feat: add GitHub App configuration (env vars, coder template, triggers) (#91)

* feat: add GitHub App configuration (env vars, coder template, triggers)

Add the three GitHub App environment variables (GITHUB_APP_ID,
GITHUB_APP_PRIVATE_KEY, GITHUB_APP_WEBHOOK_SECRET) to:
- .env.example with documentation on required App permissions and events
- coder-template/main.tf as workspace parameters wired to both the
  agent env block and container env block

Add github_app triggers to opentower.config.json:
- github-app-event: issues, pull_request, check_suite:completed,
  workflow_run:completed, push (mirrors github-event)
- github-app-comment: PR review comments, issue comments, PR reviews
  with $BOT_LOGIN self-loop guard (mirrors github-comment)

Both trigger sets use source: "github_app" so they route through
the GithubAppHandler which uses installation tokens for entity
enrichment API calls.

* chore(coder-template): increase memory limit to 8Gi and disk to 50Gi

- Memory: requests 1Gi -> 2Gi, limits 4Gi -> 8Gi
- PVC storage: 10Gi -> 50Gi

Author: MathurAditya724

.env.example

@@ -81,6 +81,22 @@ GITHUB_WEBHOOK_SECRET=
 # If GH_TOKEN is unset or invalid, $BOT_LOGIN won't be substituted
 # (the self-loop guard is degraded). Set GH_TOKEN for autonomous flows.
 
+# === Optional: GitHub App authentication ===
+# Alternative to org-level webhooks + PAT. A GitHub App uses JWT-based
+# auth with per-installation tokens. Create an app at
+# https://github.com/settings/apps with these permissions:
+#   Contents (read & write), Issues (read & write),
+#   Pull requests (read & write), Checks (read), Actions (read & write)
+# Subscribe to events: check_suite, issue_comment, issues, pull_request,
+#   pull_request_review, pull_request_review_comment, push, workflow_run
+#
+# All three variables are required to enable the GitHub App handler.
+# The private key is the PEM file generated when creating the app;
+# literal \n in the value is auto-converted to real newlines.
+# GITHUB_APP_ID=
+# GITHUB_APP_PRIVATE_KEY=
+# GITHUB_APP_WEBHOOK_SECRET=
+
 # Override the bundled opentower.config.json with one of your own. Default
 # resolves to ~/.config/opencode/opentower.config.json (the baked-in file).
 # Point this at a path on the persistent ~/dev volume to customize

coder-template/main.tf

@@ -81,6 +81,36 @@ data "coder_parameter" "github_webhook_secret" {
   order        = 2
 }
 
