App for GitHub

for an overview of git integration options (auth types, cloud vs satellite), see git integration docid\ tkz2d5tlfeinmdrysqwg6 this page covers connecting resolve ai to your code on github, in all three ways customers commonly run it github com via the resolve managed app , fastest path one click install, no app credentials to manage see connect via the resolve managed app docid\ jr5wemheelnozhvsz81ne bring your own github app , for github enterprise server (on prem), github enterprise cloud, or github com when you want to operate the app yourself see bring your own github app docid\ jr5wemheelnozhvsz81ne token auth , fine grained or classic pat for any github variant; useful for mixed provider setups see git integration docid\ tkz2d5tlfeinmdrysqwg6 for token auth setup how it works resolve ai integrates with github through a github app once installed github automatically issues a short lived installation token per request you never manage or rotate personal access tokens resolve ai handles token lifecycle and refresh behind the scenes the agent pulls in relevant code, commits, and pull requests as part of an investigation to help you quickly zero in on the root cause you can ask questions that span your telemetry and your codebase , and resolve ai connects the dots for you connect via the resolve managed app use this on github com when you can install the resolve managed github app it's the fastest path, no app credentials, no private key, no base url prerequisite log in to your resolve ai account first, then go to the integrations page log in to the resolve ai app at app0 resolve ai https //app0 resolve ai/ open the github integration https //app0 resolve ai/integrations/github page create a new integration, add a name and click install application in github, pick all or a subset of your repositories in the dropdown and click save select a github repo the resolve managed app requests the same permission set documented under step 3 set repository permissions docid\ jr5wemheelnozhvsz81ne below bring your own github app create a github app you own, install it on your organization, and connect it to resolve via the git integration's ghe auth type the same procedure works for all github variants github com , when you'd rather operate the app yourself instead of installing the resolve managed one (compliance, audit, scoped permissions) github enterprise cloud github enterprise server (on prem), including air gapped instances reachable only from inside your network (use a satellite) step 1 navigate to developer settings for the org account log in to your github instance (github com or your ghe server url) navigate to your organization's main page in the left sidebar, click settings click developer settings > github apps github apps page in organization settings step 2 click on new github app click new github app and fill in the basic details github app name e g resolve ai (must be unique on the instance) homepage url https //resolve ai/ webhook uncheck active , resolve does not consume github webhooks register new github app form step 3 set repository permissions grant the github app the following repository permissions read access to actions, checks, commit statuses, deployments, discussions, issues, merge queues, and metadata read and write access to code and pull requests per permission detail permission access what it enables actions read reading github actions workflow runs and workflow definitions checks read reading check run results and pr check status commit statuses read commit level ci status contents (code) read & write cloning, file reads, history, diffs deployments read deployment history, environment context discussions read repo level discussions if referenced in investigations issues read issue context referenced in prs / investigations merge queues read merge queue state on prs metadata read mandatory base permission required for any github app pull requests read & write reading pr metadata, diffs, comments, and file contents recently added actions , checks , and discussions are newly recommended scopes grant them so investigations can read github actions runs, pr check status, and any in repo discussions referenced as context if you previously installed resolve's app with a narrower set, accept the prompt to apply the updated permissions on the existing installation, no reinstall is required step 4 collect credentials and generate a private key after saving, capture from the app settings page app id , shown on the general tab private key , scroll down to private keys and click generate a private key ; a pem file downloads store it somewhere safe, github will not show it again app id and client id on general tab generate a private key section step 5 install the github app from the app settings page click edit on the app you just created (or install app in the left sidebar) click install next to your organization choose all repositories or only select repositories and pick the repos you want resolve to access github apps list showing the new app install app page choose repositories and confirm permissions step 6 collect the installation id and base url installation id path profile picture > settings > applications > configure (on the app you just created) the installation id is the trailing number in the url example https //github com/organizations/\<your org>/settings/installations/84995228 , installation id is 84995228 installation url containing the installation id api base url github variant base url github com https //api github com github enterprise cloud (your org ghe com) https //api your org ghe com github enterprise server (v2 5+) https //github your company com/api/v3 for older ghe server versions or custom overridden base urls, contact your github administrator step 7 configure the resolve integration connect the byo app to resolve through the git integration's ghe auth type pick saas if your github instance is reachable from the public internet, or satellite if it lives inside your network