Creating GitHub Apps from a manifest

A GitHub App Manifest is a preconfigured GitHub App you can share with anyone who wants to use your app in their personal repositories. The manifest flow allows someone to quickly create, install, and start extending a GitHub App without needing to register the app or connect the registration to the hosted app code.

About GitHub App Manifests

When someone creates a GitHub App from a manifest, they only need to follow a URL and name the app. The manifest includes the permissions, events, and webhook URL needed to automatically register the app. The manifest flow creates the GitHub App registration and retrieves the app's webhook secret, private key (PEM file), and GitHub App ID. The person who creates the app from the manifest will own the app and can choose to edit the app's configuration settings, delete it, or transfer it to another person on GitHub.

You can use Probot to get started with GitHub App Manifests or see an example implementation. See "Using Probot to implement the GitHub App Manifest flow" to learn more.

Note: Currently, you can only install GitHub Apps created using the manifest flow on personal repositories.

Here are some scenarios where you might use GitHub App Manifests to create preconfigured apps:

  • Help new team members come up-to-speed quickly when developing GitHub Apps.
  • Allow others to extend a GitHub App using the GitHub APIs without requiring them to configure an app.
  • Create GitHub App reference designs to share with the GitHub community.
  • Ensure you deploy GitHub Apps to development and production environments using the same configuration.
  • Track revisions to a GitHub App configuration.

Implementing the GitHub App Manifest flow

The GitHub App Manifest flow uses a handshaking process similar to the OAuth flow. The flow uses a manifest to register a GitHub App and receives a temporary code used to retrieve the app's private key, webhook secret, and ID.

Follow these steps to implement the GitHub App Manifest flow:

  1. You redirect people to GitHub to create a new GitHub App.
  2. GitHub redirects people back to your site.
  3. You exchange the temporary code to retrieve the app configuration.

1. You redirect people to GitHub to create a new GitHub App

To redirect people to create a new GitHub App, provide a link for them to click that sends a POST request to https://github.com/settings/apps/new. You must include the GitHub App Manifest parameters as a JSON-encoded string in a parameter called manifest.

The person creating the app will be redirected to a GitHub page with an input field where they can edit the name of the app you included in the manifest parameter. If you do not include a name in the manifest, they can set their own name for the app in this field.

Create a GitHub App Manifest

GitHub App Manifest parameters

Name Type Description
name string The name of the GitHub App.
url string Required. The homepage of your GitHub App.
hook_attributes object Required. The configuration of the GitHub App's webhook.
redirect_url string The full URL to redirect to after the person installs the GitHub App.
description string A description of the GitHub App.
public boolean Set to true when your GitHub App is available to the public or false when it is only accessible to the owner of the app.
default_events array The list of events the GitHub App subscribes to.
default_permissions object The set of permissions needed by the GitHub App. The format of the object uses the permission name for the key (for example, issues) and the access type for the value (for example, write).

The hook_attributes object has the following key:

Name Type Description
url string Required. The URL of the server that will receive the webhook POST requests.

Example

This example uses a form on a web page with a button that triggers the POST request:

<form action="https://github.com/settings/apps/new" method="post">
 Create a GitHub App Manifest: <input type="textarea" name="manifest" id="manifest"><br>
 <input type="submit" value="Submit">
</form>

<script>
 input = document.getElementById("manifest")
 input.value = JSON.stringify({
   "name": "Octoapp",
   "url": "https://www.example.com",
   "hook_attributes": {
     "url": "https://example.com/github/events",
   },
   "redirect_url": "https://example.com/callback",
   "public": true,
   "default_permissions": {
     "issues": "write",
     "checks": "write"
   },
   "default_events": [
     "issues",
     "issue_comment",
     "check_suite",
     "check_run"
   ]
 })
</script>

2. GitHub redirects people back to your site

When the person clicks Create GitHub App, GitHub redirects back to the redirect_url with a temporary code in a code parameter. For example:

https://example.com/callback?code=a180b1a3d263c81bc6441d7b990bae27d4c10679

3. You exchange the temporary code to retrieve the app configuration

To complete the handshake, send the temporary code in a POST request to the GitHub API. The response will include the id (GitHub App ID), pem (private key), and webhook_secret. GitHub creates a webhook secret for the app automatically. You can store these values in environment variables on the app's server. For example, if your app uses dotenv to store environment variables, you would store the variables in your app's .env file.

Note: GitHub App Manifests are currently available for developers to preview. To access this API during the preview period, you must provide a custom media type in the Accept header:

application/vnd.github.fury-preview+json

Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact GitHub Support.

