Custom Github App
This page details how to install Port's GitHub integration using a custom GitHub App, which provides automatic access token rotation.
This page outlines the following steps:
- How to create a new app in your GitHub organization;
- How to install the GitHub app in your GitHub organization and select repositories.
- How to deploy the integration in the configuration that fits your use case.
Prerequisitesโ
- A GitHub account with permissions to create and manage GitHub Apps in your organization. This typically requires being an Organization Owner or having the "App Manager" role.
- Your Port user role is set to
Admin.
Create a GitHub appโ
- Navigate to your Github organization and click on Settings:
- Inside the settings view, click on Developer Settings -> and then select GitHub Apps:
- Click on "New GitHub App":
- Insert the following properties:
- GitHub App name: Choose a unique name for the app. Note that GitHub App names must be globally unique.
- Homepage URL: https://port.io
- Callback URL: Leave this empty.
- Setup URL: Leave this empty.
- Uncheck Active under Webhooks. The integration will automatically create the webhook if you configure the
OCEAN__BASE_URLvariable later during deployment. - Repository Permissions:
- Checks: Readonly (for syncing
Port.yml). - Contents: Readonly (for reading port configuration files and repository files).
- Metadata: Readonly.
- Pull Request: Readonly
- Checks: Readonly (for syncing
- Organization Permissions:
- Webhooks: Read and Write (to allow the integration create webhook).
Then select "Create GitHub App"
- Go to the
Private keysat the bottom of theGeneralsettings page:
Keep the file, you will need it for the deployment step.
Installing GitHub Appโ
After you have the app registered in your organization, you can install it and select the repositories to integrate it with:
- First, navigate to your organization and click on Settings:
- Inside the settings view, click on Developer Settings -> and then select GitHub Apps:
- Click
editon the GitHub app created at the step before:
-
Go to Install App -> and select the installation button on your wanted organization;
-
Choose the repositories you want the integration to be installed for:
Deploy the integrationโ
To deploy the integration, you will need your Port CLIENT_ID and CLIENT_SECRET.
To get your Port credentials, go to your Port application, click on the ... button in the top right corner, and select Credentials. Here you can view and copy your CLIENT_ID and CLIENT_SECRET:
Choose the installation method that best suits your needs:
- Kubernetes
- Docker
Using this installation option means that the integration will be able to update Port in real time using webhooks.
Prerequisites
To install the integration, you need a Kubernetes cluster that the integration's container chart will be deployed to.
Please make sure that you have kubectl and helm installed on your machine, and that your kubectl CLI is connected to the Kubernetes cluster where you plan to install the integration.
If you are having trouble installing this integration, please refer to these troubleshooting steps.
For details about the available parameters for the installation, see the table below.
- Helm
- ArgoCD
To install the integration using Helm:
Add Port's Helm chart repository:
helm repo add --force-update port-labs https://port-labs.github.io/helm-charts
Install the Helm chart:
- Create a
values.yamlfile with the following content:
port:
clientId: "<PORT_CLIENT_ID>"
clientSecret: "<PORT_CLIENT_SECRET>"
baseUrl: "https://api.port.io"
integration:
identifier: "github-ocean"
type: "github-ocean"
version: "1.2.0-beta"
eventListener:
type: "POLLING"
config:
githubOrganization: "<GITHUB_ORGANIZATION>"
githubHost: "<GITHUB_HOST>" # e.g https://api.github.com
githubAppId: "<GITHUB_APP_ID>" # app client id also works
secrets:
githubAppPrivateKey: "<BASE_64_ENCODED_PRIVATEKEY>"
# uncomment to enable live events
# liveEvents:
# baseUrl: "<your-domain>"
initializePortResources: true
sendRawDataExamples: true
scheduledResyncInterval: 360
- Install the Helm chart using the
values.yamlfile:
helm upgrade --install github-ocean port-labs/port-ocean -f values.yaml
See all available helm options
The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance or Port API will be used.
Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.
- If you use the EU region of Port (https://app.port.io), your API URL is
https://api.port.io. - If you use the US region of Port (https://app.us.port.io), your API URL is
https://api.us.port.io.
