@async/github-app 0.1.1

package/dist/github.js

@@ -0,0 +1,258 @@
+import { validateChangeFiles } from "./safety.js";
+import { redactSensitive, utf8ToBase64 } from "./util.js";
+export class GitHubApiError extends Error {
+    status;
+    method;
+    path;
+    constructor(message, status, method, path) {
+        super(message);
+        this.status = status;
+        this.method = method;
+        this.path = path;
+        this.name = "GitHubApiError";
+    }
+}
+export function createGitHubClient(auth) {
+    async function request(method, path, body) {
+        const token = await auth.getToken();
+        const init = {
+            method,
+            headers: {
+                accept: "application/vnd.github+json",
+                authorization: `Bearer ${token}`,
+                "content-type": "application/json",
+                "x-github-api-version": "2022-11-28"
+            }
+        };
+        if (body !== undefined) {
+            init.body = JSON.stringify(body);
+        }
+        const response = await fetch(`${auth.baseUrl}${path}`, init);
+        if (response.status === 204) {
+            return undefined;
+        }
+        const text = await response.text();
+        if (!response.ok) {
+            throw new GitHubApiError(`GitHub ${method} ${path} failed with ${response.status}: ${redactSensitive(text)}`, response.status, method, path);
+        }
+        return (text ? JSON.parse(text) : undefined);
+    }
+    return {
+        request,
+        ensureBranch: (options) => ensureBranch(request, options),
+        commitChangeSet: (options) => commitChangeSet(request, options),
+        openOrUpdatePullRequest: (options) => openOrUpdatePullRequest(request, options),
+        getTreeSnapshot: (options) => getTreeSnapshot(request, options),
+        compareBranch: (options) => compareBranch(request, options)
+    };
+}
+export function parseGitHubRepo(input) {
+    if (typeof input !== "string") {
+        return input;
+    }
+    const [owner, repo, extra] = input.split("/");
+    if (!owner || !repo || extra) {
+        throw new Error(`Expected GitHub repo as owner/name, received "${input}".`);
+    }
+    return { owner, repo };
+}
+export function formatGitHubRepo(input) {
+    const repo = parseGitHubRepo(input);
+    return `${repo.owner}/${repo.repo}`;
+}
+async function ensureBranch(request, options) {
+    const repo = parseGitHubRepo(options.repo);
+    const repoName = formatGitHubRepo(repo);
+    const branchPath = `/repos/${repo.owner}/${repo.repo}/git/ref/heads/${encodeURIComponent(options.branch)}`;
+    try {
+        const existing = await request("GET", branchPath);
+        return {
+            repo: repoName,
+            branch: options.branch,
+            sha: existing.object.sha,
+            created: false
+        };
+    }
+    catch (error) {
+        if (!(error instanceof GitHubApiError) || error.status !== 404) {
+            throw error;
+        }
+    }
+    const base = await request("GET", `/repos/${repo.owner}/${repo.repo}/git/ref/heads/${encodeURIComponent(options.from)}`);
+    await request("POST", `/repos/${repo.owner}/${repo.repo}/git/refs`, {
+        ref: `refs/heads/${options.branch}`,
+        sha: base.object.sha
+    });
+    return {
+        repo: repoName,
+        branch: options.branch,
+        sha: base.object.sha,
+        created: true
+    };
+}
+async function commitChangeSet(request, options) {
+    validateChangeFiles(options.files, {
+        allowWorkflowPaths: options.allowWorkflowPaths,
+        allowedPathGlobs: options.allowedPathGlobs
+    });
+    const repo = parseGitHubRepo(options.repo);
+    const repoName = formatGitHubRepo(repo);
+    const receipts = [];
+    const commitShas = [];
+    for (const file of options.files) {
+        const receipt = await commitOneFile(request, repo, options.branch, options.message, file, {
