unkeyed · chronark · Feb 3, 2026 · Jan 26, 2026 · Jan 26, 2026 · Jan 28, 2026
@@ -127,7 +127,7 @@ fuzz: ## Run fuzz tests
 		for func in $$funcs; do \
 			echo "Fuzzing $$func in $$file"; \
 			parentDir=$$(dirname $$file); \
-			go test $$parentDir -run=$$func -fuzz=$$func -fuzztime=60s; \
+			go test $$parentDir -run=^$$func$$ -fuzz=^$$func$$ -fuzztime=1m; \
 		done; \
 	done
 .PHONY: unkey

@@ -68,29 +68,18 @@ var apiCmd = &cli.Command{
 		cli.String("restate-api-key", "API key for Restate ingress requests",
 			cli.EnvVar("UNKEY_RESTATE_API_KEY")),
 
-		cli.String("clickhouse-url", "ClickHouse connection string for analytics. Recommended for production. Example: clickhouse://user:pass@host:9000/unkey",
-			cli.EnvVar("UNKEY_CLICKHOUSE_URL")),
-
-		// Build S3 configuration
-		cli.String("build-s3-url", "S3 URL for build storage",
-			cli.Required(), cli.EnvVar("UNKEY_BUILD_S3_URL")),
-		cli.String("build-s3-external-url", "External S3 URL for presigned URLs",
-			cli.EnvVar("UNKEY_BUILD_S3_EXTERNAL_URL")),
-		cli.String("build-s3-bucket", "S3 bucket for build storage",
-			cli.Required(), cli.EnvVar("UNKEY_BUILD_S3_BUCKET")),
-		cli.String("build-s3-access-key-id", "S3 access key ID",
-			cli.Required(), cli.EnvVar("UNKEY_BUILD_S3_ACCESS_KEY_ID")),
-		cli.String("build-s3-access-key-secret", "S3 access key secret",
-			cli.Required(), cli.EnvVar("UNKEY_BUILD_S3_ACCESS_KEY_SECRET")),
-
 		cli.StringSlice("available-regions", "Available regions for deployment", cli.EnvVar("UNKEY_AVAILABLE_REGIONS"), cli.Default([]string{"local.dev"})),
 
 		// Certificate bootstrap configuration
 		cli.String("default-domain", "Default domain for wildcard certificate bootstrapping (e.g., unkey.app)", cli.EnvVar("UNKEY_DEFAULT_DOMAIN")),
+
 		cli.String("regional-domain", "Domain for cross-region communication. Per-region wildcards created as *.{region}.{domain} (e.g., unkey.cloud)", cli.EnvVar("UNKEY_REGIONAL_DOMAIN")),
 
 		// Custom domain configuration
 		cli.String("cname-domain", "Base domain for custom domain CNAME targets (e.g., unkey-dns.com)", cli.Required(), cli.EnvVar("UNKEY_CNAME_DOMAIN")),
+
+		// GitHub webhook configuration
+		cli.String("github-app-webhook-secret", "Secret for verifying GitHub webhook signatures", cli.EnvVar("UNKEY_GITHUB_APP_WEBHOOK_SECRET")),
 	},
 	Action: apiAction,
 }
@@ -137,15 +126,6 @@ func apiAction(ctx context.Context, cmd *cli.Command) error {
 		// Control Plane Specific
 		AuthToken: cmd.String("auth-token"),
 
-		// Build configuration
-		BuildS3: ctrlapi.S3Config{
-			URL:             cmd.String("build-s3-url"),
-			ExternalURL:     cmd.String("build-s3-external-url"),
-			Bucket:          cmd.String("build-s3-bucket"),
-			AccessKeySecret: cmd.String("build-s3-access-key-secret"),
-			AccessKeyID:     cmd.String("build-s3-access-key-id"),
-		},
-
 		// Restate configuration (API is a client, only needs ingress URL)
 		Restate: ctrlapi.RestateConfig{
 			URL:      cmd.String("restate-url"),
@@ -161,6 +141,9 @@ func apiAction(ctx context.Context, cmd *cli.Command) error {
 
 		// Custom domain configuration
 		CnameDomain: strings.TrimSuffix(strings.TrimSpace(cmd.RequireString("cname-domain")), "."),
+
+		// GitHub webhook
+		GitHubWebhookSecret: cmd.String("github-app-webhook-secret"),
 	}
 
 	err := config.Validate()

