OpenSkillIndex← back to search
claude-codedevelopment

Claude-skill-registry github-app-dev

GitHub App development guide for building custom integrations. Use this skill when creating a GitHub App, building webhook handlers, implementing GitHub API integrations, developing PR/Issue automation apps, or deploying GitHub Apps to Cloudflare Workers.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/github-app-dev" ~/.claude/skills/majiayu000-claude-skill-registry-github-app-dev && rm -rf "$T"
manifest: skills/data/github-app-dev/SKILL.md
tags
#github-apps#webhook-handling#api-integration#automation#cloudflare-workers
source content

GitHub App Development

Build custom GitHub Apps for automation, integrations, and workflow management using best practices for scalable, maintainable applications.

Getting Started

GitHub Apps are first-class integrations that act on their own behalf, providing granular permissions and webhook subscriptions for specific repositories.

Quick wins:

This skill covers:

  • App registration and authentication
  • Webhook handling and API integration
  • Best practices and anti-patterns
  • Deployment strategies
  • Security and error handling

This skill does NOT cover:

  • GitHub Actions development (see 
    github-actions
    skill)
  • OAuth apps for user authentication
  • App marketplace strategy

Quick Reference

App Types

TypeActs AsUse Case
GitHub AppItself or userAutomation, integrations, bots
OAuth AppUser only"Sign in with GitHub", user-facing tools

Authentication

GitHub Apps use a three-tier authentication model:

  1. JWT tokens - Authenticate the app itself (signed with your private key)
  2. Installation tokens - Scoped access to specific repositories (exchanged from JWT)
  3. User tokens - Optional user-delegated permissions (OAuth flow)

Most apps only need installation tokens. See examples/auth-patterns.ts for implementation details.

Authentication Best Practices

Essential security patterns:

  • Generate fresh JWT tokens (expire in 10 minutes)
  • Cache and refresh installation tokens (expire in 1 hour)
  • Scope operations to specific installations
  • Handle 401/403 errors gracefully

See references/authentication.md for advanced patterns and examples/auth-patterns.ts for implementation examples.

Permission Categories

CategoryExamplesWhen to Use
Repositorycontents, pull_requests, issuesMost apps
Organizationmembers, teamsOrg-level automation

See references/permissions.md for complete permission matrix.

Example Use Cases & Configurations

Common App Types with Ready-to-Use Configs

🚀 PR Automation Bot Auto-label PRs, assign reviewers, enforce quality gates

🔒 Security Scanner Scan for secrets, vulnerabilities, license compliance

📋 Issue Triage Assistant Route issues to teams, auto-label by content

🚢 Release Manager Generate changelogs, manage releases, close issues

Framework-Specific Examples

⚡ Cloudflare Workers (Edge-First) Best for: Low latency, global deployment, simple logic

// Minimal viable app in <100 lines
export default { async fetch(request, env) { ... } }

🤖 Probot Framework (Rapid Development) Best for: Prototyping, complex logic, multiple integrations

export = (app) => {
  app.on('pull_request.opened', async (context) => { ... })
}

☁️ Serverless Functions (Auto-scaling) Best for: Variable load, complex processing, existing infrastructure

Configuration Examples

Best practice examples:

Best Practices & Anti-patterns

Essential Best Practices

🔒 Security First

  • Verify all webhook signatures - Never process unverified webhooks
  • Request minimal permissions - Use principle of least privilege
  • Secure secret management - Use dedicated secret managers, not env vars
  • Validate all inputs - Sanitize webhook payloads and user data

⚡ Performance & Reliability

  • Acknowledge webhooks quickly - Respond within 30 seconds, process async
  • Implement circuit breakers - Graceful degradation when GitHub API is slow
  • Cache installation tokens - Refresh before expiry, batch API calls
  • Monitor rate limits proactively - Check remaining quota before operations

🏗️ Architecture & Maintainability

  • Separate concerns - Dedicated modules for auth, webhooks, services
  • Make operations idempotent - Handle duplicate webhook deliveries gracefully
  • Use structured logging - Include context (repo, PR number, installation)
  • Test with realistic payloads - Use actual GitHub webhook examples

See examples/best-practices.md for comprehensive implementation examples and security checklists.