POST /app-manifests/:code/conversions

Response

Status: 200 OK
{
  "id": 1,
  "node_id": "MDM6QXBwNTk=",
  "owner": {
    "login": "octocat",
    "id": 1,
    "node_id": "MDQ6VXNlcjE=",
    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
    "gravatar_id": "",
    "url": "https://api.github.com/users/octocat",
    "html_url": "https://github.com/octocat",
    "followers_url": "https://api.github.com/users/octocat/followers",
    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
    "organizations_url": "https://api.github.com/users/octocat/orgs",
    "repos_url": "https://api.github.com/users/octocat/repos",
    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
    "received_events_url": "https://api.github.com/users/octocat/received_events",
    "type": "User",
    "site_admin": false
  },
  "name": "octoapp",
  "description": null,
  "external_url": "https://www.example.com",
  "html_url": "https://github.com/apps/octoapp",
  "created_at": "2018-09-13T12:28:37Z",
  "updated_at": "2018-09-13T12:28:37Z",
  "webhook_secret": "e340154128314309424b7c8e90325147d99fdafa",
  "pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAuEPzOUE+kiEH1WLiMeBytTEF856j0hOVcSUSUkZxKvqczkWM\n9vo1gDyC7ZXhdH9fKh32aapba3RSsp4ke+giSmYTk2mGR538ShSDxh0OgpJmjiKP\nX0Bj4j5sFqfXuCtl9SkH4iueivv4R53ktqM+n6hk98l6hRwC39GVIblAh2lEM4L/\n6WvYwuQXPMM5OG2Ryh2tDZ1WS5RKfgq+9ksNJ5Q9UtqtqHkO+E63N5OK9sbzpUUm\noNaOl3udTlZD3A8iqwMPVxH4SxgATBPAc+bmjk6BMJ0qIzDcVGTrqrzUiywCTLma\nszdk8GjzXtPDmuBgNn+o6s02qVGpyydgEuqmTQIDAQABAoIBACL6AvkjQVVLn8kJ\ndBYznJJ4M8ECo+YEgaFwgAHODT0zRQCCgzd+Vxl4YwHmKV2Lr+y2s0drZt8GvYva\nKOK8NYYZyi15IlwFyRXmvvykF1UBpSXluYFDH7KaVroWMgRreHcIys5LqVSIb6Bo\ngDmK0yBLPp8qR29s2b7ScZRtLaqGJiX+j55rNzrZwxHkxFHyG9OG+u9IsBElcKCP\nkYCVE8ZdYexfnKOZbgn2kZB9qu0T/Mdvki8yk3I2bI6xYO24oQmhnT36qnqWoCBX\nNuCNsBQgpYZeZET8mEAUmo9d+ABmIHIvSs005agK8xRaP4+6jYgy6WwoejJRF5yd\nNBuF7aECgYEA50nZ4FiZYV0vcJDxFYeY3kYOvVuKn8OyW+2rg7JIQTremIjv8FkE\nZnwuF9ZRxgqLxUIfKKfzp/5l5LrycNoj2YKfHKnRejxRWXqG+ZETfxxlmlRns0QG\nJ4+BYL0CoanDSeA4fuyn4Bv7cy/03TDhfg/Uq0Aeg+hhcPE/vx3ebPsCgYEAy/Pv\neDLssOSdeyIxf0Brtocg6aPXIVaLdus+bXmLg77rJIFytAZmTTW8SkkSczWtucI3\nFI1I6sei/8FdPzAl62/JDdlf7Wd9K7JIotY4TzT7Tm7QU7xpfLLYIP1bOFjN81rk\n77oOD4LsXcosB/U6s1blPJMZ6AlO2EKs10UuR1cCgYBipzuJ2ADEaOz9RLWwi0AH\nPza2Sj+c2epQD9ZivD7Zo/Sid3ZwvGeGF13JyR7kLEdmAkgsHUdu1rI7mAolXMaB\n1pdrsHureeLxGbRM6za3tzMXWv1Il7FQWoPC8ZwXvMOR1VQDv4nzq7vbbA8z8c+c\n57+8tALQHOTDOgQIzwK61QKBgERGVc0EJy4Uag+VY8J4m1ZQKBluqo7TfP6DQ7O8\nM5MX73maB/7yAX8pVO39RjrhJlYACRZNMbK+v/ckEQYdJSSKmGCVe0JrGYDuPtic\nI9+IGfSorf7KHPoMmMN6bPYQ7Gjh7a++tgRFTMEc8956Hnt4xGahy9NcglNtBpVN\n6G8jAoGBAMCh028pdzJa/xeBHLLaVB2sc0Fe7993WlsPmnVE779dAz7qMscOtXJK\nfgtriltLSSD6rTA9hUAsL/X62rY0wdXuNdijjBb/qvrx7CAV6i37NK1CjABNjsfG\nZM372Ac6zc1EqSrid2IjET1YqyIW2KGLI1R2xbQc98UGlt48OdWu\n-----END RSA PRIVATE KEY-----\n"
}

When the final step in the manifest flow is completed, the person creating the app from the flow will be an owner of a registered GitHub App that they can install on any of their personal repositories. They can choose to extend the app using the GitHub APIs, transfer ownership to someone else, or delete it at any time.

Using Probot to implement the GitHub App Manifest flow

Probot is a framework built with Node.js that performs many of the tasks needed by all GitHub Apps, like validating webhooks and performing authentication. Probot implements the GitHub App manifest flow, making it easy to create and share GitHub App reference designs with the GitHub community.

To create a Probot App that you can share, follow these steps:

  1. Generate a new GitHub App.
  2. Open the project you created, and customize the settings in the app.yml file. Probot uses the settings in app.yml as the GitHub App Manifest parameters.
  3. Add your application's custom code.
  4. Run the GitHub App locally or host it anywhere you'd like. When you navigate to the hosted app's URL, you'll find a web page with a Register GitHub App button that people can click to create a preconfigured app. The web page below is Probot's implementation of step 1 in the GitHub App Manifest flow:

Register a Probot GitHub App

Using dotenv, Probot creates a .env file and sets the APP_ID, PRIVATE_KEY, and WEBHOOK_SECRET environment variables with the values retrieved from the app configuration.

Hosting your app with Glitch

You can see an example Probot app that uses Glitch to host and share the app. The example uses the Checks API and selects the necessary Checks API events and permissions in the app.yml file. Glitch is a tool that allows you to "Remix your own" apps. Remixing an app creates a copy of the app that Glitch hosts and deploys. See "How it works" to learn about remixing Glitch apps.