GitHub Integration
Link a GitHub repository to enable Just-in-Time (JIT) access for your team.
The GitHub Integration lets you link an Envault project to a specific GitHub repository. When a developer runs envault pull, Envault automatically checks if they are a collaborator on that repository and grants them Viewer access on the spot - no manual invite required.
How It Works
- You install the Envault GitHub App on your GitHub account or organization.
- You link the app to a specific repository in your Envault project settings.
- When a team member runs envault pull, Envault checks their GitHub identity against that repository's collaborator list.
- If they are a collaborator, they are automatically granted viewer access and their secrets are returned.
- If they are not a collaborator, the CLI prompts them to submit an access request, which notifies the project owner.
JIT access only grants the Viewer role. To give a team member Editor or Owner access, invite them manually from the project settings.
Setup
Install the GitHub App
Open your Envault project, click the Settings icon in the project header, and select GitHub Integration. Click Connect GitHub Repository.
- First project: You will be redirected to GitHub to install the Envault GitHub App on your account or organization, then redirected back automatically.
- Additional projects: If the app is already installed, the repository picker appears immediately - no GitHub redirect needed.
Select a Repository
The dialog shows a list of repositories the app has access to. Select the one that corresponds to this project.
Each repository can only be linked to one project at a time. If a repository is already linked elsewhere, you will need to unlink it first.
Done
The dialog shows Successfully Linked with the repository name. From this point, any collaborator on that repository who runs envault pull will automatically receive access.
Unlinking a Repository
Click Unlink in the GitHub Integration dialog. This clears the linked repository but keeps the GitHub App installed - you can immediately select a different repository without going through GitHub again.
To fully remove the integration, uninstall the Envault GitHub App from github.com/settings/installations. Envault will automatically clear the linked data via webhook.
Access Request Flow
When a developer runs envault pull on a project they don't have access to, the CLI prompts them:
You do not have access to this project. Would you like to send an access request to the project owner? (y/N)
- y - An access request is sent to the project owner. The owner receives an email and an in-app notification. Once approved, the developer can run envault pull again.
- N - Outputs "Access request cancelled." and exits cleanly.
If a request was already submitted, the CLI shows:
You already have a pending access request for this project.
Self-Hosting: Required Environment Variables
If you are self-hosting Envault, you need to create your own GitHub App and configure the following variables:
| Variable | Description |
|---|---|
| ENVAULT_GITHUB_APP_CLIENT_ID | Client ID from your GitHub App settings |
| ENVAULT_GITHUB_APP_CLIENT_SECRET | Client secret from your GitHub App settings |
| ENVAULT_GITHUB_APP_PRIVATE_KEY | RSA private key (single-line, \n-escaped) |
| ENVAULT_GITHUB_WEBHOOK_SECRET | Secret used to verify webhook payloads from GitHub |
| NEXT_PUBLIC_GITHUB_APP_NAME | The slug name of your GitHub App (e.g. My-App) |
| NEXT_PUBLIC_APP_URL | Your deployment URL (e.g. https://envault.tech) |
GitHub App Configuration
In your GitHub App settings, set:
- Setup URL: https://your-domain.com/api/github/callback
- Webhook URL: https://your-domain.com/api/github/webhook
- Webhook secret: same value as ENVAULT_GITHUB_WEBHOOK_SECRET
- Permissions: Repository metadata: Read-only, Members: Read-only
- Events: Subscribe to Installation
The private key must be stored as a single line with literal \n characters replacing newlines. Multi-line values in .env files are truncated by most platforms.