Azure Container Apps is a serverless container platform built on Kubernetes. It handles scaling, networking, and TLS certificates automatically, letting you focus on configuring MergeWatch rather than managing infrastructure.

Overview

This guide walks you through deploying the MergeWatch container to Azure Container Apps, connecting it to Azure Database for PostgreSQL - Flexible Server, and configuring the GitHub App webhook.

Prerequisites

1. Install the Azure CLI

az login
az account set --subscription YOUR_SUBSCRIPTION_ID

2. Create a resource group

az group create --name mergewatch-rg --location eastus

3. Gather your GitHub App credentials

Variable                 Description
GITHUB_APP_ID            Numeric App ID from the GitHub App settings page
GITHUB_PRIVATE_KEY       PEM-formatted private key generated for the App
GITHUB_WEBHOOK_SECRET    Secret used to validate incoming webhook payloads

4. Choose an LLM provider

Set LLM_PROVIDER to your preferred provider. For Azure OpenAI, you can use managed identity authentication via LiteLLM — no static API keys required.

Deploy to Azure Container Apps

1. Create a Container Apps environment

az containerapp env create \
  --name mergewatch-env \
  --resource-group mergewatch-rg \
  --location eastus

2. Create the Container App

az containerapp create \
  --name mergewatch \
  --resource-group mergewatch-rg \
  --environment mergewatch-env \
  --image ghcr.io/santthosh/mergewatch:latest \
  --target-port 3000 \
  --ingress external \
  --min-replicas 0 \
  --max-replicas 3 \
  --env-vars \
    "GITHUB_APP_ID=YOUR_APP_ID" \
    "GITHUB_PRIVATE_KEY=YOUR_PRIVATE_KEY" \
    "GITHUB_WEBHOOK_SECRET=YOUR_WEBHOOK_SECRET" \
    "LLM_PROVIDER=anthropic" \
    "ANTHROPIC_API_KEY=YOUR_ANTHROPIC_KEY" \
    "DATABASE_URL=postgresql://USER:PASSWORD@HOST:5432/mergewatch"
Setting --min-replicas 0 allows the app to scale to zero when no webhooks are being processed. Azure Container Apps scales up automatically when a request arrives.
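
3. Use secrets for sensitive values (recommended)

Values passed with --env-vars are stored in plain text in the app's configuration and are returned by az containerapp show. Store sensitive values as Container Apps secrets and reference them with secretref: instead: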

az containerapp secret set \
  --name mergewatch \
  --resource-group mergewatch-rg \
  --secrets \
    "github-pk=YOUR_PRIVATE_KEY" \
    "webhook-secret=YOUR_WEBHOOK_SECRET" \
    "anthropic-key=YOUR_ANTHROPIC_KEY" \
    "db-url=postgresql://USER:PASSWORD@HOST:5432/mergewatch"

az containerapp update \
  --name mergewatch \
  --resource-group mergewatch-rg \
  --set-env-vars \
    "GITHUB_PRIVATE_KEY=secretref:github-pk" \
    "GITHUB_WEBHOOK_SECRET=secretref:webhook-secret" \
    "ANTHROPIC_API_KEY=secretref:anthropic-key" \
    "DATABASE_URL=secretref:db-url"

4. Note the FQDN

After creation, retrieve the app URL:
az containerapp show \
  --name mergewatch \
  --resource-group mergewatch-rg \
  --query properties.configuration.ingress.fqdn \
  --output tsv
Example output:
mergewatch.kindocean-abc123.eastus.azurecontainerapps.io

Set up Postgres

MergeWatch requires PostgreSQL to store installation and review data. Azure Database for PostgreSQL - Flexible Server is the recommended option.

1. Create a Flexible Server instance

az postgres flexible-server create \
  --resource-group mergewatch-rg \
  --name mergewatch-db \
  --location eastus \
  --admin-user mergewatch \
  --admin-password YOUR_DB_PASSWORD \
  --sku-name Standard_B1ms \
  --tier Burstable \
  --version 15

2. Create the database

az postgres flexible-server db create \
  --resource-group mergewatch-rg \
  --server-name mergewatch-db \
  --database-name mergewatch

3. Allow access from Container Apps

az postgres flexible-server firewall-rule create \
  --resource-group mergewatch-rg \
  --name mergewatch-db \
  --rule-name allow-azure-services \
  --start-ip-address 0.0.0.0 \
  --end-ip-address 0.0.0.0
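The 0.0.0.0 rule allows connections from any Azure service, including resources in other customers' subscriptions, so access then depends on the database credentials alone. For tighter security, use VNet integration between Container Apps and the Flexible Server.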

4. Update the DATABASE_URL

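Update your Container App with the Flexible Server connection string. Setting DATABASE_URL directly, as below, stores the password as a plain environment variable and overwrites a secretref:db-url reference if you configured one earlier; to keep it as a secret, put this connection string in the db-url secret with az containerapp secret set instead.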
az containerapp update \
  --name mergewatch \
  --resource-group mergewatch-rg \
  --set-env-vars \
    "DATABASE_URL=postgresql://mergewatch:YOUR_DB_PASSWORD@mergewatch-db.postgres.database.azure.com:5432/mergewatch?sslmode=require"

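To check the result of the secrets step and the DATABASE_URL update above, the following added example (not part of MergeWatch or the original guide) audits the JSON returned by az containerapp show for sensitive values left as plain environment variables, dangling secretref names, and a Postgres URL without sslmode. The function name audit_container_app and the sample document are constructed for illustration; the sample is trimmed to the fields the audit reads.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like `az containerapp show --output json`,
# trimmed to the fields the audit reads. All values are placeholders.
SAMPLE_APP = json.loads("""
{"properties": {
  "configuration": {
    "ingress": {"external": true, "targetPort": 3000, "allowInsecure": false},
    "secrets": [{"name": "github-pk"}, {"name": "webhook-secret"}]},
  "template": {"containers": [{"name": "mergewatch", "env": [
    {"name": "GITHUB_APP_ID", "value": "123456"},
    {"name": "GITHUB_PRIVATE_KEY", "secretRef": "github-pk"},
    {"name": "GITHUB_WEBHOOK_SECRET", "secretRef": "webhook-secret"},
    {"name": "ANTHROPIC_API_KEY", "value": "PLACEHOLDER"},
    {"name": "DATABASE_URL", "value":
      "postgresql://mergewatch:PLACEHOLDER@mergewatch-db.postgres.database.azure.com:5432/mergewatch"}]}]}}}
""")

SENSITIVE_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD", re.I)
TLS_MODES = {"require", "verify-ca", "verify-full"}

def audit_container_app(app):
    """Return (name, problem) findings for one container app definition."""
    cfg = app["properties"]["configuration"]
    defined = {s["name"] for s in cfg.get("secrets") or []}
    findings = []
    if (cfg.get("ingress") or {}).get("allowInsecure"):
        findings.append(("ingress", "plain HTTP is accepted"))
    for container in app["properties"]["template"]["containers"]:
        for env in container.get("env") or []:
            name, ref, value = env["name"], env.get("secretRef"), env.get("value") or ""
            if ref:  # value lives in a secret; only check that the secret exists
                if ref not in defined:
                    findings.append((name, f"secretRef '{ref}' has no matching secret"))
                continue
            if SENSITIVE_NAME.search(name):
                findings.append((name, "sensitive value stored as a plain env var"))
            url = urlsplit(value)
            if url.password:
                findings.append((name, "URL with embedded password stored as a plain env var"))
            if url.scheme in ("postgres", "postgresql"):
                mode = parse_qs(url.query).get("sslmode", [""])[0]
                if mode not in TLS_MODES:
                    findings.append((name, "sslmode does not require TLS"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{n}: {p}" for n, p in audit_container_app(SAMPLE_APP)))
```

Secret values are not included in az containerapp show output, so a DATABASE_URL held in a secret is only checked for a matching secret name, not for sslmode.

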
Managed identity for Azure OpenAI

If you use Azure OpenAI as your LLM provider via LiteLLM, you can authenticate with a managed identity instead of static API keys.

1. Enable managed identity

az containerapp identity assign \
  --name mergewatch \
  --resource-group mergewatch-rg \
  --system-assigned

2. Grant the identity access to Azure OpenAI

az role assignment create \
  --assignee MANAGED_IDENTITY_PRINCIPAL_ID \
  --role "Cognitive Services OpenAI User" \
  --scope /subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.CognitiveServices/accounts/YOUR_OPENAI_RESOURCE

3. Configure LiteLLM environment variables

az containerapp update \
  --name mergewatch \
  --resource-group mergewatch-rg \
  --set-env-vars \
    "LLM_PROVIDER=azure" \
    "AZURE_API_BASE=https://YOUR_RESOURCE.openai.azure.com" \
    "AZURE_API_VERSION=2024-02-01"

Configure the webhook URL

Set the webhook URL on your GitHub App to the Container App FQDN followed by /webhook:
https://mergewatch.kindocean-abc123.eastus.azurecontainerapps.io/webhook
Azure Container Apps provides TLS automatically on the default FQDN. Do not use http:// — GitHub requires HTTPS for webhook delivery.
