GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET for Better Auth. The repository connector uses the GITHUB_CONNECTOR_APP_* settings below.
Public URLs
Use the same public hosts that you set in the Helm chart:| GitHub App field | Value |
|---|---|
| Homepage URL | https://openwork.example.com |
| Setup URL | https://openwork.example.com/dashboard/integrations/github |
| Webhook URL | https://api.openwork.example.com/v1/webhooks/connectors/github |
installation_id and state; Den web completes the installation by calling Den API.
No OAuth callback URL is required for the current repository connector flow. If you also enable GitHub user authorization later, treat that as a separate OAuth setup from this connector.
Create the GitHub App
In GitHub, create a new GitHub App for the account that should own the connector. Use these settings:- Webhook: active.
- Webhook URL:
https://api.openwork.example.com/v1/webhooks/connectors/github. - Webhook secret: generate a strong random secret and keep it for Helm.
- Setup URL:
https://openwork.example.com/dashboard/integrations/github. - Redirect on update: enabled.
- Repository permissions:
- Contents: read-only.
- Metadata: read-only. GitHub grants this automatically.
- Subscribe to events:
pushinstallationinstallation_repositoriesrepository
- App ID
- Client ID
- Client secret if you generated one
- Private key (
.pem) - Webhook secret
Configure Helm
Add the GitHub App values to your production values file:\n). Den normalizes escaped newlines before signing GitHub App JWTs.
If you use an existing Kubernetes Secret instead of secret.values, keep config.githubConnector.appId in values and include these secret-backed keys in that Secret:
GITHUB_CONNECTOR_APP_IDGITHUB_CONNECTOR_APP_PRIVATE_KEYGITHUB_CONNECTOR_APP_WEBHOOK_SECRET
GITHUB_CONNECTOR_APP_CLIENT_IDGITHUB_CONNECTOR_APP_CLIENT_SECRET
GITHUB_CONNECTOR_APP_ID and GITHUB_CONNECTOR_APP_CLIENT_ID through the shared ConfigMap, and writes GITHUB_CONNECTOR_APP_PRIVATE_KEY, GITHUB_CONNECTOR_APP_WEBHOOK_SECRET, and GITHUB_CONNECTOR_APP_CLIENT_SECRET through the shared Secret.
What OpenWork does with it
When an admin clicks Connect GitHub in OpenWork:- Den API calls
/v1/connectors/github/install/start. - Den API reads the GitHub App metadata with the app ID and private key.
- Den API sends the admin to the GitHub App installation URL with a signed
state. - GitHub redirects to
/dashboard/integrations/github?installation_id=...&state=.... - Den web calls
/v1/connectors/github/install/complete. - Den API stores the GitHub installation as a connector account and lists repositories visible to that installation.
/v1/webhooks/connectors/github, Den API verifies the x-hub-signature-256 header with GITHUB_CONNECTOR_APP_WEBHOOK_SECRET before enqueueing connector sync work.
Validate the setup
After deploying the chart, sign in to Den web and open:503 response from /v1/webhooks/connectors/github means the webhook secret is not configured in the Den API pod.