zomg-api mint short-lived GitHub installation tokens. Boxes get only a Zomg proxy token, and zomg-api uses the GitHub App credentials server-side when Git needs repository access.
Use this when different boxes need different repositories or different permission scopes.
The proxy token is not a GitHub token. It only authenticates the box to Zomg’s GitHub proxy. The GitHub installation token is minted by
zomg-api for the attached grant and is not returned to the box.Mental model
- A GitHub App belongs to one Zomg deployment.
- The GitHub App’s configured permissions are the maximum permission envelope for that deployment.
- A Zomg GitHub grant narrows that envelope to specific repositories and permission levels.
- A grant is attached to one or more boxes.
- Git traffic goes through
zomg-api, which verifies the box proxy token, checks the attached grant, mints a short-lived GitHub installation token, and forwards the smart-HTTP Git request to GitHub.
The deployment GitHub App
Your instance’s operator installs a GitHub App for the deployment and installs it on the GitHub organization or repositories Zomg should be able to reach. Once the app is installed, the grant commands below work — grants can only narrow the repositories and permissions the app installation already has. Check whether your instance has a GitHub App configured:Create a repository grant
A grant names the repositories and permissions the boxes you attach it to can use.Attach a grant to a box
Attach the grant to the box that should use it:Clone through the proxy
zomg github attach configures Git inside the box. It stores the box’s Zomg
proxy token in /etc/zomg/github-proxy-token, installs a system credential
helper, and adds URL rewrites for each repository in the grant.
After attaching the grant, clone with the normal GitHub URL inside the box:
Security properties
Zomg limits blast radius in a few places:- The GitHub App private key stays server-side with
zomg-api; it is never sent to a box. - GitHub installation tokens are minted server-side and scoped to one repository plus the grant permissions.
- The box receives only a Zomg proxy token.
- Detaching the grant stops future proxy access for that box.
- Rotating the box proxy token invalidates the previous proxy token.