This is a submission for the Pulumi Deploy and Document Challenge: Get Creative with Pulumi and GitHub
What I Built
Auto-Labeler Bot: A GitHub automation tool that uses Pulumi to deploy a CI/CD pipeline with:
- AI-powered issue labeling (via AWS Comprehend)
- Auto-generated PR templates based on issue content
- Dynamic milestone assignment based on labels
- Security checks for sensitive keywords
Key Files:
- main.py: Core Pulumi program
- labeler_bot.py: GitHub App logic using Automation API
- ci-cd-pipeline.yaml: GitHub Actions workflow
- README.md: Setup guide & threat model
My Journey
First Hurdle: Authentication Circus
Tried 3 different token approaches before realizing Pulumi's aws.iam.Role could simplify permissions.
Key Prompt:
"Show me how to create a GitHub repository with a CODEOWNERS file and deployment protection rules using Pulumi"
Breakthrough:
Used Pulumi's GitHubRepositoryWebhook resource to connect the bot to GitHub's Events API without exposing secrets in code!
Using Pulumi with GitHub
Why Pulumi?
- Version-controlled infrastructure for GitHub workflows
- Multi-repository management across teams
- Secret encryption using Pulumi's Secrets Manager
SDK Gems:
import pulumi
import pulumi_github as github

# The webhook secret is read from Pulumi config (set it with
# `pulumi config set --secret webhookSecret ...`; the key name is an assumption),
# so it is stored encrypted in the stack and never appears in source.
webhook_secret = pulumi.Config().require_secret("webhookSecret")

# Create repository with security policies
repo = github.Repository("secure-app",
    visibility="private",
    allow_merge_commit=False,
    allow_rebase_merge=True)

# Auto-labeler webhook setup
webhook = github.RepositoryWebhook("issue-labeler",
    repository=repo.name,  # the provider is scoped to the owner, so pass the bare repo name
    events=["issues"],
    active=True,
    configuration={
        "url": "https://labeler-bot.example.com/webhook",
        "content_type": "json",
        # Lets the bot verify the X-Hub-Signature-256 header on every delivery
        "secret": webhook_secret,
    })
Security Wins:
- GitHub App credentials stored in Pulumi Secrets Manager
- Deployment protection rules blocking force-pushes
- Automated Dependabot alerts
Documentation Highlights (From README)
Step 1: Deploy with Pulumi
pulumi up --config github:token=your_personal_access_token
Step 2: Configure Webhook
curl -X POST -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  -H "Content-Type: application/json" \
  https://api.github.com/repos/yourusername/auto-labeler-bot/hooks \
  -d '{"name": "web", "events": ["issues"], "active": true,
       "config": {"url": "https://labeler-bot.example.com/webhook",
                  "content_type": "json", "secret": "YOUR_WEBHOOK_SECRET"}}'
Step 3: Customize Rules (YAML snippet)
label_rules:
  - keywords: ["urgent", "security"]
    priority: P0
    assignees: ["security-team"]
  - keywords: ["bug"]
    add_labels: ["bug", "needs-triage"]
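As an added example (not the project's own code), here is how the bot behind the webhook could consume the rules above: it verifies GitHub's X-Hub-Signature-256 header with the webhook secret before parsing the payload, then applies the label_rules from Step 3 to the issue. The rules are embedded as an already-parsed constructed list, and the header names and status handling are assumptions about the bot's HTTP layer.

```python
import hashlib
import hmac
import json

# Constructed rules in the same shape as the README's label_rules YAML,
# already parsed (a real bot would load them with yaml.safe_load).
LABEL_RULES = [
    {"keywords": ["urgent", "security"], "priority": "P0", "assignees": ["security-team"]},
    {"keywords": ["bug"], "add_labels": ["bug", "needs-triage"]},
]


def sign_body(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub sends in X-Hub-Signature-256 for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Constant-time check of the header so a forged signature cannot be refined by timing."""
    if not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature_header)


def apply_label_rules(issue: dict, rules=LABEL_RULES) -> dict:
    """Match rule keywords against the issue title and body; return what to apply."""
    text = f"{issue.get('title', '')} {issue.get('body') or ''}".lower()
    labels, assignees, priority = set(), set(), None
    for rule in rules:
        if not any(kw.lower() in text for kw in rule["keywords"]):
            continue
        labels.update(rule.get("add_labels", []))
        assignees.update(rule.get("assignees", []))
        if "priority" in rule:
            # Keep the most urgent priority seen (P0 outranks P1, and so on).
            priority = min(priority or rule["priority"], rule["priority"])
    return {"labels": sorted(labels), "assignees": sorted(assignees), "priority": priority}


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> dict:
    """Reject unauthenticated deliveries, then run the rules over an issue event."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return {"status": 401, "error": "bad signature"}  # checked before parsing JSON
    if headers.get("X-GitHub-Event") != "issues":
        return {"status": 204}  # the webhook subscribes to issue events only
    payload = json.loads(body)
    if payload.get("action") not in ("opened", "edited"):
        return {"status": 204}
    return {"status": 200, **apply_label_rules(payload["issue"])}
```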
Troubleshooting Tips:
⚠️ Ensure GitHub App has contents:read scope
⚠️ Validate webhook URLs with ngrok during testing
⚠️ Monitor AWS Comprehend API costs
Why This Matters
Traditional approaches to GitHub automation:
🚫 Require manual YAML configuration
🚫 Hardcode security policies
🚫 Can’t adapt to new patterns
Our solution:
🤖 Self-healing workflows that evolve with your codebase
🔒 Secrets managed through Pulumi’s secret system
🌐 Easily extendable with custom NLP models
Special Thanks
Big shoutout to the Pulumi Community Slack for helping debug event payload parsing – special thanks to @github_guru for the GitHubEventFilter tip!
Turning boring workflows into smart automation since 2023 🤖