To install the integration using ArgoCD:
- Create a
values.yamlfile inargocd/my-ocean-github-integrationin your git repository with the content:
Be sure to replace the <GITHUB_TOKEN> and <GITHUB_ORGANIZATION> placeholders with your actual values. If you are using a self-hosted GitHub instance, update the githubHost value to point to your instance.
initializePortResources: true
scheduledResyncInterval: 120
integration:
identifier: my-ocean-github-integration
type: github-ocean
version: 1.2.0-beta
eventListener:
type: POLLING
config:
githubHost: https://api.github.com # Or your self-hosted GitHub URL
githubOrganization: "<GITHUB_ORGANIZATION>" # your github organization, e.g port-labs
secrets:
githubToken: "<GITHUB_TOKEN>"
# uncomment to enable live events
# liveEvents:
# baseUrl: "<your-domain>"
- Install the
my-ocean-github-integrationArgoCD Application by creating the followingmy-ocean-github-integration.yamlmanifest:
Remember to replace the placeholders for YOUR_PORT_CLIENT_ID YOUR_PORT_CLIENT_SECRET and YOUR_GIT_REPO_URL.
Multiple sources ArgoCD documentation can be found here.
ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-ocean-github-integration
namespace: argocd
spec:
destination:
namespace: my-ocean-github-integration
server: https://kubernetes.default.svc
project: default
sources:
- repoURL: 'https://port-labs.github.io/helm-charts/'
chart: port-ocean
targetRevision: 0.9.5
helm:
valueFiles:
- $values/argocd/my-ocean-github-integration/values.yaml
parameters:
- name: port.clientId
value: <YOUR_PORT_CLIENT_ID>
- name: port.clientSecret
value: <YOUR_PORT_CLIENT_SECRET>
- name: port.baseUrl
value: https://api.getport.io
- repoURL: <YOUR_GIT_REPO_URL>
targetRevision: main
ref: values
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance or Port API will be used.
Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.
- If you use the EU region of Port (https://app.port.io), your API URL is
https://api.port.io. - If you use the US region of Port (https://app.us.port.io), your API URL is
https://api.us.port.io.
- Apply your application manifest with
kubectl:
kubectl apply -f my-ocean-github-integration.yaml
On MacOS and Linux you can get base64 encoded private key by using:
base64 -i <path/to/downloaded/private_key.pem>
You can accomplish the same on Windows using Powershell:
[Convert]::ToBase64String([IO.File]::ReadAllBytes("path\to\downloaded\private_key.pem"))
Online: https://www.base64encode.org/
Enabling live-eventsโ
The liveEvents.baseUrl parameter is used specifically to enable the real-time functionality of the integration.
For debugging, services like Ngrok can provide a temporary public URL. For production, a stable and publicly accessible host is required.
If it is not provided, the integration will continue to function correctly. In such a configuration, to retrieve the latest information from the target system, the scheduledResyncInterval parameter has to be set, or a manual resync will need to be triggered through Port's UI.
This integration supports live events, allowing real-time updates to your software catalog without waiting for the next scheduled sync.
The Repository: pull_request: pushliveEvents.baseUrl specifies the public-facing URL for your integration. This URL, which must be reachable from the internet, is used to receive real-time updates from Github. It can be a public IP address or a configured domain name (e.g., https://mygithubintegration.com).Supported live event triggers
This table summarizes the available parameters for the installation.
| Parameter | Description | Required |
|---|---|---|
port.clientId | Your Port client ID. | โ |
port.clientSecret | Your Port client secret. | โ |
port.baseUrl | Your Port API URL (https://api.getport.io for EU, https://api.us.getport.io for US). | โ |
integration.identifier | A unique identifier for your integration. | โ |
integration.type | The integration type. | โ |
integration.eventListener.type | The event listener type. | โ |
integration.config.githubOrganization | The GitHub organization to sync data from. | โ |
integration.config.githubHost | The API endpoint for your GitHub instance. For GitHub Enterprise Cloud, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided. | โ |
scheduledResyncInterval | The number of minutes between each resync. | โ |
initializePortResources | When true, the integration will create default blueprints and port-app-config.yml mapping. | โ |
sendRawDataExamples | When true, sends raw data examples from the third-party API to Port for testing and managing the integration mapping. | โ |
liveEvents.baseUrl | The base url of the instance where the GitHub integration is hosted, used for real-time updates (e.g. https://mygithuboceanintegration.com). | โ |
integration.config.webhookSecret | A secret to secure webhooks from GitHub. This is optional but highly recommended for security if you enable live-events. | โ |
integration.config.githubAppId | The app id or client id of your GitHub App. Required if you are authenticating as a GitHub App instead of using a PAT. | โ |
integration.secrets.githubAppPrivateKey | The base64 encoded private key of your GitHub App. Required if you are authenticating as a GitHub App. | โ |
For advanced configuration such as proxies or self-signed certificates, click here.
