
Create a GitHub App for DevOps Genie

Use a GitHub App when you want DevOps Genie to create pull requests without using a long-lived personal access token. The DevOps Genie Agent uses the app credentials inside your Kubernetes environment to generate short-lived GitHub installation tokens.

When to use this

Use GitHub App authentication for production installations when you want:

  • Repository-scoped access.
  • Auditable app installation permissions.
  • Easier credential rotation than a personal access token.
  • Pull requests from the DevOps Genie Agent into infrastructure, deployment, or application repositories.

Create the GitHub App

  1. In GitHub, open your organization settings.
  2. Go to Developer settings > GitHub Apps.
  3. Click New GitHub App.
  4. Use a clear name, such as DevOps Genie.
  5. Set the homepage URL to https://devopsgenie.ai.
  6. Leave webhook delivery disabled unless your organization requires it for audit workflows. DevOps Genie Agent authentication does not require an inbound webhook.
  7. Save the app.

Configure permissions

Grant only the permissions needed for pull-request based workflows:

| Permission | Access | Why it is needed |
|---|---|---|
| Metadata | Read-only | Required by GitHub for app installations. |
| Contents | Read and write | Read repository files and push generated branches. |
| Pull requests | Read and write | Open and update pull requests. |
| Checks | Read-only | Optional, useful when the agent needs to inspect CI status. |

If you use separate infrastructure and deployment repositories, install the app only on those repositories.

Install the app

  1. Open the GitHub App settings page.
  2. Click Install App.
  3. Choose the GitHub organization or account.
  4. Select the repositories DevOps Genie should work with.
  5. Complete installation.

After installation, capture:

  • App ID from the GitHub App settings page.
  • Installation ID from the app installation URL. It is the numeric ID in the URL after /installations/.

Generate a private key

  1. In the GitHub App settings page, open Private keys.
  2. Click Generate a private key.
  3. Download the .pem file.
  4. Store it in your secret manager. Do not commit it to Git.

Configure the DevOps Genie Agent

Set the GitHub App values in your agent Helm values. For quick testing:

vcs:
  provider: github
  infrastructureRepoUrl: "https://github.com/example-org/infrastructure.git"
  infrastructureRepoPath: "terraform/"
  deploymentRepoUrl: "https://github.com/example-org/kubernetes-manifests.git"
  deploymentRepoPath: "clusters/prod/"
  githubApp:
    id: "123456"
    installationId: "78901234"
    privateKey: |
      -----BEGIN RSA PRIVATE KEY-----
      <private-key-body>
      -----END RSA PRIVATE KEY-----

For local Helm usage, prefer --set-file for the private key:

helm upgrade "$DG_RELEASE" devopsgenie/dg-platform-agent \
  --namespace "$DG_NAMESPACE" \
  -f values.yaml \
  --set vcs.githubApp.id="<github-app-id>" \
  --set vcs.githubApp.installationId="<github-app-installation-id>" \
  --set-file vcs.githubApp.privateKey=./devops-genie-github-app.pem

For production, store these values in an external secret manager or a Kubernetes Secret referenced by agentPod.existingSecret.

Secret-backed production pattern

Create a Secret with the environment keys the agent pod expects:

kubectl create secret generic dg-agent-vcs \
  --namespace "$DG_NAMESPACE" \
  --from-literal=GITHUB_APP_ID="<github-app-id>" \
  --from-literal=GITHUB_APP_INSTALLATION_ID="<github-app-installation-id>" \
  --from-file=GITHUB_APP_PRIVATE_KEY=./devops-genie-github-app.pem \
  --dry-run=client -o yaml | kubectl apply -f -

Reference the Secret and keep repository URLs in values:

agentPod:
  existingSecret: dg-agent-vcs

vcs:
  provider: github
  infrastructureRepoUrl: "https://github.com/example-org/infrastructure.git"
  infrastructureRepoPath: "terraform/"
  deploymentRepoUrl: "https://github.com/example-org/kubernetes-manifests.git"
  deploymentRepoPath: "clusters/prod/"

Verify readiness

After applying the Helm values:

  1. Restart or upgrade the agent release.
  2. Open Integrations > Capabilities in DevOps Genie.
  3. Confirm Terraform, Kubernetes deployment, or CI/CD capabilities move from Partial to Ready when their repository URLs are configured.
  4. Ask the AI Assistant for a small test change and confirm DevOps Genie can open a pull request.

Troubleshooting

| Symptom | What to check |
|---|---|
| Capability remains Partial | Confirm the agent is live, GitHub App values are present, and repository URLs are configured. |
| Pull request creation fails | Confirm Contents and Pull requests are both set to read/write. |
| Repository cannot be found | Confirm the GitHub App is installed on the selected repository. |
| Private key errors | Confirm the .pem file includes the full begin/end lines and preserves newlines. |
| Installation ID mismatch | Confirm the installation ID belongs to the same organization where the repository is installed. |
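
A preflight check for the private key and ID problems listed above, to run before `helm upgrade` or `kubectl create secret`. This is an added example, not DevOps Genie tooling: the function name `check_github_app_inputs` and its return codes are assumptions, and the sample PEM is constructed.

```bash
#!/usr/bin/env bash
# Added example; check_github_app_inputs is a hypothetical helper name.
check_github_app_inputs() {
  local app_id="$1" installation_id="$2" pem="$3"
  local cr first last total bad
  cr=$(printf '\r')

  # Both IDs are plain numbers; a pasted URL or an empty value is rejected.
  case "$app_id" in ''|*[!0-9]*) echo "app ID is not numeric" >&2; return 2 ;; esac
  case "$installation_id" in
    ''|*[!0-9]*) echo "installation ID is not numeric" >&2; return 2 ;;
  esac
  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 3; }

  # CRLF endings or literal "\n" text mean the newlines were not preserved.
  if grep -q "$cr" "$pem" || grep -qF '\n' "$pem"; then
    echo "newlines not preserved" >&2; return 4
  fi
  # A key flattened onto one line (or truncated) has fewer than 3 lines.
  total=$(awk 'NF { n++ } END { print n + 0 }' "$pem")
  [ "$total" -ge 3 ] || { echo "key collapsed or truncated" >&2; return 4; }

  # Header from the page; accepting the PKCS#8 form as well is an assumption.
  first=$(awk 'NF { print; exit }' "$pem")
  last=$(awk 'NF { l = $0 } END { print l }' "$pem")
  case "$first" in
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----") ;;
    *) echo "BEGIN line missing" >&2; return 5 ;;
  esac
  case "$last" in
    "-----END RSA PRIVATE KEY-----"|"-----END PRIVATE KEY-----") ;;
    *) echo "END line missing" >&2; return 5 ;;
  esac

  # Everything between the BEGIN and END lines must be base64.
  bad=$(awk 'NF' "$pem" | sed '1d;$d' | grep -cv '^[A-Za-z0-9+/=]*$' || true)
  [ "$bad" -eq 0 ] || { echo "non-base64 text in key body" >&2; return 6; }
  return 0
}

# Constructed sample: the template placeholder was never replaced with a key.
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '<private-key-body>' \
  '-----END RSA PRIVATE KEY-----' > "$demo"
check_github_app_inputs 123456 78901234 "$demo" || echo "rejected: status $?"
rm -f "$demo"
```

The check covers file shape only; it does not prove the key belongs to the app or that the installation ID matches the organization.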