Implement gh app installation flow

Author: myftija

apps/webapp/app/env.server.ts

@@ -59,6 +59,12 @@ const EnvironmentSchema = z.object({
   SMTP_USER: z.string().optional(),
   SMTP_PASSWORD: z.string().optional(),
 
+  // GitHub App
+  GITHUB_APP_ID: z.string(),
+  GITHUB_APP_PRIVATE_KEY: z.string(),
+  GITHUB_APP_WEBHOOK_SECRET: z.string(),
+  GITHUB_APP_SLUG: z.string(),
+
   PLAIN_API_KEY: z.string().optional(),
   WORKER_SCHEMA: z.string().default("graphile_worker"),
   WORKER_CONCURRENCY: z.coerce.number().int().default(10),

apps/webapp/app/routes/_app.github.callback/route.tsx

@@ -0,0 +1,74 @@
+import { type LoaderFunctionArgs } from "@remix-run/node";
+import { z } from "zod";
+import { validateGitHubAppInstallSession } from "~/services/gitHubSession.server";
+import { linkGitHubAppInstallation } from "~/services/gitHub.server";
+import { logger } from "~/services/logger.server";
+import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/message.server";
+import { tryCatch } from "@trigger.dev/core";
+
+const QuerySchema = z.object({
+  installation_id: z.coerce.number(),
+  setup_action: z.enum(["install", "update", "request"]),
+  state: z.string(),
+});
+
+export async function loader({ request }: LoaderFunctionArgs) {
+  const url = new URL(request.url);
+  const queryParams = Object.fromEntries(url.searchParams);
+  const cookieHeader = request.headers.get("Cookie");
+
+  const result = QuerySchema.safeParse(queryParams);
+
+  if (!result.success) {
+    logger.warn("GitHub App callback with invalid params", {
+      queryParams,
+    });
+    return redirectWithErrorMessage("/", request, "Failed to install GitHub App");
+  }
+
+  const { installation_id, setup_action, state } = result.data;
+
+  const sessionResult = await validateGitHubAppInstallSession(cookieHeader, state);
+
+  if (!sessionResult.valid) {
+    logger.error("GitHub App callback with invalid session", {
+      state,
+      installation_id,
+      error: sessionResult.error,
+    });
+
+    return redirectWithErrorMessage("/", request, "Failed to install GitHub App");
+  }
+
+  const { organizationId, redirectTo } = sessionResult;
+
+  switch (setup_action) {
+    case "install":
+    case "update": {
+      const [error] = await tryCatch(linkGitHubAppInstallation(installation_id, organizationId));
+
+      if (error) {
+        logger.error("Failed to link GitHub App installation", {
+          error,
+        });
+        return redirectWithErrorMessage(redirectTo, request, "Failed to install GitHub App");
+      }
+
+      return redirectWithSuccessMessage(redirectTo, request, "GitHub App installed successfully");
+    }
+
+    case "request": {
+      // This happens when a non-admin user requests installation
+      // The installation_id won't be available until an admin approves
+      logger.info("GitHub App installation requested, awaiting approval", {
+        state,
+      });
+
+      return redirectWithSuccessMessage(redirectTo, request, "GitHub App installation requested");
+    }
+
+    default:
+      setup_action satisfies never;
+      return redirectWithErrorMessage(redirectTo, request, "Failed to install GitHub App");
+  }
+}

apps/webapp/app/routes/_app.github.install/route.tsx

@@ -0,0 +1,49 @@
+import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { redirect } from "remix-typedjson";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { createGitHubAppInstallSession } from "~/services/gitHubSession.server";
+import { requireUser } from "~/services/session.server";
+import { newOrganizationPath } from "~/utils/pathBuilder";
+import { logger } from "~/services/logger.server";
+
+const QuerySchema = z.object({
+  org_slug: z.string(),
+  redirect_to: z.string(),
+});
+
+export const loader = async ({ request }: LoaderFunctionArgs) => {
+  const searchParams = new URL(request.url).searchParams;
+  const parsed = QuerySchema.safeParse(Object.fromEntries(searchParams));
+
+  if (!parsed.success) {
+    logger.warn("GitHub App installation redirect with invalid params", {
+      searchParams,
+      error: parsed.error,
+    });
+    throw redirect("/");
+  }
+
+  const { org_slug, redirect_to } = parsed.data;
+  const user = await requireUser(request);
+
+  const org = await $replica.organization.findFirst({
+    where: { slug: org_slug, members: { some: { userId: user.id } }, deletedAt: null },
+    orderBy: { createdAt: "desc" },
+    select: {
+      id: true,
+    },
+  });
+
+  if (!org) {
+    throw redirect(newOrganizationPath());
+  }
+
+  const { url, cookieHeader } = await createGitHubAppInstallSession(org.id, redirect_to);
+
+  return redirect(url, {
+    headers: {
+      "Set-Cookie": cookieHeader,
+    },
+  });
+};

