GitHub App Scaffold
Turn existing GitHub automation into a real GitHub App with Probot and the modern Octokit stack.
Stack (2026 Standard)
- Runtime: Node.js + TypeScript
- Framework: Probot
- Auth + App primitives:
@octokit/app - API client:
@octokit/rest(viacontext.octokit)
Why this stack:
- Probot gives webhook-first structure, fast.
@octokit/apphandles JWT + installation tokens clean.- You can drop to raw Octokit when you need control.
Scaffold CLI
Use Probot’s official scaffolder:
npx create-probot-app my-github-app
cd my-github-app
npm run dev
During setup:
- Choose TypeScript.
- Choose a minimal template.
- Keep scope narrow. One automation loop per app if possible.
Workflow
Follow this sequence. Keep it tight.
- Identify automation opportunities.
- Map them to webhook events + repo actions.
- Scaffold with Probot.
- Implement webhook handlers.
- Lock permissions to minimum viable.
- Deploy.
- Verify in a staging repo/org.
Automation discovery checklist:
- What exact event starts the automation?
- What repo/issue/PR state is required?
- What GitHub writes will happen?
- What permissions are required for those writes?
- What is the failure mode? (retry, comment, label, noop)
Project Structure
Default Probot layout is already decent:
my-github-app/
├─ src/
│ └─ index.ts # App entry, register webhooks
├─ test/ # Probot tests (add early)
├─ app.yml # App metadata + permissions (if used)
├─ package.json
└─ tsconfig.json
Suggested internal structure once logic grows:
src/
├─ index.ts # wire events only
├─ handlers/
│ ├─ pull-request.ts
│ ├─ issues.ts
│ └─ push.ts
├─ domain/
│ └─ <automation>.ts # core decision logic, testable
└─ github/
└─ client.ts # small helpers around octokit
Rule: keep webhook glue thin. Put decisions in deep modules.
Common Use Cases
PR automation:
- Auto-label by paths changed.
- Enforce checklist comments.
- Auto-request reviewers.
Issue management:
- Triage labels by templates.
- Auto-close stale issues with escape hatches.
- Route issues to teams.
Code review bots:
- Comment on risky diffs.
- Enforce conventions on PR open/sync.
- Block merge with a status check.
CI integration:
- Trigger external systems on PR/push.
- Mirror commit status back to GitHub.
- Manage deployments via checks.
Permissions Model
Treat permissions as an interface. Small surface.
Approach:
- Start from events + writes.
- Add only required read/write scopes.
- Prefer read-only unless you must write.
Typical mappings:
- Labeling issues/PRs → Issues: Read & Write, Pull requests: Read & Write
- Commenting → Issues or Pull requests: Read & Write
- Status checks → Commit statuses or Checks: Read & Write
- Repo config reads → Metadata: Read-only (always)
Keep a simple table in the repo:
- Action
- API call
- Permission required
Deployment Options
Pick the simplest host that fits the webhook model.
Good defaults:
- Vercel: fast for webhook handlers.
- Cloud functions: AWS Lambda, GCP Cloud Functions, Azure Functions.
- Self-hosted: long-lived workers, queues, custom infra.
Notes:
- Probot can run serverless with light glue.
- For heavier automations, use queues and idempotency keys.
- Keep webhook latency low; defer heavy work.
Verification Steps
Do not skip this.
Local loop:
npm run dev
Then:
- Create a GitHub App (dev) and install it on a staging repo.
- Point the webhook URL to your dev tunnel.
- Trigger the event (open PR, edit issue, push).
- Confirm logs show the expected handler path.
- Confirm the GitHub side effect happened (label, comment, check).
- Run tests for decision logic + handlers.
Minimal verification checklist:
- Event received.
- Guardrails applied (repo, org, branch filters).
- API calls succeed.
- No duplicate side effects.
- Permissions are sufficient but not excessive.
See: skills/github-app-scaffold/references/probot-patterns.md.