GitHub App Permissions
Shoehorn uses GitHub Apps for repository discovery, manifest reading, and workflow automation. Two apps are involved: the main Shoehorn app and the optional Shoehorn Forge app.
Why Two Apps
The main app has read-only access and handles discovery. The Forge app has write access for creating repositories and PRs. Separating them follows the principle of least privilege — most installations only need the read-only app.
Shoehorn App (Main)
The main app handles repository discovery, manifest reading, README fetching, and webhook processing.
Required Permissions
| Permission | Access | Purpose |
|---|---|---|
| Repository: Contents | Read | Read manifests (.shoehorn/**/*.yml), READMEs, changelogs |
| Repository: Metadata | Read | List repositories, discover topics for ownership |
| Repository: Pull requests | Read | Track PR activity for engineering insights |
| Organization: Members | Read | Sync organization membership for team mapping |
Required Webhook Events
| Event | Purpose |
|---|---|
| push | Detect manifest changes on the default branch |
| repository | Discover new repositories, track deletions |
| pull_request | PR workflow events for insights and notifications |
Configuration
After creating and installing the GitHub App, configure Shoehorn:
```bash
GITHUB_APP_ID=123456
GITHUB_APP_INSTALLATION_ID=789012
GITHUB_APP_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n..."
GITHUB_ORGANIZATIONS=your-org
```
Store credentials in Kubernetes secrets:
```bash
kubectl create secret generic integration-credentials \
  --from-literal=github_app_id="123456" \
  --from-literal=github_app_installation_id="789012" \
  --from-file=github_app_private_key=private-key.pem
```
Shoehorn Forge App (Optional)
The Forge app enables workflow automation: creating repositories, scaffolding files, and opening pull requests.
Required Permissions
| Permission | Access | Purpose |
|---|---|---|
| Repository: Contents | Read & Write | Create files, scaffold project templates |
| Repository: Pull requests | Read & Write | Create PRs for review-based workflows |
| Organization: Administration | Read | Create repositories in the organization |
Configuration
```bash
GITHUB_FORGE_APP_ID=234567
GITHUB_FORGE_INSTALLATION_ID=890123
GITHUB_FORGE_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n..."
```
Store credentials in Kubernetes secrets:
```bash
kubectl create secret generic integration-credentials \
  --from-literal=github_forge_app_id="234567" \
  --from-literal=github_forge_installation_id="890123" \
  --from-file=github_forge_private_key=forge-private-key.pem
```
Creating a GitHub App
Step-by-Step
- Go to your GitHub organization settings
- Navigate to Developer settings > GitHub Apps > New GitHub App
- Fill in the app details:
| Setting | Main App | Forge App |
|---|---|---|
| App name | Shoehorn | Shoehorn Forge |
| Homepage URL | https://shoehorn.example.com | https://shoehorn.example.com |
| Webhook | (uncheck “Active”) | (uncheck “Active”) |
- Set the permissions as listed above
- Click Create GitHub App
- Generate a private key and download it
Installing the App
- From the app settings page, click Install App
- Select your organization
- Choose All repositories or select specific ones
- Click Install
Repeat for both apps if using Forge.
Permissions Summary
| Capability | Main App | Forge App |
|---|---|---|
| Read manifests and READMEs | Yes | — |
| List repositories and topics | Yes | — |
| Sync org membership | Yes | — |
| Track pull requests | Yes | — |
| Create repositories | — | Yes |
| Create/update files | — | Yes |
| Create pull requests | — | Yes |
| Set repository topics | — | Yes |
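Because the two installations are only as least-privilege as what an admin actually granted, it is worth verifying the live permissions against the tables above. The following audit script is an added example, not Shoehorn's own code; it assumes the GitHub API permission names map to the table labels as listed, and `fetch_installation_permissions` assumes an RS256 app JWT you have already minted from the app ID and private key.

```python
import json
import urllib.request

# Access levels GitHub reports in an installation's "permissions" object,
# ordered by privilege so levels can be compared.
ACCESS_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Least-privilege baselines taken from the permission tables on this page.
# Keys are assumed to be the API names for the human-readable table labels.
EXPECTED_MAIN = {"contents": "read", "metadata": "read",
                 "pull_requests": "read", "members": "read"}
EXPECTED_FORGE = {"contents": "write", "pull_requests": "write",
                  "administration": "read"}


def audit_permissions(granted, expected):
    """Compare granted permissions against a baseline.

    Returns a list of findings; an empty list means the installation grants
    exactly the baseline and nothing more.
    """
    findings = []
    for perm, level in expected.items():
        got = granted.get(perm, "none")
        if ACCESS_RANK[got] < ACCESS_RANK[level]:
            findings.append(f"missing: {perm} needs {level}, has {got}")
        elif ACCESS_RANK[got] > ACCESS_RANK[level]:
            findings.append(f"excessive: {perm} is {got}, baseline is {level}")
    for perm, got in granted.items():
        if perm not in expected and got != "none":
            findings.append(f"unexpected: {perm}={got} is not in the baseline")
    return findings


def fetch_installation_permissions(installation_id, app_jwt):
    """Fetch the live permissions object for one installation (network call).

    app_jwt is an RS256 JWT signed with the app's private key (iss = app id).
    """
    req = urllib.request.Request(
        f"https://api.github.com/app/installations/{installation_id}",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {app_jwt}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["permissions"]


# Constructed sample: a main-app installation where contents was granted
# write access and an "issues" permission the page never asks for was added.
SAMPLE_MAIN_INSTALLATION = {"contents": "write", "metadata": "read",
                            "pull_requests": "read", "members": "read",
                            "issues": "read"}

if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE_MAIN_INSTALLATION, EXPECTED_MAIN):
        print(finding)
```

Run the audit for each installation ID after every permission change, since an approved scope increase on the main app silently turns the read-only discovery app into a write-capable one.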
Helm Values
```yaml
secrets:
  integrations:
    secretRef:
      name: integration-credentials
      keys:
        githubAppId: github_app_id
        githubAppInstallationId: github_app_installation_id
        githubAppPrivateKey: github_app_private_key
        githubForgeAppId: github_forge_app_id
        githubForgeInstallationId: github_forge_installation_id
        githubForgePrivateKey: github_forge_private_key
```
Rate Limiting
Configure the GitHub API rate limit budget:
```bash
GITHUB_RATE_LIMIT_PER_HOUR=1000  # Default
GITHUB_CONCURRENT_REPOS=5        # Max concurrent repo crawls
GITHUB_CACHE_TTL_MINUTES=15      # Cache TTL for API responses
```
The crawler distributes API calls across the budget to avoid hitting GitHub’s rate limits.
See Also
- GitHub Integration - Full GitHub setup guide
- Repository Ownership - How ownership is established
- Forge Overview - Self-service workflows
- Forge Actions - Available Forge actions