From 8bdb3cc859127309bbbbfa5545e68c8e9a5aa457 Mon Sep 17 00:00:00 2001 From: Arkadiusz Szarama Date: Mon, 20 Oct 2025 21:37:04 +0200 Subject: [PATCH] feat: update GitHub app token handling and refine related documentation --- README.relay.md | 27 +++++++++---------- .../accept_files/accept.github.app.json | 2 +- 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/README.relay.md b/README.relay.md index 6a55952..c2365c2 100644 --- a/README.relay.md +++ b/README.relay.md 
@@ -73,21 +73,18 @@ Generally the naming works like: ### Environment Variables Summary -| Integration | Environment Variables | -|----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **GitHub** | `GITHUB=https://github.com`, `GITHUB_API=https://api.github.com`, `GITHUB_GRAPHQL=https://api.github.com/graphql`, `GITHUB_TOKEN` | -| **GitHub Hosted** | `GITHUB=https://github.mycompany.com`, `GITHUB_API=https://github.mycompany.com/api/v3`, `GITHUB_GRAPHQL=https://github.mycompany.com/api/graphql`, `GITHUB_TOKEN` | -| **GitHub App** | Arg `-s app`, `GITHUB=https://github.com`, `GITHUB_API=https://api.github.com`, `GITHUB_GRAPHQL=https://api.github.com/graphql`, `GITHUB_APP_CLIENT_ID`, `GITHUB_APP_CLIENT_PEM` (either path to PEM or PEM contents), `GITHUB_INSTALLATION_ID`, `GITHUB_TOKEN` | -| **Prometheus** | `PROMETHEUS_API=http://mycompany.prometheus.internal`, `PROMETHEUS_USERNAME`, `PROMETHEUS_PASSWORD` | -| **Gitlab** | `GITLAB_API=https://gitlab.com`, `GITLAB_TOKEN` | -| **Sonarqube** | `SONARQUBE_API=https://sonarqube.mycompany.com`, `SONARQUBE_TOKEN` | -| **Bitbucket Cloud** | `BITBUCKET_API=https://api.bitbucket.org`, `BITBUCKET_TOKEN` | -| **Bitbucket Hosted** | `BITBUCKET_API=https://bitbucket.mycompany.com`, `BITBUCKET_USERNAME`, `BITBUCKET_PASSWORD` | -| **Jira** | `JIRA_API=https://jira.mycompany.com`, `JIRA_USERNAME`, `JIRA_TOKEN` | -| **Jira Bearer/Cloud** | Arg `-s bearer`, `JIRA_API=https://mycompany.atlassian.com`, `JIRA_TOKEN` | - -> [!NOTE] -> `GITHUB_TOKEN` in GitHub App is the [installation access token](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation) and is needed only for [scaffolder](https://docs.cortex.io/streamline/workflows/scaffolder) 
purposes. +| Integration | Environment Variables | +|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **GitHub** | `GITHUB=https://github.com`, `GITHUB_API=https://api.github.com`, `GITHUB_GRAPHQL=https://api.github.com/graphql`, `GITHUB_TOKEN` | +| **GitHub Hosted** | `GITHUB=https://github.mycompany.com`, `GITHUB_API=https://github.mycompany.com/api/v3`, `GITHUB_GRAPHQL=https://github.mycompany.com/api/graphql`, `GITHUB_TOKEN` | +| **GitHub App** | Arg `-s app`, `GITHUB=https://github.com`, `GITHUB_API=https://api.github.com`, `GITHUB_GRAPHQL=https://api.github.com/graphql`, `GITHUB_APP_CLIENT_ID`, `GITHUB_APP_CLIENT_PEM` (either path to PEM or PEM contents), `GITHUB_INSTALLATION_ID` | +| **Prometheus** | `PROMETHEUS_API=http://mycompany.prometheus.internal`, `PROMETHEUS_USERNAME`, `PROMETHEUS_PASSWORD` | +| **Gitlab** | `GITLAB_API=https://gitlab.com`, `GITLAB_TOKEN` | +| **Sonarqube** | `SONARQUBE_API=https://sonarqube.mycompany.com`, `SONARQUBE_TOKEN` | +| **Bitbucket Cloud** | `BITBUCKET_API=https://api.bitbucket.org`, `BITBUCKET_TOKEN` | +| **Bitbucket Hosted** | `BITBUCKET_API=https://bitbucket.mycompany.com`, `BITBUCKET_USERNAME`, `BITBUCKET_PASSWORD` | +| **Jira** | `JIRA_API=https://jira.mycompany.com`, `JIRA_USERNAME`, `JIRA_TOKEN` | +| **Jira Bearer/Cloud** | Arg `-s bearer`, `JIRA_API=https://mycompany.atlassian.com`, `JIRA_TOKEN` | ## How it works diff --git a/agent/server/snykbroker/accept_files/accept.github.app.json b/agent/server/snykbroker/accept_files/accept.github.app.json index d13fe5b..f3b97a8 100644 --- a/agent/server/snykbroker/accept_files/accept.github.app.json +++ b/agent/server/snykbroker/accept_files/accept.github.app.json 
@@ -12,7 +12,7 @@ "auth": { "scheme": "basic", "username": "github", - "password": "${GITHUB_TOKEN:please_set_GITHUB_TOKEN}" + "password": "${plugin:github-app-token}" }, "valid": [ {
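Review bot: In the README.relay.md hunk, the **GitHub App** row drops `GITHUB_TOKEN` and the `[!NOTE]` block is deleted, but nothing replaces them to say where the installation access token now comes from. If the `${plugin:github-app-token}` change in accept.github.app.json means the token is now produced from `GITHUB_APP_CLIENT_ID`, `GITHUB_APP_CLIENT_PEM` and `GITHUB_INSTALLATION_ID`, say so in a short note under the table. The note should also state whether a `GITHUB_TOKEN` still set in an existing `-s app` deployment is ignored. As a style point, re-padding every table row hides the single-row change, so keeping the original column widths would make the hunk easier to review.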
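Review bot: In the accept.github.app.json hunk, the old `password` value carried a visible fallback (`please_set_GITHUB_TOKEN`), while `"password": "${plugin:github-app-token}"` has none, and the patch does not show what happens when that reference cannot be resolved. Please confirm that a missing or failing plugin stops the relay with a clear error, rather than sending the literal string or an empty value as the basic-auth password, and cover that case with a test or a README line. The hunk also does not show where `github-app-token` is defined or registered, so a pointer to it in the commit message or README would help whoever audits this credential path.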