+            author: options.author,
+            committer: options.committer
+        });
+        receipts.push(receipt);
+        if (receipt.commitSha) {
+            commitShas.push(receipt.commitSha);
+        }
+    }
+    return {
+        id: options.changeSetId,
+        repo: repoName,
+        branch: options.branch,
+        baseBranch: options.baseBranch,
+        commitSha: commitShas.at(-1),
+        commitShas,
+        files: receipts,
+        indexHints: extractIndexHints(options.metadata),
+        metadata: options.metadata
+    };
+}
+async function commitOneFile(request, repo, branch, message, file, identity) {
+    const contentPath = `/repos/${repo.owner}/${repo.repo}/contents/${encodeContentPath(file.path)}`;
+    const sha = file.previousSha ?? await getContentSha(request, contentPath, branch);
+    if (file.action === "delete") {
+        if (!sha) {
+            throw new GitHubApiError(`Cannot delete ${file.path}; GitHub did not return an existing sha.`, 404, "GET", contentPath);
+        }
+        const deleted = await request("DELETE", contentPath, {
+            message,
+            sha,
+            branch,
+            author: identity.author,
+            committer: identity.committer
+        });
+        return {
+            path: file.path,
+            action: "delete",
+            commitSha: deleted.commit.sha,
+            contentSha: sha
+        };
+    }
+    const updated = await request("PUT", contentPath, {
+        message,
+        content: file.encoding === "base64" ? file.content : utf8ToBase64(file.content ?? ""),
+        sha,
+        branch,
+        author: identity.author,
+        committer: identity.committer
+    });
+    return {
+        path: file.path,
+        action: "upsert",
+        commitSha: updated.commit.sha,
+        contentSha: updated.content?.sha
+    };
+}
+async function getContentSha(request, contentPath, branch) {
+    try {
+        const current = await request("GET", `${contentPath}?ref=${encodeURIComponent(branch)}`);
+        return current.sha;
+    }
+    catch (error) {
+        if (error instanceof GitHubApiError && error.status === 404) {
+            return undefined;
+        }
+        throw error;
+    }
+}
+async function openOrUpdatePullRequest(request, options) {
+    const repo = parseGitHubRepo(options.repo);
+    const headForSearch = options.head.includes(":") ? options.head : `${repo.owner}:${options.head}`;
+    const existing = await request("GET", `/repos/${repo.owner}/${repo.repo}/pulls?state=open&head=${encodeURIComponent(headForSearch)}&base=${encodeURIComponent(options.base)}`);
+    if (existing[0]) {
+        const updated = await request("PATCH", `/repos/${repo.owner}/${repo.repo}/pulls/${existing[0].number}`, {
+            title: options.title,
+            body: options.body
+        });
+        return {
+            number: updated.number,
+            url: updated.html_url,
+            head: options.head,
+            base: options.base,
+            created: false
+        };
+    }
+    const created = await request("POST", `/repos/${repo.owner}/${repo.repo}/pulls`, {
+        title: options.title,
+        body: options.body,
+        head: options.head,
+        base: options.base,
+        draft: options.draft
+    });
+    return {
+        number: created.number,
+        url: created.html_url,
+        head: options.head,
+        base: options.base,
+        created: true
+    };
+}
+async function getTreeSnapshot(request, options) {
+    const repo = parseGitHubRepo(options.repo);
+    const entries = [];
+    if (options.paths?.length) {
+        for (const path of options.paths) {
+            const item = await request("GET", `/repos/${repo.owner}/${repo.repo}/contents/${encodeContentPath(path)}?ref=${encodeURIComponent(options.ref)}`);
