GitHub App Guide

This guide walks you through creating a GitHub App for Tinkero and configuring it to receive webhooks.

Table of Contents

1. Overview
2. Creating the GitHub App
3. Configuring Permissions
4. Setting Up Webhooks
5. Generating Private Key
6. Installing the App
7. Configuring Tinkero
8. Validation
9. Troubleshooting

Overview

Tinkero uses a GitHub App for:

• Webhook delivery: Receiving push events from repositories
• Repository access: Cloning private repositories for builds
• Deployment status: Creating and updating GitHub Deployments

Why a GitHub App?

Feature	GitHub App	Personal Access Token
Fine-grained permissions	Yes	Limited
Per-repository access	Yes	All or nothing
Webhook validation	Built-in secret	Manual setup
Token expiration	Auto-refreshed	Manual rotation
Rate limits	Higher	Standard

Creating the GitHub App

Step 1: Navigate to GitHub App Settings

1. Go to GitHub.com and log in
2. Click your profile picture (top right)
3. Go to Settings > Developer settings > GitHub Apps
4. Click New GitHub App

Or go directly to: https://github.com/settings/apps/new

Step 2: Basic Information

Fill in the following fields:

Field	Value	Notes
GitHub App name	Tinkero Deploy	Must be unique across GitHub
Description	Automatic static site deployments	Optional
Homepage URL	https://lair.nntin.xyz/tinkero	Your Tinkero domain

Step 3: Identifying and Authorizing Users

For Tinkero's use case, you can skip most of these settings:

Setting	Value
Callback URL	Leave empty
Request user authorization (OAuth)	Unchecked
Enable Device Flow	Unchecked

Step 4: Post Installation

Setting	Value
Setup URL	Leave empty
Redirect on update	Unchecked

Configuring Permissions

Navigate to the Permissions & events section and configure:

Repository Permissions

Permission	Access	Purpose
Contents	Read-only	Clone repositories for builds
Deployments	Read and write	Create deployment statuses
Metadata	Read-only	Basic repository information (auto-granted)

Account Permissions

No account permissions required. Leave all as No access.

Subscribe to Events

Check the following events:

Event	Purpose
Push	Trigger deployments on code push

Setting Up Webhooks

Webhook Configuration

In the Webhook section:

Field	Value
Active	Checked
Webhook URL	https://lair.nntin.xyz/tinkero/webhook
Webhook secret	Generate a secure random string

Generating a Webhook Secret

You can use any method to generate a secure random string:

# Using openssl
openssl rand -hex 32

# Using /dev/urandom
head -c 32 /dev/urandom | base64 | tr -d '=' | tr '+/' '-_'

# Using Python
python3 -c "import secrets; print(secrets.token_urlsafe(32))"

Important: Save this secret - you'll need it when running tinkero config.

SSL/TLS Verification

Setting	Value
SSL verification	Enable SSL verification (default)

Only disable SSL verification for testing. Production should always use verified SSL.

Generating Private Key

After creating the app, you need to generate a private key for authentication.

Step 1: Find the App ID

After creating the app, note the App ID displayed at the top of the app settings page:

App ID: 123456

Step 2: Generate Private Key

1. Scroll to the bottom of the app settings page
2. Find the Private keys section
3. Click Generate a private key

Step 3: Download the Key

Your browser will download a .pem file (e.g., my-app.2024-01-08.private-key.pem).

Step 4: Store the Key Securely

# Move to a secure location
sudo mv ~/Downloads/my-app.*.private-key.pem /srv/tinkero/github-app-key.pem

# Set restrictive permissions
sudo chmod 600 /srv/tinkero/github-app-key.pem
sudo chown root:root /srv/tinkero/github-app-key.pem

Security Notes: - Never commit the private key to git - Keep a secure backup - If compromised, revoke and regenerate immediately

Installing the App

After creating the app, install it on the repositories you want to deploy.

Step 1: Access Install Page

From the app settings page: 1. Click Install App in the left sidebar 2. Or go to: https://github.com/apps/YOUR-APP-NAME/installations/new

Step 2: Select Account

Choose the GitHub account or organization where your repositories are located.

Step 3: Select Repositories

You can either:

Option	When to Use
All repositories	If you want to deploy all repos (not recommended)
Only select repositories	Choose specific repositories (recommended)

Step 4: Confirm Installation

Click Install to complete the installation.

Configuring Tinkero

Now configure Tinkero with your GitHub App credentials using the CLI.

Running the Config Wizard

# Navigate to Tinkero directory
cd /path/to/tinkero

# Run the configuration wizard
tinkero config

Configuration Walkthrough

🔧 GitHub App Configuration Wizard

ℹ️  This wizard will help you configure your GitHub App credentials.
ℹ️  You'll need your GitHub App ID, private key file, and webhook secret.

ℹ️  Step 1/4: Collecting GitHub App credentials...

