Scaling gitPlumbers: GitHub App + ZIP Ingestion and Automated Remediation at Enterprise Scale (Angular 20+, Nx, Firebase)

Platform-delivery · · · 9 minute read

Scaling gitPlumbers: GitHub App + ZIP Ingestion and Automated Remediation at Enterprise Scale (Angular 20+, Nx, Firebase)

How I scaled gitPlumbers into a multi‑ingest code analysis platform with a GitHub App, secure ZIP uploads, and signal‑driven remediation—measurable, resilient, fast.

Matthew Charlton

Senior Angular Consultant & Platform Engineer

Matthew Charlton is a remote Full Stack Angular consultant with 10+ years building enterprise applications for Fortune 100 companies in aviation, media, telecommunications, and insurance. Creator of NG Wave (110+ animated Angular components built with Signals and Three.js), gitPlumbers (stabilizing and modernizing AI-assisted and legacy systems so teams can ship faster, scale confidently, and innovate without chaos), IntegrityLens (revolutionizing hiring with comprehensive candidate verification and technical assessment using cutting-edge AI and multi-layered authentication), and SageStepper (the AI interview studio built for students and professionals who want to turn practice into panel-ready confidence through adaptive mock interviews and auto-coached feedback). Currently accepting 1-2 select Angular projects per quarter. Specialties include telematics dashboards, multi-tenant apps, offline-first UX, hardware integration, and code modernization services. Connect on LinkedIn at linkedin.com/in/mattcharlton and see live demos at angularux.com.

“One pipeline, two inputs (GitHub + ZIP), zero excuses. Make analysis measurable and remediation explainable.”
Back to all posts

I built gitPlumbers to answer a painful pattern I kept seeing on rescues: teams knew the code smelled, but they couldn’t quantify where to start or how to measure progress. Some clients had GitHub across dozens of orgs; others sent me a ZIP from an air‑gapped network. We needed both.

This is a platform & delivery note from the trenches—how I scaled ingestion (GitHub App + ZIP), standardized analysis into SARIF, and delivered automated remediation recommendations. The stack: Angular 20 + Signals/SignalStore, Nx, PrimeNG UI, Firebase (Hosting/Functions/Storage), Cloud Run for heavy jobs, Docker, and OpenTelemetry for traceability.

If you need a remote Angular developer or an Angular consultant to build or review a similar pipeline, this is the blueprint I use on gitPlumbers and on Fortune 100 upgrades.

A dashboard that ingests repos or ZIPs—without breaking prod

As companies plan 2025 Angular roadmaps, you can’t force every client into a single ingestion pattern. I scaled gitPlumbers to support both a GitHub App and secure ZIP uploads that land in the same typed pipeline. If you’re looking to hire an Angular developer or Angular consultant to do similar, this is the approach I’d implement again.

The scene

A PM hands me a list of repos: some public, some private, and one giant monorepo behind a VPN. Security says “No outbound tokens from CI.” Meanwhile, another team zips their source and uploads over a slow hotel Wi‑Fi. We still need consistent analysis and trustworthy remediation.

Stack choices that held up under load

These choices let me keep the UX fast while moving the heavy lifting to autoscaled containers.

  • Angular 20 + Signals/SignalStore for deterministic state and instant UI feedback.

  • Nx for monorepo structure across Angular app, Functions, and analysis workers.

  • Firebase Hosting + Functions for the edge, Cloud Run (Docker) for heavy analysis steps.

  • OpenTelemetry for trace correlation from UI → webhook → job → results.

Why unified ingestion matters for enterprise teams

I built gitPlumbers to help teams stabilize chaotic codebases and plan upgrades without a freeze. Unified ingestion means one UI, one policy surface, and one set of SLOs your directors and security teams can approve.

Measurable outcomes I target

  • Time‑to‑First‑Insight (TTFI): < 5 minutes for medium repos (<300k LOC).

  • Throughput: 60+ analyses/hour with autoscaled workers.

  • Reliability: P99 webhook handling < 3s; zero user‑visible outages during deploys.

  • Security: All uploads AV‑scanned; least‑privilege GitHub scopes; per‑tenant isolation.

Hiring perspective

If you need an Angular expert for hire, ask for these metrics on day one. The right pipeline turns “we think it’s a mess” into dashboards that show hotspots, upgrade blockers, and a prioritized remediation plan you can track in Jira.