Common Anti-patterns to Avoid

❌ Security Anti-patterns

  • Skipping signature verification - "Just for development" becomes production 
    // DON'T: Skip verification
app.post('/webhook', (req, res) => {
  // Process without verifying req.headers['x-hub-signature-256']
})
  • Over-privileged permissions - Requesting 
    admin
    when 
    read
    suffices 
    # DON'T: Request excessive permissions
permissions:
  administration: write  # Dangerous! Almost never needed
  contents: write        # Do you really need to modify files?
  • Logging sensitive data - Tokens in error messages or debug logs
  • Hardcoded secrets - Credentials in source code or config files

❌ Performance Anti-patterns

  • Synchronous webhook processing - Blocking responses while making API calls
  • Unbounded API requests - Making 100+ calls without rate limit checks
  • Memory leaks in long-running apps - Not cleaning up event listeners
  • Missing error boundaries - One failed operation breaks entire workflow

❌ Integration Anti-patterns

  • Polling instead of webhooks - Inefficient API usage patterns
  • Not handling app uninstalls - Continuing to process events after removal
  • Ignoring GitHub API deprecations - Using outdated endpoints or parameters
  • Assuming webhook order - Events may arrive out of sequence
  • Under-configured webhooks - Missing critical events for your use case 
    # DON'T: Miss critical events for PR bot
events: [issues]  # Forgot pull_request events!

Framework Selection Guidelines

ScaleComplexityRecommended ApproachWhen to Use
Small (< 100 repos)Simple automationProbotLearning, prototyping, simple bots
Medium (100-1000 repos)Custom logicHono + OctokitProduction apps, edge deployment
Large (1000+ repos)Enterprise featuresCustom frameworkEvent streaming, multi-tenant

See references/implementation-patterns.md for detailed architecture guidance and references/anti-patterns.md for comprehensive anti-pattern examples and recovery strategies.

Error Handling & Rate Limiting

Quick Error Response Guide

Key error handling patterns:

  • 403 (Rate Limited): Wait for reset time, implement backoff
  • 5xx (Server Errors): Retry with exponential backoff
  • 401/403: Check credentials/permissions, refresh tokens
  • 400/404: Validate request parameters, verify resource exists

Rate Limit Essentials

Key principles:

  • Monitor usage before hitting limits
  • Implement graceful degradation strategies
  • Use exponential backoff for retries

See examples/webhook-security.ts for rate limit monitoring implementation and references/error-handling.md for comprehensive patterns.

Observability & Monitoring

Essential Monitoring Targets

Application health: Response times, error rates, resource usage GitHub API integration: Rate limits, authentication failures, API errors Business metrics: Installations, active repositories, feature usage

Quick OpenTelemetry Setup

Key trace targets for GitHub Apps:

  • webhook.{event_type}
    - Processing time and errors
  • github.api.{operation}
    - API performance and rate limits
  • auth.installation_token
    - Authentication overhead

See references/observability.md for complete OpenTelemetry setup, alerting strategies, health checks, and dashboard configurations.

Architecture & Patterns

Framework Decision Matrix

ScaleFrameworkArchitecture
Small (< 100 repos)ProbotSingle instance, simple
Medium (100-1000 repos)Probot or HonoLoad balanced, cached
Large (1000+ repos)Custom OctokitEvent streaming, queues

Core Design Principles

✅ Essential patterns:

  • Event-driven architecture with dedicated handlers
  • Stateless operations (no in-memory state)
  • Background processing for heavy operations
  • Idempotent webhook handling

❌ Avoid these anti-patterns:

  • Monolithic webhook handlers processing all events
  • Synchronous processing of heavy operations
  • Direct database access from webhook handlers

See references/probot.md for framework comparisons and references/hosting/ for platform-specific patterns.

Testing & Quality

Test Strategy Overview

Follow the 70/20/10 test pyramid:

  • 70% Unit Tests - Business logic and utilities
  • 20% Integration Tests - Webhook processing with mocked API
  • 10% End-to-End Tests - Full flow with test repositories

Critical Test Scenarios

Authentication: Token expiration, app uninstalls, permission changes Webhooks: Duplicate delivery, signature verification, malformed payloads Rate limits: Graceful degradation, retry logic, secondary limits

See references/testing.md for complete testing frameworks, patterns, and automation strategies.