📝 GitHub App Configuration

Enter GitHub App ID (numeric): 123456
✅ App ID: 123456

Enter path to GitHub App private key file (.pem): /srv/tinkero/github-app-key.pem
✅ Private key: /srv/tinkero/github-app-key.pem

Enter GitHub App webhook secret: your-webhook-secret-here
✅ Webhook secret configured

ℹ️  Step 2/4: Validating GitHub App credentials...
✅ Successfully validated GitHub App: Tinkero Deploy

ℹ️  Step 3/4: Updating configuration file...
✅ Configuration file updated successfully

ℹ️  Step 4/4: Restarting webhook-handler service...
✅ Webhook handler restarted successfully

Configuration Fields

Field	Description	Example
App ID	Numeric ID from app settings	123456
Private key path	Path to downloaded .pem file	/srv/tinkero/github-app-key.pem
Webhook secret	Secret you configured in the app	abc123...

Manual Configuration

If you prefer manual configuration, edit the .env file:

# Edit .env file
nano .env

# Update these values:
GITHUB_APP_ID=123456
GITHUB_APP_PRIVATE_KEY_PATH=/srv/tinkero/github-app-key.pem
GITHUB_WEBHOOK_SECRET=your-webhook-secret

# Restart the webhook handler
docker compose restart webhook-handler

Validation

Verify Service Health

tinkero health

Expected output:

✅ webhook-handler     HEALTHY

Verify Webhook Delivery

1. Go to your GitHub App settings
2. Click Advanced in the left sidebar
3. Check Recent Deliveries

Successful deliveries show a green checkmark.

Test with a Push

1. Make a change to a repository with the app installed
2. Add a .tinkero.yml file if not present
3. Push the changes
4. Check:
5. Webhook delivery in GitHub App settings
6. Deployment status on the commit
7. Tinkero logs: docker compose logs -f webhook-handler

Troubleshooting

Authentication Failed (401)

❌ Authentication failed (401 Unauthorized)

Causes: - Wrong App ID - Private key doesn't match the app - Private key was regenerated

Solutions: 1. Verify the App ID matches your GitHub App settings 2. Ensure you're using the correct private key file 3. If the key was regenerated, download the new one 4. Check the private key file is readable: ls -la /path/to/key.pem

GitHub App Not Found (404)

❌ GitHub App not found (404 Not Found)

Causes: - App ID is incorrect - App was deleted - App is owned by a different account

Solutions: 1. Go to https://github.com/settings/apps and verify the app exists 2. Double-check the App ID

Private Key Format Error

❌ Failed to generate JWT token: failed to parse private key

Causes: - Corrupted private key file - Wrong file format (not PEM) - File is empty

Solutions:

# Check the file exists and has content
cat /srv/tinkero/github-app-key.pem

# Should start with:
# -----BEGIN RSA PRIVATE KEY-----
# or
# -----BEGIN PRIVATE KEY-----

# Check file permissions
ls -la /srv/tinkero/github-app-key.pem
# Should be readable

# If corrupted, regenerate from GitHub App settings

Webhook Signature Validation Failed

webhook signature validation failed

Causes: - Webhook secret doesn't match - Secret was copied incorrectly (extra spaces, etc.)

Solutions: 1. Verify the secret in GitHub App settings matches .env 2. Re-enter the secret using tinkero config 3. Check for trailing whitespace:

grep GITHUB_WEBHOOK_SECRET .env

Webhooks Not Being Received

Causes: - App not installed on the repository - Wrong webhook URL - Firewall blocking incoming connections - SSL certificate issues

Solutions:

1. Verify app installation:
2. Go to repository Settings > Integrations > GitHub Apps

3. Ensure your app is listed

4. Check webhook URL:

5. In app settings, verify URL is https://lair.nntin.xyz/tinkero/webhook

6. Test the URL is accessible: curl -I https://lair.nntin.xyz/tinkero/webhook

7. Check firewall:

   # Verify port 443 is open
   sudo ufw status
   

8. Check Traefik logs:

   docker compose logs traefik | grep webhook
   

Webhook Delivery Failed

In GitHub App settings > Advanced > Recent Deliveries:

Response Code	Meaning	Solution
200	Success	Working correctly
401	Unauthorized	Check webhook secret
404	Not Found	Check webhook URL
500	Server Error	Check webhook-handler logs
Connection refused	Service down	Verify Tinkero is running

Service Restart After Configuration

If the webhook handler doesn't restart automatically:

# Manual restart
docker compose restart webhook-handler

# Check logs
docker compose logs -f webhook-handler

# Verify service is healthy
tinkero health

Security Best Practices

1. Protect the private key:
2. Store in a secure location
3. Use restrictive file permissions (600)
4. Never commit to version control

5. Keep a secure backup

6. Use a strong webhook secret:

7. At least 32 characters
8. Randomly generated

9. Unique per installation

10. Rotate credentials periodically:

11. Regenerate private key annually

12. Update webhook secret if compromised

13. Minimal permissions:

14. Only grant required repository permissions

15. Install on specific repositories, not all

16. Monitor webhook deliveries:

17. Check GitHub App settings regularly
18. Set up alerting for failed deliveries

---

Next Steps: - Configuration Reference - Configure your repositories - Operations Guide - Day-to-day operations - Troubleshooting - More troubleshooting tips