apps/webapp/app/services/gitHub.server.ts

@@ -0,0 +1,73 @@
+import { App, type Octokit } from "octokit";
+import { env } from "../env.server";
+import { prisma } from "~/db.server";
+
+export const githubApp = new App({
+  appId: env.GITHUB_APP_ID,
+  privateKey: env.GITHUB_APP_PRIVATE_KEY,
+  webhooks: {
+    secret: env.GITHUB_APP_WEBHOOK_SECRET,
+  },
+});
+
+/**
+ * Links a GitHub App installation to a Trigger organization
+ */
+export async function linkGitHubAppInstallation(
+  installationId: number,
+  organizationId: string
+): Promise<void> {
+  const octokit = await githubApp.getInstallationOctokit(installationId);
+  const { data: installation } = await octokit.rest.apps.getInstallation({
+    installation_id: installationId,
+  });
+
+  const repositories = await fetchInstallationRepositories(octokit, installationId);
+
+  const repositorySelection = installation.repository_selection === "all" ? "ALL" : "SELECTED";
+
+  await prisma.githubAppInstallation.create({
+    data: {
+      appInstallationId: installationId,
+      organizationId,
+      targetId: installation.target_id,
+      targetType: installation.target_type,
+      permissions: installation.permissions,
+      repositorySelection,
+      repositories: {
+        create: repositories,
+      },
+    },
+  });
+}
+
+async function fetchInstallationRepositories(octokit: Octokit, installationId: number) {
+  const all = [];
+  let page = 1;
+  const perPage = 100;
+  const maxPages = 3;
+
+  while (page <= maxPages) {
+    const { data: repoData } = await octokit.rest.apps.listReposAccessibleToInstallation({
+      installation_id: installationId,
+      per_page: perPage,
+      page,
+    });
+
+    all.push(...repoData.repositories);
+
+    if (repoData.repositories.length < perPage) {
+      break;
+    }
+
+    page++;
+  }
+
+  return all.map((repo) => ({
+    githubId: repo.id,
+    name: repo.name,
+    fullName: repo.full_name,
+    htmlUrl: repo.html_url,
+    private: repo.private,
+  }));
+}

apps/webapp/app/services/gitHubSession.server.ts

@@ -0,0 +1,120 @@
+import { createCookieSessionStorage } from "@remix-run/node";
+import { randomBytes } from "crypto";
+import { env } from "../env.server";
+import { logger } from "./logger.server";
+
+const sessionStorage = createCookieSessionStorage({
+  cookie: {
+    name: "__github_app_install",
+    httpOnly: true,
+    maxAge: 60 * 60, // 1 hour
+    path: "/",
+    sameSite: "lax",
+    secrets: [env.SESSION_SECRET],
+    secure: env.NODE_ENV === "production",
+  },
+});
+
+/**
+ * Creates a secure session for GitHub App installation with organization tracking
+ */
+export async function createGitHubAppInstallSession(
+  organizationId: string,
+  redirectTo: string
+): Promise<{ url: string; cookieHeader: string }> {
+  const state = randomBytes(32).toString("hex");
+
+  const session = await sessionStorage.getSession();
+  session.set("organizationId", organizationId);
+  session.set("redirectTo", redirectTo);
+  session.set("state", state);
+  session.set("createdAt", Date.now());
+
+  const githubAppSlug = env.GITHUB_APP_SLUG;
+
+  // the state query param gets passed through to the installation callback
+  const url = `https://github.com/apps/${githubAppSlug}/installations/new?state=${state}`;
+
+  const cookieHeader = await sessionStorage.commitSession(session);
+
+  return { url, cookieHeader };
+}
+
+/**
+ * Validates and retrieves the GitHub App installation session
+ */
+export async function validateGitHubAppInstallSession(
+  cookieHeader: string | null,
+  state: string
+): Promise<
+  { valid: true; organizationId: string; redirectTo: string } | { valid: false; error?: string }
+> {
+  if (!cookieHeader) {
+    return {
+      valid: false,
+      error: "No installation session cookie found",
+    };
+  }
+
+  const session = await sessionStorage.getSession(cookieHeader);
+
+  const sessionState = session.get("state");
+  const organizationId = session.get("organizationId");
+  const redirectTo = session.get("redirectTo");
+  const createdAt = session.get("createdAt");
+
+  if (!sessionState || !organizationId || !createdAt || !redirectTo) {
+    logger.warn("GitHub App installation session missing required fields", {
+      hasState: !!sessionState,
+      hasOrgId: !!organizationId,
+      hasCreatedAt: !!createdAt,
+      hasRedirectTo: !!redirectTo,
+    });
+
+    return {
+      valid: false,
+      error: "invalid_session_data",
+    };
+  }
+
+  if (sessionState !== state) {
+    logger.warn("GitHub App installation state mismatch", {
+      expectedState: sessionState,
+      receivedState: state,
+    });
+    return {
+      valid: false,
+      error: "state_mismatch",
+    };
+  }
+
+  const expirationTime = createdAt + 60 * 60 * 1000;
+  if (Date.now() > expirationTime) {
+    logger.warn("GitHub App installation session expired", {
+      createdAt: new Date(createdAt),
+      now: new Date(),
+    });
+    return {
+      valid: false,
+      error: "session_expired",
+    };
+  }
+
+  return {
+    valid: true,
+    organizationId,
+    redirectTo,
+  };
+}
+
+/**
+ * Destroys the GitHub App installation cookie session
+ */
+export async function destroyGitHubAppInstallSession(cookieHeader: string | null): Promise<string> {
+  if (!cookieHeader) {
+    return "";
+  }
+
+  const session = await sessionStorage.getSession(cookieHeader);
+  return await sessionStorage.destroySession(session);
+}

apps/webapp/package.json

@@ -53,8 +53,8 @@
     "@electric-sql/react": "^0.3.5",
     "@headlessui/react": "^1.7.8",
     "@heroicons/react": "^2.0.12",
-    "@internal/redis": "workspace:*",
     "@internal/cache": "workspace:*",
+    "@internal/redis": "workspace:*",
     "@internal/run-engine": "workspace:*",
     "@internal/schedule-engine": "workspace:*",
     "@internal/tracing": "workspace:*",
@@ -157,6 +157,7 @@
     "morgan": "^1.10.0",
     "nanoid": "3.3.8",
     "non.geist": "^1.0.2",
+    "octokit": "^3.2.1",
     "ohash": "^1.1.3",
     "openai": "^4.33.1",
     "p-limit": "^6.2.0",