Payload
{
"action": "created",
"comment": {
"url": "https://api.github.com/repos/darkmatter/infra/pulls/comments/3349617867",
"pull_request_review_id": 4419887003,
"id": 3349617867,
"node_id": "PRRC_kwDOPq3Cd87HpxzL",
"diff_hunk": "@@ -0,0 +1,299 @@\n+#!/usr/bin/env bun\n+/**\n+ * Mint a short-lived GHCR pull token via the darkmatter-bot GitHub App and\n+ * open a PR against darkmatter/gitops that lands the corresponding\n+ * imagePullSecret manifest in the `tenderly-snap` namespace.\n+ *\n+ * Why a script instead of an Alchemy Resource:\n+ * The installation token expires after ~1h, so there is no stable\n+ * \"output attribute\" for an Alchemy Resource to track. This is a\n+ * bootstrap action, not durable state.\n+ *\n+ * Inputs (himitsu):\n+ * github/darkmatter-bot/app_id App ID (number)\n+ * github/darkmatter-bot/private_key RSA PEM private key\n+ * github/darkmatter-bot/installation_id Installation ID on darkmatter org\n+ * (optional — looked up via the App\n+ * JWT if absent)\n+ *\n+ * Flow:\n+ * 1. App JWT (RS256, 10-min ttl).\n+ * 2. Mint installation token A: { packages: read } on darkmatter/tenderly-snap.\n+ * 3. Mint installation token B: { contents: write, pull_requests: write } on\n+ * darkmatter/gitops.\n+ * 4. Build .dockerconfigjson with token A (user `x-access-token`).\n+ * 5. Render `manifests/tenderly-snap/ghcr-pull-secret.yaml`.\n+ * 6. Clone darkmatter/gitops with token B, commit on a dated branch,\n+ * push, and open a PR.\n+ *\n+ * Security note:\n+ * Token A is plaintext in the rendered Secret and ends up in the gitops\n+ * git history. It expires in ~1h, so blast radius is bounded. SOPS\n+ * encryption would be cleaner; not done here because the gitops repo's\n+ * age recipients aren't co-located. Worth a follow-up.\n+ *\n+ * Usage:\n+ * bun run packages/alchemy/scripts/provision-ghcr-pull-secret.ts\n+ */\n+\n+import { createPrivateKey, createSign } from \"node:crypto\";\n+import { spawnSync } from \"node:child_process\";\n+import { mkdtempSync, rmSync, writeFileSync, mkdirSync } from \"node:fs\";\n+import { tmpdir } from \"node:os\";\n+import { join } from \"node:path\";\n+\n+// ---------------------------------------------------------------------------\n+// Config\n+// ---------------------------------------------------------------------------\n+\n+const GITOPS_OWNER = \"darkmatter\";\n+const GITOPS_REPO = \"gitops\";\n+const IMAGE_REPO_OWNER = \"darkmatter\";\n+const IMAGE_REPO_NAME = \"tenderly-snap\";\n+const K8S_NAMESPACE = \"tenderly-snap\";\n+const SECRET_NAME = \"ghcr-pull\";\n+const MANIFEST_PATH = `manifests/${K8S_NAMESPACE}/ghcr-pull-secret.yaml`;\n+const HIMITSU_PREFIX = \"github/darkmatter-bot\";\n+\n+// ---------------------------------------------------------------------------\n+// Logging\n+// ---------------------------------------------------------------------------\n+\n+const log = (msg: string) => console.log(`[ghcr-pull] ${msg}`);\n+const ok = (msg: string) => console.log(`[ghcr-pull] ✓ ${msg}`);\n+const fatal = (msg: string): never => {\n+ console.error(`[ghcr-pull] ✗ ${msg}`);\n+ process.exit(1);\n+};\n+\n+// ---------------------------------------------------------------------------\n+// Helpers\n+// ---------------------------------------------------------------------------\n+\n+function himitsuRead(path: string): string {\n+ const res = spawnSync(\"himitsu\", [\"read\", path], { encoding: \"utf8\" });\n+ if (res.status !== 0) {\n+ fatal(`himitsu read ${path} failed: ${res.stderr.trim() || res.status}`);\n+ }\n+ return res.stdout.replace(/\\n$/, \"\");\n+}\n+\n+function base64url(buf: Buffer | string): string {\n+ const b = typeof buf === \"string\" ? Buffer.from(buf) : buf;\n+ return b\n+ .toString(\"base64\")\n+ .replace(/\\+/g, \"-\")\n+ .replace(/\\//g, \"_\")\n+ .replace(/=+$/, \"\");\n+}\n+\n+function signAppJwt(appId: string, privateKeyPem: string): string {\n+ const now = Math.floor(Date.now() / 1000);\n+ const header = { alg: \"RS256\", typ: \"JWT\" };\n+ const payload = { iat: now - 60, exp: now + 9 * 60, iss: appId };\n+ const signingInput = `${base64url(JSON.stringify(header))}.${base64url(\n+ JSON.stringify(payload),\n+ )}`;\n+ const key = createPrivateKey(privateKeyPem);\n+ const sig = createSign(\"RSA-SHA256\").update(signingInput).sign(key);\n+ return `${signingInput}.${base64url(sig)}`;\n+}\n+\n+async function gh<T>(\n+ method: string,\n+ path: string,\n+ auth: string,\n+ body?: unknown,\n+): Promise<T> {\n+ const res = await fetch(`https://api.github.com${path}`, {\n+ method,\n+ headers: {\n+ Authorization: `Bearer ${auth}`,\n+ Accept: \"application/vnd.github+json\",\n+ \"X-GitHub-Api-Version\": \"2022-11-28\",\n+ \"Content-Type\": \"application/json\",\n+ },\n+ body: body === undefined ? undefined : JSON.stringify(body),\n+ });\n+ if (!res.ok) {\n+ const text = await res.text();\n+ fatal(`GitHub ${method} ${path} → ${res.status}: ${text}`);\n+ }\n+ return (await res.json()) as T;\n+}\n+\n+function run(cmd: string, args: string[], cwd: string, env?: NodeJS.ProcessEnv) {\n+ const res = spawnSync(cmd, args, {\n+ cwd,\n+ env: env ?? process.env,\n+ stdio: [\"ignore\", \"pipe\", \"pipe\"],\n+ encoding: \"utf8\",\n+ });\n+ if (res.status !