Skip to content

shipiit/forge

Repository files navigation

ShipIT Forge β€” autonomous GitHub coding agent

An autonomous GitHub coding agent β€” like a teammate that fixes issues, opens PRs, and reviews pull requests (with a GitHub Advanced Security–style security pass).

Multi-provider Β· Vision-aware Β· Self-hosted Β· Original open-source code.


Website CI License: MIT Node TypeScript Tests PRs welcome


Providers: Β Vertex AI GeminiΒ Β·Β AWS BedrockΒ Β·Β OpenAIΒ Β·Β Anthropic


🌐 shipiit.github.io/forge  ·  Live examples  ·  Docs

On this page: Quick start Β· Deploy as an App Β· Use as an Action Β· How it works Β· Config Β· Roadmap


✨ What it does

Capability How you trigger it
πŸ› οΈ Fix an issue β†’ open a PR β€” investigates the repo, writes the fix on a branch, runs the tests, opens a PR that closes the issue Label agent-fix, or comment /fix
πŸ” Review a PR β€” inline comments + summary verdict, quality and security lenses Open a PR, or comment /review
πŸ›‘οΈ Security review β€” flags SSRF, injection, secrets, authz… with severity + a suggested-fix block Auto on PRs, or comment /security
πŸ‘‹ Invite as a reviewer β€” request @shipit-forge on any PR and it reviews on demand Add it as a PR reviewer
πŸ’¬ Answer @mentions β€” explains code on issues; on a PR it can push a follow-up commit to the branch Comment @shipit-forge <ask>
πŸ–ΌοΈ Reads screenshots β€” pulls images out of issue/PR bodies and feeds them to vision models Automatic

🧭 Three ways to install & run it

Pick the one that fits β€” they all share the same engine.

Best for Install Run
β‘  CLI / local Trying it on your machine, scripting, CI of your own git clone https://github.com/shipiit/forge.git && cd forge && npm install && npm run build node dist/cli.js fix --repo /path/to/repo --task "…" --provider fake
β‘‘ GitHub Action Per-repo or per-org, your own keys, zero infra Copy examples/forge.yml β†’ .github/workflows/forge.yml, add a provider secret Label an issue agent-fix, comment /review, or @shipit-forge … β€” it runs in your Actions
β‘’ Hosted GitHub App Org-wide, one-click install for many repos Deploy the webhook server (Render / Cloud Run / Docker), then register via app.yml Install on the org β†’ events trigger it automatically on a server you host

Not sure? Start with β‘  CLI + --provider fake (no keys, 2 min). Want it on GitHub without hosting β†’ β‘‘ Action. Want org-wide one-click β†’ β‘’ App. Full per-distribution credential setup for all four providers: deploy/PROVIDERS.md.

Jump to: β‘  CLI Β· β‘‘ Action Β· β‘’ App


πŸ“¦ Installation

Prerequisites: Node.js β‰₯ 20 (22 recommended), git, and (optional but faster search) ripgrep.

# 1. Clone
git clone https://github.com/shipiit/forge.git
cd forge

# 2. Install dependencies
npm install

# 3. Build (compiles TypeScript β†’ dist/)
npm run build

# 4. Verify everything works (88 unit + integration tests)
npm test

That's it β€” you now have the forge CLI at node dist/cli.js. (Optionally npm link to get a global forge command.)

πŸš€ Quick start (no credentials)

The agent engine runs locally with a built-in fake provider β€” no API keys needed, great for a first look:

node dist/cli.js fix --repo /path/to/any/repo --task "fix the failing login test" --provider fake

It clones nothing (works on the path you give), runs the tool loop, and prints what changed.

Configure a provider securely β€” forge setup

The easiest, safest way to add your credentials. It writes a gitignored .env with chmod 600 so secrets never get committed:

node dist/cli.js setup
πŸ”§ ShipIT Forge β€” provider setup

Which provider?
  1) Vertex AI Gemini
  2) Anthropic
  3) OpenAI
  4) AWS Bedrock
> 1
GCP project id: <your-gcp-project-id>
Location [us-central1]:
Model [gemini-2.5-pro]:
Provide the service-account key. Either:
  β€’ a path to the JSON file, or
  β€’ paste the JSON, then a line with just END
path or paste> <paste your service-account JSON, or a file path>
βœ… Wrote .env (chmod 600) and updated .gitignore. Your secrets are gitignored.

