GitHub App
Create the GitHub App that gives sandboxes repository access.
Cloud sandboxes clone repositories using a GitHub App that you create and install on your organization. The Proliferate server acts through it with scoped access you can revoke, instead of personal tokens.
Why a GitHub App
The app is what lets a newly created sandbox clone your code and lets the server act on repositories on your team's behalf. Because you own the app, you decide exactly which repositories it can reach, and you can revoke access in one place.
Throughout this page, <site> is your server's public address (the
SITE_ADDRESS from the Docker guide, for
example proliferate.company.com). GitHub must be able to reach it over
HTTPS.
Set up
Register the app
Go to your organization's settings on GitHub: Settings → Developer
settings → GitHub Apps → New GitHub App (or open
https://github.com/organizations/<your-org>/settings/apps/new). Create a
standard GitHub App, not GitHub's newer "Agentic App" type. Fill in:
- GitHub App name: anything recognizable, for example
Proliferate (Company). GitHub derives the app's URL slug from this name; you will need the slug later. - Homepage URL:
https://<site> - Callback URL:
https://<site>/auth/github-app/user-authorization/callback - Expire user authorization tokens: enabled
- Request user authorization (OAuth) during installation: leave disabled
- Setup URL (under Post installation):
https://<site>/auth/github-app/installation/callback - Webhook: Active, with Webhook URL
https://<site>/v1/cloud/webhooks/github-app - Webhook secret: generate a random value (for example
openssl rand -hex 32) and save it; the server needs it asGITHUB_APP_WEBHOOK_SECRET.
Screenshot: GitHub - Register new GitHub App form
The new-app form with homepage URL, callback URL, setup URL, and webhook URL filled in per the values above.
Grant permissions
Under Repository permissions, grant:
| Permission | Access |
|---|---|
| Contents | Read and write |
| Pull requests | Read and write |
| Workflows | Read and write |
| Metadata | Read-only (GitHub sets this automatically) |
GitHub may warn that Contents "Read and write" can't be used for Agentic Apps. That warning applies only to GitHub's Agentic App type; this is a standard GitHub App, so ignore it.
No event subscriptions are needed. GitHub always delivers the installation events the server consumes to the app's webhook.
Under Where can this GitHub App be installed?, choose Only on this account. Then click Create GitHub App.
Screenshot: GitHub - App permissions configuration
The repository permissions section with Contents, Pull requests, and Workflows set to Read and write.
Collect the app's identity
The app's settings page now shows most of the values the server needs:
- App ID (a number, in the About section)
- Client ID
- The app's slug: the last path segment of its public link,
https://github.com/apps/<slug> - Click Generate a new client secret and copy it; GitHub shows it only once.
Generate a private key
Scroll to Private keys, click Generate a private key, and download
the .pem file. This key is what lets the server mint installation tokens,
so treat it like a root credential.
Place it on the deploy host. The Docker stack mounts /opt/proliferate/bin
into the API container read-only at the same path, so that directory is a
convenient home:
Screenshot: GitHub - Generate private key
The private keys section with the generate button and the downloaded .pem file.
Install the app
From the app's settings page, choose Install App and install it on your organization. Select all repositories or only the ones your team works in; you can change this later, and the server picks up changes automatically through the webhook.
Screenshot: GitHub - Install app repository selection
The installation screen with the organization selected and repository access chosen.
Configure the Proliferate server
Add the six GITHUB_APP_* variables to your env file (.env.static in the
deploy bundle):
| Variable | Value |
|---|---|
GITHUB_APP_ID | The numeric App ID |
GITHUB_APP_SLUG | The app's slug from https://github.com/apps/<slug> |
GITHUB_APP_CLIENT_ID | The Client ID |
GITHUB_APP_CLIENT_SECRET | The client secret you generated |
GITHUB_APP_WEBHOOK_SECRET | The webhook secret you generated |
GITHUB_APP_PRIVATE_KEY_PATH | Path to the .pem file, for example /opt/proliferate/bin/github-app.pem |
Two variants, in case you need them:
GITHUB_APP_PRIVATE_KEYholds the key inline instead ofGITHUB_APP_PRIVATE_KEY_PATH; escape newlines as\n.GITHUB_APP_CALLBACK_BASE_URLoverrides the base used to build callback URLs. It defaults to your server's API base URL, which is correct for the standard stack, so most installs leave it unset.
Apply by running the update script from the deploy directory (it regenerates the runtime env and restarts the stack):
Verify
Create a cloud workspace from the desktop app and confirm the sandbox clones
a repository the app is installed on. On the GitHub App settings page,
Advanced → Recent Deliveries should show your webhook deliveries
answered with 2xx responses. If deliveries fail, re-check the webhook URL
and that GITHUB_APP_WEBHOOK_SECRET matches the secret configured on
GitHub.
A one-click creation flow is planned: the server will submit an app manifest to GitHub and receive all credentials back automatically, collapsing the manual steps on this page to a single button.
Next: E2B & sandbox template, the second of the two setup pages.