feat: implement preview environment PR commenter in Go (#152)

Author: allanice001

.gitignore

@@ -1,2 +1,9 @@
-config
-__pycache__
+**/.DS_Store
+**/*_test.go
+**/*.md
+bin/
+dist/
+tmp/
+vendor/
+.env
+.idea/

Dockerfile

@@ -1,11 +1,21 @@
-FROM python:3.14.3-alpine@sha256:faee120f7885a06fcc9677922331391fa690d911c020abb9e8025ff3d908e510
+# ---- build stage ----
+FROM golang:1.25-alpine AS builder
 
-RUN pip install --upgrade pip
+WORKDIR /src
 
-COPY requirements.txt /app/requirements.txt
-WORKDIR /app
-RUN pip install -r requirements.txt
-COPY main.py /app/main.py
-COPY ./src /app/src
+COPY go.mod go.sum ./
+RUN go mod download
 
-CMD [ "python", "-u", "main.py" ]
+COPY . .
+
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags="-s -w" -o /out/pr-bot .
+
+# ---- runtime stage ----
+FROM gcr.io/distroless/static-debian12:nonroot
+
+WORKDIR /
+
+COPY --from=build /out/pr-bot /pr-bot
+
+# No port needed; it runs as a worker
+ENTRYPOINT ["/pr-bot"]

README.md

@@ -1,43 +1,94 @@
-# pr-bot
+# Preview Environment PR Commenter (Go)
 
-## Requirements
+A small Kubernetes service that watches **Argo CD Applications** representing preview environments and posts a **GitHub Pull Request comment** with:
+
+- the latest commit SHA deployed,
+- an Argo CD link,
+- preview links rendered as **QR codes** (minted via a protected QR signing service),
+- Grafana metrics and Loki logs links.
+
+It’s designed for GitOps/preview workflows where each PR spins up a temporary environment and you want an automatic “here’s where it is” comment.
 
-- You need a k8s cluster.
-- You need to deploy the resources below before to the `glueops-core` cluster
-- You need a git provider api token (Ex. Github Personal Access Token)
-- You need a captain domain
-  
-```yaml
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: git-provider-api-token
-type: Opaque
-data:
-  token: <base64 encoded github token>
+
+## How it works
+
+On a fixed interval, the service:
+
+1. Lists Argo CD `Applications` (`argoproj.io/v1alpha1`) from Kubernetes using the dynamic client.
+2. Filters to apps that:
+    - have at least one `ownerReference`,
+    - have annotation `preview_environment: "true"`,
+    - have annotation `head_sha` and the SHA appears in `status.sync.revisions`,
+    - have `status.health.status` of `Healthy` or `Degraded`,
+    - have at least one `status.summary.externalURLs` entry,
+    - contain required GitHub metadata annotations: `repository_organization`, `repository_name`, `pull_request_number`.
+3. Builds links to:
+    - Argo CD application page,
+    - Grafana “workload metrics” dashboard,
+    - Loki logs dashboard.
+4. For each external URL, calls a QR mint endpoint to produce a signed QR image URL.
+5. Posts a markdown table comment to the matching PR via the GitHub API.
+6. De-duplicates per process lifetime using `head_sha` (in-memory).
+
 ---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: glueops-captain-domain
-data:
-  captain_domain: <example: nonprod.tenant.glueopshosted.rocks>
+
+## Inputs expected on the Argo CD Application
+
+### Required annotations
+
+| Annotation | Required | Meaning |
+|---|:---:|---|
+| `preview_environment` | ✅ | Must be `"true"` to be considered |
+| `head_sha` | ✅ | Commit SHA expected to be deployed |
+| `repository_organization` | ✅ | GitHub org/owner |
+| `repository_name` | ✅ | GitHub repo name |
+| `pull_request_number` | ✅ | PR number to comment on |
+
+### Required status fields (set by Argo CD)
+
+- `status.sync.revisions` must contain `head_sha`
+- `status.health.status` must be `Healthy` or `Degraded`
+- `status.summary.externalURLs` must contain at least one URL
+
+---
+
+## Configuration
+
+Configuration is via environment variables:
+
+| Env var | Default | Required | Description |
+|---|---:|:---:|---|
+| `NAMESPACE` | `glueops-core` |  | Namespace used to read ConfigMap/Secret and list Applications |
+| `GITHUB_APP_SECRET_NAME` | `tenant-repo-creds` |  | K8s Secret with GitHub App credentials |
+| `CAPTAIN_DOMAIN_K8S_CONFIGMAP_NAME` | `glueops-captain-domain` |  | K8s ConfigMap with `captain_domain` |
+| `WATCH_FOR_APPS_DELAY_SECONDS` | `10` |  | Poll interval in seconds |
+| `QR_MINT_TOKEN` |  | ✅ | Bearer token for QR signing endpoint |
+| `QR_TTL_SECONDS` | `600` |  | Signed QR TTL in seconds |
+| `KUBECONFIG` | `~/.kube/config` |  | Used only when not running in-cluster |
+
+Hard-coded defaults:
+- HTTP timeout: 15 seconds
+- GitHub API version header: `2022-11-28`
+
 ---
-```
 
-## Running the app
+## Kubernetes resources required
 
-- Ensure you have the following set in your ```.env``` file (at **root** foolder):
+### ConfigMap: captain domain
 
-```bash
-export GITHUB_TOKEN=<some-value>
-```
+A ConfigMap containing the base domain used for service links:
 
-For cloud specific setup (to be authenticated to the captain cluster), check [here](https://github.com/GlueOps/terraform-module-cloud-aws-kubernetes-cluster/wiki)
+- Name: `CAPTAIN_DOMAIN_K8S_CONFIGMAP_NAME` (default `glueops-captain-domain`)
+- Key: `captain_domain`
 
-- Then run
+Example:
 
-```python
-python main.py
-```
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: glueops-captain-domain
+  namespace: glueops-core
+data:
+  captain_domain: example.internal

go.mod

@@ -0,0 +1,11 @@
+module github.com/glueops/pull-request-bot
+
+go 1.25.7
+
+require (
+	github.com/golang-jwt/jwt/v5 v5.3.1
+	github.com/joho/godotenv v1.5.1
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
+	k8s.io/client-go v0.35.1
+)

go.sum

@@ -0,0 +1,5 @@
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+k8s.io/api v0.35.1/go.mod h1:28uR9xlXWml9eT0uaGo6y71xK86JBELShLy4wR1XtxM=
+k8s.io/apimachinery v0.35.1/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/client-go v0.35.1/go.mod h1:1p1KxDt3a0ruRfc/pG4qT/3oHmUj1AhSHEcxNSGg+OA=