
What is a GitHub App?


🧠 What is a GitHub App?

A GitHub App is a first-class actor in the GitHub ecosystem. Unlike OAuth apps, which act on behalf of a user, GitHub Apps have granular permissions, can be installed on organizations or individual repositories, and authenticate as themselves (with a JWT) or as an installation (with an installation token).

They’re designed for automation, integrations, and custom workflows such as CI/CD, issue bots, custom pull request checks, and more.


🚀 Tutorial Roadmap

Section 1: GitHub App Basics

  1. What is a GitHub App
  2. GitHub App vs OAuth App
  3. Use Cases
  4. Basic GitHub App Architecture

Section 2: Building Your First GitHub App

  1. Creating the GitHub App
  2. Installing the App on a Repository
  3. Authenticating the App (JWT & Installation Token)
  4. Handling Webhooks
  5. Sample Node.js App with Probot

Section 3: Advanced Concepts

  1. Scopes and Permissions
  2. Webhook Security and Verification
  3. GitHub App Manifest Flow (for user-friendly installs)
  4. GitHub APIs: REST vs GraphQL in GitHub Apps
  5. Multi-repo & Org-level Access Management

Section 4: Real-World Use Cases

  1. Auto-labeling Pull Requests
  2. Slack Notifications on Issues
  3. GitHub App for CI/CD Trigger
  4. GitHub App with Terraform Workflows
  5. Marketplace App Deployment

🧩 Section 1: GitHub App Basics

✅ What is a GitHub App?

  • GitHub App = A bot/integration that acts independently, with restricted and customizable access to your repositories and orgs.
  • Supports webhooks, fine-grained permissions, and custom API interactions.

πŸ” GitHub App vs OAuth App

FeatureGitHub AppOAuth App
AuthenticationJWT + Installation TokenOAuth token (user context)
PermissionsGranular per repo/orgBroad (user-level scopes)
WebhooksApp-specificShared via user
Recommended UseAutomation, integrationsUser-based access

🔧 Use Cases

  • GitHub bot (like Mergify)
  • Security scanners (e.g., Dependabot)
  • CI/CD trigger tools
  • PR auto-review and checks
  • GitHub → Slack, Jira integrations

βš™οΈ Section 2: Building Your First GitHub App

πŸ“ Step 1: Create a GitHub App

Go to: https://github.com/settings/apps

  • App Name: my-first-gh-app
  • Homepage URL: http://localhost:3000 or your project site
  • Webhook URL: http://localhost:3000/webhooks (GitHub must be able to reach this URL from the internet, so during local development a localhost address needs a public tunnel in front of it)
  • Permissions:
    • Contents: Read-only
    • Issues: Read & write
    • Pull requests: Read & write
  • Subscribe to Webhooks:
    • issues
    • pull_request

After creation, download the private key (PEM file) and note your:

  • App ID
  • Client ID & Secret
  • Webhook Secret

πŸ” Step 2: Authentication (JWT β†’ Installation Token)

GitHub Apps authenticate using:

  1. JWT (JSON Web Token) – signs requests as the App.
  2. Installation Token – used to act on a specific repo/org installation.

🧪 Example: Generate JWT (Node.js)

const jwt = require("jsonwebtoken");
const fs = require("fs");

const APP_ID = process.env.APP_ID || "YOUR_APP_ID";
const PRIVATE_KEY = fs.readFileSync("private-key.pem"); // the PEM downloaded in Step 1

const now = Math.floor(Date.now() / 1000);
const token = jwt.sign(
  {
    iat: now - 60,          // issued at, backdated 60s to tolerate clock drift
    exp: now + (10 * 60),   // expires in 10 min (the maximum GitHub accepts)
    iss: APP_ID,            // the App ID tells GitHub which app signed this
  },
  PRIVATE_KEY,
  { algorithm: "RS256" }    // GitHub requires RS256 for App JWTs
);

console.log(token);

Send this JWT as a Bearer token in the Authorization header to:

POST /app/installations/:installation_id/access_tokens

The response carries the installation token and its expires_at time; that token, not the JWT, is what you use for repository API calls.