== 0) {\n+ fatal(`${cmd} ${args.join(\" \")} (cwd=${cwd}) failed: ${res.stderr || res.stdout}`);\n+ }\n+ return res.stdout;\n+}\n+\n+// ---------------------------------------------------------------------------\n+// Main\n+// ---------------------------------------------------------------------------\n+\n+interface InstallationTokenResponse {\n+ token: string;\n+ expires_at: string;\n+}\n+\n+interface Installation {\n+ id: number;\n+ account: { login: string };\n+}\n+\n+async function main() {\n+ log(`reading darkmatter-bot App credentials from himitsu (${HIMITSU_PREFIX}/*)`);\n+ const appId = himitsuRead(`${HIMITSU_PREFIX}/app_id`);\n+ const privateKey = himitsuRead(`${HIMITSU_PREFIX}/private_key`);\n+\n+ let installationId: string;\n+ try {\n+ installationId = himitsuRead(`${HIMITSU_PREFIX}/installation_id`);\n+ } catch {\n+ installationId = \"\";\n+ }\n+\n+ const appJwt = signAppJwt(appId, privateKey);\n+ ok(\"signed App JWT\");\n+\n+ if (!installationId) {\n+ log(\"installation_id not in himitsu — looking up via /app/installations\");\n+ const installations = await gh<Installation[]>(\n+ \"GET\",\n+ \"/app/installations\",\n+ appJwt,\n+ );\n+ const match = installations.find((i) => i.account.login === GITOPS_OWNER);\n+ if (!match) {\n+ fatal(`no installation found on ${GITOPS_OWNER} org`);\n+ }\n+ installationId = String(match.id);\n+ ok(`installation_id resolved: ${installationId}`);\n+ }\n+\n+ log(\"minting pull token (packages:read on darkmatter/tenderly-snap)\");\n+ const pullToken = await gh<InstallationTokenResponse>(\n+ \"POST\",\n+ `/app/installations/${installationId}/access_tokens`,\n+ appJwt,\n+ {\n+ repositories: [IMAGE_REPO_NAME],\n+ permissions: { packages: \"read\" },\n+ },\n+ );\n+ ok(`pull token minted (expires ${pullToken.expires_at})`);\n+\n+ log(\"minting gitops token (contents:write + pull_requests:write on gitops)\");\n+ const gitopsToken = await gh<InstallationTokenResponse>(\n+ \"POST\",\n+ `/app/installations/${installationId}/access_tokens`,\n+ appJwt,\n+ {\n+ repositories: [GITOPS_REPO],\n+ permissions: { contents: \"write\", pull_requests: \"write\" },\n+ },\n+ );\n+ ok(\"gitops token minted\");\n+\n+ const dockerconfig = {\n+ auths: {\n+ \"ghcr.io\": {\n+ username: \"x-access-token\",\n+ password: pullToken.token,\n+ auth: Buffer.from(`x-access-token:${pullToken.token}`).toString(\"base64\"),\n+ },\n+ },\n+ };\n+ const dockerconfigB64 = Buffer.from(JSON.stringify(dockerconfig)).toString(\n+ \"base64\",\n+ );\n+\n+ const secretYaml = `apiVersion: v1\n+kind: Secret\n+metadata:\n+ name: ${SECRET_NAME}\n+ namespace: ${K8S_NAMESPACE}\n+ annotations:\n+ # Token expires ~1h after the alchemy run that produced this file.\n+ # Refresh by re-running:\n+ # bun run packages/alchemy/scripts/provision-ghcr-pull-secret.ts\n+ # Long-term, a CronJob in this repo should refresh it in-cluster.\n+ darkmatter.io/expires-at: \"${pullToken.expires_at}\"\n+ darkmatter.io/minted-by: \"github-app:darkmatter-bot\"\n+type: kubernetes.io/dockerconfigjson\n+data:\n+ .dockerconfigjson: ${dockerconfigB64}\n+`;\n+\n+ const workdir = mkdtempSync(join(tmpdir(), \"gitops-ghcr-\"));\n+ log(`cloning ${GITOPS_OWNER}/${GITOPS_REPO} → ${workdir}`);\n+ const cloneUrl = `https://x-access-token:${gitopsToken.token}@github.com/${GITOPS_OWNER}/${GITOPS_REPO}.git`;\n+ run(\"git\", [\"clone\", \"--depth\", \"1\", cloneUrl, \".\"], workdir);",
"path": "packages/alchemy/scripts/provision-ghcr-pull-secret.ts",
"commit_id": "5eaf4889cef96cb699f219f7eff4a6b464125330",
"original_commit_id": "5eaf4889cef96cb699f219f7eff4a6b464125330",
"user": {
"login": "Copilot",
"id": 175728472,
"node_id": "BOT_kgDOCnlnWA",
"avatar_url": "https://avatars.githubusercontent.com/in/946600?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/Copilot",
"html_url": "https://github.com/apps/copilot-pull-request-reviewer",
"followers_url": "https://api.github.com/users/Copilot/followers",
"following_url": "https://api.github.com/users/Copilot/following{/other_user}",
"gists_url": "https://api.github.com/users/Copilot/gists{/gist_id}",
"starred_url": "https://api.github.com/users/Copilot/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/Copilot/subscriptions",
"organizations_url": "https://api.github.com/users/Copilot/orgs",
"repos_url": "https://api.github.com/users/Copilot/repos",
"events_url": "https://api.github.com/users/Copilot/events{/privacy}",