+            const items = Array.isArray(item) ? item : [item];
+            for (const entry of items) {
+                entries.push({
+                    path: entry.path,
+                    sha: entry.sha,
+                    type: normalizeContentType(entry.type),
+                    size: entry.size
+                });
+            }
+        }
+    }
+    else {
+        const tree = await request("GET", `/repos/${repo.owner}/${repo.repo}/git/trees/${encodeURIComponent(options.ref)}?recursive=1`);
+        for (const entry of tree.tree) {
+            entries.push({
+                path: entry.path,
+                sha: entry.sha,
+                type: entry.type,
+                size: entry.size
+            });
+        }
+    }
+    return {
+        repo: formatGitHubRepo(repo),
+        ref: options.ref,
+        entries
+    };
+}
+async function compareBranch(request, options) {
+    const repo = parseGitHubRepo(options.repo);
+    const compared = await request("GET", `/repos/${repo.owner}/${repo.repo}/compare/${encodeURIComponent(options.base)}...${encodeURIComponent(options.head)}`);
+    return {
+        status: compared.status,
+        aheadBy: compared.ahead_by,
+        behindBy: compared.behind_by,
+        commits: compared.commits.map((commit) => ({ sha: commit.sha })),
+        htmlUrl: compared.html_url
+    };
+}
+function normalizeContentType(type) {
+    return type;
+}
+function encodeContentPath(path) {
+    return path.split("/").map((part) => encodeURIComponent(part)).join("/");
+}
+function extractIndexHints(metadata) {
+    const hints = metadata?.indexHints;
+    return Array.isArray(hints) && hints.every((hint) => typeof hint === "string") ? hints : [];
+}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { actionsBridgeAuth, createGitHubAppJwt, githubAppAuth, githubUserAuth, GitHubAuthError, staticTokenAuth } from "./auth.js";
+export { asyncGithubApp, defineGithubApp } from "./app.js";
+export { createGitHubClient, formatGitHubRepo, GitHubApiError, parseGitHubRepo } from "./github.js";
+export { assertSafeChangeFilePath, UnsafeChangePathError, validateChangeFiles } from "./safety.js";
+export type { ActionsBridgeAuthOptions, AsyncGithubAppMetadata, ChangeFile, ChangeFileAction, ChangeFileReceipt, ChangeSet, ChangeSetMode, CommitChangeSetOptions, CommitReceipt, CompareBranchOptions, CompareBranchReceipt, DefineGithubAppOptions, EnsureBranchOptions, EnsureBranchReceipt, GitAuthor, GitHubAppAuthOptions, GitHubAuthProvider, GitHubAuthScope, GitHubBaseUrl, GitHubClient, GithubAppDefinition, GitHubRepo, GitHubRepoInput, OpenOrUpdatePullRequestOptions, PathSafetyOptions, PullRequestReceipt, TokenAuthOptions, TreeSnapshot, TreeSnapshotEntry, TreeSnapshotOptions } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,aAAa,EACb,cAAc,EACd,eAAe,EACf,eAAe,EAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,cAAc,EACd,eAAe,EAChB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,wBAAwB,EACxB,qBAAqB,EACrB,mBAAmB,EACpB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,wBAAwB,EACxB,sBAAsB,EACtB,UAAU,EACV,gBAAgB,EAChB,iBAAiB,EACjB,SAAS,EACT,aAAa,EACb,sBAAsB,EACtB,aAAa,EACb,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,mBAAmB,EACnB,mBAAmB,EACnB,SAAS,EACT,oBAAoB,EACpB,kBAAkB,EAClB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,UAAU,EACV,eAAe,EACf,8BAA8B,EAC9B,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,EACjB,mBAAmB,EACpB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { actionsBridgeAuth, createGitHubAppJwt, githubAppAuth, githubUserAuth, GitHubAuthError, staticTokenAuth } from "./auth.js";
+export { asyncGithubApp, defineGithubApp } from "./app.js";
+export { createGitHubClient, formatGitHubRepo, GitHubApiError, parseGitHubRepo } from "./github.js";
+export { assertSafeChangeFilePath, UnsafeChangePathError, validateChangeFiles } from "./safety.js";

