GitHub Connection - Infisical

Infisical supports three methods for connecting to GitHub.

GitHub App (Recommended)
OAuth
Personal Access Token

Infisical will use a GitHub App with finely grained permissions to connect to GitHub.

Self-Hosted Instance

Using the GitHub integration with app authentication on a self-hosted instance of Infisical requires configuring an application on GitHub and registering your instance with it.

Create an application on GitHub

Navigate to the GitHub app settings here. Click New GitHub App. integrations github app create

Give the application a name, a homepage URL (your self-hosted domain i.e. https://your-domain.com), and a callback URL (i.e. https://your-domain.com/organization/app-connections/github/oauth/callback). integrations github app basic details

Enable request user authorization during app installation. integrations github app enable auth

Disable webhook by unchecking the Active checkbox. integrations github app webhook

Set the repository permissions as follows: Metadata: Read-only, Secrets: Read and write, Environments: Read and write, Actions: Read. integrations github app repository

Similarly, set the organization permissions as follows: Secrets: Read and write. integrations github app organization

Create the Github application. integrations github app create confirm

If you have a GitHub organization, you can create an application under it in your organization Settings > Developer settings > GitHub Apps > New GitHub App.

Add your application credentials to Infisical

Generate a new Client Secret for your GitHub application. integrations github app create secret

Generate a new Private Key for your Github application. integrations github app create private key

Obtain the necessary Github application credentials. This would be the application slug, client ID, app ID, client secret, and private key. integrations github app credentials

Back in your Infisical instance, you can configure the GitHub App credentials in one of two ways:Option 1: Server Admin Panel (Recommended)Navigate to the server admin panel > Integrations > GitHub App and enter the GitHub application credentials: integrations github app admin panel

Client ID: The Client ID of your GitHub application
Client Secret: The Client Secret of your GitHub application
App Slug: The Slug of your GitHub application (found in the URL)
App ID: The App ID of your GitHub application
Private Key: The Private Key of your GitHub application

Option 2: Environment VariablesAlternatively, you can add the new environment variables for the credentials of your GitHub application:

INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID: The Client ID of your GitHub application.
INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET: The Client Secret of your GitHub application.
INF_APP_CONNECTION_GITHUB_APP_SLUG: The Slug of your GitHub application. This is the one found in the URL.
INF_APP_CONNECTION_GITHUB_APP_ID: The App ID of your GitHub application.
INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY: The Private Key of your GitHub application.
INF_APP_CONNECTION_GITHUB_APP_HOST (GitHub Enterprise Server only): The hostname of the GitHub instance where the shared GitHub App is registered (e.g. github.mycompany.com). Only required when the shared app is registered on a GHES instance. Defaults to github.com.

If your shared GitHub App is registered on a GitHub Enterprise Server instance, you must set INF_APP_CONNECTION_GITHUB_APP_HOST to that instance’s hostname. Without it, the OAuth exchange will be directed to github.com instead of your GHES host.

Once configured, you can use the GitHub integration via app authentication. If you configured the credentials using environment variables, restart your Infisical instance for the changes to take effect. If you configured them through the server admin panel, allow approximately 5 minutes for the changes to propagate.

Setup GitHub Connection in Infisical

Navigate to App Connections

Navigate to the Integrations tab in the desired project, then select App Connections. App Connections Tab

Add Connection

Select the GitHub Connection option from the connection options modal. Select GitHub Connection

Authorize Connection

Select the GitHub App method.Choose which GitHub App to use for the connection:

Instance — the instance-default GitHub App configured by your Infisical server admin.
Private — a GitHub App registered under your organization. Select an existing one from the list, or click the gear to manage your private apps.

GitHub Apps are scoped to where they were created: apps created from the organization’s App Connections page are available to organization-level connections and to every project, while apps created from a project’s App Connections page are only available within that project. The shared instance-default app is available in both scopes.