"received_events_url": "https://api.github.com/users/Copilot/received_events",
"type": "Bot",
"user_view_type": "public",
"site_admin": false
},
"body": "The gitops installation token is embedded into the clone URL and passed as a process argument (`git clone https://x-access-token:<token>@github.com/...`). On multi-user systems this can be observable via `ps`, and on failures it may also show up in git's own stderr/stdout. Prefer passing credentials via `http.extraheader`/credential helper (so the token is not present in the command line).",
"created_at": "2026-06-03T15:07:10Z",
"updated_at": "2026-06-03T15:07:12Z",
"html_url": "https://github.com/darkmatter/infra/pull/20#discussion_r3349617867",
"pull_request_url": "https://api.github.com/repos/darkmatter/infra/pulls/20",
"_links": {
"self": {
"href": "https://api.github.com/repos/darkmatter/infra/pulls/comments/3349617867"
},
"html": {
"href": "https://github.com/darkmatter/infra/pull/20#discussion_r3349617867"
},
"pull_request": {
"href": "https://api.github.com/repos/darkmatter/infra/pulls/20"
}
},
"reactions": {
"url": "https://api.github.com/repos/darkmatter/infra/pulls/comments/3349617867/reactions",
"total_count": 0,
"+1": 0,
"-1": 0,
"laugh": 0,
"hooray": 0,
"confused": 0,
"heart": 0,
"rocket": 0,
"eyes": 0
},
"start_line": 238,
"original_start_line": 238,
"start_side": "RIGHT",
"line": 239,
"original_line": 239,
"side": "RIGHT",
"author_association": "NONE",
"original_position": 239,
"position": 239,
"subject_type": "line"
},
"pull_request": {
"url": "https://api.github.com/repos/darkmatter/infra/pulls/20",
"id": 3792061589,
"node_id": "PR_kwDOPq3Cd87iBkSV",
"html_url": "https://github.com/darkmatter/infra/pull/20",
"diff_url": "https://github.com/darkmatter/infra/pull/20.diff",
"patch_url": "https://github.com/darkmatter/infra/pull/20.patch",
"issue_url": "https://api.github.com/repos/darkmatter/infra/issues/20",
"number": 20,
"state": "closed",
"locked": false,
"title": "feat(alchemy): provision GHCR pull secret via darkmatter-bot GH App",
"user": {
"login": "czxtm",
"id": 1325802,
"node_id": "MDQ6VXNlcjEzMjU4MDI=",
"avatar_url": "https://avatars.githubusercontent.com/u/1325802?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/czxtm",
"html_url": "https://github.com/czxtm",
"followers_url": "https://api.github.com/users/czxtm/followers",
"following_url": "https://api.github.com/users/czxtm/following{/other_user}",
"gists_url": "https://api.github.com/users/czxtm/gists{/gist_id}",
"starred_url": "https://api.github.com/users/czxtm/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/czxtm/subscriptions",
"organizations_url": "https://api.github.com/users/czxtm/orgs",
"repos_url": "https://api.github.com/users/czxtm/repos",
"events_url": "https://api.github.com/users/czxtm/events{/privacy}",
"received_events_url": "https://api.github.com/users/czxtm/received_events",
"type": "User",
"user_view_type": "public",
"site_admin": false
},
"body": "## Summary\n\nAdds `packages/alchemy/scripts/provision-ghcr-pull-secret.ts` and a new `bun run ghcr-pull:provision` task. Bootstraps the `ghcr-pull` imagePullSecret for the tenderly-snap workload by minting a scoped installation token via the **darkmatter-bot** GitHub App and opening a PR against `darkmatter/gitops` with the rendered Secret manifest.\n\n## What it does at run time\n\n1. Reads `github/darkmatter-bot/{app_id, private_key, [installation_id]}` from himitsu.\n2. Signs an App JWT (RS256, 9-min TTL via `node:crypto`).\n3. Mints two scoped installation tokens off the same JWT:\n - **Pull token** — `packages: read` on `darkmatter/tenderly-snap`, embedded as `x-access-token:<token>` in `.dockerconfigjson`.\n - **Gitops token** — `contents: write` + `pull_requests: write` on `darkmatter/gitops`, used to clone, commit, push the branch, and open the PR.\n4. Writes `manifests/tenderly-snap/ghcr-pull-secret.yaml` (typed `kubernetes.io/dockerconfigjson`) onto a fresh dated branch in a clone of gitops, commits as `darkmatter-bot`, pushes, opens a **draft** PR.\n\n## Caveats / known tradeoffs\n\n- **~1h token TTL.** The committed Secret contains a live ~1h installation token. Merge before it expires or re-run the provisioner. The annotations include `darkmatter.io/expires-at` so it's obvious in `kubectl describe`.\n- **Plaintext token in gitops history.** Not SOPS-encrypted — gitops's age recipients aren't co-located with infra, and the 1h TTL bounds the blast radius. Worth a follow-up to wrap with SOPS.\n- **Bootstrap only.** Continuous refresh wants an in-cluster CronJob (a small Job that re-runs the same JWT→install-token dance and `kubectl patch`es the Secret). Out of scope here.\n- **Cross-repo writes are out-of-band of Alchemy's Resource model.