Setting up Vertex AI credentials (step by step):

  1. In Google Cloud Console β†’ IAM & Admin β†’ Service Accounts, create a service account (or reuse one).
  2. Give it the Vertex AI User role (roles/aiplatform.user).
  3. Keys β†’ Add key β†’ JSON to download the key file. Keep it private β€” never commit it.
  4. Run forge setup, choose Vertex AI Gemini, enter your project id, and either paste the JSON or give the path to the downloaded file.

When you paste, the JSON is validated and saved to .forge/vertex-sa.json (chmod 600, gitignored); when you give a path, it's referenced in place. Either way nothing secret is ever committed.

Or set env vars manually

export LLM_PROVIDER=vertex
export VERTEX_PROJECT=my-gcp-project
export VERTEX_LOCATION=us-central1
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
node dist/cli.js fix --repo /path/to/repo --task "…" --provider vertex

See .env.example for every provider's variables, and deploy/PROVIDERS.md for step-by-step credential setup for all four providers (Vertex Gemini, Bedrock, OpenAI, Anthropic) across CLI / Action / App.

Test it end-to-end with a real model (2 minutes)

Make a tiny buggy repo and let Forge fix it:

# 1. A throwaway repo with a deliberate bug + a test
mkdir /tmp/forge-try && cd /tmp/forge-try && git init -q
printf 'export const add = (a, b) => a - b; // bug\n' > sum.js
printf "import test from 'node:test'; import assert from 'node:assert'; import {add} from './sum.js';\ntest('adds', () => assert.strictEqual(add(2,3), 5));\n" > sum.test.js
printf '{"type":"module","scripts":{"test":"node --test"}}\n' > package.json
git add -A && git commit -qm init

# 2. Point Forge at it with your provider (Vertex shown)
cd -                                   # back to the forge repo
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
node dist/cli.js fix --repo /tmp/forge-try \
  --task "add() subtracts instead of adding; fix it so the tests pass" \
  --provider vertex --model gemini-2.5-pro

Forge will read sum.js, change a - b β†’ a + b, run node --test, confirm it passes, and print the diff. (This exact flow is verified working against Vertex AI Gemini 2.5 Pro.) βœ…


πŸ€– Deploy as a GitHub App

Publishing the code β‰  running the agent. GitHub stores your repo and the App registration, but the agent runs on your server. GitHub sends webhooks β†’ your server clones the repo, calls the model, and opens the PR/review. Docker is just a portable way to run that server anywhere.

1. Deploy the webhook server (runs 24/7 β€” no laptop). Pick a host:

  • No GCP, easiest: Render β€” connect the repo, set env vars, done (uses render.yaml).
  • Google Cloud Run (one command): see deploy/DEPLOY.md
    PROJECT=your-gcp-project-id APP_ID=… WEBHOOK_SECRET=… \
      PRIVATE_KEY_FILE=./shipit-forge.private-key.pem ./deploy/cloudrun.sh
  • Any host with Docker (Railway, Fly.io, a VPS):
    docker build -t shipit-forge . && docker run -p 3000:3000 --env-file .env shipit-forge

It's a standard Node/Docker app β€” it just needs a public HTTPS URL. Set the provider/App env vars (see deploy/PROVIDERS.md); on non-GCP hosts pass the Vertex key as VERTEX_CREDENTIALS_JSON (the server writes it to a file at boot). Never set WEBHOOK_PROXY_URL in production.

2. Register the GitHub App (one click)

With the server running, open its URL (e.g. http://localhost:3000 in dev, or your public URL). Probot serves a registration page driven by app.yml:

  1. Click Register a GitHub App β†’ it redirects you to GitHub with the name, permissions, and events pre-filled from app.yml.
  2. Pick the owner β€” choose your organization (e.g. shipiit) so the App belongs to the org.
  3. Confirm. GitHub creates the App and redirects back; Probot automatically writes APP_ID, PRIVATE_KEY, and WEBHOOK_SECRET into your .env. Add your provider vars and restart.