Architecture overview: GitHub App, ZIP ingest, SARIF outputs

Here’s a minimal webhook verifier I’ve used in production:

GitHub App path

  • App scopes: metadata, contents:read, issues:write (optional for PR comments).

  • Webhook events: push, pull_request, check_suite, repository.

  • Delivery: Functions HTTP endpoint → queue → worker; idempotent by deliveryGuid.

ZIP upload path

  • Client: Firebase Storage resumable upload with chunking + retry.

  • Post‑upload: Cloud Run triggers AV scan (ClamAV), unzip, normalize repo, enqueue analysis job.

  • No secrets required for air‑gapped clients; audit trail stored with artifact.

Analysis workers

LLM output is additive and never the source of truth; deterministic rules produce the actions.

  • Dockerized Node.js workers with pinned toolchains (ESLint, dependency‑cruiser, ts‑morph, custom Angular rules).

  • Outputs: SARIF + JSON summaries; artifacts to Storage; summaries to Firestore/Postgres.

  • Remediation: codemods (jscodeshift/ts‑morph), upgrade advice, perf/a11y flags, and optional LLM explanations.

Secure webhooks and uploads (code snippets)

// functions/src/github-webhook.ts
import * as functions from 'firebase-functions/v2/https';
import { createHmac, timingSafeEqual } from 'crypto';

export const githubWebhook = functions.onRequest(async (req, res) => {
  const signature = req.get('X-Hub-Signature-256') ?? '';
  const secret = process.env.GITHUB_WEBHOOK_SECRET!;
  const raw = JSON.stringify(req.body);
  const expected = 'sha256=' + createHmac('sha256', secret).update(raw).digest('hex');
  const valid = timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
  if (!valid) return res.status(401).send('invalid signature');

  const deliveryGuid = req.get('X-GitHub-Delivery')!;
  // enqueue idempotent job by deliveryGuid
  await enqueueJob({ deliveryGuid, event: req.get('X-GitHub-Event'), payload: req.body });
  res.status(202).send('accepted');
});
// apps/web/src/app/state/ingest.store.ts
import { signalStore, withState, withMethods } from '@ngrx/signals';
import { computed, signal } from '@angular/core';
import { uploadBytesResumable, getDownloadURL } from 'firebase/storage';

interface IngestState { file?: File; progress: number; status: 'idle'|'uploading'|'queued'|'analyzing'|'done'|'error'; jobId?: string; }

export const IngestStore = signalStore(
  withState<IngestState>({ progress: 0, status: 'idle' }),
  withMethods((store, svc = inject(AnalysisApi)) => ({
    selectFile(file: File) { store.patch({ file }); },
    upload(file: File) {
      store.patch({ status: 'uploading', progress: 0 });
      const task = uploadBytesResumable(svc.storageRef(file.name), file);
      task.on('state_changed', snap => {
        store.patch({ progress: Math.round(100 * (snap.bytesTransferred / snap.totalBytes)) });
      }, err => store.patch({ status: 'error' }), async () => {
        const url = await getDownloadURL(task.snapshot.ref);
        const job = await svc.enqueueZip(url);
        store.patch({ status: 'queued', jobId: job.id });
        svc.watchJob(job.id).subscribe(state => store.patch({ status: state.status }));
      });
    }
  }))
);
# .github/workflows/gitplumbers.yml
name: gitPlumbers Analysis
on:
  workflow_dispatch:
  push:
    branches: [ main ]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create repo archive
        run: git archive --format=zip HEAD -o repo.zip
      - name: Upload to gitPlumbers
        run: |
          curl -f -X POST "$GITPLUMBERS_URL/api/ingest" \
            -H "Authorization: Bearer $GITPLUMBERS_TOKEN" \
            -F repo=repo.zip

Verify GitHub webhooks (Node.js/Functions)

Resumable ZIP uploads with progress (Angular 20 + SignalStore)