** This is a one-shot script, not a `Resource` provider — the installation token has no stable output to track. Lives under `scripts/` alongside `bootstrap-ci.ts`.\n\n## Verification\n\n- `bun run check` — typecheck OK (workspace sources).\n- Cannot run end-to-end here: requires `himitsu`, network access to `api.github.com`, and write access to `darkmatter/gitops` via the App. Smoke test will happen when you invoke `bun run ghcr-pull:provision` on your host.\n\n## Test plan\n\n- [ ] CI: `Nix eval`, `DeterminateCI / inventory`, `SOPS yaml drift`, `Pre-commit hooks` all pass\n- [ ] On a host with himitsu access: `bun run ghcr-pull:provision` produces a draft PR on `darkmatter/gitops` with a valid `manifests/tenderly-snap/ghcr-pull-secret.yaml`\n- [ ] Merge that PR; ArgoCD syncs; `kubectl -n tenderly-snap get secret ghcr-pull` shows the secret\n- [ ] Deployment in `tenderly-snap` namespace pulls the image successfully\n\n## Follow-up (not in this PR)\n\n- In-cluster CronJob for continuous refresh of `ghcr-pull`.\n- SOPS-encrypt the rendered Secret using gitops's age recipients.\n\nhttps://claude.ai/code/session_01SyfNM4XfTFSpY1WvKJ2dEq\n\n---\n_Generated by [Claude Code](https://claude.ai/code/session_01SyfNM4XfTFSpY1WvKJ2dEq)_\n\n<!-- codesmith:footer -->\n---\n<a href=\"https://app.blacksmith.sh/darkmatter/codesmith/infra/pr/20\"><picture><source media=\"(prefers-color-scheme: dark)\" srcset=\"https://pr-comments-assets.blacksmith.sh/codesmith/view-with-codesmith-dark-v2.svg\"><source media=\"(prefers-color-scheme: light)\" srcset=\"https://pr-comments-assets.blacksmith.sh/codesmith/view-with-codesmith-light-v2.svg\"><img alt=\"View with Codesmith\" src=\"https://pr-comments-assets.blacksmith.sh/codesmith/view-with-codesmith-dark-v2.svg\"></picture></a> <a href=\"https://backend.blacksmith.sh/track/enable-autofix?expires=1783040399&installation_id=137091173&pr_number=20&repository=darkmatter%2Finfra&return_to=https%3A%2F%2Fgithub.com%2Fdarkmatter%2Finfra%2Fpull%2F20&signature=03271f41fc71c6cb5a71ecd845852dc1a06f5651a413c09145c035879d56e76e\"><picture><source media=\"(prefers-color-scheme: dark)\" srcset=\"https://pr-comments-assets.blacksmith.sh/codesmith/autofix-with-codesmith-dark.svg\"><source media=\"(prefers-color-scheme: light)\" srcset=\"https://pr-comments-assets.blacksmith.sh/codesmith/autofix-with-codesmith-light.svg\"><img alt=\"Autofix with Codesmith\" src=\"https://pr-comments-assets.blacksmith.sh/codesmith/autofix-with-codesmith-dark.svg\"></picture></a>\n<sup>Need help on this PR? Tag <code>@codesmith</code> with what you need. Autofix is disabled.</sup>\n\n<!-- codesmith:autofix:disabled -->\n<!-- /codesmith:footer -->",
"created_at": "2026-06-03T00:59:56Z",
"updated_at": "2026-06-03T15:07:12Z",
"closed_at": "2026-06-03T15:03:22Z",
"merged_at": "2026-06-03T15:03:22Z",
"merge_commit_sha": "205a0b3a30342e6293ec631fd08eb985f728877c",
"assignees": [],
"requested_reviewers": [],
"requested_teams": [],
"labels": [],
"milestone": null,
"draft": false,
"commits_url": "https://api.github.com/repos/darkmatter/infra/pulls/20/commits",
"review_comments_url": "https://api.github.com/repos/darkmatter/infra/pulls/20/comments",
"review_comment_url": "https://api.github.com/repos/darkmatter/infra/pulls/comments{/number}",
"comments_url": "https://api.github.com/repos/darkmatter/infra/issues/20/comments",
"statuses_url": "https://api.github.com/repos/darkmatter/infra/statuses/5eaf4889cef96cb699f219f7eff4a6b464125330",
"head": {
"label": "darkmatter:claude/gallant-cori-Zqh40",
"ref": "claude/gallant-cori-Zqh40",
"sha": "5eaf4889cef96cb699f219f7eff4a6b464125330",
"user": {
"login": "darkmatter",
"id": 17834193,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjE3ODM0MTkz",
"avatar_url": "https://avatars.githubusercontent.com/u/17834193?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/darkmatter",
"html_url": "https://github.com/darkmatter",
"followers_url": "https://api.github.com/users/darkmatter/followers",
"following_url": "https://api.github.com/users/darkmatter/following{/other_user}",
"gists_url": "https://api.github.com/users/darkmatter/gists{/gist_id}",
"starred_url": "https://api.github.com/users/darkmatter/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/darkmatter/subscriptions",
"organizations_url": "https://api.github.com/users/darkmatter/orgs",
"repos_url": "https://api.github.com/users/darkmatter/repos",
"events_url": "https://api.github.com/users/darkmatter/events{/privacy}",
"received_events_url": "https://api.github.com/users/darkmatter/received_events",
"type": "Organization",
"user_view_type": "public",
"site_admin": false
},
"repo": {
"id": 1051574903,
"node_id": "R_kgDOPq3Cdw",
"name": "infra",
"full_name": "darkmatter/infra",
"private": true,
"owner": {
"login": "darkmatter",
"id": 17834193,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjE3ODM0MTkz",
