Agent skill
github-core-app-setup
Configure organization-level GitHub Apps for secure cross-repository automation. Machine identity, audit trails, and enterprise-grade authentication.
Install this agent skill to your Project
npx add-skill https://github.com/adaptive-enforcement-lab/claude-skills/tree/main/plugins/secure/skills/github-core-app-setup
SKILL.md
GitHub Core App Setup
When to Use This Skill
This guide describes the concept, setup, and configuration of a GitHub Core App for organization-level automation.
Prerequisites
Required Access
Required Access
To create a Core App, you need:
- Organization owner role
- Access to organization settings:
https://github.com/organizations/{ORG}/settings/apps
Planning Considerations
Planning Considerations
Before creating the app, determine:
- Permission scope - Which repository and organization permissions are needed
- Installation scope - All repositories or specific teams
- Token management - Where secrets will be stored (repository or organization level)
- Naming convention - Standard naming (e.g., "CORE App", "Automation Core")
Implementation
See the full implementation guide in the source documentation.
Comparison
| Aspect | Core App | Standard App |
|---|---|---|
| Scope | Organization-wide | Single repository or selected repos |
| Purpose | Infrastructure automation | Feature-specific functionality |
| Permissions | Broad, covers common operations | Narrow, task-specific |
| Installation | All repositories | Selective repositories |
| Ownership | Organization-level admin | Project or team |
| Lifespan | Permanent infrastructure | Project lifecycle |
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
github-token-permissions-overview
Understanding GITHUB_TOKEN scope, default permissions, and implementing least-privilege principle for GitHub Actions workflows.
secure
Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.
complete-workflow-examples
Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.
ephemeral-runner-patterns
Disposable runner patterns for GitHub Actions. Container-based, VM-based, and ARC deployment strategies with complete state isolation between jobs.
action-pinning-overview
Why pinning GitHub Actions to SHA-256 commits matters for supply chain security. Attack vectors from unpinned actions and comparison of tag vs SHA pinning.
github-actions-security-patterns-hub
Complete security patterns for GitHub Actions covering action pinning, GITHUB_TOKEN permissions, third-party action risks, secret management, and runner security.
Didn't find tool you were looking for?