Skip to main content

Connecting a GitHub App

If you're looking to connect your GitHub account using the GitHub App, you'll need to configure your own app and connect it to your Cortex instance.

Setup Instructions

Create the App

First, you'll need to create a GitHub App in your GH organization.

  1. Go to<org>/settings/apps
  2. Click on “New GitHub App”
  3. Set the following settings:
    1. Callback URL: https://<FRONTEND HOST>/github/redirect
    2. Disable "Expire user authorization tokens," since Cortex does not support this OAuth workflow yet
    3. Request user authorization (OAuth) during installation: true
    4. Webhook: active = true
    5. Webhook URL: https://<API HOST>/api/internal/v1/github/webhook
    6. Webhook secret: Random string (save this somewhere)
    7. Enable SSL verification: true
  4. Click “Generate a private key” and save the key.
  5. Under “Permissions & Events” for repository permissions:
    1. Single file: R+W to path cortex.yaml
    2. Dependabot alerts: R
    3. Actions: R
    4. Metadata: R
    5. Code scanning alerts: R
    6. Administration: R+W
    7. Checks: R+W
    8. Commit statuses: R+W
    9. Contents: R+W (Write is only needed if using the Scaffolder)
    10. Pull Requests: R+W (Write is needed if you're using the Scaffolder)
    11. Secrets: R+W
    12. Workflows: R+W
  6. Under “Permissions & Events” for organization permissions:
    1. Members: R
  7. Subscribe to events: Check suite, Push (For GitOps). Note: these options will only show up when Contents permission is selected earlier.
  8. Save the application

Install the App

Visit your app page, for example<org>/settings/apps/<app>/installations. Install the app into the org, and you should be good to go!

Setup Instructions (Legacy)

Create the App (Legacy)

Follow the same steps as above to set up your GitHub App.

Connect your Cortex instance (Legacy)

This step is no longer necessary, but you can configure your on-prem deployment with environment variables to talk your GitHub App.

  1. Prepare the private key stored in step 4 in the previous section by replacing all whitespaces with \n, for example with awk '{printf "%s\\n", $0}' gh-private-key.pem | pbcopy
  2. Create a k8s secret and add the secret in your values.yaml file for the Helm chart. You may already have a secret set up if you had configured a persistent store previously, so be sure to verify in your Helm chart.
  3. Add the following keys to your secret (make sure they're base64 encoded with no extraneous \n at the end):
    1. GITHUB_APPLICATION_ID (from the app page)
    2. GITHUB_CLIENT_ID (from the app page)
    3. GITHUB_CLIENT_SECRET (generated on the app page by clicking "Generate a new Client Secret")
    4. GITHUB_SECRET (webhook secret defined in Step 3.6)
    5. GITHUB_PRIVATE_KEY (the secret you just modified in step 2)
    6. Optionally, if you're using self-hosted GitHub Enterprise, set GITHUB_URL to your GitHub API endpoint. This usually ends with /api/v3
  4. Restart Cortex backend deployment in k8s

Install the App (Legacy)

Once your backend has restarted, you're ready to install the app.

Note: Make sure you're logged in on your Cortex application before triggering this install.

Follow the same steps as above to install the app.


You can verify that Cortex is able to reach GitHub by clicking "Import New Service" on the homepage, and checking whether your repositories are being discovered.