"avatar_url": "https://avatars.githubusercontent.com/u/17834193?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/darkmatter",
"html_url": "https://github.com/darkmatter",
"followers_url": "https://api.github.com/users/darkmatter/followers",
"following_url": "https://api.github.com/users/darkmatter/following{/other_user}",
"gists_url": "https://api.github.com/users/darkmatter/gists{/gist_id}",
"starred_url": "https://api.github.com/users/darkmatter/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/darkmatter/subscriptions",
"organizations_url": "https://api.github.com/users/darkmatter/orgs",
"repos_url": "https://api.github.com/users/darkmatter/repos",
"events_url": "https://api.github.com/users/darkmatter/events{/privacy}",
"received_events_url": "https://api.github.com/users/darkmatter/received_events",
"type": "Organization",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/darkmatter/infra",
"description": "Versioned infra repo",
"fork": false,
"url": "https://api.github.com/repos/darkmatter/infra",
"forks_url": "https://api.github.com/repos/darkmatter/infra/forks",
"keys_url": "https://api.github.com/repos/darkmatter/infra/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/darkmatter/infra/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/darkmatter/infra/teams",
"hooks_url": "https://api.github.com/repos/darkmatter/infra/hooks",
"issue_events_url": "https://api.github.com/repos/darkmatter/infra/issues/events{/number}",
"events_url": "https://api.github.com/repos/darkmatter/infra/events",
"assignees_url": "https://api.github.com/repos/darkmatter/infra/assignees{/user}",
"branches_url": "https://api.github.com/repos/darkmatter/infra/branches{/branch}",
"tags_url": "https://api.github.com/repos/darkmatter/infra/tags",
"blobs_url": "https://api.github.com/repos/darkmatter/infra/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/darkmatter/infra/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/darkmatter/infra/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/darkmatter/infra/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/darkmatter/infra/statuses/{sha}",
"languages_url": "https://api.github.com/repos/darkmatter/infra/languages",
"stargazers_url": "https://api.github.com/repos/darkmatter/infra/stargazers",
"contributors_url": "https://api.github.com/repos/darkmatter/infra/contributors",
"subscribers_url": "https://api.github.com/repos/darkmatter/infra/subscribers",
"subscription_url": "https://api.github.com/repos/darkmatter/infra/subscription",
"commits_url": "https://api.github.com/repos/darkmatter/infra/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/darkmatter/infra/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/darkmatter/infra/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/darkmatter/infra/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/darkmatter/infra/contents/{+path}",
"compare_url": "https://api.github.com/repos/darkmatter/infra/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/darkmatter/infra/merges",
"archive_url": "https://api.github.com/repos/darkmatter/infra/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/darkmatter/infra/downloads",
"issues_url": "https://api.github.com/repos/darkmatter/infra/issues{/number}",
"pulls_url": "https://api.github.com/repos/darkmatter/infra/pulls{/number}",
"milestones_url": "https://api.github.com/repos/darkmatter/infra/milestones{/number}",
"notifications_url": "https://api.github.com/repos/darkmatter/infra/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/darkmatter/infra/labels{/name}",
"releases_url": "https://api.github.com/repos/darkmatter/infra/releases{/id}",
"deployments_url": "https://api.github.com/repos/darkmatter/infra/deployments",
"created_at": "2025-09-06T09:28:59Z",
"updated_at": "2026-06-03T14:06:12Z",
"pushed_at": "2026-06-03T15:05:41Z",
"git_url": "git://github.com/darkmatter/infra.git",
"ssh_url": "git@github.com:darkmatter/infra.git",
"clone_url": "https://github.com/darkmatter/infra.git",
"svn_url": "https://github.com/darkmatter/infra",
"homepage": null,
"size": 59144,
"stargazers_count": 0,
"watchers_count": 0,
"language": "Nix",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": true,
"has_discussions": false,
"forks_count": 0,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 1,
"license": null,
"allow_forking": false,
"is_template": false,
"web_commit_signoff_required": false,
"has_pull_requests": true,
"pull_request_creation_policy": "all",
"topics": [],
"visibility": "private",
"forks": 0,
"open_issues": 1,
"watchers": 0,
"default_branch": "main",
"allow_squash_merge": true,
"allow_merge_commit": true,
"allow_rebase_merge": true,
"allow_auto_merge": false,
"delete_branch_on_merge": false,
"allow_update_branch": false,
