Cotton is a serverless GitHub app that upgrades dependencies in projects that use Yarn. It is written in Node.js with the Serverless framework.
- Upgrades all dependencies in a repository in one consolidated PR.
- Updates `yarn.lock` together with `package.json`. Projects that do not use Yarn are currently unsupported.
- Monorepo support (Cotton has only been tried on monorepos with multiple independent `package.json` files, not on actual Yarn workspaces).
- Manual upgrade trigger via the REST API (currently unauthenticated: anyone who can reach the endpoint can trigger an upgrade).
- Aborts the rebase when commits not authored by Cotton have been pushed to the PR.
- Scheduled upgrades.
- Configurable upgrade schedule.
Cotton is deployed on AWS using the Serverless framework. It is comprised of three Lambda functions written as Serverless handlers. They invoke each other through Amazon Simple Notification Service (SNS) topics, and each can also be invoked through its REST API endpoint.

- `upgradeAllInstallations`: upgrades all repos that Cotton is installed on by invoking `upgradeInstallation` for each installation. It can be invoked by the REST API endpoint `/upgradeAllInstallations`.
- `upgradeInstallation`: upgrades all repos in an installation by invoking `upgradeRepository` for each repo in the input installation. It can be invoked by the REST API endpoint `/upgradeInstallation/{installationID}`, or through an SNS message on the `upgradeInstallation` topic.
- `upgradeRepository`: upgrades a single repository. It can be invoked by the REST API endpoint `/upgradeRepository/{installationID}/{repoOwner}/{repoName}`, e.g. `/upgradeRepository/123456/taneliang/Cotton`, or through an SNS message on the `upgradeRepository` topic.
- Clone this repo.
- Run `cp .env.example .env` at the repo root.
- Set up an AWS account if you haven't.
- Generate `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, following https://serverless.com/framework/docs/providers/aws/guide/credentials/.
- Set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in `.env`.
- Register a new GitHub App, following https://developer.github.com/apps/building-github-apps/creating-a-github-app/. Use dummy URLs where required; the real webhook URL is set after deployment. Permission settings are as follows:
  - Repository contents: Read & write
  - Issues: Read & write
  - Repository metadata: Read-only
  - Pull requests: Read & write
  - Subscribe to events: Push, Issue comment, Pull request review, Pull request review comment
- Generate a webhook secret (securely, e.g. using a password manager), set it as the webhook secret of the new app, and set `GITHUB_WEBHOOK_SECRET` in `.env` to the same value.
- Generate the app's private key following https://developer.github.com/apps/building-github-apps/authentication-options-for-github-apps/#generating-a-private-key.
- Download the key into the repo root and rename it `gh_priv_key.pem`. Do not commit this file: anyone holding it can authenticate as the app.
- Use the App ID shown on the app settings page to set `GITHUB_APP_ID` in `.env`.
- Deploy the app by running `yarn deploy`.
- Once deployed, Serverless will output a few URLs. Set the GitHub App's Webhook URL to the `githubWebhook` POST endpoint printed by Serverless.
Run `yarn start`. This starts a `serverless-offline` server, which simulates API Gateway locally. Note that the `upgradeAllInstallations` and `upgradeInstallation` handlers will fail to trigger their downstream Lambdas, as `serverless-offline` does not mock SNS.

Run `yarn test`. Tests are written with Jest.

Run `yarn deploy`. This command uses Serverless to deploy Cotton to AWS.