A cheat sheet for GitHub Apps...
- Key concepts
- Creating your first GitHub App
- Resources
- Notable APIs for GitHub Apps
- Tools
- Best practices
-
GitHub Apps
- Offer a secure way for third parties to programmatically access protected resources on GitHub
- Are a first-class actor on GitHub -- acting independently of resource owners (GitHub users and organizations)
- Have a fine-grained permissions model -- customers are able to more confidently grant third parties access to their protected resources
- Have dedicated rate limits, that scale with the app's usage
- Facilitate webhook event consumption
- Follow a repo-centric permissions model through installations
- Are supported by GitHub.com and GitHub Enterprise Server
-
Other key terms:
Installation
: Connects a GitHub App to one or more repositories owned by an organization or userPermissions
: Dictate what an App can see, or do in the context of an installationWebhooks
: Dictate what events an App will be notified about, over a single HTTP endpoint, registered with the GitHub AppServer-to-server token
: (Also commonly referred to as theinstallation token
, orinstallation access token
) Permits access to resources within the scope of an installation, expires after one hour, created via the REST APIUser-to-server token
: Permits access to resources that are visible to both an end-user and the GitHub App, acquired through an OAuth-like flowJWT
: (JSON Web Tokens) an open web standard, allowing for information to be securely transmitted between two parties as a JSON object, in this context, JWTs are used to securely transmit a signature to GitHub.com to confirm to GitHub that we are the App we are claiming to be
- Navigate to GitHub Apps from your GitHub Developer Settings
- Register a New GitHub App, setting up URLs, permissions, and events
- Download the private key and App ID and start coding!
- Building GitHub Apps
- GitHub Developer Documentation
- GitHub REST and GraphQL APIs
- Migrating OAuth Apps to GitHub Apps
- GitHub App information
- Identify installation information
- List installations (
JWT
) - Get an organization installation (
JWT
) - Get a user installation (
JWT
)
- List installations (
- Token creation / revocation
- Create a new installation token (
JWT
) - Revoke an installation token (
installation access token
)
- Create a new installation token (
- Identify installation resources
- List repositories (
installation access token
)
- List repositories (
- Identify user-accessible resources
- List installations for a user (
user-to-server OAuth access token
) - List repositories accessible to the user for an installation (
user-to-server OAuth access token
)
- List installations for a user (
- Octokit libraries
apptokit
a CLI for working with GitHub Apps, built by one of the GitHub Apps Engineersgithub-apps-helper
plugin for Insomnia- API route specifications for Insomnia
- Probot a Node.js framework for building GitHub Apps
smee.io
a webhook payload delivery servicesmee-client
a client for receiving webhook payloads locally viasmee.io
jsonwebtokenydoo
a command line utility to assist with GitHub App authenticationjwt-cli
a command line utility to assist with JWT creation
Do:
- ✅ Use webhooks to ingest data
- ✅ Cache and re-use server-to-server (installation access tokens) as much as possible
- ✅ Use conditional requests wherever possible
- ✅ Retry requests when handling "fresh" data
- ✅ Include a descriptive User-Agent header in your API requests
- ✅ Save the
X-GitHub-Request-Id
response header value, especially for error (4xx, 5xx) responses - ✅ Subscribe to this RSS feed for Platform updates
- ✅ Consider listing your GitHub App on GitHub Marketplace
- ✅ Consider other best practices listed here
Don't:
- ❌ Depend on concurrent requests, this can trigger secondary rate limits
- ❌ Poll, use webhooks where possible