Example applications
Complete Node applications that run without credentials against an in-memory provider. Copy the supplied fake environment file when you are ready to connect a real GitHub, Linear, Jira, or Azure DevOps project.
Every committed token, account, domain, project, and webhook secret in these examples is intentionally fake. Both apps default to WORK_PROVIDER=memory and make no external network request.
Safe fake credentials
Each app includes a tracked .env.example. Copy it to the ignored .env file, select one provider, and replace only that provider's values. Fake values consistently contain example or use reserved example domains.
WORK_PROVIDER=azure-devops
WORK_ITEM_ID=42
WORK_TARGET_STATE=Ready for validation
# Fake values — replace only in your private .env
AZURE_DEVOPS_ORGANIZATION=acme-example
AZURE_DEVOPS_PROJECT=Platform
AZURE_DEVOPS_AUTH=entra
AZURE_DEVOPS_TOKEN=azure_example_not_a_real_tokenExample 01
Interactive approval CLI
A terminal application that prepares an update, prints the exact diff and warnings, asks for explicit approval, and commits the reviewed plan with a stable idempotency key. Typing anything except yes exits without a provider mutation.
Run the local demo
pnpm --filter @work-sdk/example-approval-cli startConnect a provider
cd examples/approval-cli
cp .env.example .env
# Edit .env locally
pnpm start:envExample 02
Idempotent deployment webhook bot
A small HTTP service built with Node core APIs. It verifies an HMAC-SHA256 signature, validates a deployment event, prepares a Markdown comment, and uses the event ID as a business-stable idempotency key. Repeated deliveries return replayed: true.
{
"id": "deploy_example_20260712_001",
"status": "succeeded",
"environment": "staging",
"commit": "4cae7d53fb5d2da17ec7a4f342e28c31e95fdcb2",
"url": "https://deployments.example.com/runs/deploy_example_20260712_001"
}Run both sides locally
# Terminal 1
pnpm --filter @work-sdk/example-webhook-bot start
# Terminal 2
pnpm --filter @work-sdk/example-webhook-bot send-demoThe app also exposes GET /health, rejects invalid signatures before a provider call, limits request bodies to 64 KiB, and returns small JSON receipts.
Before production
| Demo default | Production replacement |
|---|---|
| Memory adapter | Authenticated GitHub, Linear, Jira, or Azure DevOps adapter |
| Memory idempotency store | Transactional database or durable key-value store |
| Local fake webhook secret | Secret-manager value with rotation |
| Direct HTTP processing | Queue, retry policy, reconciliation, and dead-letter handling |
| Console output | Structured redacted logs and audit receipts |