@@ -46,14 +46,6 @@ var workerCmd = &cli.Command{
 		),
 
 		// Build Configuration
-		cli.String("build-s3-url", "S3 Compatible Endpoint URL for build contexts",
-			cli.Required(), cli.EnvVar("UNKEY_BUILD_S3_URL")),
-		cli.String("build-s3-bucket", "S3 bucket name for build contexts",
-			cli.Required(), cli.EnvVar("UNKEY_BUILD_S3_BUCKET")),
-		cli.String("build-s3-access-key-id", "S3 access key ID for build contexts",
-			cli.Required(), cli.EnvVar("UNKEY_BUILD_S3_ACCESS_KEY_ID")),
-		cli.String("build-s3-access-key-secret", "S3 secret access key for build contexts",
-			cli.Required(), cli.EnvVar("UNKEY_BUILD_S3_ACCESS_KEY_SECRET")),
 		cli.String("build-platform", "Run builds on this platform ('dynamic', 'linux/amd64', 'linux/arm64')",
 			cli.Default("linux/amd64"), cli.EnvVar("UNKEY_BUILD_PLATFORM")),
 
@@ -105,6 +97,10 @@ var workerCmd = &cli.Command{
 		cli.String("sentinel-image", "The image new sentinels get deployed with", cli.Default("ghcr.io/unkeyed/unkey:local"), cli.EnvVar("UNKEY_SENTINEL_IMAGE")),
 		cli.StringSlice("available-regions", "Available regions for deployment", cli.EnvVar("UNKEY_AVAILABLE_REGIONS"), cli.Default([]string{"local.dev"})),
 
+		// GitHub App Configuration
+		cli.Int64("github-app-id", "GitHub App ID for webhook-triggered deployments", cli.EnvVar("UNKEY_GITHUB_APP_ID")),
+		cli.String("github-private-key-pem", "GitHub App private key in PEM format", cli.EnvVar("UNKEY_GITHUB_PRIVATE_KEY_PEM")),
+
 		// Healthcheck heartbeat URLs
 		cli.String("cert-renewal-heartbeat-url", "Checkly heartbeat URL for certificate renewal", cli.EnvVar("UNKEY_CERT_RENEWAL_HEARTBEAT_URL")),
 		cli.String("quota-check-heartbeat-url", "Checkly heartbeat URL for quota checks", cli.EnvVar("UNKEY_QUOTA_CHECK_HEARTBEAT_URL")),
@@ -132,13 +128,6 @@ func workerAction(ctx context.Context, cmd *cli.Command) error {
 		VaultToken: cmd.String("vault-token"),
 
 		// Build configuration
-		BuildS3: worker.S3Config{
-			URL:             cmd.String("build-s3-url"),
-			Bucket:          cmd.String("build-s3-bucket"),
-			AccessKeyID:     cmd.String("build-s3-access-key-id"),
-			AccessKeySecret: cmd.String("build-s3-access-key-secret"),
-			ExternalURL:     "",
-		},
 		BuildPlatform: cmd.String("build-platform"),
 
 		// Registry configuration
@@ -179,16 +168,20 @@ func workerAction(ctx context.Context, cmd *cli.Command) error {
 		ClickhouseURL:      cmd.String("clickhouse-url"),
 		ClickhouseAdminURL: cmd.String("clickhouse-admin-url"),
 
-		// Common
-		Clock: clock.New(),
-
 		// Sentinel configuration
 		SentinelImage:    cmd.String("sentinel-image"),
 		AvailableRegions: cmd.RequireStringSlice("available-regions"),
 
+		// GitHub configuration
+		GitHub: worker.GitHubConfig{
+			AppID:         cmd.Int64("github-app-id"),
+			PrivateKeyPEM: cmd.String("github-private-key-pem"),
+		},
 		// Custom domain configuration
 		CnameDomain: strings.TrimSuffix(strings.TrimSpace(cmd.RequireString("cname-domain")), "."),
 
+		Clock: clock.New(),
+
 		// Healthcheck heartbeat URLs
 		CertRenewalHeartbeatURL: cmd.String("cert-renewal-heartbeat-url"),
 		QuotaCheckHeartbeatURL:  cmd.String("quota-check-heartbeat-url"),

@@ -0,0 +1,18 @@
+# GitHub App credentials for webhook-triggered deployments
+# Copy this to .env.github and fill in your values
+
+# GitHub App ID (from your GitHub App settings)
+UNKEY_GITHUB_APP_ID=2721195
+
+# GitHub App Private Key (PEM format, keep the newlines)
+# Generate from GitHub App settings > Private keys > Generate a private key
+UNKEY_GITHUB_PRIVATE_KEY_PEM=-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA...
+...your key here...
+-----END RSA PRIVATE KEY-----
+
+
+UNKEY_GITHUB_APP_WEBHOOK_SECRET=superescuretsecret
+
+
+NEXT_PUBLIC_GITHUB_APP_NAME="unkey-staging"
@@ -229,6 +229,7 @@ local_resource(
 )
 
 
+
 # Dashboard - runs locally with HMR (env loaded from web/apps/dashboard/.env)
 local_resource(
     'dashboard',