Production Deployment

Pre-deploy Checklist

Security essentials:

  • Webhook signature verification enabled
  • Private key in secure vault (not env vars)
  • Minimum required permissions only

Reliability essentials:

  • Health checks responding
  • Error monitoring configured
  • Response times < 10s (GitHub timeout)

Configuration

Required environment variables:

  • GITHUB_APP_ID
    - Your app's unique identifier
  • GITHUB_PRIVATE_KEY
    - App authentication key
  • GITHUB_WEBHOOK_SECRET
    - Webhook signature verification

See references/hosting/ for platform-specific deployment guides and examples/deployment/ for complete configuration examples.

Performance & Optimization

Critical Performance Targets

Response times: Acknowledge webhooks within 30 seconds Async processing: Queue non-critical operations Resource management: Stream large payloads, monitor memory

Common Bottlenecks

Avoid these performance killers:

  • Synchronous GitHub API calls in webhook handlers
  • Database queries blocking webhook responses
  • Loading large payloads into memory
  • CPU-intensive tasks blocking the main thread

See references/observability.md for detailed performance monitoring and optimization strategies.

Implementation Guides

Quick Setup (15 minutes)

  1. Register app - GitHub Settings → Developer settings → GitHub Apps
  2. Choose framework - Probot for rapid development, raw Octokit for Workers
  3. Deploy - Start with examples, customize for your needs

See examples/README.md for step-by-step setup guides.

Development Workflow

Three-phase approach:

  1. Setup - Register app, configure permissions, download key
  2. Development - Clone templates, implement handlers, test locally
  3. Deployment - Configure secrets, deploy, install on repos

See examples/setup-guide.md for detailed step-by-step instructions.

Advanced Configuration Examples

🏢 Enterprise Apps - Multi-tenant, organization-scoped with SAML/SSO integration 🔄 Multi-Repository Orchestration - Coordinate changes across multiple repositories 📊 Analytics & Reporting - Read-only apps that collect metrics without making changes

See references/advanced-configuration.md for complete enterprise patterns, deployment scenarios by scale, and configuration examples.

Integration Examples

Connect GitHub Apps with external systems using proven integration patterns:

🔗 External API Integration - Slack, Jira, CI/CD systems 📝 Custom Workflow Automation - Repository-specific business logic 🔐 Security Integration - Automated security scanning and policies

See references/integration-patterns.md for implementation details, authentication patterns, and resilience strategies.

Common Implementation Patterns

Essential App Patterns

Auto-labeling - Label PRs based on conventional commit titles Reviewer assignment - Route to team members based on file paths Quality gates - Enforce checks based on repository settings Welcome automation - Greet first-time contributors Configuration-based logic - Use repository properties for behavior

See references/implementation-patterns.md for complete code examples, event processing patterns, and state management strategies.

Hosting Platforms

Choose the right platform based on your scale and requirements. See references/hosting/ for detailed deployment guides and platform comparisons.

API Reference

Core Operations

Essential API categories:

  • Pull Requests - Reviews, comments, status updates
  • Issues & Comments - Create, label, assign, respond
  • Checks & Status - CI integration, status reporting
  • Repository - Files, branches, webhooks, settings

See references/octokit.md for complete API reference and examples/production-app.ts for real-world usage patterns.

Webhook Events

Most common events:

  • pull_request.opened
    - New PR created
  • issues.opened
    - New issue created
  • issue_comment.created
    - Comment added
  • check_run.completed
    - CI check finished

See references/webhooks.md for complete event reference.

Security & Operations

Security Checklist

Essential security measures:

  • Verify webhook signatures before processing
  • Request minimum necessary permissions
  • Store private key securely (use secrets manager)
  • Validate all webhook payload input
  • Use HTTPS for all communication

Common Issues

Authentication problems:

  • Check private key format (PEM) and app ID
  • Verify token hasn't expired
  • Confirm app is installed on target repository

Webhook delivery issues:

  • Verify webhook URL is accessible
  • Check webhook secret matches
  • Confirm app subscribes to necessary events

See references/error-handling.md for detailed troubleshooting guides.

See Also

External Resources