When managing your apps, you can inspect them on GitHub, delete existing apps, or click Create New GitHub App to register a new app directly from Infisical using GitHub’s App Manifest flow. New apps are automatically configured with the required permissions and callback URLs. Manage GitHub Apps

You may optionally enable GitHub Enterprise to configure enterprise-specific options:

Instance Type: Enterprise Cloud or Enterprise Server
Instance Hostname: The hostname of your GitHub Enterprise instance (e.g. github.mycompany.com)
Gateway: The gateway connected to your private network (Enterprise Server only)

Click Connect to GitHub when ready.

Install GitHub App

You will then be redirected to the GitHub app installation page.Install and authorize the GitHub application. This will redirect you back to Infisical’s App Connections page. Install GitHub App

Connection Created

Your GitHub Connection is now available for use. Assume Role AWS Connection

Infisical will use an OAuth App to connect to GitHub.

Self-Hosted Instance

Using the GitHub integration on a self-hosted instance of Infisical requires configuring an OAuth application in GitHub and registering your instance with it.

Create an OAuth application in GitHub

Navigate to your user Settings > Developer settings > OAuth Apps to create a new GitHub OAuth application. integrations github config

Create the OAuth application. As part of the form, set the Homepage URL to your self-hosted domain https://your-domain.com and the Authorization callback URL to https://your-domain.com/organization/app-connections/github/oauth/callback. integrations github config

If you have a GitHub organization, you can create an OAuth application under it in your organization Settings > Developer settings > OAuth Apps > New Org OAuth App.

Add your OAuth application credentials to Infisical

Obtain the Client ID and generate a new Client Secret for your GitHub OAuth application. integrations github config

Back in your Infisical instance, add two new environment variables for the credentials of your GitHub OAuth application:

INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID: The Client ID of your GitHub OAuth application.
INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET: The Client Secret of your GitHub OAuth application.

Once added, restart your Infisical instance and use the GitHub integration.

Setup GitHub Connection in Infisical

Navigate to App Connections

Navigate to the Integrations tab in the desired project, then select App Connections. App Connections Tab

Add Connection

Select the GitHub Connection option from the connection options modal. Select GitHub Connection

Authorize Connection

Select the OAuth method and click Connect to GitHub. Connect via GitHub App

Grant Access

You will then be redirected to the GitHub to grant Infisical access to your GitHub account (organization and repo privileges). Once granted, you will redirect you back to Infisical’s App Connections page. GitHub Authorization

Connection Created

Your GitHub Connection is now available for use. Assume Role AWS Connection

Infisical will use a Personal Access Token to connect to GitHub.

Create a Personal Access Token

Create a Personal Access Token in GitHub

Navigate to your user Settings > Developer settings > Personal Access Tokens to create a new Personal Access Token. integrations github config

Click Generate new token to create the token.

Fill in the Personal Access Token details

Fill in the Personal Access Token details:

Token name: A descriptive name for the token (e.g., “infisical-connection-token”)
Repository access: Select the repositories you want to grant access to
- Select All repositories or Only selected repositories to be able to manage the secrets in the selected repositories.
Select scopes: Add the following scopes:
- Metadata: Read-only
- Environments: Read and write
- Secrets: Read and write

Click Generate token to create the token.

Copy the Personal Access Token

Copy the generated token immediately as it won’t be shown again. Personal Access Token Generated

Keep your Personal Access Token secure and do not share it. Anyone with access to this token can access your GitHub account and repositories.

Setup GitHub Connection in Infisical

Navigate to App Connections

Navigate to the Integrations tab in the desired project, then select App Connections. App Connections Tab

Add Connection

Select the GitHub Connection option from the connection options modal. Select GitHub Connection

Authorize Connection

Select the Personal Access Token method and fill in the Personal Access Token field with your Personal Access Token.You may optionally configure GitHub Enterprise options:

Gateway: The gateway connected to your private network
Hostname: The hostname at which to access your GitHub Enterprise instance

Click Create Connection. Personal Access Token

Connection Created

Your GitHub Connection is now available for use. Personal Access Token Connection

​Setup GitHub Connection in Infisical

​Setup GitHub Connection in Infisical

​Create a Personal Access Token

​Setup GitHub Connection in Infisical

Setup GitHub Connection in Infisical

Setup GitHub Connection in Infisical

Create a Personal Access Token

Setup GitHub Connection in Infisical