"use_squash_pr_title_as_default": false,
"squash_merge_commit_message": "COMMIT_MESSAGES",
"squash_merge_commit_title": "COMMIT_OR_PR_TITLE",
"merge_commit_message": "PR_TITLE",
"merge_commit_title": "MERGE_MESSAGE"
}
},
"base": {
"label": "darkmatter:main",
"ref": "main",
"sha": "2e2e378416e4cd8a586e676ffe611bf60ec7dfae",
"user": {
"login": "darkmatter",
"id": 17834193,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjE3ODM0MTkz",
"avatar_url": "https://avatars.githubusercontent.com/u/17834193?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/darkmatter",
"html_url": "https://github.com/darkmatter",
"followers_url": "https://api.github.com/users/darkmatter/followers",
"following_url": "https://api.github.com/users/darkmatter/following{/other_user}",
"gists_url": "https://api.github.com/users/darkmatter/gists{/gist_id}",
"starred_url": "https://api.github.com/users/darkmatter/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/darkmatter/subscriptions",
"organizations_url": "https://api.github.com/users/darkmatter/orgs",
"repos_url": "https://api.github.com/users/darkmatter/repos",
"events_url": "https://api.github.com/users/darkmatter/events{/privacy}",
"received_events_url": "https://api.github.com/users/darkmatter/received_events",
"type": "Organization",
"user_view_type": "public",
"site_admin": false
},
"repo": {
"id": 1051574903,
"node_id": "R_kgDOPq3Cdw",
"name": "infra",
"full_name": "darkmatter/infra",
"private": true,
"owner": {
"login": "darkmatter",
"id": 17834193,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjE3ODM0MTkz",
"avatar_url": "https://avatars.githubusercontent.com/u/17834193?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/darkmatter",
"html_url": "https://github.com/darkmatter",
"followers_url": "https://api.github.com/users/darkmatter/followers",
"following_url": "https://api.github.com/users/darkmatter/following{/other_user}",
"gists_url": "https://api.github.com/users/darkmatter/gists{/gist_id}",
"starred_url": "https://api.github.com/users/darkmatter/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/darkmatter/subscriptions",
"organizations_url": "https://api.github.com/users/darkmatter/orgs",
"repos_url": "https://api.github.com/users/darkmatter/repos",
"events_url": "https://api.github.com/users/darkmatter/events{/privacy}",
"received_events_url": "https://api.github.com/users/darkmatter/received_events",
"type": "Organization",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/darkmatter/infra",
"description": "Versioned infra repo",
"fork": false,
"url": "https://api.github.com/repos/darkmatter/infra",
"forks_url": "https://api.github.com/repos/darkmatter/infra/forks",
"keys_url": "https://api.github.com/repos/darkmatter/infra/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/darkmatter/infra/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/darkmatter/infra/teams",
"hooks_url": "https://api.github.com/repos/darkmatter/infra/hooks",
"issue_events_url": "https://api.github.com/repos/darkmatter/infra/issues/events{/number}",
"events_url": "https://api.github.com/repos/darkmatter/infra/events",
"assignees_url": "https://api.github.com/repos/darkmatter/infra/assignees{/user}",
"branches_url": "https://api.github.com/repos/darkmatter/infra/branches{/branch}",
"tags_url": "https://api.github.com/repos/darkmatter/infra/tags",
"blobs_url": "https://api.github.com/repos/darkmatter/infra/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/darkmatter/infra/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/darkmatter/infra/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/darkmatter/infra/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/darkmatter/infra/statuses/{sha}",
"languages_url": "https://api.github.com/repos/darkmatter/infra/languages",
"stargazers_url": "https://api.github.com/repos/darkmatter/infra/stargazers",
"contributors_url": "https://api.github.com/repos/darkmatter/infra/contributors",
"subscribers_url": "https://api.github.com/repos/darkmatter/infra/subscribers",
"subscription_url": "https://api.github.com/repos/darkmatter/infra/subscription",
"commits_url": "https://api.github.com/repos/darkmatter/infra/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/darkmatter/infra/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/darkmatter/infra/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/darkmatter/infra/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/darkmatter/infra/contents/{+path}",
"compare_url": "https://api.github.com/repos/darkmatter/infra/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/darkmatter/infra/merges",
"archive_url": "https://api.github.com/repos/darkmatter/infra/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/darkmatter/infra/downloads",
