๐ง What is a GitHub App?
A GitHub App is a first-class actor in the GitHub ecosystem. Unlike OAuth apps which act on behalf of a user, GitHub Apps have granular permissions, are installable on organizations or repositories, and authenticate as themselves or as an installation.
Theyโre designed for automation, integrations, and custom workflows such as CI/CD, issue bots, custom pull request checks, and more.
๐ Tutorial Roadmap
Section 1: GitHub App Basics
- What is a GitHub App
- GitHub App vs OAuth App
- Use Cases
- Basic GitHub App Architecture
Section 2: Building Your First GitHub App
- Creating the GitHub App
- Installing the App on a Repository
- Authenticating the App (JWT & Installation Token)
- Handling Webhooks
- Sample Node.js App with Probot
Section 3: Advanced Concepts
- Scopes and Permissions
- Webhook Security and Verification
- GitHub App Manifest Flow (for user-friendly installs)
- GitHub APIs: REST vs GraphQL in GitHub Apps
- Multi-repo & Org-level Access Management
Section 4: Real-World Use Cases
- Auto-labeling Pull Requests
- Slack Notifications on Issues
- GitHub App for CI/CD Trigger
- GitHub App with Terraform Workflows
- Marketplace App Deployment
๐งฉ Section 1: GitHub App Basics
โ What is a GitHub App?
- GitHub App = A bot/integration that acts independently, with restricted and customizable access to your repositories and orgs.
- Supports webhooks, fine-grained permissions, and custom API interactions.
๐ GitHub App vs OAuth App
| Feature | GitHub App | OAuth App |
|---|---|---|
| Authentication | JWT + Installation Token | OAuth token (user context) |
| Permissions | Granular per repo/org | Broad (user-level scopes) |
| Webhooks | App-specific | Shared via user |
| Recommended Use | Automation, integrations | User-based access |
๐ง Use Cases
- GitHub bot (like Mergify)
- Security scanners (e.g., Dependabot)
- CI/CD trigger tools
- PR auto-review and checks
- GitHub โ Slack, Jira integrations
โ๏ธ Section 2: Building Your First GitHub App
๐ Step 1: Create a GitHub App
Go to: https://github.com/settings/apps
- App Name:
my-first-gh-app - Homepage URL:
http://localhost:3000or your project site - Webhook URL:
http://localhost:3000/webhooks - Permissions:
- Contents: Read-only
- Issues: Read & write
- Pull requests: Read & write
- Subscribe to Webhooks:
issuespull_request
After creation, download the private key (PEM file) and note your:
- App ID
- Client ID & Secret
- Webhook Secret
๐ Step 2: Authentication (JWT โ Installation Token)
GitHub Apps authenticate using:
- JWT (JSON Web Token) โ signs requests as the App.
- Installation Token โ used to act on a specific repo/org installation.
๐งช Example: Generate JWT (Node.js)
const jwt = require("jsonwebtoken");
const fs = require("fs");
const APP_ID = "YOUR_APP_ID";
const PRIVATE_KEY = fs.readFileSync("private-key.pem");
const token = jwt.sign(
{
iat: Math.floor(Date.now() / 1000), // issued at
exp: Math.floor(Date.now() / 1000) + (10 * 60), // expires in 10 min
iss: APP_ID,
},
PRIVATE_KEY,
{ algorithm: "RS256" }
);
console.log(token);
Code language: JavaScript (javascript)Use this JWT to call:
POST /app/installations/:installation_id/access_tokens
๐ Step 3: Handle Webhooks
GitHub will send webhooks to your app for subscribed events.
const express = require("express");
const bodyParser = require("body-parser");
const crypto = require("crypto");
const app = express();
const PORT = 3000;
const WEBHOOK_SECRET = "your-webhook-secret";
app.use(bodyParser.json());
app.post("/webhooks", (req, res) => {
const sig = req.headers["x-hub-signature-256"];
const payload = JSON.stringify(req.body);
const hmac = crypto
.createHmac("sha256", WEBHOOK_SECRET)
.update(payload)
.digest("hex");
const expected = `sha256=${hmac}`;
if (sig !== expected) {
return res.status(401).send("Invalid signature");
}
console.log("Received event:", req.body.action);
res.sendStatus(200);
});
app.listen(PORT, () => console.log(`Listening on port ${PORT}`));
Code language: JavaScript (javascript)๐ค Step 4: Use Probot (Quick Start)
Probot is a framework to build GitHub Apps quickly.
npx create-probot-app my-github-app
cd my-github-app
npm start
This gives you a working app that responds to PRs or Issues.
๐ Section 3: Advanced Concepts
1. ๐ Permissions
Choose carefully:
Repository contents: Needed to read/write filesIssues: Read/write for issue botsMetadata: Always needed to list repos
You can update permissions in the GitHub App settings or dynamically request permissions during manifest-based installs.
2. ๐งช Webhook Security Tips
- Always verify webhook signature
- Rate limit / retry safe
- Use GitHub’s IP allowlist for security
3. ๐ GitHub App Manifest Flow
Use the manifest flow to allow users to easily install your GitHub App from a public-facing app.
Benefits:
- Avoid manual configuration
- Better UX for your appโs installation
4. ๐ REST vs GraphQL APIs
| Feature | REST API | GraphQL API |
|---|---|---|
| Simplicity | Easier for simple tasks | More efficient querying |
| Flexibility | Fixed endpoints | Custom queries |
| App Support | Both supported | GraphQL works with JWT tokens |
๐ก Section 4: Real-World Use Cases
๐ค Use Case 1: Auto-label Pull Requests
Label PRs based on title/author.
// listen to pull_request.opened and label accordingly
context.octokit.issues.addLabels({
owner,
repo,
issue_number: context.payload.pull_request.number,
labels: ['auto-labeled']
});
Code language: JavaScript (javascript)๐ข Use Case 2: Slack Notifications
Send a message to Slack on new issue creation via webhook logic.
๐ Use Case 3: CI/CD GitHub App
Trigger a deployment pipeline from PR merges or release tags using app permissions and webhook events.
โ Use Case 4: App for Terraform Automation
A GitHub App can:
- Watch
.tffile changes - Run validation pipelines
- Comment back status on PR
๐ฐ Use Case 5: Publish to GitHub Marketplace
Once stable, your GitHub App can be published as a Marketplace App to share with the world.
๐ Summary
| Topic | Description |
|---|---|
| GitHub App | First-class automation/integration bot |
| Auth | JWT + Installation Token |
| Key Libraries | jsonwebtoken, probot, @octokit/rest |
| Key Features | Webhooks, fine-grained access, marketplace |
| Real-World Use Cases | Bots, CI/CD, Slack/Discord integrations |
๐งฐ Recommended Tools & Libraries
- Probot
- Octokit.js
- @actions/github
- GitHub CLI:
gh app install
๐ Want to Go Further?
Iโm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals