RepoPilot authenticates as a GitHub App (not an OAuth app): per-installation tokens, fine-grained permissions, and webhook delivery with HMAC signatures.
| Permission | Access | Why |
|---|---|---|
| Issues | Read & write | Read issue content; apply labels, post comments |
| Contents | Read-only | Index README/docs/source for retrieval |
| Metadata | Read-only | Mandatory baseline |
No code write access, ever. See SECURITY.md.
Subscribe to: installation, installation_repositories, issues.
- GitHub → Settings → Developer settings → GitHub Apps → New GitHub App.
- Name:
repopilot-<yourname>(names are global). - Webhook URL:
https://<your-api-host>/webhooks/github(local dev: runsmeeorngrokand point it athttp://localhost:8000/webhooks/github). - Webhook secret: generate one —
openssl rand -hex 32— and save it; this becomesGITHUB_WEBHOOK_SECRET. - Set permissions and events per the tables above.
- "Where can this app be installed?" → Any account.
- After creation: note the App ID (
GITHUB_APP_ID), then Generate a private key and download the.pem.
GITHUB_APP_ID=123456
# The downloaded PEM, inline with literal \n escapes; settings accept raw PEM text
GITHUB_APP_PRIVATE_KEY="<contents of the .pem>"
GITHUB_WEBHOOK_SECRET=<from step 4># Option A: smee (free, no signup)
npx smee-client --url https://smee.io/<channel> --target http://localhost:8000/webhooks/github
# set the smee URL as the app's webhook URL
# Option B: ngrok
ngrok http 8000docker compose -f infra/docker-compose.yml up -d postgres redis- Run migrations:
cd packages/core && uv run alembic upgrade head - Start api + worker (two terminals):
uv run uvicorn repopilot_api.main:app --reloaduv run arq repopilot_worker.main.WorkerSettings - Install the app on a test repo → check
installationsandrepostables populate. - Open an issue on the test repo → worker logs
issues.triage_requested.