Overview

The GitHub App integration provides fine-grained, organization-approved access to repositories and resources. Unlike the GitHub OAuth integration, which uses personal access tokens, GitHub Apps are installed at the organization or user level with explicit repository and permission grants. This is the recommended approach for teams that need organizational control over which repositories and permissions agents can access.

Setup

1. Create a GitHub App

Go to your GitHub organization settings (or personal settings) > Developer settings > GitHub Apps > New GitHub App.

Configure the app with the permissions your agents need:

| Permission | Access | Description |
| --- | --- | --- |
| Contents | Read & Write | Code, commits, and branches |
| Pull requests | Read & Write | Create, review, and merge PRs |
| Issues | Read & Write | Create and manage issues |
| Actions | Read & Write | View runs and trigger workflows |
| Checks | Read & Write | Read CI results, create check runs |
| Metadata | Read | Repository metadata (always required) |

Generate a private key from the app settings page.

2. Install the app

Install the GitHub App on your organization or user account. Choose which repositories to grant access to — you can select all repositories or specific ones.

3. Connect in OneCLI

Open the OneCLI dashboard, go to Connections > GitHub App, and provide:
  • App ID: The numeric ID from your GitHub App settings
  • App Slug: The URL-friendly name from your GitHub App settings
  • Private Key: The PEM private key you generated
OneCLI uses these to generate short-lived installation access tokens automatically.

How it works

  1. OneCLI stores your GitHub App credentials (App ID and private key)
  2. When an agent sends a request to api.github.com, the gateway generates a JWT signed with the private key
  3. The JWT is exchanged for a short-lived installation access token (expires in 1 hour)
  4. The access token is injected into the request as an Authorization header
  5. Expired tokens are refreshed automatically
Agents never see the private key or raw tokens.
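
The token flow in steps 2 to 5 above, sketched in Node.js as an added example that is not OneCLI's own code: it signs the app JWT, checks it the way the receiving side would, builds the exchange request without sending it, and injects a cached token. The function names, the 300-second refresh margin, the removal of an agent-supplied Authorization header, and the key pair and IDs generated in place are assumptions made for illustration.

```javascript
const crypto = require('crypto');
const b64url = (x) => Buffer.from(x).toString('base64url');

// Step 2: RS256 JWT with iss = App ID. GitHub allows exp at most 10 minutes
// ahead; iat is backdated 60 s to tolerate clock drift.
function mintAppJwt(appId, privateKeyPem, nowSec) {
  const claims = { iat: nowSec - 60, exp: nowSec + 540, iss: String(appId) };
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign('sha256', Buffer.from(input), privateKeyPem))}`;
}

// Receiving side: check the signature with the app's public key, then the time window.
function verifyAppJwt(jwt, publicKeyPem, nowSec) {
  const [h, c, s] = jwt.split('.');
  const sigOk = crypto.verify('sha256', Buffer.from(`${h}.${c}`), publicKeyPem, Buffer.from(s, 'base64url'));
  const claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  return sigOk && claims.iat <= nowSec && nowSec < claims.exp ? claims : null;
}

// Step 3: the exchange request (built here, not sent, so the example runs offline).
function buildExchangeRequest(jwt, installationId) {
  return {
    method: 'POST',
    url: `https://api.github.com/app/installations/${installationId}/access_tokens`,
    headers: { Authorization: `Bearer ${jwt}`, Accept: 'application/vnd.github+json' },
  };
}

// Steps 4-5: drop any Authorization header the agent supplied (assumed behaviour),
// inject the installation token, and refresh first when under 300 s remain (assumed margin).
function injectToken(agentHeaders, cached, nowSec, refresh) {
  const tok = cached && cached.expiresAt - nowSec > 300 ? cached : refresh();
  const kept = Object.entries(agentHeaders).filter(([k]) => k.toLowerCase() !== 'authorization');
  return { tok, headers: { ...Object.fromEntries(kept), Authorization: `Bearer ${tok.value}` } };
}

// Constructed sample input: throwaway key pair and placeholder App ID.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const NOW = 1700000000;
const demoJwt = mintAppJwt(123456, privateKey, NOW);
console.log(verifyAppJwt(demoJwt, publicKey, NOW), buildExchangeRequest(demoJwt, 1).url);
```

Because the JWT is valid for only ten minutes and the installation token for one hour, the private key is the only long-lived secret in this flow and is the item to protect and rotate.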

GitHub App vs GitHub OAuth

| Feature | GitHub App | GitHub OAuth |
| --- | --- | --- |
| Authorization | Org admin installs the app | Individual user authorizes |
| Repository scope | Explicit per-repo grants | All repos the user can access |
| Token lifetime | 1 hour (auto-refreshed) | Long-lived |
| Permissions | Fine-grained per-resource | Scope-based |
| Best for | Teams, CI/CD, org-controlled access | Personal use, quick setup |

Self-hosted setup

For self-hosted deployments, set these environment variables:
  • GITHUB_APP_ID — Numeric App ID
  • GITHUB_APP_SLUG — URL-friendly app name
  • GITHUB_APP_PRIVATE_KEY — PEM private key contents

Controlling access with rules

Use OneCLI’s rules engine to add further restrictions beyond GitHub App permissions. For example, block force-push operations or require manual approval for merging PRs. Rules are evaluated before credential injection.