# GitHub App provisioning runbook
Purpose: Provision three GitHub Apps (raxx-dev-bot, raxx-ops-bot, raxx-pm-bot) so dispatched agents author commits/PRs/issues under bot identities instead of Kristerpher's user account.
Audience: Kristerpher (operator). Steps 1-7 must be done manually in the GitHub web UI; only the org owner can create Apps under raxx-app.
Time: ~30 minutes total (~10 min per App).
Tracking: Issue #335.
## Before you start
- [ ] You're signed in to GitHub as the raxx-app org owner.
- [ ] You have access to Infisical (where the private keys will be stored).
- [ ] You have a writable scratch directory for downloaded `.pem` files (delete them after upload to Infisical).
## Per-App provisioning steps
Repeat this whole section three times — once for each of raxx-dev-bot, raxx-ops-bot, raxx-pm-bot. Permissions differ; see the matrix below.
### Step 1 — Create the App
- Open `https://github.com/organizations/raxx-app/settings/apps/new`
- GitHub App name: `raxx-dev-bot` (or `raxx-ops-bot` / `raxx-pm-bot`)
- Description: use the description from the matrix below.
- Homepage URL: `https://raxx.app`
- Webhook → Active: uncheck (we don't need webhooks for v1).
- Repository permissions: set per the matrix below.
- Where can this GitHub App be installed? → "Only on this account" (the raxx-app org).
- Click Create GitHub App.
### Step 2 — Note the App ID
After creation you land on the App's settings page. At the top:
App ID: 123456
Copy the App ID. You'll store it in Infisical in step 5.
### Step 3 — Generate a private key
Scroll to Private keys at the bottom of the App settings page.
- Click Generate a private key.
- A `.pem` file downloads automatically (e.g., `raxx-dev-bot.2026-04-25.private-key.pem`).
- Move it to a scratch directory (`~/scratch/` or similar). Do not commit it.
### Step 4 — Install the App on the repo
- From the App's left sidebar click Install App.
- Click Install next to raxx-app.
- Choose Only select repositories → select `TradeMasterAPI`.
- Click Install.
- After install, the URL will look like `https://github.com/organizations/raxx-app/settings/installations/12345678`. The `12345678` at the end is your Installation ID — copy it.
### Step 5 — Store secrets in Infisical
In Infisical, under `/MooseQuest/<bot-name>/`:

| Key | Value |
|---|---|
| `APP_ID` | The App ID from step 2 (numeric) |
| `INSTALLATION_ID` | The Installation ID from step 4 (numeric) |
| `PRIVATE_KEY_PEM` | Full contents of the `.pem` file (including BEGIN/END lines) |
Key names must be uppercase. The mint script (`scripts/agents/mint_github_token.py`) fetches `APP_ID`, `INSTALLATION_ID`, and `PRIVATE_KEY_PEM` by exact name. Lowercase or hyphenated names cause `exit 4` ("bot secrets missing keys").
Verify with:

```sh
infisical run --env=prod --path=/MooseQuest/raxx-dev-bot -- env | grep -E "(APP_ID|INSTALLATION_ID)"
```

(Should print the IDs without revealing the PEM.)
### Step 6 — Delete the local .pem

```sh
rm ~/scratch/raxx-dev-bot.*.private-key.pem
```

The PEM only lives in Infisical from this point.
### Step 7 — Verify token minting
Once `scripts/agents/mint_github_token.py` lands (PR for issue #335), test:

```sh
python scripts/agents/mint_github_token.py --bot raxx-dev-bot
# Should print: ghs_AAAAAAAAA... (installation token, valid 1 hour)
```

If the token mints correctly, the App is provisioned.
## Permissions matrix per App
### raxx-dev-bot — Engineering activity
Description: Bot identity for code-writing agents (feature-developer, ux-polisher, ux-designer). Pushes commits, opens PRs, comments on issues.
| Permission | Level |
|---|---|
| Contents | Read & Write |
| Pull requests | Read & Write |
| Issues | Read & Write |
| Workflows | Read & Write |
| Metadata | Read (default) |
Webhooks: none.
### raxx-ops-bot — Operations & Security activity
Description: Bot identity for ops agents (sre-agent, security-agent, card-groomer). Files security issues, comments on infra PRs, grooms backlog.
| Permission | Level |
|---|---|
| Contents | Read |
| Pull requests | Read & Write |
| Issues | Read & Write |
| Security events | Read & Write |
| Metadata | Read |
Webhooks: none.
### raxx-pm-bot — Product & Architecture activity
Description: Bot identity for design + product agents (product-manager, software-architect, marketing-strategist, business-legal-researcher, data-scientist). Files cards, opens design-doc PRs.
| Permission | Level |
|---|---|
| Contents | Read & Write |
| Pull requests | Read & Write |
| Issues | Read & Write |
| Metadata | Read |
| Discussions | Read & Write |
Webhooks: none.
## After all three Apps are provisioned
Comment on issue #335 with:
```text
Provisioned. App IDs:
- raxx-dev-bot: <ID>
- raxx-ops-bot: <ID>
- raxx-pm-bot: <ID>
Private keys stored in Infisical at /MooseQuest/<bot-name>/.
```
That unblocks the implementation half (token-mint helper + agent dispatch wiring).
## Rollback / removal
If something goes wrong (key leaked, App misconfigured):
- Revoke the App's installation: `https://github.com/organizations/raxx-app/settings/installations` → Configure → Uninstall.
- Delete the App: `https://github.com/organizations/raxx-app/settings/apps` → click the App → Advanced → Delete this GitHub App.
- Delete the Infisical entries: clear `/MooseQuest/<bot-name>/`.
- Agents fall back to Kristerpher's PAT (per the fallback path in #335).
## References
- GitHub: About GitHub Apps
- GitHub: Authenticating as a GitHub App installation
- Issue: #335 — implementation tracking
- Existing SOP: `docs/ops/runbooks/rotation/github-app-installation-token.md` — covers rotating App private keys (relevant once provisioned)