package/dist/safety.d.ts

@@ -0,0 +1,7 @@
+import type { ChangeFile, PathSafetyOptions } from "./types.js";
+export declare class UnsafeChangePathError extends Error {
+    constructor(path: string, reason: string);
+}
+export declare function assertSafeChangeFilePath(path: string, options?: PathSafetyOptions): void;
+export declare function validateChangeFiles(files: readonly ChangeFile[], options?: PathSafetyOptions): void;
+//# sourceMappingURL=safety.d.ts.map

package/dist/safety.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safety.d.ts","sourceRoot":"","sources":["../src/safety.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEhE,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAIzC;AAED,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,GAAE,iBAAsB,GAAG,IAAI,CAqB5F;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,SAAS,UAAU,EAAE,EAAE,OAAO,GAAE,iBAAsB,GAAG,IAAI,CAiBvG"}

package/dist/safety.js

@@ -0,0 +1,57 @@
+export class UnsafeChangePathError extends Error {
+    constructor(path, reason) {
+        super(`Unsafe GitHub change path "${path}": ${reason}`);
+        this.name = "UnsafeChangePathError";
+    }
+}
+export function assertSafeChangeFilePath(path, options = {}) {
+    if (!path || path.trim() !== path) {
+        throw new UnsafeChangePathError(path, "paths must be non-empty and cannot include leading or trailing whitespace");
+    }
+    if (path.startsWith("/") || /^[A-Za-z]:[\\/]/u.test(path)) {
+        throw new UnsafeChangePathError(path, "absolute paths are not allowed");
+    }
+    const parts = path.split("/");
+    if (parts.some((part) => part === ".." || part === "")) {
+        throw new UnsafeChangePathError(path, "paths cannot contain empty segments or ..");
+    }
+    if (!options.allowWorkflowPaths && path.startsWith(".github/workflows/")) {
+        throw new UnsafeChangePathError(path, ".github/workflows writes require allowWorkflowPaths");
+    }
+    if (options.allowedPathGlobs?.length && !options.allowedPathGlobs.some((glob) => matchesSimpleGlob(path, glob))) {
+        throw new UnsafeChangePathError(path, `path is outside allowed globs: ${options.allowedPathGlobs.join(", ")}`);
+    }
+}
+export function validateChangeFiles(files, options = {}) {
+    if (!files.length) {
+        throw new UnsafeChangePathError("(empty)", "change sets must contain at least one file");
+    }
+    const seen = new Set();
+    for (const file of files) {
+        assertSafeChangeFilePath(file.path, options);
+        if (seen.has(file.path)) {
+            throw new UnsafeChangePathError(file.path, "a change set cannot include the same path more than once");
+        }
+        seen.add(file.path);
+        if (file.action === "upsert" && file.content === undefined) {
+            throw new UnsafeChangePathError(file.path, "upsert files require content");
+        }
+    }
+}
+function matchesSimpleGlob(path, glob) {
+    if (glob.endsWith("/**")) {
+        return path.startsWith(glob.slice(0, -2));
+    }
+    if (glob.endsWith("/*")) {
+        const prefix = glob.slice(0, -1);
+        const rest = path.slice(prefix.length);
+        return path.startsWith(prefix) && rest.length > 0 && !rest.includes("/");
+    }
+    if (glob.includes("*")) {
+        const escaped = glob
+            .replace(/[.+?^${}()|[\]\\]/gu, "\\$&")
+            .replaceAll("\\*", "[^/]*");
+        return new RegExp(`^${escaped}$`, "u").test(path);
+    }
+    return path === glob || path.startsWith(`${glob}/`);
+}

package/dist/server.d.ts

@@ -0,0 +1,34 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+export interface WebhookVerifyInput {
+    readonly signature: string | null;
+    readonly body: string;
+    readonly event: string;
+    readonly deliveryId: string;
+}
+export type WebhookVerifier = string | {
+    readonly secret: string | (() => string | Promise<string>);
+} | ((input: WebhookVerifyInput) => boolean | Promise<boolean>);
+export interface GithubWebhookEvent {
+    readonly event: string;
+    readonly deliveryId: string;
+    readonly payload: unknown;
+    readonly rawBody: string;
+    readonly headers: Headers;
+}
+export type GithubWebhookEventHandler = (event: GithubWebhookEvent) => void | Response | Promise<void | Response>;
+export interface CreateGithubWebhookHandlerOptions {
+    readonly verify: WebhookVerifier;
+    readonly route?: Record<string, GithubWebhookEventHandler>;
+    readonly onEvent?: GithubWebhookEventHandler;
+    readonly maxBodyBytes?: number;
+    readonly seenDeliveries?: Set<string>;
+}
+export declare function verifyWebhookSignature(options: {
+    readonly secret: string;
+    readonly body: string | Uint8Array;
+    readonly signature: string | null | undefined;
+}): boolean;
+export declare function createGithubWebhookHandler(options: CreateGithubWebhookHandlerOptions): (request: Request) => Promise<Response>;
+export declare function createNodeWebhookHandler(handler: (request: Request) => Promise<Response>): (request: IncomingMessage, response: ServerResponse) => Promise<void>;
+export declare function createDenoWebhookHandler(handler: (request: Request) => Promise<Response>): (request: Request) => Promise<Response>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEjE,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,MAAM,eAAe,GAAG,MAAM,GAAG;IACrC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;CAC5D,GAAG,CAAC,CAAC,KAAK,EAAE,kBAAkB,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;AAEhE,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,MAAM,yBAAyB,GAAG,CAAC,KAAK,EAAE,kBAAkB,KAAK,IAAI,GAAG,QAAQ,GAAG,OAAO,CAAC,IAAI,GAAG,QAAQ,CAAC,CAAC;AAElH,MAAM,WAAW,iCAAiC;IAChD,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,yBAAyB,CAAC,CAAC;IAC3D,QAAQ,CAAC,OAAO,CAAC,EAAE,yBAAyB,CAAC;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CACvC;AAED,wBAAgB,sBAAsB,CAAC,OAAO,EAAE;IAC9C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,CAAC;IACnC,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;CAC/C,GAAG,OAAO,CAUV;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,iCAAiC,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA2D9H;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,IAC9C,SAAS,eAAe,EAAE,UAAU,cAAc,KAAG,OAAO,CAAC,IAAI,CAAC,CA2B5G;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAElI"}

