GitHub

Setup

1. Create a GitHub OAuth App

GitHub → Settings → Developer settings → OAuth Apps → New OAuth App:

• Homepage URL: https://tappass.example.com
• Authorization callback URL: https://tappass.example.com/providers/github/callback

Note the Client ID and Client Secret.

2. Configure on the TapPass server

GITHUB_CLIENT_ID=<id>
GITHUB_CLIENT_SECRET=<secret>

The provider is declared in config/providers/github.yaml and auto-registers.

3. Authorise the agent

tappass provider connect github --agent chat-bot
# opens an OAuth flow; TapPass stores the refresh token in the vault

Operations

Operation	Op group	Endpoint
list_repos	read	GET /user/repos
get_repo	read	GET /repos/{owner}/{repo}
list_issues	read	GET /repos/{owner}/{repo}/issues
get_issue	read	GET /repos/{owner}/{repo}/issues/{number}
create_issue	write	POST /repos/{owner}/{repo}/issues
create_comment	write	POST /repos/{owner}/{repo}/issues/{number}/comments
search_code	read	GET /search/code

Usage

from tappass import Agent

agent = Agent("https://tappass.example.com", "tp_...")

# Read
issues = agent.call_provider(
    provider="github",
    operation="list_issues",
    params={"owner": "tappass", "repo": "tappass", "state": "open"},
)

# Write — gated by tool_decision.rego
agent.call_provider(
    provider="github",
    operation="create_issue",
    params={
        "owner": "tappass",
        "repo": "tappass",
        "title": "Pipeline broke in prod",
        "body": "See audit event abc123",
    },
)

Example policy

Deny agents from opening issues in production repos:

package tool_decision

deny[msg] {
    input.provider == "github"
    input.operation == "create_issue"
    startswith(input.params.repo, "prod-")
    msg := "cannot open issues in prod repos"
}

Data residency

GitHub hosts data in the US. If you require EU residency, use GitHub Enterprise Server with the same YAML spec — change api_base_url to your GHES instance.