@@ -44,35 +44,7 @@ spec:
             # Observability - DISABLED for development
             - name: UNKEY_OTEL
               value: "false"
-            # Control Plane Specific
-            # Vault Configuration (required)
-            - name: UNKEY_VAULT_URL
-              value: http://vault:8060
-            - name: UNKEY_VAULT_TOKEN
-              value: vault-test-token-123
-            - name: UNKEY_BUILD_S3_URL
-              valueFrom:
-                secretKeyRef:
-                  name: depot-credentials
-                  key: UNKEY_BUILD_S3_URL
-            - name: UNKEY_BUILD_S3_EXTERNAL_URL
-              valueFrom:
-                secretKeyRef:
-                  name: depot-credentials
-                  key: UNKEY_BUILD_S3_URL
-            - name: UNKEY_BUILD_S3_BUCKET
-              value: "build-contexts"
-            - name: UNKEY_BUILD_S3_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: depot-credentials
-                  key: UNKEY_BUILD_S3_ACCESS_KEY_ID
-            - name: UNKEY_BUILD_S3_ACCESS_KEY_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: depot-credentials
-                  key: UNKEY_BUILD_S3_ACCESS_KEY_SECRET
-            # Registry Configuration (used by both Docker and Depot backends)
+
             #kubectl create secret docker-registry depot-registry \
             # --docker-server=registry.depot.dev \
             # --docker-username=x-token \
@@ -97,14 +69,21 @@ spec:
             - name: UNKEY_CNAME_DOMAIN
               value: "unkey.local"
 
+            # GitHub webhook
+            - name: UNKEY_GITHUB_APP_WEBHOOK_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: github-credentials
+                  key: UNKEY_GITHUB_APP_WEBHOOK_SECRET
+
       initContainers:
         - name: wait-for-dependencies
           image: busybox:1.36
           command:
             [
               "sh",
               "-c",
-              "until nc -z mysql 3306 && nc -z s3 3902 && nc -z restate 8080 && nc -z vault 8060; do echo waiting for dependencies; sleep 2; done;",
+              "until nc -z mysql 3306 && nc -z restate 8080 && nc -z vault 8060; do echo waiting for dependencies; sleep 2; done;",
             ]
 
 ---

@@ -58,24 +58,6 @@ spec:
             # Build Configuration
             - name: UNKEY_BUILD_PLATFORM
               value: "linux/arm64"
-            # Build S3 Storage (from depot-credentials secret)
-            - name: UNKEY_BUILD_S3_URL
-              valueFrom:
-                secretKeyRef:
-                  name: depot-credentials
-                  key: UNKEY_BUILD_S3_URL
-            - name: UNKEY_BUILD_S3_BUCKET
-              value: "build-contexts"
-            - name: UNKEY_BUILD_S3_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: depot-credentials
-                  key: UNKEY_BUILD_S3_ACCESS_KEY_ID
-            - name: UNKEY_BUILD_S3_ACCESS_KEY_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: depot-credentials
-                  key: UNKEY_BUILD_S3_ACCESS_KEY_SECRET
 
             # Registry Configuration
             - name: UNKEY_REGISTRY_URL
@@ -118,6 +100,18 @@ spec:
             - name: UNKEY_CLICKHOUSE_ADMIN_URL
               value: "clickhouse://unkey_user_admin:C57RqT5EPZBqCJkMxN9mEZZEzMPcw9yBlwhIizk99t7kx6uLi9rYmtWObsXzdl@clickhouse:9000?secure=false&skip_verify=true"
 
+            # GitHub App Configuration
+            - name: UNKEY_GITHUB_APP_ID
+              valueFrom:
+                secretKeyRef:
+                  name: github-credentials
+                  key: UNKEY_GITHUB_APP_ID
+            - name: UNKEY_GITHUB_PRIVATE_KEY_PEM
+              valueFrom:
+                secretKeyRef:
+                  name: github-credentials
+                  key: UNKEY_GITHUB_PRIVATE_KEY_PEM
+
             - name: UNKEY_SENTINEL_IMAGE
               value: "unkey/sentinel:latest"
           envFrom:
@@ -135,7 +129,7 @@ spec:
             [
               "sh",
               "-c",
-              "until nc -z mysql 3306 && nc -z s3 3902 && nc -z restate 8080 && nc -z vault 8060; do echo waiting for dependencies; sleep 2; done;",
+              "until nc -z mysql 3306 && nc -z restate 8080 && nc -z vault 8060; do echo waiting for dependencies; sleep 2; done;",
             ]
 
 ---

@@ -96,6 +96,7 @@ var excludePatterns = []string{
 	// Kubernetes
 	`^k8s\.io/api/core/v1.*$`,
 	`^k8s\.io/api/apps/v1.*$`,
+	`^k8s\.io/api/batch/v1.*$`,
 	`^k8s\.io/apimachinery/pkg/apis/meta/v1.*$`,
 	`^sigs\.k8s\.io/controller-runtime/pkg/client.*$`,
-Original file line number
+Diff line change
@@ Expand Up / @@ -229,6 +229,7 @@ local_resource( @@
     )
     # Dashboard - runs locally with HMR (env loaded from web/apps/dashboard/.env)
     local_resource(
         'dashboard',
@@ Expand Down @@