+data "coder_parameter" "github_app_id" {
+  name         = "github_app_id"
+  display_name = "GitHub App ID"
+  description  = "App ID from the GitHub App settings page. Required for GitHub App webhook handler."
+  type         = "string"
+  mutable      = true
+  default      = ""
+  order        = 4
+}
+
+data "coder_parameter" "github_app_private_key" {
+  name         = "github_app_private_key"
+  display_name = "GitHub App Private Key"
+  description  = "PEM private key generated when creating the GitHub App. Literal \\n is auto-converted to newlines."
+  type         = "string"
+  mutable      = true
+  default      = ""
+  order        = 5
+}
+
+data "coder_parameter" "github_app_webhook_secret" {
+  name         = "github_app_webhook_secret"
+  display_name = "GitHub App Webhook Secret"
+  description  = "Webhook secret configured in the GitHub App settings. Used for HMAC signature verification."
+  type         = "string"
+  mutable      = true
+  default      = ""
+  order        = 6
+}
+
 data "coder_parameter" "webhook_port" {
   name         = "webhook_port"
   display_name = "Webhook Port"
@@ -183,7 +213,7 @@ resource "kubernetes_persistent_volume_claim_v1" "dev" {
     access_modes = ["ReadWriteOnce"]
     resources {
       requests = {
-        storage = "10Gi"
+        storage = "50Gi"
       }
     }
   }
@@ -206,8 +236,11 @@ resource "coder_agent" "main" {
     GEMINI_API_KEY        = data.coder_parameter.gemini_api_key.value
     GROQ_API_KEY          = data.coder_parameter.groq_api_key.value
     OPENROUTER_API_KEY    = data.coder_parameter.openrouter_api_key.value
-    GITHUB_WEBHOOK_SECRET = data.coder_parameter.github_webhook_secret.value
-    EMAIL_WEBHOOK_SECRET  = data.coder_parameter.email_webhook_secret.value
+    GITHUB_WEBHOOK_SECRET      = data.coder_parameter.github_webhook_secret.value
+    GITHUB_APP_ID              = data.coder_parameter.github_app_id.value
+    GITHUB_APP_PRIVATE_KEY     = data.coder_parameter.github_app_private_key.value
+    GITHUB_APP_WEBHOOK_SECRET  = data.coder_parameter.github_app_webhook_secret.value
+    EMAIL_WEBHOOK_SECRET       = data.coder_parameter.email_webhook_secret.value
     WEBHOOK_PORT          = tostring(data.coder_parameter.webhook_port.value)
     OPENTOWER_API_TOKEN   = data.coder_parameter.opentower_api_token.value
     SENTRY_DSN            = data.coder_parameter.sentry_dsn.value
@@ -441,6 +474,18 @@ resource "kubernetes_deployment_v1" "workspace" {
             name  = "GITHUB_WEBHOOK_SECRET"
             value = data.coder_parameter.github_webhook_secret.value
           }
+          env {
+            name  = "GITHUB_APP_ID"
+            value = data.coder_parameter.github_app_id.value
+          }
+          env {
+            name  = "GITHUB_APP_PRIVATE_KEY"
+            value = data.coder_parameter.github_app_private_key.value
+          }
+          env {
+            name  = "GITHUB_APP_WEBHOOK_SECRET"
+            value = data.coder_parameter.github_app_webhook_secret.value
+          }
           env {
             name  = "EMAIL_WEBHOOK_SECRET"
             value = data.coder_parameter.email_webhook_secret.value
@@ -469,11 +514,11 @@ resource "kubernetes_deployment_v1" "workspace" {
           resources {
             requests = {
               "cpu"    = "500m"
-              "memory" = "1Gi"
+              "memory" = "2Gi"
             }
             limits = {
               "cpu"    = "4"
-              "memory" = "4Gi"
+              "memory" = "8Gi"
             }
           }
 

opentower.config.json

@@ -31,6 +31,31 @@
       "event": ["email.*"],
       "agent": "jared",
       "prompt_template": "An email was received. Read it and decide what to do. It could be a GitHub notification, a Sentry alert, a forwarded issue, or anything else. Use the email content to determine the appropriate action.\n\nDelivery: {{ delivery_id }}\n\nFrom: {{ payload.from }}\nTo: {{ payload.to }}\nSubject: {{ payload.subject }}\nMessage-ID: {{ payload.message_id }}\nIn-Reply-To: {{ payload.in_reply_to }}\nReferences: {{ payload.references }}\nList-ID: {{ payload.list_id }}\nX-GitHub-Reason: {{ payload.x_github_reason }}\nX-GitHub-Sender: {{ payload.x_github_sender }}\n\nBody:\n{{ payload.body_text }}"
+    },
+    {
+      "name": "github-app-event",
+      "source": "github_app",
+      "event": [
+        "issues",
+        "pull_request",
+        "check_suite:completed",
+        "workflow_run:completed",
+        "push"
+      ],
+      "agent": "jared",
+      "prompt_template": "A GitHub webhook just arrived. Read the payload and decide what to do.\n\nEvent: {{ event }}\nAction: {{ action }}\nDelivery: {{ delivery_id }}\n\nPayload:\n{{ payload }}"
+    },
+    {
+      "name": "github-app-comment",
+      "source": "github_app",
+      "event": [
+        "pull_request_review_comment",
+        "issue_comment",
+        "pull_request_review"
+      ],
+      "agent": "jared",
+      "ignore_authors": ["$BOT_LOGIN"],
+      "prompt_template": "A GitHub webhook just arrived. Read the payload and decide what to do.\n\nEvent: {{ event }}\nAction: {{ action }}\nDelivery: {{ delivery_id }}\n\nPayload:\n{{ payload }}"
     }
   ]
 }