GitHub App
Install the App on a repo or org, configure the manifest, and every pull_request event triggers a PR Diff Red-Team Gate. The complement to the CLI/Action flow.
Key points
- Webhook authenticated by X-Hub-Signature-256 HMAC against GITHUB_APP_WEBHOOK_SECRET. JWT/API-key auth bypassed for this route only.
- Listens to pull_request events; runs the gate (manifest → scan → Check Run + comment) in a detached background task to ACK within ~10s.
- Installation token minted per-org via the App's private key. Stored in githubInstallStore so subsequent events do not re-handshake.
- Verdict (PROMOTE / HOLD) posts as a Check Run + sticky PR comment so the gate is visible in the merge box.
01
App vs. CLI/Action
- Use the App when you want zero-config gating across many repos — install once at the org level.
- Use the Action/CLI when the team prefers an explicit workflow file and per-repo opt-in.
- The App is the only path to native Check Runs (the API surface for the merge box red/green).
02
What ships today
- Install handshake, webhook receiver, signature verification, manifest discovery, Check Run + comment posting.
- Manifest schema mirrors .doesitdefend.yml from the Action — target.endpoint, template, watched paths.
- Installation state persisted; reinstalls cleanly handle revoke + re-grant cycles.