with a CODEOWNERS file and deployment protection rules using Pulumi"
Breakthrough:
Used Pulumi's GitHubRepositoryWebhook resource to connect the bot to GitHub's Events API without exposing secrets in code!
Using Pulumi with GitHub
Why Pulumi?
- Version-controlled infrastructure for GitHub workflows
- Multi-repository management across teams
- Secret encryption using Pulumi's Secrets Manager
SDK Gems:

```python
import pulumi_github as github

# Create repository with security policies
repo = github.Repository(
    "secure-app",
    visibility="private",
    allow_merge_commit=False,
    allow_rebase_merge=True,
)

# Auto-labeler webhook setup.
# RepositoryWebhook takes the repository *name* (owner comes from the provider),
# not the "owner/name" full_name.
webhook = github.RepositoryWebhook(
    "issue-labeler",
    repository=repo.name,
    events=["issues"],
    active=True,
    configuration={
        "url": "https://labeler-bot.example.com/webhook",
        "content_type": "json",
    },
)
```
Security Wins:
- GitHub App credentials stored in Pulumi Secrets Manager
- Deployment protection rules blocking force-pushes
- Automated dependabot alerts
Documentation Highlights (From README)
Step 1: Deploy with Pulumi

```shell
pulumi up --config github:token=your_personal_access_token
```
Step 2: Configure Webhook

```shell
# Creating a hook requires a JSON body; the config mirrors the Pulumi webhook above.
curl -X POST \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/yourusername/auto-labeler-bot/hooks \
  -d '{"name": "web", "active": true, "events": ["issues"], "config": {"url": "https://labeler-bot.example.com/webhook", "content_type": "json"}}'
```
Step 3: Customize Rules (YAML snippet)

```yaml
label_rules:
  - keywords: ["urgent", "security"]
    priority: P0
    assignees: ["security-team"]
  - keywords: ["bug"]
    add_labels: ["bug", "needs-triage"]
```
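To show how the webhook from the SDK snippet and the rules from Step 3 fit together, here is an added example of a minimal issues-event handler. It is my own illustration, not code from labeler_bot.py: the rule engine, the function names, the webhook secret and the sample payload are all assumptions. It first verifies GitHub's X-Hub-Signature-256 header (an HMAC-SHA256 of the raw body) so that only payloads signed with the configured secret are acted on, then applies the keyword rules to the issue title and body.

```python
import hashlib
import hmac
import json

# Constructed: the parsed form of the label_rules YAML from Step 3.
LABEL_RULES = [
    {"keywords": ["urgent", "security"], "priority": "P0", "assignees": ["security-team"]},
    {"keywords": ["bug"], "add_labels": ["bug", "needs-triage"]},
]


def sign(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub sends in X-Hub-Signature-256 for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Constant-time check of the webhook signature against the raw request body."""
    if not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), signature_header)


def apply_rules(title: str, body: str, rules=LABEL_RULES) -> dict:
    """Evaluate every rule whose keywords appear in the issue text (case-insensitive)."""
    text = f"{title}\n{body}".lower()
    labels, assignees, priority = set(), set(), None
    for rule in rules:
        if not any(k.lower() in text for k in rule["keywords"]):
            continue
        labels.update(rule.get("add_labels", []))
        assignees.update(rule.get("assignees", []))
        p = rule.get("priority")
        # Keep the most urgent priority seen; "P0" sorts before "P1" lexically.
        if p is not None and (priority is None or p < priority):
            priority = p
    return {"labels": sorted(labels), "assignees": sorted(assignees), "priority": priority}


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes) -> dict:
    """Reject unsigned/tampered payloads, ignore irrelevant events, label the rest."""
    if not verify_signature(secret, raw_body, headers.get("X-Hub-Signature-256", "")):
        return {"status": 401, "reason": "bad signature"}
    if headers.get("X-GitHub-Event") != "issues":
        return {"status": 204, "reason": "ignored event"}
    payload = json.loads(raw_body)
    if payload.get("action") not in ("opened", "edited"):
        return {"status": 204, "reason": "ignored action"}
    issue = payload["issue"]
    decision = apply_rules(issue.get("title", ""), issue.get("body") or "")
    return {"status": 200, "issue": issue["number"], **decision}


# Constructed sample: a trimmed-down "issues" event as GitHub would POST it.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "opened",
    "issue": {
        "number": 42,
        "title": "Urgent: token leaked in CI logs",
        "body": "Possible security bug in the release job.",
    },
}).encode()


def demo() -> dict:
    headers = {"X-GitHub-Event": "issues", "X-Hub-Signature-256": sign(SAMPLE_SECRET, SAMPLE_BODY)}
    return handle_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY)


if __name__ == "__main__":
    print(demo())
```

The secret used for the signature check is the same value you would set on the webhook (in Pulumi, via a secret config value rather than a literal), and the comparison uses hmac.compare_digest so a forged header cannot be probed byte by byte.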
Troubleshooting Tips:
⚠️ Ensure GitHub App has contents:read scope
⚠️ Validate webhook URLs with ngrok during testing
⚠️ Monitor AWS Comprehend API costs
Why This Matters
Traditional approaches to GitHub automation:
🚫 Require manual YAML configuration
🚫 Hardcode security policies
🚫 Can’t adapt to new patterns
Our solution:
🤖 Self-healing workflows that evolve with your codebase
🔒 Secrets managed through Pulumi’s secret system
🌐 Easily extendable with custom NLP models
Special Thanks
Big shoutout to the Pulumi Community Slack for helping debug event payload parsing – special thanks to @github_guru for the GitHubEventFilter tip!
Turning boring workflows into smart automation since 2023 🤖