Our integration can be directly run as a docker container, it can be deployed on any platform that allows deploying images as containers such as: K8S, ECS, AWS App Runner, etc.
You can pull the Docker image by running:
docker pull ghcr.io/port-labs/port-ocean-github-ocean:1.2.0-beta
Run the following command to start the app:
docker run \
-e OCEAN__PORT__CLIENT_ID="<PORT_CLIENT_ID>" \
-e OCEAN__PORT__CLIENT_SECRET="<PORT_CLIENT_SECRET>" \
-e OCEAN__PORT__BASE_URL="https://api.getport.io" \
-e OCEAN__BASE_URL="<https.example.com>" \ #optional, only required if you want to enable live-events
-e OCEAN__EVENT_LISTENER__TYPE="POLLING" \
-e OCEAN__INTEGRATION__CONFIG__GITHUB_HOST="<GITHUB_HOST>" \ # e.g https://api.github.com
-e OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION="<GITHUB_ORGANIZATION>" \
-e OCEAN__INTEGRATION__IDENTIFIER="github-ocean" \
-e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID="<GITHUB_APP_ID>" \ # client id also works
-e OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY="<BASE_64_ENCODED_PRIVATEKEY>" \
-p 8000:8000 \
ghcr.io/port-labs/port-ocean-github-ocean:1.2.0-beta
The command above contains placeholder values in angle brackets (e.g., <PORT_CLIENT_ID>). Be sure to replace them with your actual values before running the command.
On MacOS and Linux you can get base64 encoded private key by using:
base64 -i <path/to/downloaded/private_key.pem>
You can accomplish the same on Windows using Powershell:
[Convert]::ToBase64String([IO.File]::ReadAllBytes("path\to\downloaded\private_key.pem"))
Online: https://www.base64encode.org/
| Env variable | Description | Required |
|---|---|---|
OCEAN__PORT__CLIENT_ID | Port client id for interacting with the API | โ |
OCEAN__PORT__CLIENT_SECRET | Port client secret for interacting with the API | โ |
OCEAN__PORT__BASE_URL | Port's API Base URL | โ |
OCEAN__BASE_URL | The base url of the instance where the GitHub integration is hosted, used for real-time updates (e.g. https://mygithuboceanintegration.com). | โ |
OCEAN__INTEGRATION__CONFIG__WEBHOOK_SECRET | A secret to secure webhooks from GitHub. This is optional but highly recommended for security if you enable live-events. | โ |
OCEAN__EVENT_LISTENER__TYPE | Define the appropriate event listener type to handle incoming events and resync requests from Port. This listener will forward the events to the GitHub Ocean integration. For more details, see the Port Event Listener documentation | โ |
OCEAN__INTEGRATION__CONFIG__GITHUB_HOST | The API endpoint for your GitHub instance. For GitHub Enterprise, this will be https://api.<SUBDOMAIN>.ghe.com. Defaults to https://api.github.com if not provided. | โ |
OCEAN__INTEGRATION__CONFIG__GITHUB_ORGANIZATION | The GitHub organization the integration was installed in. | โ |
OCEAN__INTEGRATION__IDENTIFIER | A unique identifier for the integration instance. Useful if you are running multiple self-hosted GitHub integrations. Defaults to github-ocean. | โ |
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_ID | App id or client id. You can find it in the edit GitHub app page. | โ |
OCEAN__INTEGRATION__CONFIG__GITHUB_APP_PRIVATE_KEY | A base64 encoded Github app private key. | โ |
The port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance or Port API will be used.
Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.
- If you use the EU region of Port (https://app.port.io), your API URL is
https://api.port.io. - If you use the US region of Port (https://app.us.port.io), your API URL is
https://api.us.port.io.
To use Self-Service Actions with GitHub Workflows, you need to install our public GitHub Cloud App.