"issues_url": "https://api.github.com/repos/darkmatter/infra/issues{/number}",
"pulls_url": "https://api.github.com/repos/darkmatter/infra/pulls{/number}",
"milestones_url": "https://api.github.com/repos/darkmatter/infra/milestones{/number}",
"notifications_url": "https://api.github.com/repos/darkmatter/infra/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/darkmatter/infra/labels{/name}",
"releases_url": "https://api.github.com/repos/darkmatter/infra/releases{/id}",
"deployments_url": "https://api.github.com/repos/darkmatter/infra/deployments",
"created_at": "2025-09-06T09:28:59Z",
"updated_at": "2026-06-03T14:06:12Z",
"pushed_at": "2026-06-03T15:05:41Z",
"git_url": "git://github.com/darkmatter/infra.git",
"ssh_url": "git@github.com:darkmatter/infra.git",
"clone_url": "https://github.com/darkmatter/infra.git",
"svn_url": "https://github.com/darkmatter/infra",
"homepage": null,
"size": 59144,
"stargazers_count": 0,
"watchers_count": 0,
"language": "Nix",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": true,
"has_discussions": false,
"forks_count": 0,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 1,
"license": null,
"allow_forking": false,
"is_template": false,
"web_commit_signoff_required": false,
"has_pull_requests": true,
"pull_request_creation_policy": "all",
"topics": [],
"visibility": "private",
"forks": 0,
"open_issues": 1,
"watchers": 0,
"default_branch": "main",
"allow_squash_merge": true,
"allow_merge_commit": true,
"allow_rebase_merge": true,
"allow_auto_merge": false,
"delete_branch_on_merge": false,
"allow_update_branch": false,
"use_squash_pr_title_as_default": false,
"squash_merge_commit_message": "COMMIT_MESSAGES",
"squash_merge_commit_title": "COMMIT_OR_PR_TITLE",
"merge_commit_message": "PR_TITLE",
"merge_commit_title": "MERGE_MESSAGE"
}
},
"_links": {
"self": {
"href": "https://api.github.com/repos/darkmatter/infra/pulls/20"
},
"html": {
"href": "https://github.com/darkmatter/infra/pull/20"
},
"issue": {
"href": "https://api.github.com/repos/darkmatter/infra/issues/20"
},
"comments": {
"href": "https://api.github.com/repos/darkmatter/infra/issues/20/comments"
},
"review_comments": {
"href": "https://api.github.com/repos/darkmatter/infra/pulls/20/comments"
},
"review_comment": {
"href": "https://api.github.com/repos/darkmatter/infra/pulls/comments{/number}"
},
"commits": {
"href": "https://api.github.com/repos/darkmatter/infra/pulls/20/commits"
},
"statuses": {
"href": "https://api.github.com/repos/darkmatter/infra/statuses/5eaf4889cef96cb699f219f7eff4a6b464125330"
}
},
"author_association": "MEMBER",
"auto_merge": null,
"assignee": null,
"active_lock_reason": null
},
"repository": {
"id": 1051574903,
"node_id": "R_kgDOPq3Cdw",
"name": "infra",
"full_name": "darkmatter/infra",
"private": true,
"owner": {
"login": "darkmatter",
"id": 17834193,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjE3ODM0MTkz",
"avatar_url": "https://avatars.githubusercontent.com/u/17834193?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/darkmatter",
"html_url": "https://github.com/darkmatter",
"followers_url": "https://api.github.com/users/darkmatter/followers",
"following_url": "https://api.github.com/users/darkmatter/following{/other_user}",
"gists_url": "https://api.github.com/users/darkmatter/gists{/gist_id}",
"starred_url": "https://api.github.com/users/darkmatter/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/darkmatter/subscriptions",
"organizations_url": "https://api.github.com/users/darkmatter/orgs",
"repos_url": "https://api.github.com/users/darkmatter/repos",
"events_url": "https://api.github.com/users/darkmatter/events{/privacy}",
"received_events_url": "https://api.github.com/users/darkmatter/received_events",
"type": "Organization",
"user_view_type": "public",
"site_admin": false
},
"html_url": "https://github.com/darkmatter/infra",
"description": "Versioned infra repo",
"fork": false,
"url": "https://api.github.com/repos/darkmatter/infra",
"forks_url": "https://api.github.com/repos/darkmatter/infra/forks",
"keys_url": "https://api.github.com/repos/darkmatter/infra/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/darkmatter/infra/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/darkmatter/infra/teams",
"hooks_url": "https://api.github.com/repos/darkmatter/infra/hooks",
"issue_events_url": "https://api.github.com/repos/darkmatter/infra/issues/events{/number}",
"events_url": "https://api.github.com/repos/darkmatter/infra/events",
"assignees_url": "https://api.github.com/repos/darkmatter/infra/assignees{/user}",
"branches_url": "https://api.github.com/repos/darkmatter/infra/branches{/branch}",
"tags_url": "https://api.github.com/repos/darkmatter/infra/tags",
