GitHub Apps Setup
Two separate GitHub Apps are required. They serve different purposes and must be created independently.
| App | Purpose | Used by |
|---|---|---|
| Jenkins CI App | Reads repos, posts build status, manages webhooks | Jenkins CI pipeline |
| Jenkins Login App | GitHub OAuth login for the Jenkins UI | Humans logging into Jenkins |
Part 1 — Jenkins CI App
Create the app
- Go to GitHub → Settings → Developer settings → GitHub Apps → New GitHub App
- Fill in:
  - Name: <your-github-username>-jenkins (or any unique name)
  - Homepage URL: your JENKINS_URL (e.g. https://jenkins.yourdomain.com)
  - Webhook URL: https://jenkins.yourdomain.com/github-webhook/
  - Webhook secret: generate with openssl rand -hex 32 — same value goes in .env as GITHUB_WEBHOOK_SECRET
- Set Repository permissions:
| Permission | Access |
|---|---|
| Contents | Read |
| Metadata | Read (mandatory) |
| Pull requests | Read |
| Commit statuses | Read & Write |
| Checks | Read & Write |
| Webhooks | Read & Write |
- Subscribe to events: Push, Pull request
- Where can this app be installed: Only on this account
- Click Create GitHub App
Get the App ID
The App ID is shown at the top of the app settings page. Add it to .env as GITHUB_APP_ID.
Generate the private key
Scroll to the bottom of the app settings page → Generate a private key
A .pem file downloads automatically. Copy it to the repo root as github-app.pem.
Never commit this file
github-app.pem is gitignored. It is mounted read-only into the container and never
leaves the host. Anyone with this key can authenticate as your Jenkins CI App.
Install the app
- In the app settings, click Install App
- Select your account
- Choose All repositories — covers every current and future repo automatically
Part 2 — Jenkins Login App (OAuth)
Create the app
- Go to GitHub → Settings → Developer settings → OAuth Apps → New OAuth App
- Fill in:
  - Application name: Jenkins Login
  - Homepage URL: your JENKINS_URL
  - Authorization callback URL: https://jenkins.yourdomain.com/securityRealm/finishLogin
- Click Register application
Get credentials
On the next page:
- Note the Client ID → add to .env as GITHUB_OAUTH_CLIENT_ID
- Click Generate a new client secret → add to .env as GITHUB_OAUTH_CLIENT_SECRET
Summary — what goes where
| Value | Destination |
|---|---|
| Jenkins CI App — App ID | .env → GITHUB_APP_ID |
| Jenkins CI App — private key | github-app.pem in repo root |
| Jenkins CI App — webhook URL | GitHub App settings field |
| Jenkins CI App — webhook secret | GitHub App settings field + .env → GITHUB_WEBHOOK_SECRET |
| OAuth App — Client ID | .env → GITHUB_OAUTH_CLIENT_ID |
| OAuth App — Client Secret | .env → GITHUB_OAUTH_CLIENT_SECRET |
| OAuth App — callback URL | OAuth App settings field |
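A pre-flight check for the local half of the table above, as an added example that is not part of this project's own code. The names parse_env and check_setup are hypothetical, the 64-hex-character rule follows from openssl rand -hex 32, and the owner-only permission check on github-app.pem is an assumption the page does not state.

```python
import os
import re
import stat

REQUIRED = ("JENKINS_URL", "GITHUB_APP_ID", "GITHUB_WEBHOOK_SECRET",
            "GITHUB_OAUTH_CLIENT_ID", "GITHUB_OAUTH_CLIENT_SECRET")


def parse_env(path):
    """Parse KEY=VALUE lines; skip blanks and comments, strip optional quotes."""
    values = {}
    if not os.path.isfile(path):
        return values  # every required key is then reported as missing
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                values[key.strip()] = value.strip().strip("'\"")
    return values


def check_setup(repo_root):
    """Return a list of findings; an empty list means every check passed."""
    env = parse_env(os.path.join(repo_root, ".env"))
    findings = [f"{k} is missing or empty in .env" for k in REQUIRED if not env.get(k)]
    if env.get("GITHUB_APP_ID") and not env["GITHUB_APP_ID"].isdigit():
        findings.append("GITHUB_APP_ID is not numeric")
    # openssl rand -hex 32 yields exactly 64 hex characters.
    secret = env.get("GITHUB_WEBHOOK_SECRET", "")
    if secret and not re.fullmatch(r"[0-9a-fA-F]{64}", secret):
        findings.append("GITHUB_WEBHOOK_SECRET is not 64 hex characters")
    pem = os.path.join(repo_root, "github-app.pem")
    if not os.path.isfile(pem):
        findings.append("github-app.pem not found in repo root")
        return findings
    with open(pem, encoding="utf-8", errors="replace") as fh:
        first = fh.readline().strip()
    if not (first.startswith("-----BEGIN") and first.endswith("PRIVATE KEY-----")):
        findings.append("github-app.pem does not start with a PEM private-key header")
    # Assumption (not from the page): only the owner should be able to read the key.
    if stat.S_IMODE(os.stat(pem).st_mode) & 0o077:
        findings.append("github-app.pem is accessible to group/other; consider chmod 600")
    return findings


if __name__ == "__main__":
    # Run from the repo root; prints findings and exits non-zero if any check fails.
    raise SystemExit("\n".join(check_setup(".")) or 0)
```

The values held only on the GitHub side (webhook URL, callback URL) are not checked here and still need to be compared by hand.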
Updating the webhook URL
If your Cloudflare Tunnel URL changes, update it in two places:
- Jenkins CI App settings → Webhook URL
- Jenkins Login App settings → Authorization callback URL
Then update JENKINS_URL in .env and restart Jenkins.