GitHub Actions to trigger analysis

Automated remediation that teams trust

Example remediation generation (simplified):

interface Finding { id: string; file: string; startLine: number; rule: string; details: string; }
interface Remediation { title: string; actions: Array<{ type: 'codemod'|'lintFix'|'doc'; command?: string; file?: string; }> }

export function recommend(f: Finding): Remediation {
  switch (f.rule) {
    case 'angular/upgrade-v20-cli':
      return {
        title: 'Align Angular CLI to v20 and enable esbuild',
        actions: [
          { type: 'codemod', command: 'ng update @angular/cli @angular/core --force' },
          { type: 'doc' }
        ]
      };
    case 'rxjs/no-compat':
      return {
        title: 'Remove RxJS compat and update imports',
        actions: [{ type: 'codemod', command: 'npx rxjs-tslint --update' }]
      };
    default:
      return { title: `Review: ${f.rule}`, actions: [{ type: 'doc', file: f.file }] };
  }
}

Deterministic rules first

Codemods and ESLint rules apply changes or open actionable issues with owners and estimates.

  • Angular upgrade diffs: CLI configs, RxJS 8 migrations, TypeScript 5 strictness.

  • Dependency hygiene: outdated/unused packages, duplicated polyfills, zone.js flags.

  • Architecture: dependency‑cruiser rules for layer violations; hot‑spot scoring by churn × complexity.

Explain, don’t guess

I’ve used the same playbook rescuing a telecom analytics dashboard and an IoT device portal—explainability is what wins stakeholders.

  • LLM summaries are optional and flagged via feature flags (SignalStore).

  • Each recommendation links to source evidence, SARIF location, and docs.

  • Copy‑ready commit messages with PR templates accelerate review.

Angular UI that scales without race conditions

<!-- apps/web/src/app/ingest/ingest.component.html -->
<p-fileUpload mode="basic" name="file" (onSelect)="store.selectFile($event.files[0])"
              (onUpload)="store.upload(store.file())" [auto]="true" chooseLabel="Upload ZIP">
</p-fileUpload>
<p-progressBar [value]="store.progress()" *ngIf="store.status() === 'uploading'"></p-progressBar>
<p-tag [severity]="store.status() === 'error' ? 'danger' : 'info'" [value]="store.status()"></p-tag>

<p-table [value]="findings()" [virtualScroll]="true" [rows]="50" [scrollHeight]="'60vh'">
  <ng-template pTemplate="header">
    <tr><th>Rule</th><th>File</th><th>Line</th></tr>
  </ng-template>
  <ng-template pTemplate="body" let-f>
    <tr><td>{{f.rule}}</td><td>{{f.file}}</td><td>{{f.startLine}}</td></tr>
  </ng-template>
</p-table>

Signals + PrimeNG for clarity

This avoids over‑reliance on zones and keeps SSR/tests deterministic if you choose to add them later.

  • Statuses and progress signals feed PrimeNG tables and toasts.

  • Feature flags via SignalStore flip between GitHub and ZIP modes safely.

  • Data virtualization for large findings (thousands of SARIF records).

Minimal component snippet

Operational guardrails and metrics

I’ve shipped similar guardrails for airport kiosks (offline‑tolerant flows with Docker simulation) and telecom analytics dashboards (typed event schemas over WebSockets). The same discipline applies here—just different inputs.

Guardrails I enforce

  • Docker image digests pinned; SBOM generated with syft/anchore.

  • AV scan every artifact; quarantine on failure; audit log per tenant.

  • Bundle budgets checked in CI; e2e smoke on canary; feature flags default to safe.

What to measure

Use Angular DevTools and Lighthouse for UI performance, GA4/Firebase Analytics for behavior, Sentry for defects, and OpenTelemetry for traces.

  • TTFI, job duration by step, error budget burn rate.

  • Adoption: % repos analyzed, % recommendations applied.

  • User signals: task success, rage clicks, path to remediation.

When to Hire an Angular Developer for Legacy Rescue

If you’re evaluating an Angular consultant, ask for a platform like gitPlumbers behind their plan. It keeps work visible, defensible, and measurable.

Good triggers to call in help

I can assess within a week and provide a remediation plan with estimates, owners, and a delivery map. Zero‑downtime is the default.”

  • AngularJS → Angular migration stalled; zone.js perf issues; flaky CI.

  • Version upgrades blocked by RxJS/TypeScript/API drift.

  • Security asks for audit trails and you don’t have them.

Example outcomes from a large repo scan

These are the kinds of measurable wins directors want before funding a larger modernization.

Telecom analytics platform (500k+ LOC)

Remediation suggestions included RxJS 8 adapters, Angular 20 CLI updates, and dependency‑cruiser rules to stop regressions.