package/dist/server.js

@@ -0,0 +1,111 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+export function verifyWebhookSignature(options) {
+    const signature = options.signature;
+    if (!signature?.startsWith("sha256=")) {
+        return false;
+    }
+    const expected = `sha256=${createHmac("sha256", options.secret).update(options.body).digest("hex")}`;
+    const expectedBuffer = Buffer.from(expected);
+    const actualBuffer = Buffer.from(signature);
+    return expectedBuffer.length === actualBuffer.length && timingSafeEqual(expectedBuffer, actualBuffer);
+}
+export function createGithubWebhookHandler(options) {
+    const maxBodyBytes = options.maxBodyBytes ?? 1024 * 1024;
+    const seenDeliveries = options.seenDeliveries ?? new Set();
+    return async function githubWebhookHandler(request) {
+        if (request.method !== "POST") {
+            return json({ ok: false, error: "method_not_allowed" }, 405);
+        }
+        const event = request.headers.get("x-github-event") ?? "";
+        const deliveryId = request.headers.get("x-github-delivery") ?? "";
+        const signature = request.headers.get("x-hub-signature-256");
+        const rawBody = await request.text();
+        if (Buffer.byteLength(rawBody, "utf8") > maxBodyBytes) {
+            return json({ ok: false, error: "body_too_large" }, 413);
+        }
+        if (!event || !deliveryId) {
+            return json({ ok: false, error: "missing_github_headers" }, 400);
+        }
+        const verified = await verifyRequest(options.verify, {
+            signature,
+            body: rawBody,
+            event,
+            deliveryId
+        });
+        if (!verified) {
+            return json({ ok: false, error: "invalid_signature" }, 401);
+        }
+        if (seenDeliveries.has(deliveryId)) {
+            return json({ ok: true, duplicate: true });
+        }
+        seenDeliveries.add(deliveryId);
+        let payload;
+        try {
+            payload = JSON.parse(rawBody);
+        }
+        catch {
+            return json({ ok: false, error: "invalid_json" }, 400);
+        }
+        const handler = options.route?.[event] ?? options.route?.["*"] ?? options.onEvent;
+        if (!handler) {
+            return json({ ok: true, ignored: true });
+        }
+        const response = await handler({
+            event,
+            deliveryId,
+            payload,
+            rawBody,
+            headers: request.headers
+        });
+        return response ?? json({ ok: true });
+    };
+}
+export function createNodeWebhookHandler(handler) {
+    return async function nodeWebhookHandler(request, response) {
+        const chunks = [];
+        for await (const chunk of request) {
+            chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+        }
+        const headers = new Headers();
+        for (const [key, value] of Object.entries(request.headers)) {
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    headers.append(key, item);
+                }
+            }
+            else if (value !== undefined) {
+                headers.set(key, value);
+            }
+        }
+        const fetchRequest = new Request(`http://localhost${request.url ?? "/"}`, {
+            method: request.method ?? "POST",
+            headers,
+            body: Buffer.concat(chunks)
+        });
+        const fetchResponse = await handler(fetchRequest);
+        response.statusCode = fetchResponse.status;
+        fetchResponse.headers.forEach((value, key) => response.setHeader(key, value));
+        response.end(Buffer.from(await fetchResponse.arrayBuffer()));
+    };
+}
+export function createDenoWebhookHandler(handler) {
+    return handler;
+}
+async function verifyRequest(verifier, input) {
+    if (typeof verifier === "string") {
+        return verifyWebhookSignature({ secret: verifier, body: input.body, signature: input.signature });
+    }
+    if (typeof verifier === "function") {
+        return verifier(input);
+    }
+    const secret = typeof verifier.secret === "function" ? await verifier.secret() : verifier.secret;
+    return verifyWebhookSignature({ secret, body: input.body, signature: input.signature });
+}
+function json(body, status = 200) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: {
+            "content-type": "application/json"
+        }
+    });
+}

