Stars: 111 · Rank: 303,458 (Top 7 %) · Language: Go · License: BSD 3-Clause "New... · Created about 2 years ago · Updated 4 months ago

Repository Details

GitHub App to watch for PRs merged without a reviewer approving.

ToBeReviewed Bot

The automation in this repository supports a To-Be-Reviewed Pull Request workflow:

  • Allows a repository to enable branch protection and require pull requests while keeping flexibility for urgent submissions: an approver is not mandated before a PR can be submitted.
  • If a PR is submitted without an Approver, the bot will notice within a few minutes and file a GitHub issue requiring followup.
  • The bot notes cases where intent is clear and does not intervene. Merging someone else's PR constitutes Approval. A comment containing "LGTM" constitutes Approval.
  • The issues requiring followup carry a distinctive title, so the full population can easily be enumerated during a Compliance-related periodic audit to demonstrate that every such issue received a followup review within a reasonable amount of time.
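The approval signals in the list above, written out as an added Go example (not the bot's own code): the Review, Comment and PullRequest types, the assumption that a PR author's own "LGTM" does not count, and the followup issue title format are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal view of a merged PR; constructed types for this example, not the GitHub API's.
type Review struct {
	Reviewer string
	State    string // e.g. "APPROVED", "CHANGES_REQUESTED", "COMMENTED"
}
type Comment struct {
	Author string
	Body   string
}
type PullRequest struct {
	Number   int
	Author   string
	MergedBy string
	Reviews  []Review
	Comments []Comment
}

// needsFollowup reports whether a merged PR lacks every clear-intent signal the
// README lists (a formal approval, a merge by someone other than the author, an
// "LGTM" comment) and returns the signal found, for the audit trail. Treating
// the author's own "LGTM" as not counting is an assumption of this example.
func needsFollowup(pr PullRequest) (bool, string) {
	for _, r := range pr.Reviews {
		if r.State == "APPROVED" && r.Reviewer != pr.Author {
			return false, "approved by " + r.Reviewer
		}
	}
	if pr.MergedBy != "" && pr.MergedBy != pr.Author {
		return false, "merged by " + pr.MergedBy
	}
	for _, c := range pr.Comments {
		if c.Author != pr.Author && strings.Contains(c.Body, "LGTM") {
			return false, "LGTM from " + c.Author
		}
	}
	return true, "no approver"
}

// followupIssueTitle gives the issue a distinctive, searchable title so an audit can
// enumerate the full population; the exact wording is an assumption, not the bot's.
func followupIssueTitle(repo string, pr PullRequest) string {
	return fmt.Sprintf("TBR followup: %s#%d merged without approval", repo, pr.Number)
}
```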

Configuration variables

The bot expects to run continuously on a production system, and supports the following environment variables:

Additionally, the bot supports the following environment variables, which should ideally be handled by the secrets management infrastructure of your cloud provider:

Reducing latency using GitHub webhooks

Normally the bot wakes up every hour to check for recently submitted PRs needing followup. Its reaction to a submitted PR can be hastened by setting up a GitHub webhook for "Pull requests" events (which are sent when a PR is merged).

GitHub should be configured to deliver webhook events to https://Public-DNS-name/webhook

The bot expects to find the shared secret for validating webhook payloads in a WEBHOOK_SECRET environment variable. The shared secret is configured in the webhook in https://github.com/organizations/*ORGNAME*/settings/hooks/*WEBHOOK_ID*?tab=settings
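Validating a delivery against the shared secret before acting on it, as an added Go example rather than the bot's own code: GitHub signs each delivery in the X-Hub-Signature-256 header, and the receiver recomputes the HMAC over the raw body. The handler, the wake callback and the :8080 listen address are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"log"
	"net/http"
	"os"
	"strings"
)

const sigPrefix = "sha256="
// verifyGitHubSignature validates the X-Hub-Signature-256 header GitHub sends with
// each delivery: "sha256=" + hex(HMAC-SHA256(secret, raw body)), compared in constant time.
func verifyGitHubSignature(secret, body []byte, header string) bool {
	if !strings.HasPrefix(header, sigPrefix) {
		return false
	}
	want, err := hex.DecodeString(strings.TrimPrefix(header, sigPrefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(want, mac.Sum(nil)) // constant-time comparison
}

// webhookHandler rejects unsigned or mis-signed deliveries before anything looks at
// the body, then calls wake (a hypothetical early-check hook) for "pull_request" events.
func webhookHandler(secret []byte, wake func(body []byte)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap payload size
		if err != nil || !verifyGitHubSignature(secret, body, r.Header.Get("X-Hub-Signature-256")) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		if r.Header.Get("X-GitHub-Event") == "pull_request" {
			wake(body)
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {
	secret := []byte(os.Getenv("WEBHOOK_SECRET")) // shared secret, as the README describes
	http.Handle("/webhook", webhookHandler(secret, func([]byte) { log.Println("PR event received") }))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```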

Monitoring

When used as part of the controls for Compliance requirements, it is important to monitor whether the bot is working. Finding out on the eve of an audit that the bot has been offline for an extended period would be ruinous.

In addition to /webhook the bot also exports metrics:

  • https://Tailscale-MagicDNS-name/debug/vars in JSON format
  • https://Tailscale-MagicDNS-name/debug/varz in Prometheus metric format

The /debug endpoints can only be reached from the local Tailscale tailnet. It is reasonable to allow public Internet access to https://Public-DNS-name/ so that GitHub can deliver webhooks; TBR-bot restricts the other endpoints so they are only accessible via a private tailnet connection.

A metric of interest for monitoring is tbrbot_repos_checked, which counts the number of times the bot has checked a repository for submitted PRs. This is expected to increment at least once per hour. An alert when tbrbot_repos_checked goes N hours with no change is a reasonable way to monitor TBR-bot's operation. An example alerting rule for Grafana in a panel for the tbrbot_repos_checked metric is: WHEN diff_abs() OF query (A, 12h, now) IS BELOW 1

Hosting

The included Dockerfile and example fly.toml are suitable to run the tbr-bot hosted on fly.io.

We recommend forking this repository and making local modifications to the supplied fly.toml to set it to the name of your instance and update the environment variables to correspond to the GitHub repositories you want it to watch.

The bot needs a small amount of persistent storage for its Tailscale state, plus the various configuration and secrets described above.

$ flyctl volumes create tbrbot_data --region sjc --size 1
$ flyctl scale count 1
$ flyctl secrets set TS_AUTHKEY=... TBRBOT_APP_ID=... TBRBOT_APP_INSTALL=...
$ flyctl secrets set TBRBOT_WEBHOOK_SECRET=...
$ flyctl secrets set TBRBOT_APP_PRIVATE_KEY=- < pem
$ flyctl ips allocate-v6
$ flyctl ips allocate-v4

We recommend using a one-time authkey with Tags set to authorize the bot to join the tailnet. Once the bot has run once and written its state to persistent storage, the TS_AUTHKEY secret should be removed.

Contributing

PRs welcome! But please file bugs. Commit messages should reference bugs.

We require Developer Certificate of Origin Signed-off-by lines in commits.
