The Infisical GitHub dynamic secret allows you to generate short-lived tokens for a GitHub App on demand based on service account permissions.

Setup GitHub App

1

Create an application on GitHub

Navigate to GitHub App settings and click New GitHub App.

Give the application a name and a homepage URL. These values do not need to be anything specific.

Disable webhook by unchecking the Active checkbox.

Configure the app’s permissions to grant the necessary access for the dynamic secret’s short-lived tokens based on your use case.

Create the GitHub Application.

If you have a GitHub organization, you can create an application under it in your organization Settings > Developer settings > GitHub Apps > New GitHub App.

2

Save app credentials

Copy the App ID and generate a new Private Key for your GitHub Application.

Save these for later steps.

3

Install app

Install your application to whichever repositories and organizations that you want the dynamic secret to access.

Once you’ve installed the app, copy the installation ID from the URL and save it for later steps.

Set up Dynamic Secrets with GitHub

1

Open Secret Overview Dashboard

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.

2

Click on the 'Add Dynamic Secret' button

3

Select 'GitHub'

4

Provide the inputs for dynamic secret parameters

Secret Name
string
required

Name by which you want the secret to be referenced

App ID
string
required

The ID of the app created in earlier steps.

App Private Key PEM
string
required

The Private Key of the app created in earlier steps.

Installation ID
string
required

The ID of the installation from earlier steps.

5

Click `Submit`

After submitting the form, you will see a dynamic secret created in the dashboard.

6

Generate dynamic secrets

Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.

When generating these secrets, the TTL will be fixed to 1 hour.

Once you click the Submit button, a new secret lease will be generated and the credentials from it will be shown to you.

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.

This will allow you to see the expiration time of the lease or delete a lease before its set time to live.

GitHub App tokens cannot be revoked. As such, revoking a token on Infisical does not invalidate the GitHub token; it remains active until it expires.

Renew Leases

GitHub App tokens cannot be renewed because they are fixed to a lifetime of 1 hour.