package/dist/types.d.ts

@@ -0,0 +1,177 @@
+export type GitHubBaseUrl = `https://${string}` | `http://${string}`;
+export interface GitHubAuthProvider {
+    readonly kind: string;
+    readonly baseUrl: GitHubBaseUrl;
+    getToken(scope?: GitHubAuthScope): Promise<string>;
+}
+export interface GitHubAuthScope {
+    readonly repo?: GitHubRepoInput;
+    readonly permissions?: Record<string, "read" | "write">;
+}
+export interface GitHubAppAuthOptions {
+    readonly appId: string | number;
+    readonly privateKey: string;
+    readonly installationId: string | number;
+    readonly baseUrl?: GitHubBaseUrl | undefined;
+    readonly fetch?: typeof fetch | undefined;
+    readonly now?: (() => Date) | undefined;
+}
+export interface TokenAuthOptions {
+    readonly token: string;
+    readonly baseUrl?: GitHubBaseUrl | undefined;
+}
+export interface ActionsBridgeAuthOptions {
+    readonly tokenEnv?: string | undefined;
+    readonly env?: Record<string, string | undefined> | undefined;
+    readonly baseUrl?: GitHubBaseUrl | undefined;
+}
+export interface AsyncGithubAppMetadata {
+    readonly slug: string;
+    readonly installUrl: string;
+    readonly callbackUrl: string;
+    readonly webhookEvents: readonly string[];
+    readonly permissions: Readonly<Record<string, "read" | "write">>;
+}
+export interface GithubAppDefinition {
+    readonly metadata: AsyncGithubAppMetadata;
+    readonly auth?: GitHubAuthProvider | undefined;
+    readonly permissions: Readonly<Record<string, "read" | "write">>;
+    readonly endpoints: Readonly<Record<string, string>>;
+}
+export interface DefineGithubAppOptions {
+    readonly metadata?: Partial<AsyncGithubAppMetadata> | undefined;
+    readonly auth?: GitHubAuthProvider | undefined;
+    readonly permissions?: Record<string, "read" | "write"> | undefined;
+    readonly endpoints?: Record<string, string> | undefined;
+}
+export interface GitHubRepo {
+    readonly owner: string;
+    readonly repo: string;
+}
+export type GitHubRepoInput = GitHubRepo | `${string}/${string}`;
+export type ChangeFileAction = "upsert" | "delete";
+export interface ChangeFile {
+    readonly path: string;
+    readonly action: ChangeFileAction;
+    readonly content?: string | undefined;
+    readonly encoding?: "utf8" | "base64" | undefined;
+    readonly previousSha?: string | undefined;
+}
+export type ChangeSetMode = "app" | "actions-pull" | "actions-dispatch" | "token" | "branch" | "pull_request" | "direct";
+export interface ChangeSet {
+    readonly id: string;
+    readonly repo: GitHubRepoInput;
+    readonly baseBranch: string;
+    readonly targetBranch: string;
+    readonly mode: ChangeSetMode;
+    readonly files: readonly ChangeFile[];
+    readonly message?: string | undefined;
+    readonly title?: string | undefined;
+    readonly body?: string | undefined;
+    readonly metadata?: Record<string, unknown> | undefined;
+}
+export interface GitAuthor {
+    readonly name: string;
+    readonly email: string;
+    readonly date?: string | undefined;
+}
+export interface CommitChangeSetOptions {
+    readonly repo: GitHubRepoInput;
+    readonly branch: string;
+    readonly message: string;
+    readonly files: readonly ChangeFile[];
+    readonly baseBranch?: string | undefined;
+    readonly changeSetId?: string | undefined;
