๐ง What is a GitHub App?
A GitHub App is a first-class actor in the GitHub ecosystem. Unlike OAuth apps which act on behalf of a user, GitHub Apps have granular permissions, are installable on organizations or repositories, and authenticate as themselves or as an installation.
Theyโre designed for automation, integrations, and custom workflows such as CI/CD, issue bots, custom pull request checks, and more.
๐ Tutorial Roadmap
Section 1: GitHub App Basics
- What is a GitHub App
- GitHub App vs OAuth App
- Use Cases
- Basic GitHub App Architecture
Section 2: Building Your First GitHub App
- Creating the GitHub App
- Installing the App on a Repository
- Authenticating the App (JWT & Installation Token)
- Handling Webhooks
- Sample Node.js App with Probot
Section 3: Advanced Concepts
- Scopes and Permissions
- Webhook Security and Verification
- GitHub App Manifest Flow (for user-friendly installs)
- GitHub APIs: REST vs GraphQL in GitHub Apps
- Multi-repo & Org-level Access Management
Section 4: Real-World Use Cases
- Auto-labeling Pull Requests
- Slack Notifications on Issues
- GitHub App for CI/CD Trigger
- GitHub App with Terraform Workflows
- Marketplace App Deployment
๐งฉ Section 1: GitHub App Basics
โ What is a GitHub App?
- GitHub App = A bot/integration that acts independently, with restricted and customizable access to your repositories and orgs.
- Supports webhooks, fine-grained permissions, and custom API interactions.
๐ GitHub App vs OAuth App
| Feature | GitHub App | OAuth App |
|---|---|---|
| Authentication | JWT + Installation Token | OAuth token (user context) |
| Permissions | Granular per repo/org | Broad (user-level scopes) |
| Webhooks | App-specific | Shared via user |
| Recommended Use | Automation, integrations | User-based access |
๐ง Use Cases
- GitHub bot (like Mergify)
- Security scanners (e.g., Dependabot)
- CI/CD trigger tools
- PR auto-review and checks
- GitHub โ Slack, Jira integrations
โ๏ธ Section 2: Building Your First GitHub App
๐ Step 1: Create a GitHub App
Go to: https://github.com/settings/apps
- App Name:
my-first-gh-app - Homepage URL:
http://localhost:3000or your project site - Webhook URL:
http://localhost:3000/webhooks - Permissions:
- Contents: Read-only
- Issues: Read & write
- Pull requests: Read & write
- Subscribe to Webhooks:
issuespull_request
After creation, download the private key (PEM file) and note your:
- App ID
- Client ID & Secret
- Webhook Secret
๐ Step 2: Authentication (JWT โ Installation Token)
GitHub Apps authenticate using:
- JWT (JSON Web Token) โ signs requests as the App.
- Installation Token โ used to act on a specific repo/org installation.
๐งช Example: Generate JWT (Node.js)
const jwt = require("jsonwebtoken");
const fs = require("fs");
const APP_ID = "YOUR_APP_ID";
const PRIVATE_KEY = fs.readFileSync("private-key.pem");
const token = jwt.sign(
{
iat: Math.floor(Date.now() / 1000), // issued at
exp: Math.floor(Date.now() / 1000) + (10 * 60), // expires in 10 min
iss: APP_ID,
},
PRIVATE_KEY,
{ algorithm: "RS256" }
);
console.log(token);
Code language: JavaScript (javascript)
Use this JWT to call:
POST /app/installations/:installation_id/access_tokens
๐ Step 3: Handle Webhooks
GitHub will send webhooks to your app for subscribed events.
const express = require("express");
const bodyParser = require("body-parser");
const crypto = require("crypto");
const app = express();
const PORT = 3000;
const WEBHOOK_SECRET = "your-webhook-secret";
app.use(bodyParser.json());
app.post("/webhooks", (req, res) => {
const sig = req.headers["x-hub-signature-256"];
const payload = JSON.stringify(req.body);
const hmac = crypto
.createHmac("sha256", WEBHOOK_SECRET)
.update(payload)
.digest("hex");
const expected = `sha256=${hmac}`;
if (sig !== expected) {
return res.status(401).send("Invalid signature");
}
console.log("Received event:", req.body.action);
res.sendStatus(200);
});
app.listen(PORT, () => console.log(`Listening on port ${PORT}`));
Code language: JavaScript (javascript)
๐ค Step 4: Use Probot (Quick Start)
Probot is a framework to build GitHub Apps quickly.
npx create-probot-app my-github-app
cd my-github-app
npm start
This gives you a working app that responds to PRs or Issues.
๐ Section 3: Advanced Concepts
1. ๐ Permissions
Choose carefully:
Repository contents: Needed to read/write filesIssues: Read/write for issue botsMetadata: Always needed to list repos
You can update permissions in the GitHub App settings or dynamically request permissions during manifest-based installs.
2. ๐งช Webhook Security Tips
- Always verify webhook signature
- Rate limit / retry safe
- Use GitHub’s IP allowlist for security
3. ๐ GitHub App Manifest Flow
Use the manifest flow to allow users to easily install your GitHub App from a public-facing app.
Benefits:
- Avoid manual configuration
- Better UX for your appโs installation
4. ๐ REST vs GraphQL APIs
| Feature | REST API | GraphQL API |
|---|---|---|
| Simplicity | Easier for simple tasks | More efficient querying |
| Flexibility | Fixed endpoints | Custom queries |
| App Support | Both supported | GraphQL works with JWT tokens |
๐ก Section 4: Real-World Use Cases
๐ค Use Case 1: Auto-label Pull Requests
Label PRs based on title/author.
// listen to pull_request.opened and label accordingly
context.octokit.issues.addLabels({
owner,
repo,
issue_number: context.payload.pull_request.number,
labels: ['auto-labeled']
});
Code language: JavaScript (javascript)
๐ข Use Case 2: Slack Notifications
Send a message to Slack on new issue creation via webhook logic.
๐ Use Case 3: CI/CD GitHub App
Trigger a deployment pipeline from PR merges or release tags using app permissions and webhook events.
โ Use Case 4: App for Terraform Automation
A GitHub App can:
- Watch
.tffile changes - Run validation pipelines
- Comment back status on PR
๐ฐ Use Case 5: Publish to GitHub Marketplace
Once stable, your GitHub App can be published as a Marketplace App to share with the world.
๐ Summary
| Topic | Description |
|---|---|
| GitHub App | First-class automation/integration bot |
| Auth | JWT + Installation Token |
| Key Libraries | jsonwebtoken, probot, @octokit/rest |
| Key Features | Webhooks, fine-grained access, marketplace |
| Real-World Use Cases | Bots, CI/CD, Slack/Discord integrations |
๐งฐ Recommended Tools & Libraries
- Probot
- Octokit.js
- @actions/github
- GitHub CLI:
gh app install
๐ Want to Go Further?
I’m Rajesh Kumar, a DevOps, SRE, DevSecOps, Cloud, and Platform Engineering expert passionate about sharing practical knowledge, real-world experiences, and industry best practices. I have worked at Cotocus and regularly write about technology, travel, investing, health, product reviews, and digital marketing through my various platforms.
I publish technical articles at DevOps School, travel stories at Holiday Landmark, stock market insights at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO and digital marketing strategies at Wizbrand.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals