Proxy Danger requests through a proxy service

[maxdeviant]

This PR updates Danger to proxy its requests to GitHub through a proxy service.

Motivation

Currently Danger is not able to run on PRs opened from forks of Zed.

This is due to GitHub Actions' security policies. Forks are not able to see any of the repository secrets, and the built-in secrets.GITHUB_TOKEN has its permissions restricted to only reads when running on forks.

I asked around on the Danger repo, and some big projects (DefinitelyTyped) are working around this by using a publicly-listed (although slightly obfuscated) token: danger/danger-js#918 (comment).

While this approach is probably okay given the limited scope and permissions of the GitHub token, I would still prefer a solution that avoids disclosing the token at all.

Explanation

I ended up writing a small proxy service, Danger Proxy, that can be used to provide Danger with the ability to make authenticated GitHub requests, but without disclosing the token.

From the README:

Danger Proxy will:

• Proxy all requests to /github/* to the GitHub API. The provided GitHub API token will be used for authentication.
• Restrict requests to the list of repositories specified in the ALLOWED_REPOS environment variable.
• Restrict requests to the subset of the GitHub API that Danger requires.

I have an instance of this service deployed to danger-proxy.fly.dev.

Release Notes:

• N/A