"blobs_url": "https://api.github.com/repos/darkmatter/infra/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/darkmatter/infra/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/darkmatter/infra/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/darkmatter/infra/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/darkmatter/infra/statuses/{sha}",
"languages_url": "https://api.github.com/repos/darkmatter/infra/languages",
"stargazers_url": "https://api.github.com/repos/darkmatter/infra/stargazers",
"contributors_url": "https://api.github.com/repos/darkmatter/infra/contributors",
"subscribers_url": "https://api.github.com/repos/darkmatter/infra/subscribers",
"subscription_url": "https://api.github.com/repos/darkmatter/infra/subscription",
"commits_url": "https://api.github.com/repos/darkmatter/infra/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/darkmatter/infra/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/darkmatter/infra/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/darkmatter/infra/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/darkmatter/infra/contents/{+path}",
"compare_url": "https://api.github.com/repos/darkmatter/infra/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/darkmatter/infra/merges",
"archive_url": "https://api.github.com/repos/darkmatter/infra/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/darkmatter/infra/downloads",
"issues_url": "https://api.github.com/repos/darkmatter/infra/issues{/number}",
"pulls_url": "https://api.github.com/repos/darkmatter/infra/pulls{/number}",
"milestones_url": "https://api.github.com/repos/darkmatter/infra/milestones{/number}",
"notifications_url": "https://api.github.com/repos/darkmatter/infra/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/darkmatter/infra/labels{/name}",
"releases_url": "https://api.github.com/repos/darkmatter/infra/releases{/id}",
"deployments_url": "https://api.github.com/repos/darkmatter/infra/deployments",
"created_at": "2025-09-06T09:28:59Z",
"updated_at": "2026-06-03T14:06:12Z",
"pushed_at": "2026-06-03T15:05:41Z",
"git_url": "git://github.com/darkmatter/infra.git",
"ssh_url": "git@github.com:darkmatter/infra.git",
"clone_url": "https://github.com/darkmatter/infra.git",
"svn_url": "https://github.com/darkmatter/infra",
"homepage": null,
"size": 59144,
"stargazers_count": 0,
"watchers_count": 0,
"language": "Nix",
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": true,
"has_discussions": false,
"forks_count": 0,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 1,
"license": null,
"allow_forking": false,
"is_template": false,
"web_commit_signoff_required": false,
"has_pull_requests": true,
"pull_request_creation_policy": "all",
"topics": [],
"visibility": "private",
"forks": 0,
"open_issues": 1,
"watchers": 0,
"default_branch": "main",
"custom_properties": {}
},
"organization": {
"login": "darkmatter",
"id": 17834193,
"node_id": "MDEyOk9yZ2FuaXphdGlvbjE3ODM0MTkz",
"url": "https://api.github.com/orgs/darkmatter",
"repos_url": "https://api.github.com/orgs/darkmatter/repos",
"events_url": "https://api.github.com/orgs/darkmatter/events",
"hooks_url": "https://api.github.com/orgs/darkmatter/hooks",
"issues_url": "https://api.github.com/orgs/darkmatter/issues",
"members_url": "https://api.github.com/orgs/darkmatter/members{/member}",
"public_members_url": "https://api.github.com/orgs/darkmatter/public_members{/member}",
"avatar_url": "https://avatars.githubusercontent.com/u/17834193?v=4",
"description": ""
},
"enterprise": {
"id": 469843,
"slug": "darkmatter",
"name": "darkmatter",
"node_id": "E_kgDOAAcrUw",
"avatar_url": "https://avatars.githubusercontent.com/b/469843?v=4",
"description": "",
"website_url": "darkmatter.io",
"html_url": "https://github.com/enterprises/darkmatter",
"created_at": "2025-09-07T16:01:00Z",
"updated_at": "2026-05-09T15:34:55Z"
},
"sender": {
"login": "Copilot",
"id": 175728472,
"node_id": "BOT_kgDOCnlnWA",
"avatar_url": "https://avatars.githubusercontent.com/in/946600?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/Copilot",
"html_url": "https://github.com/apps/copilot-pull-request-reviewer",
"followers_url": "https://api.github.com/users/Copilot/followers",
"following_url": "https://api.github.com/users/Copilot/following{/other_user}",
"gists_url": "https://api.github.com/users/Copilot/gists{/gist_id}",
"starred_url": "https://api.github.com/users/Copilot/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/Copilot/subscriptions",
"organizations_url": "https://api.github.com/users/Copilot/orgs",
"repos_url": "https://api.github.com/users/Copilot/repos",
"events_url": "https://api.github.com/users/Copilot/events{/privacy}",
"received_events_url": "https://api.github.com/users/Copilot/received_events",
"type": "Bot",
"user_view_type": "public",
"site_admin": false
},
"installation": {
"id": 131074261,
"node_id": "MDIzOkludGVncmF0aW9uSW5zdGFsbGF0aW9uMTMxMDc0MjYx"
}
}