Prefer manual? GitHub β†’ Settings β†’ Developer settings β†’ GitHub Apps β†’ New GitHub App, then copy the permissions/events from app.yml.

Keep it private while testing. app.yml has public: false, so only orgs you administer can install it β€” perfect for trying it inside your own org first. Flip to public: true later to allow any org and to list it on the Marketplace.

Set the App icon β€” in the App's Settings β†’ Display information β†’ Logo, upload assets/logo.png (the anvil-and-spark mark). A 512Γ—512 and a 1024Γ—1024 (logo-1024.png) export are included.

3. Install on your org (test it) β€” App page β†’ Install App β†’ your org β†’ pick one test repo (or All repositories). Then open an issue with the agent-fix label, or request @shipit-forge on a PR, and watch it work. Once it behaves, widen to all repos and/or make it public.

4. Invite & test it β€” in any repo of that org:

  • open an issue and add the label agent-fix (or comment /fix) β†’ Forge opens a fix PR;
  • open a PR β†’ Forge auto-reviews it; or request @shipit-forge as a reviewer on an existing PR;
  • comment /review, /security, or @shipit-forge <ask> anywhere.

Watch it work: the server logs every event and tool call (with secrets redacted). For Docker, docker logs -f <container>. A failed run still comments on the issue/PR explaining what happened.

Run locally without deploying (for development)

You can receive real GitHub webhooks on your laptop using a proxy β€” no hosting needed:

cp .env.example .env        # fill in APP_ID, PRIVATE_KEY, WEBHOOK_SECRET + your provider vars
npm run dev                 # starts the webhook server with hot reload
# Probot prints a smee.io proxy URL on first run; set it as the App's webhook URL.

This is the fastest way to try the App end-to-end and invite it on a test PR before committing to a hosting provider.


⚑ Use it as a GitHub Action (no server, your own keys)

Prefer "just add a file" with no hosting and no app registration? Use the Action β€” each repo/org runs Forge in its own CI with its own provider key. This is the per-org-credentials model (like Claude Code's Action).

  1. Add your provider key as a repo/org secret (Settings β†’ Secrets and variables β†’ Actions), e.g. VERTEX_SA_JSON, OPENAI_API_KEY, or ANTHROPIC_API_KEY.
  2. Copy examples/forge.yml to .github/workflows/forge.yml (full guide, incl. acting as your own App bot like Claude: deploy/GITHUB_ACTIONS.md):
name: ShipIT Forge
on:
  issues: { types: [opened, labeled] }
  issue_comment: { types: [created] }
  pull_request: { types: [opened, synchronize, review_requested] }
  pull_request_review_comment: { types: [created] }
permissions: { contents: write, pull-requests: write, issues: write, checks: read, statuses: read, actions: write }
jobs:
  forge:
    runs-on: ubuntu-latest
    steps:
      - uses: shipiit/forge@v1
        with: { provider: vertex }
        env:
          LLM_PROVIDER: vertex
          VERTEX_PROJECT: ${{ vars.VERTEX_PROJECT }}
          VERTEX_CREDENTIALS_JSON: ${{ secrets.VERTEX_SA_JSON }}

That's it β€” label an issue agent-fix, comment /review on a PR, or @shipit-forge anything, and it runs in your Actions with your key and compute. No server to host, nothing to register.

Action vs hosted App: the Action = per-org keys, zero infra, runs in their CI. The App (above) = one server you host and pay for, one-click install for others. Same engine.

🧩 Configuration

Per-repo via .github/agent.yml (all optional), with env-var defaults:

model: gemini-2.5-pro          # provider-specific model id
trigger_label: agent-fix
auto_fix: label                # label | opened | off
auto_review: always            # always | requested | off
test_command: "npm test"       # else auto-detected
review_depth: standard         # light | standard | deep
ignore_paths: ["dist/**", "*.lock"]
Env var Default Effect
LLM_PROVIDER anthropic vertex Β· bedrock Β· openai Β· anthropic
FORGE_AUTO_FIX label opened = attempt a PR on every new issue (full auto)
FORGE_AUTO_REVIEW always requested = only when invited / /review
MAX_ITERATIONS 25 Max agent tool-loop steps per run