  • TTFI: 3m 42s; P95 analysis: 11m on autoscaled workers.

  • Identified 47 layer violations; 19 duplicate dependencies; 6 blocking upgrade issues.

  • Opened 23 PRs with codemods; 18 merged in first week; error rate down 32% over 30 days.

Takeaways and next steps

Need an Angular expert for hire with Fortune 100 experience? Let’s review your code analysis pipeline and ship measurable improvements in weeks, not quarters.

What to do now

If you want me to review your plan or build the ingest/analysis path, book a short call. I’m currently accepting 1–2 Angular projects per quarter.

  • Unify ingestion (GitHub App + ZIP) behind a single typed pipeline.

  • Adopt Signals + SignalStore for analysis state and feature flags.

  • Standardize outputs (SARIF) and generate explainable remediation.

  • Instrument the platform and set SLOs you can defend.

Related Resources

Key takeaways

  • Unify ingestion paths with a GitHub App for repos and secure, resumable ZIP uploads for ad‑hoc code—same typed pipeline, same guarantees.
  • Use Angular 20 Signals + SignalStore to coordinate uploads, webhook events, and background job progress without race conditions.
  • Automated remediation works when rules are typed and explainable—LLM summaries can augment, not replace, codemods and linters.
  • Scale safely with queues, idempotent jobs, SARIF outputs, and per‑tenant isolation; measure Time‑to‑First‑Insight and throughput.
  • CI guardrails matter: dependency locks, Docker image pins, antivirus scanning, and feature flags keep prod safe as you grow.

Implementation checklist

  • Register a GitHub App with least‑privilege scopes and webhook secrets.
  • Implement webhook verification and idempotent handlers with a persistent job key.
  • Add Firebase Storage resumable uploads with client‑side chunking and AV scanning in Cloud Run.
  • Normalize analysis into SARIF + JSON; store summaries and artifacts per tenant.
  • Wire SignalStore for ingest state: repo selection, upload progress, job status, and retry policy.
  • Queue long‑running analysis (Pub/Sub, SQS) with exponential backoff + jitter.
  • Generate explainable remediation: lint rules, codemods, dependency‑cruiser maps, and typed action items.
  • Instrument end‑to‑end with OpenTelemetry and correlate UI events to backend jobs.
  • Enforce CI guardrails: bundle budgets, Docker digest pins, and locked tool versions.
  • Document SLOs: TTFI < 5 min for medium repos; P99 webhook handling < 3s.

Questions we hear from teams

How much does it cost to hire an Angular developer for a code analysis platform?
Typical discovery + blueprint runs 1–2 weeks, followed by a 2–6 week implementation depending on scope. Fixed‑fee assessments are available; longer builds are time & materials with clear SLOs and milestones.
How long does GitHub App integration and ZIP ingestion take?
A minimal GitHub App, secure webhooks, and resumable ZIP uploads can be production‑ready in 1–2 weeks. Full analysis workers, SARIF outputs, and remediation generation usually add 2–4 weeks.
Is it safe to upload ZIPs of source code?
Yes—use resumable uploads, AV scanning in Cloud Run, encryption at rest, short‑lived signed URLs, and per‑tenant buckets. Access is audited and limited by least privilege. Air‑gapped clients remain supported.
What does an Angular consultant deliver on a project like this?
Architecture doc, Nx repo, GitHub App config, webhook handlers, upload UI with Signals, analysis workers, SARIF reports, remediation rules, CI/CD guardrails, and SLO dashboards with OpenTelemetry and Sentry.
Can automated remediation break production?
Changes land as codemods and PRs with tests and feature flags. CI runs bundle budgets and smoke tests on canaries. Nothing merges without review, and every action is explainable with linked evidence.

Ready to level up your Angular experience?

Let AngularUX review your Signals roadmap, design system, or SSR deployment plan.

Hire Matthew — Remote Angular Expert, Available Now See gitPlumbers — Code Rescue and Modernization Services

NG Wave

Angular Component Library

A comprehensive collection of 110+ animated, interactive, and customizable Angular components. Converted from React Bits with full feature parity, built with Angular Signals, GSAP animations, and Three.js for stunning visual effects.

Explore Components
NG Wave Component Library

Related resources