connect via resolve ui (cloud) open git integrations https //app0 resolve ai/integrations/git/edit create a cloud git connection select the ghe auth tab fill in the four fields api base url , from step 6 docid\ jr5wemheelnozhvsz81ne app id , from step 4 docid\ jr5wemheelnozhvsz81ne installation id , from step 6 docid\ jr5wemheelnozhvsz81ne private key , paste the pem contents of the file from step 4 docid\ jr5wemheelnozhvsz81ne save and verify the health check and repository listing connect git (cloud) modal with the ghe tab selected for full cloud setup details (including json examples), see git on cloud docid\ jnylm3jccqrvieuavzdqs connect via resolve satellite use this when your github instance is only reachable from inside your network, or when you need code to stay in your environment the resolve ui includes a satellite configuration for git form that generates the right resolve values yaml and a matching secret template, open your git integration, choose on prem , and click add ghe auth choose cloud vs on prem in the integration setupsatellite configuration for git, add ghe auth form the form emits yaml in the shape below, plus a suggested kubernetes secret format generated yaml and suggested secret format 1 create a kubernetes secret with the private key the private key goes into gheauthcredentials \<authconfigname> privatekey , keyed by the auth config name you'll use in the next step git credentials yaml apiversion v1 kind secret type opaque metadata name git credentials stringdata gheauthcredentials | mygheapp # auth config key, must match `authconfigs` in resolve values yaml privatekey | \ begin rsa private key your downloaded private key \ end rsa private key kubectl apply f git credentials yaml 2 configure the git integration on satellite add a ghe auth config to your existing git integration (or create a new one) in resolve values yaml resolve values yaml integrations gitghe type git create true secretname git credentials connection authconfigs mygheapp # must match the key in gheauthcredentials type "ghe" ghe baseurl "https //github your company com/api/v3" appid "12345" installationid "84995228" gitvolume type persistentvolumeclaim for a self signed ghe server, add a trustedcertificateoverrides \<authconfigname> block to the secret, see git on satellite → custom ssl certificates docid\ xpgmd3gralx1wkgfybh8a 3 apply changes helm upgrade install resolve satellite \\ oci //registry 1 docker io/resolveaihq/satellite chart \\ \ values resolve values yaml 4 verify integration open your git integration in resolve https //app0 resolve ai/integrations/git/edit and confirm the health check and repository listing for multi auth examples (mixing ghe with github and token auth in one integration), advanced storage / certificate config, and satellite side troubleshooting, see git on satellite docid\ xpgmd3gralx1wkgfybh8a github app permissions reference capabilities only become available when the matching permission is granted on the app installation resolve capability permissions required repository read (clone, file reads, history, diffs) contents (read), metadata (read) reading pr data (metadata, diffs, comments, file contents) pull requests (read), contents (read), metadata (read) reading github actions workflow runs and workflow definitions actions (read) reading pr check status checks (read), pull requests (read) commit statuses, deployments, discussions, issues, merge queue context the matching read permission for each if a feature returns 403 /permission denied at runtime, the app installation is usually missing one of these update the app's permissions on github, accept the prompt to apply the new permission set on the existing installation, then retry frequently asked questions how does resolve ai's github integration work? the integration is installed as a github app you install the app on any repository you want resolve ai to read github issues a short lived installation access token automatically for each request, so you never manage or rotate pats yourself all token lifecycle and refresh logic is handled by resolve ai behind the scenes what data does it look at? the github app requests the permissions documented in step 3 docid\ jr5wemheelnozhvsz81ne with those scopes, during an investigation the agent reads repository tree (file paths and file contents) pull / merge requests (open and merged), including diffs and review comments commit metadata and diffs basic repository metadata (default branch, topics, permissions) github actions workflow definitions and recent runs (statuses, conclusions, head shas) check runs and ci status for prs issues and discussions referenced as context you can review the precise permission set during installation or on the github app page at any time does resolve ai store the source code? no source code is streamed from github at runtime only and is not persisted or mirrored on resolve ai's servers the sole exception is small code snippets that appear in your investigations, which are saved in resolve ai saas or sent to slack can resolve ai make changes to my repositories? the github app has write permissions on contents (code) and pull requests , but those are only used for explicit, user invoked actions resolve never auto pushes commits or opens prs in the background the app cannot merge code or alter repository settings if you want to disable writes entirely on a git integration, set disablewrites true on the integration's connection read only operations stay available, write/remediation paths are blocked for byo setups, you control the granted permissions on your own github app i'm using a github ip allowlist https //docs github com/en/enterprise cloud\@latest/organizations/keeping your organization secure/managing security settings for your organization/managing allowed ip addresses for your organization how do i connect with resolve? contact us at help\@resolve ai mailto\ help\@resolve ai to manage the allowlist of ip addresses for resolve ai to connect to your github organization