+    readonly author?: GitAuthor | undefined;
+    readonly committer?: GitAuthor | undefined;
+    readonly allowWorkflowPaths?: boolean | undefined;
+    readonly allowedPathGlobs?: readonly string[] | undefined;
+    readonly metadata?: Record<string, unknown> | undefined;
+}
+export interface ChangeFileReceipt {
+    readonly path: string;
+    readonly action: ChangeFileAction;
+    readonly commitSha?: string | undefined;
+    readonly contentSha?: string | undefined;
+}
+export interface CommitReceipt {
+    readonly id?: string | undefined;
+    readonly repo: string;
+    readonly branch: string;
+    readonly baseBranch?: string | undefined;
+    readonly commitSha?: string | undefined;
+    readonly commitShas: readonly string[];
+    readonly pullRequestUrl?: string | undefined;
+    readonly files: readonly ChangeFileReceipt[];
+    readonly indexHints: readonly string[];
+    readonly metadata?: Record<string, unknown> | undefined;
+}
+export interface EnsureBranchOptions {
+    readonly repo: GitHubRepoInput;
+    readonly from: string;
+    readonly branch: string;
+}
+export interface EnsureBranchReceipt {
+    readonly repo: string;
+    readonly branch: string;
+    readonly sha: string;
+    readonly created: boolean;
+}
+export interface OpenOrUpdatePullRequestOptions {
+    readonly repo: GitHubRepoInput;
+    readonly head: string;
+    readonly base: string;
+    readonly title: string;
+    readonly body?: string | undefined;
+    readonly draft?: boolean | undefined;
+}
+export interface PullRequestReceipt {
+    readonly number: number;
+    readonly url: string;
+    readonly head: string;
+    readonly base: string;
+    readonly created: boolean;
+}
+export interface TreeSnapshotOptions {
+    readonly repo: GitHubRepoInput;
+    readonly ref: string;
+    readonly paths?: readonly string[];
+}
+export interface TreeSnapshotEntry {
+    readonly path: string;
+    readonly sha: string;
+    readonly type: "file" | "dir" | "symlink" | "submodule" | "tree" | "blob";
+    readonly size?: number | undefined;
+}
+export interface TreeSnapshot {
+    readonly repo: string;
+    readonly ref: string;
+    readonly entries: readonly TreeSnapshotEntry[];
+}
+export interface CompareBranchOptions {
+    readonly repo: GitHubRepoInput;
+    readonly base: string;
+    readonly head: string;
+}
+export interface CompareBranchReceipt {
+    readonly status: string;
+    readonly aheadBy: number;
+    readonly behindBy: number;
+    readonly commits: readonly {
+        readonly sha: string;
+    }[];
+    readonly htmlUrl?: string | undefined;
+}
+export interface GitHubClient {
+    request<T = unknown>(method: string, path: string, body?: unknown): Promise<T>;
+    ensureBranch(options: EnsureBranchOptions): Promise<EnsureBranchReceipt>;
+    commitChangeSet(options: CommitChangeSetOptions): Promise<CommitReceipt>;
+    openOrUpdatePullRequest(options: OpenOrUpdatePullRequestOptions): Promise<PullRequestReceipt>;
+    getTreeSnapshot(options: TreeSnapshotOptions): Promise<TreeSnapshot>;
+    compareBranch(options: CompareBranchOptions): Promise<CompareBranchReceipt>;
+}
+export interface PathSafetyOptions {
+    readonly allowWorkflowPaths?: boolean | undefined;
+    readonly allowedPathGlobs?: readonly string[] | undefined;
+}
+//# sourceMappingURL=types.d.ts.map