πŸ” Step 3: Handle Webhooks

GitHub will send webhooks to your app for subscribed events.

const express = require("express");
const crypto = require("crypto");

const app = express();
const PORT = 3000;
const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET || "your-webhook-secret"; // the Webhook Secret from Step 1

// Keep the raw request bytes: the signature is an HMAC over the exact body GitHub
// sent, so re-serializing req.body with JSON.stringify would not reproduce it.
app.use(express.json({ verify: (req, res, buf) => { req.rawBody = buf; } }));

function verifySignature(rawBody, signatureHeader) {
  if (!rawBody || typeof signatureHeader !== "string") return false;
  const expected = "sha256=" + crypto.createHmac("sha256", WEBHOOK_SECRET).update(rawBody).digest("hex");
  const a = Buffer.from(signatureHeader);
  const b = Buffer.from(expected);
  // Constant-time comparison; timingSafeEqual requires equal lengths
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

app.post("/webhooks", (req, res) => {
  if (!verifySignature(req.rawBody, req.headers["x-hub-signature-256"])) {
    return res.status(401).send("Invalid signature");
  }

  console.log("Received event:", req.headers["x-github-event"], req.body.action);
  res.sendStatus(200);
});

app.listen(PORT, () => console.log(`Listening on port ${PORT}`));

🤖 Step 4: Use Probot (Quick Start)

Probot is a framework to build GitHub Apps quickly.

npx create-probot-app my-github-app
cd my-github-app
npm start

This gives you a working app that responds to PRs or Issues.


📚 Section 3: Advanced Concepts

1. πŸ” Permissions

Choose carefully:

  • Repository contents: Needed to read/write files
  • Issues: Read/write for issue bots
  • Metadata: Always needed to list repos

You can change permissions later in the GitHub App settings (existing installations have to approve any newly requested permissions before they take effect), or declare them up front in the manifest when using manifest-based installs.


2. 🧪 Webhook Security Tips

  • Always verify the webhook signature (X-Hub-Signature-256) over the raw request body before acting on a payload
  • Make handlers idempotent so retries and redeliveries are safe, keying on the X-GitHub-Delivery id, and rate-limit the endpoint
  • Restrict inbound webhook traffic to GitHub's published hook IP ranges (the /meta REST endpoint lists them) as an extra layer, not as a replacement for signature verification

3. 🚀 GitHub App Manifest Flow

Use the manifest flow to allow users to easily install your GitHub App from a public-facing app.

Benefits:

  • Avoid manual configuration
  • Better UX for your app’s installation

Manifest Docs


4. πŸ” REST vs GraphQL APIs

FeatureREST APIGraphQL API
SimplicityEasier for simple tasksMore efficient querying
FlexibilityFixed endpointsCustom queries
App SupportBoth supportedGraphQL works with JWT tokens

💡 Section 4: Real-World Use Cases

🤖 Use Case 1: Auto-label Pull Requests

Label PRs based on title/author.

// Probot app module: listen to pull_request.opened and label accordingly
module.exports = (app) => {
  app.on("pull_request.opened", async (context) => {
    const { owner, repo } = context.repo(); // owner/repo of the repository that sent the event
    await context.octokit.issues.addLabels({
      owner,
      repo,
      issue_number: context.payload.pull_request.number, // PRs share the issue numbering
      labels: ["auto-labeled"],
    });
  });
};

📢 Use Case 2: Slack Notifications

Send a message to Slack on new issue creation via webhook logic.


πŸ— Use Case 3: CI/CD GitHub App

Trigger a deployment pipeline from PR merges or release tags using app permissions and webhook events.


⚙ Use Case 4: App for Terraform Automation

A GitHub App can:

  • Watch .tf file changes
  • Run validation pipelines
  • Comment back status on PR

💰 Use Case 5: Publish to GitHub Marketplace

Once stable, your GitHub App can be published as a Marketplace App to share with the world.


📌 Summary

Topic                 | Description
GitHub App            | First-class automation/integration bot
Auth                  | JWT + Installation Token
Key Libraries         | jsonwebtoken, probot, @octokit/rest
Key Features          | Webhooks, fine-grained access, marketplace
Real-World Use Cases  | Bots, CI/CD, Slack/Discord integrations
