fix(build-worker): use GitHub PAT from Parameter Store instead of env var #12

Merged: llama90 merged 4 commits into main from feature/build-worker-integration on Dec 30, 2025

@llama90 llama90 commented Dec 30, 2025

Summary

Fixes SSM parameter access issue where build worker couldn't retrieve GitHub PAT for repository_dispatch API.

Problem

Build worker was using a temporary GITHUB_TOKEN environment variable workaround because SSM parameter access wasn't implemented.

Solution

Added getGitHubToken() function

  • Retrieves GitHub PAT from /laco/cmn/github/pat/cloud-apps (common environment)
  • Uses direct parameter path instead of getSecret() to avoid environment-specific prefix
  • Supports local development with GITHUB_PAT_CLOUD_APPS env var

Code Changes

  • secrets.ts: New getGitHubToken() function with SSM integration
  • build/index.ts: Remove TODO comments and use getGitHubToken() instead of env var

IAM Permissions

Requires Lambda IAM role to have SSM parameter access (configured in cloud-sandbox PR):

{
  effect = "Allow"
  actions = ["ssm:GetParameter"]
  resources = ["arn:aws:ssm:ca-central-1:*:parameter/laco/cmn/github/pat/cloud-apps"]
}

GitHub PAT Permissions

The PAT must have these permissions (see cloud-control-plane PR for guide):

  • ✅ Contents: Read and write
  • ✅ Actions: Read and write
  • ✅ Workflows: Read and write
  • ✅ Metadata: Read-only

Testing

✅ Tested via Slack /build command - successfully triggers GitHub Actions workflow

Related PRs

  • cloud-sandbox: Build worker infrastructure
  • cloud-control-plane: GitHub OIDC and secrets

🤖 Generated with Claude Code
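
The lookup order laid out in the description above (local env var first, then the fixed common-environment parameter path, plus the caching named in the follow-up commit), written as an added example that is not the code from secrets.ts. The SSM call is injected as `fetchParameter`, a hypothetical stand-in for a GetParameter request with decryption enabled; the factory name, TTL and error text are assumptions.

```typescript
// Added example; not the code from secrets.ts.
// fetchParameter is a hypothetical stand-in for an SSM GetParameter call made
// with decryption enabled, injected so the logic runs without AWS access.
type FetchParameter = (name: string) => Promise<string | undefined>;
type Env = Record<string, string | undefined>;

// Both names come from the PR description.
const GITHUB_PAT_PARAMETER = "/laco/cmn/github/pat/cloud-apps";
const LOCAL_ENV_VAR = "GITHUB_PAT_CLOUD_APPS";

function createGitHubTokenGetter(
  fetchParameter: FetchParameter,
  env: Env,
  ttlMs: number = 5 * 60 * 1000, // assumed cache lifetime
  now: () => number = () => Date.now(),
): () => Promise<string> {
  let cached: { value: string; expiresAt: number } | undefined;

  return async function getGitHubToken(): Promise<string> {
    // Local development: a non-empty env var wins and SSM is never called.
    const local = (env[LOCAL_ENV_VAR] ?? "").trim();
    if (local !== "") return local;

    // Warm invocations reuse the token until the TTL lapses, so a rotated
    // PAT is picked up without redeploying.
    if (cached !== undefined && cached.expiresAt > now()) return cached.value;

    // Fixed path: the PAT lives in the common environment, so no
    // environment-specific prefix is applied.
    const value = ((await fetchParameter(GITHUB_PAT_PARAMETER)) ?? "").trim();
    if (value === "") {
      // Fail closed, and name only the path: the token value is never logged.
      throw new Error(`GitHub PAT not available at ${GITHUB_PAT_PARAMETER}`);
    }
    cached = { value, expiresAt: now() + ttlMs };
    return value;
  };
}
```

In a Lambda the getter would be created once at module scope so the cache survives warm invocations, with `fetchParameter` wrapping the SSM client.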

… var

- Add getGitHubToken() function to retrieve PAT from common environment
- GitHub PAT stored at /laco/cmn/github/pat/cloud-apps (cross-environment)
- Support local development with GITHUB_PAT_CLOUD_APPS env var
- Remove TODO comments and temporary GITHUB_TOKEN workaround

This fixes the SSM parameter access issue where the build worker
couldn't access the GitHub PAT needed for repository_dispatch API.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Copilot AI left a comment

Pull request overview

This PR replaces the temporary GITHUB_TOKEN environment variable workaround with proper AWS Systems Manager (SSM) Parameter Store integration for retrieving the GitHub PAT used to trigger repository_dispatch API calls.

Key Changes:

  • Added getGitHubToken() function to retrieve GitHub PAT from SSM Parameter Store path /laco/cmn/github/pat/cloud-apps
  • Removed TODO comments and temporary environment variable workaround in build worker
  • Supports local development via GITHUB_PAT_CLOUD_APPS environment variable

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| applications/chatops/slack-bot/src/shared/secrets.ts | Adds new getGitHubToken() function to retrieve GitHub PAT from common SSM parameter path with local development fallback |
| applications/chatops/slack-bot/src/workers/build/index.ts | Replaces temporary GITHUB_TOKEN environment variable with proper getGitHubToken() call and removes TODO comments |

Copilot AI commented Dec 30, 2025

@llama90 I've opened a new pull request, #13, to work on those changes. Once the pull request is ready, I'll request review from you.

- Initial plan
- feat: add caching to getGitHubToken() function
- fix: use parameterPath variable instead of hardcoded value in log

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: llama90 <6668548+llama90@users.noreply.github.com>
@llama90 llama90 merged commit 06d38e9 into main Dec 30, 2025
5 checks passed
@llama90 llama90 deleted the feature/build-worker-integration branch December 30, 2025 01:44