πŸ› οΈ How it works

issue / PR event ─▢ Probot webhook ─▢ clone repo (sandbox)
                                          β”‚
                       agent loop β—€β”€β”€β”€β”€β”€β”€β”€β”˜   (LLM + tools, provider-agnostic)
                       read Β· search Β· edit Β· multi_edit Β· glob Β· git_history Β· run_bash Β· run_tests
                                          β”‚
                       verify (tests) β”€β”€β”€β”€β”˜
                                          β”‚
                 β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                 β–Ό                         β–Ό                        β–Ό
          open PR (Closes #n)      PR review (inline +        @mention reply
                                   security + suggestions)
  • Provider layer (src/providers) β€” one LLMClient interface; adapters normalize chat + tool-calling + images for Anthropic, Vertex Gemini, OpenAI, Bedrock. Swap providers with one env var.
  • Tools (src/agent/tools) β€” read_file, write_file, edit_file, multi_edit, list_dir, glob, read_image, search, git_history, run_bash (sandboxed: allow/deny, timeout, no network), run_tests (auto-detected).
  • Agent loop (src/agent/loop.ts) β€” chat β†’ tool calls β†’ results β†’ repeat, with retries, iteration + token limits, and a repo-map for fast orientation.
  • GitHub layer (src/github) β€” vision image extraction, workspace clone/branch/commit/push, PR composer, diff-aware security review composer; wired to webhooks in src/app.ts.

πŸ§ͺ Testing

npm test         # vitest β€” 88 unit + integration tests
npm run typecheck

Everything is testable without credentials: a scripted fake provider drives the agent loop, and each real adapter is verified via pure normalization functions + injected mock clients. CI runs typecheck + tests + build on every push.


πŸ—ΊοΈ Roadmap

  • Agent engine, 11 tools, sandbox, retries
  • 4 provider adapters + vision
  • GitHub App: issueβ†’PR, PR review, security lens, @mentions
  • Review line-safety, .github/agent.yml, secret redaction, CI
  • Live provider smoke run (verified on Vertex Gemini 2.5 Pro)
  • Follow-up commits when @mentioned on a PR
  • Secure forge setup wizard (paste/point-to credentials, gitignored)
  • Recorded handler integration tests (mocked Octokit)
  • Cost tracking (per-run token + USD estimate)
  • CodeQL/SARIF ingestion (merge scanner findings into review)
  • Multi-pass self-review (agent critiques its own diff β†’ draft PR on blockers)
  • npm-publishable package (files, bin, prepublishOnly)
  • GitHub Action distribution (per-org credentials, no server)
  • Sub-agents β€” orchestrator can delegate focused subtasks (depth-bounded)
  • Marketplace listing kit + privacy policy (deploy/MARKETPLACE.md)
  • Submit the Marketplace listing (needs the public, verified, hosted App β€” your step)

πŸ”’ A note on provenance

ShipIT Forge is original open-source code. It does not copy or reuse any proprietary source. It follows the same public, event-driven pattern as other GitHub coding bots, implemented from scratch.

🀝 Contributing

Issues and PRs welcome! Read CONTRIBUTING.md for the dev setup, project layout, how to add a provider, and the PR checklist. Use the issue templates (πŸ› bug / πŸ’‘ feature) when opening an issue. Run npm test before pushing β€” and feel free to let Forge review your PR. πŸ˜„

main is protected: every change lands via PR, ShipIT Forge auto-reviews it (security + code), and a maintainer gives the final approval.

License

MIT Β© Rahul Raj


ShipIT Forge logo

ShipIT Forge

Autonomous GitHub coding agent β€” fixes issues, opens PRs, reviews code with a security lens.

🌐 Website Β Β·Β  πŸ“‚ Examples Β Β·Β  πŸ“– Docs Β Β·Β  ⭐ GitHub

Built by Rahul Raj Β· MIT licensed Β· Made with πŸ”¨

About

πŸ”¨ ShipIT Forge β€” autonomous GitHub coding agent: fixes issues, opens PRs, reviews code with a security lens, auto-fixes CI. Multi-provider (Vertex Gemini, Bedrock, OpenAI, Anthropic).

Topics

Resources

License

Contributing

Stars

Watchers

Forks

Packages

 
 
 

Contributors